Hi all,
I'd like to use rsyslog to store all logs in a central MongoDB instance using
the ommongodb output module. I use a list template to map all variables to the
existing database fields:
/etc/rsyslog.conf:

    module(load="imudp")
    module(load="ommongodb")

    # receive syslog messages over UDP on port 514
    input(type="imudp" port="514")

    # one property per database field; outname renames the field
    template(name="BSON" type="list") {
        property(name="hostname" outname="host")
        property(name="timereported" dateFormat="date-unixtimestamp")
        property(name="msg")
        property(name="procid")
        property(name="syslogpriority-text")
        property(name="syslogtag")
        property(name="syslogfacility")
    }

    # write every message to MongoDB using the template above
    *.* action(type="ommongodb" server="my_server" db="logs"
               collection="syslog" template="BSON")

Renaming fields is simple and works fine. But unfortunately this does not solve
everything.
All sample rsyslog configs using ommongodb store the timestamps as strings. This
might be good for many cases, but storing dates as strings is not the best
option for querying and filtering the log database. The correct way would be
to store all dates as native ISODate() objects using UTC and not any local
timezone. What would be the correct way to achieve such a behavior?
A second, much more frustrating issue is that the same log level names are not
used everywhere. While syslog uses 'err', 'crit' and 'info', in Python, for
example, it is 'ERROR', 'CRITICAL' and 'INFO'. Does anyone have a good
suggestion for how to deal with this problem? Is there an easy way to define
some kind of pre-processing using RainerScript in the rsyslog.conf?
Thanks for your help in advance,
peter
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
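
Added example, not part of the original post and not rsyslog or ommongodb code: a Python sketch of the two normalizations the post asks about, applied to documents before they are stored. It assumes the field names from the template above; the sample documents, the alias table and the function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Syslog severity keywords in numeric order 0..7.
SYSLOG_SEVERITIES = ["emerg", "alert", "crit", "err",
                     "warning", "notice", "info", "debug"]
# Names used by other loggers (e.g. Python's logging) mapped to syslog keywords.
# Assumption: illustrative alias table, extend it for your own log sources.
ALIASES = {"critical": "crit", "fatal": "crit", "error": "err", "warn": "warning"}

def normalize_severity(name):
    """Return the syslog keyword for a severity name, whatever its case."""
    key = name.strip().lower()
    key = ALIASES.get(key, key)
    if key not in SYSLOG_SEVERITIES:
        raise ValueError("unknown severity: %r" % name)
    return key

def to_utc(value):
    """Turn a unix-timestamp string or an RFC 3339 string into an aware UTC
    datetime, the type MongoDB drivers such as pymongo store as a native date."""
    text = str(value).strip()
    if text.isdigit():
        return datetime.fromtimestamp(int(text), tz=timezone.utc)
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    stamp = datetime.fromisoformat(text)
    if stamp.tzinfo is None:  # a local time without offset is ambiguous
        raise ValueError("timestamp has no UTC offset: %r" % value)
    return stamp.astimezone(timezone.utc)

def normalize(doc):
    out = dict(doc)
    out["timereported"] = to_utc(doc["timereported"])
    out["syslogpriority-text"] = normalize_severity(doc["syslogpriority-text"])
    return out

# Constructed sample documents with mixed timestamp formats and level names.
SAMPLE = [
    {"host": "web1", "timereported": "2014-05-01T23:30:00+02:00", "syslogpriority-text": "ERROR"},
    {"host": "db1", "timereported": "2014-05-01T22:00:00Z", "syslogpriority-text": "err"},
    {"host": "app1", "timereported": "1398985200", "syslogpriority-text": "CRITICAL"},
]

def hosts_by_time(docs):
    return [d["host"] for d in sorted(docs, key=lambda d: d["timereported"])]

if __name__ == "__main__":
    print("string order:", hosts_by_time(SAMPLE))
    print("UTC order:   ", hosts_by_time([normalize(d) for d in SAMPLE]))
```

Sorting the raw strings puts the three hosts in exactly the reverse of their true chronological order, which is the querying problem described above.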