Hi,
I have configured an rsyslog server where I want to send the logs from the
other machines.
Here I want to keep local logs and also to send them to Elasticsearch. For
Elasticsearch I have multiple actions, because I want httpd (for ex.) to go
to searchType="httpd" and so on. After each action I would like to drop
the previously caught lines, because I want a last action with the default
search type. Because of my drop rule, nothing reaches past the first action:
not the omfile writer and not the elasticsearch actions.
I'm using the same $RuleSet remote for both output modules.
Can anyone help me in setting this correctly?
Something like this (with multiple templates and actions):
$RuleSet remote
$ModLoad omelasticsearch
template(name="10-audit"
type="list"
option.json="on")
{
constant(value="{")
constant(value="\"@timestamp\":\"")
property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"timereported\":\"")
property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"timegenerated\":\"")
property(name="timegenerated" dateFormat="rfc3339")
constant(value="\",\"message\":\"") property(name="msg")
constant(value="\",\"host\":\"")
property(name="hostname")
constant(value="\",\"severity\":\"")
property(name="syslogseverity-text")
constant(value="\",\"priority\":\"")
property(name="syslogpriority-text")
constant(value="\",\"facility\":\"")
property(name="syslogfacility-text")
constant(value="\",\"tag\":\"")
property(name="syslogtag")
constant(value="\",\"program_name\":\"")
property(name="programname")
constant(value="\"}")
}
*.* action(type="omelasticsearch"
name="action_10-audit"
server="v-so-repo-02"
serverport="9200"
template="10-audit"
searchIndex="default-index"
searchType="audit"
bulkmode="on" # use the Bulk API
queue.dequeuebatchsize="5000" # ES bulk size
queue.size="100000" # capacity of the action queue
queue.workerthreads="15" # 15 workers for the action
queue.type="linkedlist"
queue.FileName="es_queue"
queue.MaxDiskSpace="1g"
queue.SaveOnShutdown="on"
action.resumeretrycount="-1"
errorFile="/srv/log/rsyslog_ES-error_default-index_audit.log"
)
& stop
Best regards,
Cristian Falcas
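A layout that does what the post describes, given here as an added example (it is not the poster's config or anything from the rsyslog project). It assumes a second list template "10-httpd" built like "10-audit", the ES host v-so-repo-02:9200 from the post, a local file path /srv/log/remote/all.log, and an imudp listener bound to the ruleset. The point it illustrates: `stop` discards the message for every action that follows it in the ruleset, so the local omfile action must sit before any `stop`, and `stop` belongs only inside the program-specific branches, never after the catch-all.

```rsyslog
# Added example; names and paths are assumptions, not from the original post.
module(load="omelasticsearch")

ruleset(name="remote") {
    # 1. Local copy first: no "stop" above this line, so every message is
    #    written to disk regardless of what the ES branches do later.
    action(type="omfile" file="/srv/log/remote/all.log")

    # 2. Program-specific ES actions. Each branch ends with "stop" so the
    #    default action below does not index the same message a second time.
    if $programname == "httpd" then {
        action(type="omelasticsearch" name="action_10-httpd"
               server="v-so-repo-02" serverport="9200"
               template="10-httpd"
               searchIndex="default-index" searchType="httpd"
               bulkmode="on"
               queue.type="linkedlist" queue.filename="es_queue_httpd"
               queue.maxdiskspace="1g" queue.saveonshutdown="on"
               action.resumeretrycount="-1"
               errorFile="/srv/log/rsyslog_ES-error_default-index_httpd.log")
        stop
    }

    if $syslogfacility-text == "authpriv" then {
        action(type="omelasticsearch" name="action_10-audit"
               server="v-so-repo-02" serverport="9200"
               template="10-audit"
               searchIndex="default-index" searchType="audit"
               bulkmode="on"
               queue.type="linkedlist" queue.filename="es_queue_audit"
               queue.maxdiskspace="1g" queue.saveonshutdown="on"
               action.resumeretrycount="-1"
               errorFile="/srv/log/rsyslog_ES-error_default-index_audit.log")
        stop
    }

    # 3. Catch-all: anything not stopped above gets the default type.
    #    No "stop" here; it is the last action in the ruleset anyway.
    action(type="omelasticsearch" name="action_10-default"
           server="v-so-repo-02" serverport="9200"
           template="10-audit"
           searchIndex="default-index" searchType="default"
           bulkmode="on"
           queue.type="linkedlist" queue.filename="es_queue_default"
           queue.maxdiskspace="1g" queue.saveonshutdown="on"
           action.resumeretrycount="-1"
           errorFile="/srv/log/rsyslog_ES-error_default-index_default.log")
}

# Bind the ruleset to the listener that receives the remote machines' logs.
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")
```

Each disk-assisted queue needs its own queue.filename; reusing one name across actions makes them fight over the same spool files.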
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog