yup, thx. IMHO makes sense. Let's wait for what David says, but I think it
would make sense to open an issue referring to this thread. ... I know,
I also must find time to actually work on some of them... ;-)
This is our current /core.conf/ draft:

   global(
        MaxMessageSize="32k"
        workDirectory="/data"
        parser.escapeControlCharactersOnReceive="off"
   )

   # property references in string templates must be enclosed in %...%
   template(name="index" type="string" string="%$!data!index%")
   template(name="type" type="string" string="%$!data!type%")
   template(name="json" type="string" string="%$!data%")

   module(load="omelasticsearch")
   ruleset(name="elastic"){
        set $!data=$msg;
        set $!data!relay=$myhostname;
        set $!data!from=$hostname;
        action(
            action.reportSuspension="on"
            action.resumeRetryCount="-1"
            #queue.filename="omrelp.qi"
            queue.maxdiskspace="1G"
            queue.SaveOnShutdown="on"
            queue.type="LinkedList"
            type="omelasticsearch"
            server="server"
            serverport="9200"
            searchIndex="index"
            dynSearchIndex="on"
            searchType="type"
            dynSearchType="on"
            template="json"
        )
   }

   module(load="imrelp")
   input(
        port="20514"
        type="imrelp"
        name="imrelp"
   )

   # All files under rsyslog.d are automatically included, each will be like:
   # app.conf
   # ruleset(name="app") {
   #   #normalize/parse. ideally using inline rules
   #   #whatever
   #   set $!data!index="myindex-YYYY-MM-DD";
   #   set $!data!type="this_app_types_are_known_by_this_app";
   #   call another_app_in_pipeline
   #   stop
   # }

   call $!data!app

This is the best approach we have found so far.
Although @davidlang suggested having just one normalization ruleset could be faster, this appears to be flexible, easy to maintain, etc.
Thoughts?
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog