diff --git a/source/resources/apps/rsyslog/README.md b/source/resources/apps/rsyslog/README.md
index c992b7f..a590886 100644
--- a/source/resources/apps/rsyslog/README.md
+++ b/source/resources/apps/rsyslog/README.md
@@ -1,7 +1,6 @@
-# Add to /etc/rsyslog.d:
+# Add to /etc/rsyslog.d these files:
-# TCP use two @@.
-# UDP (use this):
-echo "*.* @10.22.22.109:5144;RSYSLOG_SyslogProtocol23Format" > /etc/rsyslog.d/graylog.conf
+elasticsearch.conf
+graylog.conf
 systemctl restart rsyslog
diff --git a/source/resources/apps/rsyslog/elasticsearch.conf b/source/resources/apps/rsyslog/elasticsearch.conf
new file mode 100644
index 0000000..e76e875
--- /dev/null
+++ b/source/resources/apps/rsyslog/elasticsearch.conf
@@ -0,0 +1,25 @@
+module(load="omelasticsearch")
+template(name="rsyslog"
+ type="list"
+ option.json="on") {
+ constant(value="{")
+ constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
+ constant(value="\",\"message\":\"") property(name="msg")
+ constant(value="\",\"host\":\"") property(name="hostname")
+ constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
+ constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
+ constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
+ constant(value="\"}")
+ }
+action(type="omelasticsearch"
+ server="10.22.22.124"
+ serverport="9200"
+ template="rsyslog"
+ searchIndex="rsyslog-index"
+ searchType="rsyslog-type"
+ bulkmode="on"
+ maxbytes="100m"
+ queue.type="linkedlist"
+ queue.size="5000"
+ queue.dequeuebatchsize="300"
+ action.resumeretrycount="-1")
diff --git a/source/resources/apps/rsyslog/graylog.conf b/source/resources/apps/rsyslog/graylog.conf
new file mode 100644
index 0000000..5eeeb4f
--- /dev/null
+++ b/source/resources/apps/rsyslog/graylog.conf
@@ -0,0 +1 @@
+*.* @10.22.22.109:5144;RSYSLOG_SyslogProtocol23Format
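Review bot: The omelasticsearch action at `server="10.22.22.124" serverport="9200"` ships every syslog record over plain HTTP with no credentials, so the connection to the index is neither encrypted nor authenticated; if the endpoint supports it, add `usehttps="on"` with `uid`/`pwd` (and `tls.cacert` for the trust anchor) so the log pipeline itself is not the weakest link. Separately, `queue.type="linkedlist"` with no `queue.filename` is a purely in-memory queue: together with `action.resumeretrycount="-1"`, an outage of the Elasticsearch host lets the 5000-entry queue fill, after which new events can be dropped, and a rsyslog restart loses whatever is still queued. Adding `queue.filename="<example name>"` and `queue.saveonshutdown="on"` makes the queue disk-assisted and keeps the audit trail intact across outages. A one-line header comment stating the target and format, e.g. `# Index all syslog events as JSON into Elasticsearch (rsyslog-index)`, would also help the next operator.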
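Review bot: The single `@` in `*.* @10.22.22.109:5144;RSYSLOG_SyslogProtocol23Format` selects UDP, so delivery to the Graylog input is unacknowledged and unencrypted: events lost on the wire or during a receiver restart vanish silently, and the receiver has no way to tell genuine records from spoofed ones. The README line this commit removes already pointed at the TCP form; `*.* @@10.22.22.109:5144;RSYSLOG_SyslogProtocol23Format` (with a matching TCP input on the Graylog side) at least gives connection-level delivery, and a disk-assisted action queue covers receiver outages. Consider a leading comment in the file naming the transport and its limits, e.g. `# Forward all facilities to Graylog over UDP (RFC 5424 framing) - no delivery guarantee, no encryption`.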