Add rsyslog elasticsearch, graylog configs

6 years ago · 7fb5cfac39
parent c3828a0f64
commit 7fb5cfac39
3 changed files with 29 additions and 4 deletions
--- a/source/resources/apps/rsyslog/README.md
+++ b/source/resources/apps/rsyslog/README.md
@ -1,7 +1,6 @@
-# Add to /etc/rsyslog.d:
+# Add to /etc/rsyslog.d these files:

-# TCP use two @@.
-# UDP (use this):
-echo "*.* @10.22.22.109:5144;RSYSLOG_SyslogProtocol23Format" > /etc/rsyslog.d/graylog.conf
+elasticsearch.conf
+graylog.conf

 systemctl restart rsyslog
--- a/source/resources/apps/rsyslog/elasticsearch.conf
+++ b/source/resources/apps/rsyslog/elasticsearch.conf
@ -0,0 +1,25 @@
+module(load="omelasticsearch")
+template(name="rsyslog"
+         type="list"
+         option.json="on") {
+           constant(value="{")
+             constant(value="\"timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
+             constant(value="\",\"message\":\"")     property(name="msg")
+             constant(value="\",\"host\":\"")        property(name="hostname")
+             constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
+             constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
+             constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
+           constant(value="\"}")
+         }
+action(type="omelasticsearch"
+       server="10.22.22.124"
+       serverport="9200"
+       template="rsyslog"
+       searchIndex="rsyslog-index"
+       searchType="rsyslog-type"
+       bulkmode="on"
+       maxbytes="100m"
+       queue.type="linkedlist"
+       queue.size="5000"
+       queue.dequeuebatchsize="300"
+       action.resumeretrycount="-1")
--- a/source/resources/apps/rsyslog/graylog.conf
+++ b/source/resources/apps/rsyslog/graylog.conf
@ -0,0 +1 @@
+*.* @10.22.22.109:5144;RSYSLOG_SyslogProtocol23Format
				`@ -0,0 +1 @@`
				`. @10.22.22.109:5144;RSYSLOG_SyslogProtocol23Format`