# String template used as a dynafile name: one output file per %hostname% value.
# %hostname% is the hostname field taken from the received message, so on a
# server that accepts remote syslog it is supplied by the sender.
# NOTE(review): consider %fromhost-ip% (address of the sending peer) or the
# secpath-replace property option here, so that a crafted hostname cannot
# influence the path under /soft/rsyslog/ -- confirm against your rsyslog version.
template(name="dynaName" type="string" string="/soft/rsyslog/%hostname%.log")
# *.debug: every facility, severity debug and higher (i.e. all messages),
# written to the per-host file produced by the dynaName template.
# NOTE(review): "templateName" is a placeholder for the output-format template;
# no template of that name is defined in this snippet, so define one or drop
# the template= parameter to get the omfile default format.
*.debug {
action(
type="omfile"
name="debugActionName"
template="templateName"
dynafile="dynaName"
)
}
# *.info: every facility, severity info and higher, written to one static file.
# The same "templateName" placeholder applies here.
*.info {
action(
type="omfile"
name="infoActionName"
template="templateName"
file="/soft/rsyslog/everything.warn.log"
)
}
You'll get the hang of it. Enjoy.
On 10/30/18 6:07 AM, sophie.loewenthal--- via rsyslog wrote:
Hi,
I'm trying to change the rsyslog server to the new format, and decided to use
the config generator on the rsyslogd.com website.
Previously I used Dynafile to send logs into %HOSTNAME%.log, but I don't see
DynaFile available in the config generator.
Also I had set up different severities to be sent to different files. Can this
filtering be achieved with the new format?
e.g.
$template DynaFile,"/soft/rsyslog/%HOSTNAME%.log"
*.debug ?DynaFile
Also I had set up this but cannot see how to do this with the new format. I
tried with omfile, but this did not work. What is the recommended way?
*.info /soft/rsyslog/everything.warn.log
*.debuf /soft/rsyslog/everything.all.log
Lastly, I don't think the bulk method for elasticsearch is correctly set:
bulkmode="1"
Because of the message: "error during parsing file /etc/rsyslog.conf, on or before line 41: parameter
'bulkmode' must be "on" or "off" but is neither. Results unpredictable."
Setting this to bulkmode="on" silenced the error message, but I don't know if
this is correct.
My rsyslog version: # rsyslogd -v
rsyslogd 8.24.0/ x86_64-redhat-linux-gnu
Help, like usual, greatly appreciated.
Best wishes,
Sophie
-------------------------------------------------------
# This configuration has been generated by using the
# rsyslog Configuration Builder which can be found at:
# http://www.rsyslog.com/rsyslog-configuration-builder/
#
# Default Settings
# Load Modules
# imtcp / imudp: syslog reception over TCP / UDP.
# omelasticsearch: output module that sends events to Elasticsearch.
# imuxsock: reads messages from the local system log socket.
module(load="imtcp")
module(load="imudp")
module(load="omelasticsearch")
module(load="imuxsock")
# rsyslog Templates
# List template that assembles one JSON object per message from literal
# fragments (constant) and message fields (property): timestamp, message,
# host, severity, facility and syslogtag.
# option.json="on" requests JSON escaping of the property values; since the
# JSON is built by string concatenation, that escaping is what keeps quotes or
# backslashes in sender-supplied text (msg, hostname, syslogtag) from breaking
# the document structure.
template(name="ElasticSearchTemplate"
type="list"
option.json="on") {
constant(value="{")
constant(value="\"timestamp\":\"") property(name="timereported"
dateFormat="rfc3339")
constant(value="\",\"message\":\"") property(name="msg")
constant(value="\",\"host\":\"") property(name="hostname")
constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
constant(value="\"}")
}
# NOTE(review): this is a line-for-line repeat of the ElasticSearchTemplate
# definition directly above it, under the same name. The generator appears to
# have emitted it once per omelasticsearch action; a single definition is enough.
template(name="ElasticSearchTemplate"
type="list"
option.json="on") {
constant(value="{")
constant(value="\"timestamp\":\"") property(name="timereported"
dateFormat="rfc3339")
constant(value="\",\"message\":\"") property(name="msg")
constant(value="\",\"host\":\"") property(name="hostname")
constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
constant(value="\"}")
}
# rsyslog Input Modules
# Network listeners for remote syslog over TCP and UDP.
# NOTE(review): port="" is empty in both inputs; the listening port has to be
# filled in before these inputs can be used (514 is the conventional syslog port).
# NOTE(review): as written these are plain listeners with no sender
# authentication, so any host that can reach the port can inject log lines.
# Restrict senders at the firewall, or use TLS on the TCP input, if the
# network is not trusted.
input(type="imtcp"
port="")
input(type="imudp"
port="")
# rsyslog RuleSets
# Default RuleSet
# Two Elasticsearch outputs, identical except for the server name. Both write
# to index "unix" using the ElasticSearchTemplate JSON template.
# bulkmode="1" is the value the parser rejects in the error quoted in the mail:
# the parameter is a binary option and takes "on" or "off" ("on" selects the
# Elasticsearch bulk API).
# NOTE(review): both server values carry a trailing space inside the quotes
# ("el8 ", "el7 ") -- presumably unintended; verify.
# NOTE(review): omelasticsearch talks HTTP to the Elasticsearch REST API, whose
# default port is 9200; serverport="10514" looks like a syslog port -- confirm.
action(type="omelasticsearch"
server="el8 "
serverport="10514"
searchIndex="unix"
bulkmode="1"
template="ElasticSearchTemplate")
action(type="omelasticsearch"
server="el7 "
serverport="10514"
searchIndex="unix"
bulkmode="1"
template="ElasticSearchTemplate")
# File output using the built-in RSYSLOG_ForwardFormat template for the line format.
# NOTE(review): File= names a static file, so %HOSTNAME% is not expanded here
# and is used literally in the file name. Per-host files need dynaFile= set to
# the name of a template that holds the path.
# NOTE(review): when the path is built from the message's hostname field, that
# value is supplied by the sender; see the secpath-* property options or use
# fromhost-ip to keep it from steering the output path.
action(type="omfile"
File="/soft/rsyslog/%HOSTNAME%.log"
template="RSYSLOG_ForwardFormat")
# This configuration was generated on '2018-10-30 10:52:54'