Hi Brandon,

I haven't used graylog2 in years, so I might be completely off, but here
are two ideas that might help.

AFAIK, graylog2 uses Elasticsearch as the backend for storing logs, so if
you figure out how data is normally written, you could hook rsyslog
directly to ES via omelasticsearch. I didn't do this with graylog, only
with logstash:
http://blog.sematext.com/2013/07/01/recipe-rsyslog-elasticsearch-kibana/

The problem with this approach is if your original logs don't have a
timezone. Then rsyslog assumes it's UTC which may or may not be true. If
you need to mangle the timestamp, I think there's currently no way to
do that. So you'd need something external to change the timestamp. It looks
like Logstash can do it with the date filter:
http://www.elasticsearch.org/guide/en/logstash/master/plugins-filters-date.html#plugins-filters-date-timezone

Actually, there might just be a dirty way to do it in rsyslog via
templates. date-rfc3339 should output something like:

2015-01-27T16:17:57Z

And you can output everything except that Z (or it may be +00:00, I don't
remember) and append a hardcoded timezone (like -05:00 or something)
directly in the template.

Ugly? You bet! But maybe less ugly than using something else just for
timestamp changing. Though a cleaner method could be to add this
functionality to rsyslog.

Best regards,
Radu

--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/

On Thu, Jan 29, 2015 at 7:22 AM, Brandon <[email protected]> wrote:

> Hi, I am having problems with getting some ESXi logs into graylog2 via
> rsyslog and I am hoping someone can help me out. Currently, I ship logs
> from the esxi 5.1 host to a satellite rsyslog server, which then sends the
> logs on to a central rsyslog log repository. The logs are stored locally
> and then passed on to the graylog2 server. The central log repository and
> satellite nodes are running rsyslog v8.7 on CentOS. I can get logs from
> other Linux servers without any issues. They all show up in the graylog2
> interface as expected under the right hostname and the file is created with
> the right hostname on the log store server.
>
> The problem is logs are not forwarded into graylog2 (or they are and I
> can't see them). I have tried using a template found from a google search
> but it doesn't seem to work. I think the timestamp needs to be converted to
> CST from UTC but don't know how to do that if it is possible.
>
> Jan 29 03:20:01 host.domain.tld crond[2465]: crond: USER root pid 4324392
> cmd /sbin/hostd-probe
> Jan 29 03:20:02 host.domain.tld syslog[4324393]: starting hostd probing.
> Jan 29 03:20:02 host.domain.tld hostd-probe: [FFC6ECB0 warning 'Default']
> Unrecognized log/level 'audit' using 'info'
>
> template(name="GRAYLOGRFC5424" type="string"
>          string="<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
>         )
>
> *.* @@graylog2.domain.tld:10514;GRAYLOGRFC5424
>
> Any help is appreciated.
> Regards,
> Brandon
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
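As an added illustration of the template trick Radu describes above (this is not code from the thread and not rsyslog's own documentation), here is how the "cut the offset off date-rfc3339 and append a hardcoded one" idea looks in rsyslog 7/8 RainerScript, next to a corrected form of Brandon's template. The ESXi hostname, the graylog2 target and port, and the -06:00 offset are assumptions for the example; the first-19-character cut relies on rsyslog applying the from/to substring of the property replacer after the date-rfc3339 formatting has been done.

```rsyslog
# Added example, not part of the original mailing-list thread.
# Tested idea only against the rsyslog property-replacer semantics; adapt
# names before use.

# Plain RFC5424 output, equivalent to rsyslog's built-in
# RSYSLOG_SyslogProtocol23Format: rsyslog prints the timestamp with the
# UTC offset it believes the message has.
template(name="GRAYLOGRFC5424" type="string"
         string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Radu's "dirty" variant. date-rfc3339 renders e.g.
#   2015-01-29T03:20:01-05:00   (or ...+00:00 / ...Z style, depending on host)
# The :1:19: substring keeps only "2015-01-29T03:20:01" (19 characters),
# dropping whatever offset rsyslog attached, and the template appends a
# fixed offset. ASSUMPTION: the ESXi clock is labelled wrongly and should
# be read as US Central Standard Time (UTC-06:00). This only RELABELS the
# value; the hour and minute digits are not shifted.
template(name="GRAYLOGRFC5424_FIXEDTZ" type="string"
         string="<%PRI%>1 %TIMESTAMP:1:19:date-rfc3339%-06:00 %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Apply the relabelled template only to the host(s) that need it, so logs
# from Linux boxes that already arrive correctly keep their real offset.
# "host.domain.tld", "graylog2.domain.tld" and port 10514 are placeholders.
if $hostname == "host.domain.tld" then {
    action(type="omfwd" target="graylog2.domain.tld" port="10514"
           protocol="tcp" template="GRAYLOGRFC5424_FIXEDTZ")
    stop
}

action(type="omfwd" target="graylog2.domain.tld" port="10514"
       protocol="tcp" template="GRAYLOGRFC5424")
```

Two caveats before relying on this. A fixed offset does not follow daylight-saving changes, so a host in US Central time would need -05:00 for part of the year; and because the template only relabels the timestamp, it is worth confirming first (for example by comparing a `tcpdump` of the incoming syslog line with what rsyslog writes to its local file) which timezone the ESXi host actually logs in, so that the relabel makes the timestamp more correct rather than less.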