# Modules used by this configuration: four network inputs, two message
# modification modules and the Elasticsearch output.

# Plain TCP syslog input (bound to port 514 below); no TLS settings are given for it here.
module(load="imptcp")
# UDP syslog input. TimeRequery="10000": the clock is re-read only every
# 10000th message, trading timestamp precision for throughput.
module(load="imudp" TimeRequery="10000")
# RELP input (bound to port 20514 below).
module(load="imrelp")
# TCP syslog input using the netstream driver configured in global().
# StreamDriver.Mode="1" requires TLS on imtcp listeners. AuthMode="anon"
# means the peer certificate is not checked: traffic is encrypted, but any
# host that can reach the port can submit messages.
# NOTE(review): if senders hold certificates, AuthMode="x509/name" together
# with a PermittedPeer list would authenticate them - confirm against the
# client fleet before changing.
module(load="imtcp" StreamDriver.AuthMode="anon" StreamDriver.Mode="1")
# Parses JSON (CEE) payloads into message variables; sets $parsesuccess.
module(load="mmjsonparse")
# Replaces invalid UTF-8 sequences so the output stays valid for the indexer.
module(load="mmutf8fix")
# Output to an Elasticsearch-compatible HTTP(S) endpoint.
module(load="omelasticsearch")
# Process-wide settings: message size limit, control-character handling,
# action suspension reporting and the default TLS (netstream) driver.
global (
# Upper bound on the size of a single message.
maxMessageSize="10000"
# Control characters in received messages are kept as-is instead of being
# escaped at the parser. Templates below therefore have to escape every
# sender-supplied field themselves (format="json").
parser.escapeControlCharactersOnReceive="off"
# Log when an action is suspended and when it stays suspended, so an
# unreachable receiver is visible in rsyslog's own messages.
action.reportSuspension="on"
action.reportSuspensionContinuation="on"
# GnuTLS netstream driver plus the CA, private key and certificate it uses.
# This is what the imtcp listener on port 10514 relies on.
defaultNetstreamDriver="gtls"
defaultNetstreamDriverCAFile="/opt/sematext/rsyslog/ca.pem"
# NOTE(review): private key - should be readable only by the account
# rsyslog runs as; verify ownership and mode on deployment.
defaultNetstreamDriverKeyFile="/opt/sematext/rsyslog/machine-key.pem"
defaultNetstreamDriverCertFile="/opt/sematext/rsyslog/machine-cert.pem"
)
# Main message queue: an in-memory linked list that becomes disk-assisted
# because queue.filename is set. It buffers messages while the remote
# receiver is slow or unreachable.
main_queue(
queue.type="LinkedList"
# Maximum number of queued messages.
queue.size="2000000"
# Messages handed to the actions per batch.
queue.dequeueBatchSize="1000"
# Delay inserted between dequeue operations (microseconds per the rsyslog
# queue documentation), which throttles the output rate.
queue.dequeueslowdown="10000"
# Spool location and file prefix for the on-disk part of the queue.
# NOTE(review): spooled files contain raw log content; the directory
# should not be readable or writable by other local users - confirm.
queue.spoolDirectory="/mnt/rsyslog/queues"
queue.filename="main_queue"
# Per-file size and total disk budget for the spool. When the budget is
# exhausted new messages can no longer be spooled, so a long outage or a
# flood on the open inputs can still lead to message loss.
queue.maxfilesize="100m"
queue.maxdiskspace="2g"
# Start writing to disk at 20000 in-memory messages, stop below 10000.
queue.highwatermark="20000"
queue.lowwatermark="10000"
# Persist queued messages to disk on shutdown instead of dropping them.
queue.saveonshutdown="on"
)
# Network listeners. No address restriction is set on any of them in this
# file, so which hosts can reach them has to be limited elsewhere (host
# firewall / security groups). Everything accepted here is forwarded under
# this installation's token.

# Plain TCP syslog on 514: unencrypted and unauthenticated.
input(type="imptcp" port="514")
# UDP syslog on 514: unencrypted, unauthenticated, and the source address
# of a datagram can be forged.
input(type="imudp" port="514")
# TLS syslog on 10514 (imtcp module settings: TLS required, AuthMode "anon",
# i.e. encrypted but clients are not authenticated).
input(type="imtcp" port="10514")
# RELP on 20514; no TLS parameters are set on this input.
# NOTE(review): imrelp supports TLS per input - consider enabling it if
# this port is reachable across untrusted networks.
input(type="imrelp" port="20514")
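# "lumberjack": JSON document for messages whose payload mmjsonparse parsed
# successfully. Fixed syslog metadata comes first, then the parsed fields
# are appended.
#
# Every field that originates from the sender is written with format="json"
# so that quotes, backslashes and control characters cannot break out of the
# string and add or overwrite keys in the indexed document. This matters
# here because global() turns off control-character escaping on receive.
template(name="lumberjack" type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
    # The hostname is normally taken from the received message, so it is
    # escaped like the other sender-supplied fields.
    constant(value="\",\"host\":\"")        property(name="hostname" format="json")
    # Severity and facility names are derived from the numeric PRI value.
    constant(value="\",\"severity\":\"")    property(name="syslogseverity-text" caseConversion="upper")
    constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
    constant(value="\",\"syslog-tag\":\"")  property(name="syslogtag" format="json")
    constant(value="\",\"source\":\"")      property(name="app-name" format="json")
    # $!all-json is the parsed payload rendered as a JSON object;
    # position.from="2" skips its opening brace so its fields continue the
    # object started above.
    # NOTE(review): the payload is sender-controlled and may repeat keys
    # such as "host" or "@timestamp"; how the receiver resolves duplicate
    # keys decides which value is indexed - confirm before relying on these
    # fields for attribution.
    constant(value="\",")                   property(name="$!all-json" position.from="2")
}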
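# "plain": JSON document for messages that are not JSON themselves. The raw
# message text goes into a single "message" string.
#
# Every field that originates from the sender is written with format="json"
# so that quotes, backslashes and control characters cannot break out of the
# string and add or overwrite keys in the indexed document. This matters
# here because global() turns off control-character escaping on receive.
template(name="plain" type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
    # The hostname is normally taken from the received message, so it is
    # escaped like the other sender-supplied fields.
    constant(value="\",\"host\":\"")        property(name="hostname" format="json")
    # Severity and facility names are derived from the numeric PRI value.
    constant(value="\",\"severity\":\"")    property(name="syslogseverity-text" caseConversion="upper")
    constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
    constant(value="\",\"syslog-tag\":\"")  property(name="syslogtag" format="json")
    constant(value="\",\"source\":\"")      property(name="app-name" format="json")
    constant(value="\",\"message\":\"")     property(name="msg" format="json")
    constant(value="\"}")
}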
# First processing step: replace every invalid UTF-8 sequence with "?" so
# later JSON parsing and the indexer never see malformed text. It has to run
# before the parser and output actions below.
action(
name="main_utf8fix"
type="mmutf8fix"
replacementChar="?"
)
# Second step: try to parse the message payload as JSON (CEE). The result is
# exposed as $parsesuccess, and on success the fields land in the $! tree
# that the "lumberjack" template emits. The parsed content is
# sender-controlled and must be treated as untrusted data downstream.
action(
name="main_cee_parser"
type="mmjsonparse"
)
# Route by parse result: JSON messages go out with the "lumberjack" template
# as type "syslog-cee", everything else with the "plain" template as type
# "syslog". Both actions send bulk requests over HTTPS (port 443) to the
# same receiver.
#
# searchIndex is a placeholder (TOKEN_GOES_HERE). Once the real token is
# filled in, this file holds a write credential for the logging account:
# keep it readable only by the account rsyslog runs as and out of public
# repositories.
# No option relaxing certificate verification is set on either action; keep
# it that way so the receiver's identity is checked.
if $parsesuccess == "OK" then {
action(
name="es_json"
type="omelasticsearch"
server="logsene-token-receiver.prod.sematext.com"
serverport="443"
usehttps="on"
template="lumberjack"
searchIndex="TOKEN_GOES_HERE"
searchType="syslog-cee"
bulkmode="on"
# Retry a failed delivery 5 times, 60 seconds apart.
# NOTE(review): with a finite retry count, messages may be dropped once the
# retries are exhausted - confirm this is the intended loss behaviour.
action.resumeRetryCount="5"
action.resumeInterval="60"
)
} else {
action(
name="es_nojson"
type="omelasticsearch"
server="logsene-token-receiver.prod.sematext.com"
serverport="443"
usehttps="on"
template="plain"
searchIndex="TOKEN_GOES_HERE"
searchType="syslog"
bulkmode="on"
# Same retry policy as es_json: 5 attempts, 60 seconds apart.
action.resumeRetryCount="5"
action.resumeInterval="60"
)
}