8.24 is over three years old, there are a lot of other fixed bugs in the
meantime.
David Lang
On Fri, 27 Mar 2020, 来自小七and雨 via rsyslog wrote:
Date: Fri, 27 Mar 2020 10:48:09 +0800 (CST)
From: 来自小七and雨 via rsyslog <[email protected]>
To: "[email protected]" <[email protected]>
Cc: 来自小七and雨 <[email protected]>
Subject: Re: [rsyslog] rsyslog output to elasticsearch doesn't works
Hi, all
I have seen the modification history of rsyslog on github. This source code has
been modified in v8.29.
The version of rsyslog I use is v8.24, which is a fixed bug.
At 2020-03-27 10:16:22, "来自小七and雨 via rsyslog" <[email protected]>
wrote:
Hi, all
I tried the following command and got the same error:
curl -H "Content-Type: text/json" -XPOST 'manager.server:9200/books/es/1' -d '{"title":"Elasticsearch Server", "publicshed":2013}'
ERROR:
{"error":"Content-Type header [text/json] is not supported","status":406}
I changed the command to this:
curl -H "Content-Type: application/json" -XPOST 'manager.server:9200/books/es/1' -d '{"title":"Elasticsearch Server", "publicshed":2013}'
This is right!
So, can anyone tell me how to modify the Content-Type of rsyslog sending
request? Where can I set or modify this parameter?
At 2020-03-27 09:38:36, "来自小七and雨 via rsyslog" <[email protected]>
wrote:
Thanks David Lang.
Now I get an error msg:
{ "request": { "url": "http:\/\/manager.server:9200\/test-index\/test-type",
"postdata": "{\"message\":\"Unregistered Authentication Agent for unix-process:12318:17143977 (system bus name :1.345163, object path \\\/org\\\/freedesktop\\\/PolicyKit1\\\/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)\",\"fromhost\":\"master\",\"facility\":\"authpriv\",\"priority\":\"notice\",\"timereported\":\"2020-03-27T09:33:46.020173+08:00\",\"timegenerated\":\"2020-03-27T09:33:46.020173+08:00\"}" },
"reply": { "error": "Content-Type header [text\/json; charset=utf-8] is not supported", "status": 406 } }
_________________________________________________________________________
"Content-Type header [text\/json; charset=utf-8] is not supported", "status": 406
I used the template of the official document. Is there a problem?
At 2020-03-27 09:22:35, "来自小七and雨 via rsyslog" <[email protected]>
wrote:
All Config:
——————————————————————————————————
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#module(load="imfile") #needs to be done just once
module(load="imfile" PollingInterval="1")
module(load="omkafka")
module(load="omelasticsearch")
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,"%timestamp% %fromhost-ip% %msg%\n"
$ActionFileDefaultTemplate myFormat
template(name="testTemplate"
type="list"
option.json="on") {
constant(value="{")
constant(value="\"timestamp\":\"") property(name="timereported"
dateFormat="rfc3339")
constant(value="\",\"message\":\"") property(name="msg")
constant(value="\",\"host\":\"") property(name="hostname")
constant(value="\",\"severity\":\"")
property(name="syslogseverity-text")
constant(value="\",\"facility\":\"")
property(name="syslogfacility-text")
constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
constant(value="\"}")
}
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.* /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
input(type="imfile" File="/var/log/app.his.log" Tag="user-cmd" Severity="info"
Facility="local1")
*.info;mail.none;authpriv.none;cron.none @@info.server.com:514
local1.info /data/log/testkafka
&action(type="omkafka" topic="mytopic" confParam="compression.codec=snappy"
broker="manager.server:9092")
local1.info action(type="omelasticsearch" server="manager.server:9200"
searchIndex="test-index" searchType="test-type")
_____________________________________________________________________________________________
At 2020-03-27 08:37:07, "来自小七and雨 via rsyslog" <[email protected]>
wrote:
Sorry, here is the config:
__________________________________________________
module(load="omkafka")
module(load="omelasticsearch")
template(name="testTemplate"
type="list"
option.json="on") {
constant(value="{")
constant(value="\"timestamp\":\"") property(name="timereported"
dateFormat="rfc3339")
constant(value="\",\"message\":\"") property(name="msg")
constant(value="\",\"host\":\"") property(name="hostname")
constant(value="\",\"severity\":\"")
property(name="syslogseverity-text")
constant(value="\",\"facility\":\"")
property(name="syslogfacility-text")
constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
constant(value="\"}")
}
local1.info action(type="omelasticsearch" server="manager.server:9200"
searchIndex="test-index" searchType="test-type")
___________________________________________________________
And there is no error log.
I tried "rsyslogd -n" startup, but there was no extra information output, no
error was reported, and elasticsearch did not receive the messages. This confuses me.
Also, I used it to forward messages to kafka successfully.
Any suggestions?
thanks
At 2020-03-27 01:04:38, "John Chivian via rsyslog" <[email protected]>
wrote:
No one can help you unless you provide detail. Start with your exact
rsyslog configuration, and any examples of error messages.
Regards,
On 3/26/20 5:34 AM, 来自小七and雨 via rsyslog wrote:
Hi everyone,
I tried using rsyslog to send log messages to es, but failed.
I checked that the IP and port of es are correct, and I have also confirmed
that the es plugin is installed.
On checking, no corresponding index/type was created in es.
Can anyone help me? Thank you!
______________________________________
env :
elasticsearch v7.3
rsyslog v8.24
centos v7.4
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
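Added example, not part of the original thread or of rsyslog: a small triage script for rejection records of the shape quoted above (request.url, request.postdata, reply.error, reply.status), flagging the 406 Content-Type rejections that mean events never reach the index. The two sample records are constructed, and the `triage` and `iter_records` names are hypothetical.

```python
import json
import re

# Constructed sample: two records in the shape quoted in the thread.
SAMPLE = r'''
{ "request": { "url": "http:\/\/manager.server:9200\/test-index\/test-type",
  "postdata": "{\"message\":\"constructed test line\",\"fromhost\":\"master\"}" },
  "reply": { "error": "Content-Type header [text\/json; charset=utf-8] is not supported", "status": 406 } }
{ "request": { "url": "http:\/\/manager.server:9200\/test-index\/test-type",
  "postdata": "{\"message\":\"second constructed line\"}" },
  "reply": { "error": "constructed placeholder error", "status": 400 } }
'''

# Error text Elasticsearch returns for an unsupported request Content-Type.
CT_RE = re.compile(r"Content-Type header \[([^\]]+)\] is not supported")


def iter_records(text):
    """Yield each JSON object from a stream of concatenated records."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def triage(text):
    """Classify each rejected request; 406 plus the header error is a client-side fault."""
    findings = []
    for rec in iter_records(text):
        reply = rec.get("reply", {})
        err = reply.get("error", "")
        if not isinstance(err, str):  # the error may also be a nested object
            err = json.dumps(err)
        match = CT_RE.search(err)
        header_fault = bool(match) and reply.get("status") == 406
        findings.append({
            "url": rec.get("request", {}).get("url"),
            "status": reply.get("status"),
            "rejected_content_type": match.group(1) if match else None,
            "kind": "client-header" if header_fault else "other",
        })
    return findings
```
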