template(name="dynaName" type="string" string="/soft/rsyslog/%hostname%.log")

*.debug {
  action(
    type="omfile"
    name="debugActionName"
    template="templateName"
    dynafile="dynaName"
  )
}

*.info {
  action(
    type="omfile"
    name="infoActionName"
    template="templateName"
    file="/soft/rsyslog/everything.warn.log"
  )
}

You'll get the hang of it.  Enjoy.



On 10/30/18 6:07 AM, sophie.loewenthal--- via rsyslog wrote:
Hi,

I'm trying to change the rsyslog server to the new format, and decided to use 
the config generator on the rsyslogd.com website.

Previously I used Dynafile to send logs into %HOSTNAME%.log, but I don't see 
DynaFile available in the config generator.
Also I had set up different severities to be sent to different files.  Can this 
filtering be achieved with the new format?
e.g.
$template DynaFile,"/soft/rsyslog/%HOSTNAME%.log"
*.debug ?DynaFile

Also I had set up this but cannot see how to do this with the new format. I 
tried with omfile, but this did not work.  What is the recommended way?
*.info /soft/rsyslog/everything.warn.log
*.debug /soft/rsyslog/everything.all.log

Lastly, I don't think the bulk method for elasticsearch is correctly set:
         bulkmode="1"
Because of the message:   "error during parsing file /etc/rsyslog.conf, on or before line 41: parameter 
'bulkmode' must be "on" or "off" but is neither. Results unpredictable."
Setting this to bulkmode="on" silenced the error message, but I don't know if 
this is correct.

My rsyslog version: # rsyslogd -v
rsyslogd 8.24.0/ x86_64-redhat-linux-gnu

Help, like usual, greatly appreciated.

Best wishes,
Sophie


-------------------------------------------------------
# This configuration has been generated by using the
# rsyslog Configuration Builder which can be found at:
# http://www.rsyslog.com/rsyslog-configuration-builder/
#
# Default Settings

# Load Modules
module(load="imtcp")
module(load="imudp")
module(load="omelasticsearch")
module(load="imuxsock")

# rsyslog Templates
template(name="ElasticSearchTemplate"
type="list"
option.json="on") {
constant(value="{")
  constant(value="\"timestamp\":\"")      property(name="timereported" 
dateFormat="rfc3339")
  constant(value="\",\"message\":\"")     property(name="msg")
  constant(value="\",\"host\":\"")        property(name="hostname")
  constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
  constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
  constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
constant(value="\"}")
}
template(name="ElasticSearchTemplate"
type="list"
option.json="on") {
constant(value="{")
  constant(value="\"timestamp\":\"")      property(name="timereported" 
dateFormat="rfc3339")
  constant(value="\",\"message\":\"")     property(name="msg")
  constant(value="\",\"host\":\"")        property(name="hostname")
  constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
  constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
  constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
constant(value="\"}")
}

# rsyslog Input Modules
input(type="imtcp"
         port="")
input(type="imudp"
         port="")

# rsyslog RuleSets
# Default RuleSet
action(type="omelasticsearch"
         server="el8 "
         serverport="10514"
         searchIndex="unix"
         bulkmode="1"
         template="ElasticSearchTemplate")
action(type="omelasticsearch"
         server="el7 "
         serverport="10514"
         searchIndex="unix"
         bulkmode="1"
         template="ElasticSearchTemplate")
action(type="omfile"
         File="/soft/rsyslog/%HOSTNAME%.log"
         template="RSYSLOG_ForwardFormat")

# This configuration was generated on '2018-10-30 10:52:54'


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
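
The migration discussed in this thread as one complete configuration. This is an added example, not the poster's config or the Configuration Builder's output. The ruleset name "remote", the template name "PerHostFile", listener port 514 and the securepath option are assumptions that do not appear in the thread; paths, index name and serverport are taken from it.

```rsyslog
# Added example (assumed names: "remote", "PerHostFile"; assumed port: 514).
module(load="imtcp")
module(load="imudp")
module(load="omelasticsearch")

# Per-host file name. hostname comes from the received message, so
# securepath="replace" turns any "/" in it into "_" before it is used
# as part of a path under /soft/rsyslog/.
template(name="PerHostFile" type="list") {
    constant(value="/soft/rsyslog/")
    property(name="hostname" securepath="replace")
    constant(value=".log")
}

template(name="ElasticSearchTemplate" type="list" option.json="on") {
    constant(value="{")
    constant(value="\"timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"message\":\"")    property(name="msg")
    constant(value="\",\"host\":\"")       property(name="hostname")
    constant(value="\",\"severity\":\"")   property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"")   property(name="syslogfacility-text")
    constant(value="\",\"syslogtag\":\"")  property(name="syslogtag")
    constant(value="\"}")
}

ruleset(name="remote") {
    # Legacy "*.debug ?DynaFile": dynaFile= names a template, while file=
    # is a literal path in which %HOSTNAME% would not be expanded.
    action(type="omfile" dynaFile="PerHostFile" template="RSYSLOG_ForwardFormat")

    # Legacy "*.info /soft/rsyslog/everything.warn.log"
    if prifilt("*.info") then {
        action(type="omfile" file="/soft/rsyslog/everything.warn.log")
    }
    # Legacy "*.debug ...": debug is the lowest severity, so no filter is needed.
    action(type="omfile" file="/soft/rsyslog/everything.all.log")

    # bulkmode is a binary parameter: "on" or "off", not "1".
    action(type="omelasticsearch" server="el7" serverport="10514"
           searchIndex="unix" bulkmode="on" template="ElasticSearchTemplate")
}

# Bind the network listeners to the ruleset so remote messages take this path.
input(type="imtcp" port="514" ruleset="remote")
input(type="imudp" port="514" ruleset="remote")
```

The syntax can be checked without starting the daemon by running `rsyslogd -N1 -f` against the file.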
