Hi,

Is your template "ElasticSearchTemplate" defined somewhere?
It's specified in action, but no definition is visible.

Flo

On Tue, Oct 30, 2018 at 4:22 PM sophie.loewenthal--- via rsyslog <[email protected]> wrote:

> Hi John,
>
> > You'll get the hang of it. Enjoy.
>
> I don't think I'll get the hang of this.
>
> I tried with a copy and paste of your example & had nothing. So I tried
> modifying this to be,
>
> # Default RuleSet
> *.info { action (type="omelasticsearch"
>     server="el7"
>     serverport="10514"
>     searchIndex="unix"
>     bulkmode="on"
>     template="ElasticSearchTemplate")
> }
> *.info { action (type="omelasticsearch"
>     server="el8"
>     serverport="10514"
>     searchIndex="unix"
>     bulkmode="on"
>     template="ElasticSearchTemplate")
> }
>
> template(name="dynaName" type="string"
>     string="/soft/rsyslog/%hostname%.log")
>
> *.debug {
>     action (
>         type="omfile"
>         name="debugActionName"
>         template="dynaName"
>         dynafile="dynaName"
>     )
> }
>
> *.warn {
>     action (
>         type="omfile"
>         name="infoActionName"
>         #template="templateName"
>         file="/soft/rsyslog/everything.warn.log"
>     )
> }
>
> And this wrote nothing to any file.
>
> > -----Original Message-----
> > From: rsyslog [mailto:[email protected]] On Behalf Of John Chivian
> > Sent: Tuesday, October 30, 2018 3:24 PM
> > To: sophie.loewenthal--- via rsyslog
> > Subject: Re: [rsyslog] Moving from legacy to new rsyslog syntax - dynafile and severity levels
> >
> > template(name="dynaName" type="string"
> >     string="/soft/rsyslog/%hostname%.log")
> >
> > *.debug {
> >     action(
> >         type="omfile"
> >         name="debugActionName"
> >         template="templateName"
> >         dynafile="dynaName"
> >     )
> > }
> >
> > *.info {
> >     action(
> >         type="omfile"
> >         name="infoActionName"
> >         template="templateName"
> >         file="/soft/rsyslog/everything.warn.log"
> >     )
> > }
> >
> > You'll get the hang of it. Enjoy.
> >
> > On 10/30/18 6:07 AM, sophie.loewenthal--- via rsyslog wrote:
> > > Hi,
> > >
> > > I'm trying to change the rsyslog server to the new format, and decided to use the config generator on the rsyslogd.com website.
> > >
> > > Previously I used Dynafile to send logs into %HOSTNAME%.log, but I don't see DynaFile available in the config generator.
> > > Also I had set up different severities to be sent to different files. Can this filtering be achieved with the new format?
> > > e.g.
> > > $template DynaFile,"/soft/rsyslog/%HOSTNAME%.log"
> > > *.debug ?DynaFile
> > >
> > > Also I had set up this but cannot see how to do this with the new format. I tried with omfile, but this did not work. What is the recommended way?
> > > *.info /soft/rsyslog/everything.warn.log
> > > *.debuf /soft/rsyslog/everything.all.log
> > >
> > > Lastly, I don't think the bulk method for elasticsearch is correctly set:
> > > bulkmode="1"
> > > Because of the message: "error during parsing file /etc/rsyslog.conf, on or before line 41: parameter 'bulkmode' must be "on" or "off" but is neither. Results unpredictable."
> > > Setting this to bulkmode="on" silenced the error message, but I don't know if this is correct.
> > >
> > > My rsyslog version: # rsyslogd -v
> > > rsyslogd 8.24.0/ x86_64-redhat-linux-gnu
> > >
> > > Help, like usual, greatly appreciated.
> > >
> > > Best wishes,
> > > Sophie
> > >
> > > -------------------------------------------------------
> > > # This configuration has been generated by using the
> > > # rsyslog Configuration Builder which can be found at:
> > > # http://www.rsyslog.com/rsyslog-configuration-builder/
> > > #
> > > # Default Settings
> > >
> > > # Load Modules
> > > module(load="imtcp")
> > > module(load="imudp")
> > > module(load="omelasticsearch")
> > > module(load="imuxsock")
> > >
> > > # rsyslog Templates
> > > template(name="ElasticSearchTemplate"
> > >     type="list"
> > >     option.json="on") {
> > >     constant(value="{")
> > >     constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
> > >     constant(value="\",\"message\":\"") property(name="msg")
> > >     constant(value="\",\"host\":\"") property(name="hostname")
> > >     constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
> > >     constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
> > >     constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
> > >     constant(value="\"}")
> > > }
> > > template(name="ElasticSearchTemplate"
> > >     type="list"
> > >     option.json="on") {
> > >     constant(value="{")
> > >     constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
> > >     constant(value="\",\"message\":\"") property(name="msg")
> > >     constant(value="\",\"host\":\"") property(name="hostname")
> > >     constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
> > >     constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
> > >     constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
> > >     constant(value="\"}")
> > > }
> > >
> > > # rsyslog Input Modules
> > > input(type="imtcp"
> > >     port="")
> > > input(type="imudp"
> > >     port="")
> > >
> > > # rsyslog RuleSets
> > > # Default RuleSet
> > > action(type="omelasticsearch"
> > >     server="el8 "
> > >     serverport="10514"
> > >     searchIndex="unix"
> > >     bulkmode="1"
> > >     template="ElasticSearchTemplate")
> > > action(type="omelasticsearch"
> > >     server="el7 "
> > >     serverport="10514"
> > >     searchIndex="unix"
> > >     bulkmode="1"
> > >     template="ElasticSearchTemplate")
> > > action(type="omfile"
> > >     File="/soft/rsyslog/%HOSTNAME%.log"
> > >     template="RSYSLOG_ForwardFormat")
> > >
> > > # This configuration was generated on '2018-10-30 10:52:54'

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
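The legacy-to-new mapping this thread is about, as an added example that is not part of any message above and is not the posters' or the rsyslog project's own configuration: every template is defined under the name an action references, the file-name template is passed only through dynaFile, and bulkmode uses "on". Hosts, ports and paths are copied from the posted configs; the action names are illustrative, and `*.debug` for the second file is an assumption (the original post has `*.debuf`).

```rsyslog
# Added example, not from the thread. Action names are illustrative.
module(load="imuxsock")
module(load="omelasticsearch")

# JSON output format. It has to exist in the loaded configuration under the
# same name that the omelasticsearch actions reference.
template(name="ElasticSearchTemplate" type="list" option.json="on") {
    constant(value="{")
    constant(value="\"timestamp\":\"")    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"message\":\"")   property(name="msg")
    constant(value="\",\"host\":\"")      property(name="hostname")
    constant(value="\",\"severity\":\"")  property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"")  property(name="syslogfacility-text")
    constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
    constant(value="\"}")
}

# File NAME template (legacy: $template DynaFile,"/soft/rsyslog/%HOSTNAME%.log").
template(name="dynaName" type="string" string="/soft/rsyslog/%hostname%.log")

# Legacy: *.debug ?DynaFile
# dynaFile names the path template. No template= is given, so the line
# format is the omfile default rather than the path string.
*.debug {
    action(type="omfile" name="perHostFile" dynaFile="dynaName")
}

# Legacy: *.info /soft/rsyslog/everything.warn.log
*.info {
    action(type="omfile" name="infoFile" file="/soft/rsyslog/everything.warn.log")
}

# Legacy: second selector from the original post, assumed to mean *.debug.
*.debug {
    action(type="omfile" name="allFile" file="/soft/rsyslog/everything.all.log")
}

# bulkmode is a binary parameter: "on" or "off", per the quoted error message.
*.info {
    action(type="omelasticsearch" name="esEl7" server="el7" serverport="10514"
           searchIndex="unix" bulkmode="on" template="ElasticSearchTemplate")
    action(type="omelasticsearch" name="esEl8" server="el8" serverport="10514"
           searchIndex="unix" bulkmode="on" template="ElasticSearchTemplate")
}
```

Running `rsyslogd -N1 -f <file>` checks a configuration file without starting the daemon and prints parse errors such as the bulkmode message quoted in the thread.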

