You have the right idea; I don't understand what you are asking for help on.

David Lang

On Tue, 22 Jul 2014, Cristian Falcas wrote:

Hi,

I have configured a rsyslog server where I want to send the logs from the
other machines.

Here I want to keep local logs and also to send them to elasticsearch. For
elasticsearch I have multiple actions, because I want httpd (for ex.) to go
to searchType="httpd" and so on. After each action I would like to drop
the previously caught lines, because I want a last action with the default
search type. Because of my drop rule, nothing reaches past the first action:
not the omfile writer and not the elasticsearch actions.

I'm using the same $RuleSet remote for both output modules.

Can anyone help me in setting this correctly?

Something like this (with multiple templates and actions):

$RuleSet remote

$ModLoad omelasticsearch

# JSON document sent to Elasticsearch (one list template per searchType)
template(name="10-audit"
         type="list"
         option.json="on") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")       property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"timereported\":\"")  property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"timegenerated\":\"") property(name="timegenerated" dateFormat="rfc3339")
    constant(value="\",\"message\":\"")       property(name="msg")
    constant(value="\",\"host\":\"")          property(name="hostname")
    constant(value="\",\"severity\":\"")      property(name="syslogseverity-text")
    constant(value="\",\"priority\":\"")      property(name="syslogpriority-text")
    constant(value="\",\"facility\":\"")      property(name="syslogfacility-text")
    constant(value="\",\"tag\":\"")           property(name="syslogtag")
    constant(value="\",\"program_name\":\"")  property(name="programname")
    constant(value="\"}")
}

*.* action(type="omelasticsearch"
      name="action_10-audit"
      server="v-so-repo-02"
      serverport="9200"
      template="10-audit"
      searchIndex="default-index"
      searchType="audit"
      bulkmode="on"                    # use the Bulk API
      queue.dequeuebatchsize="5000"    # ES bulk size
      queue.size="100000"              # capacity of the action queue
      queue.workerthreads="15"         # 15 worker threads for the action
      queue.type="linkedlist"
      queue.FileName="es_queue"
      queue.MaxDiskSpace="1g"
      queue.SaveOnShutdown="on"
      action.resumeretrycount="-1"
      errorFile="/srv/log/rsyslog_ES-error_default-index_audit.log"
   )
# discards every message here, so no later action in this ruleset sees it
& stop

Best regards,
Cristian Falcas
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
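A way to lay out the ruleset described in the question, as an added example that is not part of the thread and not Cristian's or the rsyslog project's configuration: the local file action runs first and unconditionally, each program-specific omelasticsearch action sits inside an `if $programname == ...` block that ends with `stop`, and the default searchType action is last so it only sees what the earlier branches did not consume. The host name `ES_HOST_PLACEHOLDER`, the index name, the file path under `/srv/log/remote/` and the listener port are placeholders chosen for the example; the queue and retry parameters are the ones already used in the question.

```rsyslog
# Added example configuration (rsyslog v7+ RainerScript), not from the thread.
module(load="imtcp")
module(load="omelasticsearch")

# One JSON template shared by every Elasticsearch action.
template(name="es-json" type="list" option.json="on") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"host\":\"")         property(name="hostname")
    constant(value="\",\"severity\":\"")     property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"")     property(name="syslogfacility-text")
    constant(value="\",\"program_name\":\"") property(name="programname")
    constant(value="\",\"message\":\"")      property(name="msg")
    constant(value="\"}")
}

# Local copy, one file per sending host and program (placeholder path).
template(name="remote-file" type="string"
         string="/srv/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

ruleset(name="remote") {
    # 1. Keep the local log first. Nothing before this line can drop the
    #    message, so the file is always written.
    action(type="omfile" dynaFile="remote-file")

    # 2. Program-specific searchType. Each branch ends with 'stop' so the
    #    message does not also reach the default action at the bottom.
    if $programname == "httpd" then {
        action(type="omelasticsearch" name="es-httpd"
               server="ES_HOST_PLACEHOLDER" serverport="9200"
               template="es-json" searchIndex="default-index" searchType="httpd"
               bulkmode="on" queue.type="linkedlist" queue.filename="es_httpd"
               queue.saveonshutdown="on" action.resumeretrycount="-1"
               errorFile="/srv/log/rsyslog_ES-error_httpd.log")
        stop
    }
    if $programname == "sshd" then {
        action(type="omelasticsearch" name="es-sshd"
               server="ES_HOST_PLACEHOLDER" serverport="9200"
               template="es-json" searchIndex="default-index" searchType="sshd"
               bulkmode="on" queue.type="linkedlist" queue.filename="es_sshd"
               queue.saveonshutdown="on" action.resumeretrycount="-1"
               errorFile="/srv/log/rsyslog_ES-error_sshd.log")
        stop
    }

    # 3. Everything else: the default searchType. No 'stop' is needed,
    #    because the ruleset ends here.
    action(type="omelasticsearch" name="es-default"
           server="ES_HOST_PLACEHOLDER" serverport="9200"
           template="es-json" searchIndex="default-index" searchType="default"
           bulkmode="on" queue.type="linkedlist" queue.filename="es_default"
           queue.saveonshutdown="on" action.resumeretrycount="-1"
           errorFile="/srv/log/rsyslog_ES-error_default.log")
}

# Bind the remote listener to the ruleset (placeholder port).
input(type="imtcp" port="514" ruleset="remote")
```

The ordering is the whole point: in the original snippet `& stop` follows the very first action, so every message in the ruleset is discarded before the omfile action or any other omelasticsearch action runs. Putting the file action before any `stop`, and scoping each `stop` to an `if` branch, gives every message exactly one local file write and exactly one Elasticsearch action. Each action has its own disk-assisted queue and `errorFile`, so a slow or unreachable Elasticsearch for one searchType does not block the others or the local file; those error files are worth monitoring, since silently rejected bulk items mean gaps in the searchable record.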
