From 7fb5cfac39f0e46abd3fae7c5b382404a3b4e1df Mon Sep 17 00:00:00 2001
From: Jeff Moe
Date: Thu, 9 Aug 2018 15:47:42 -0600
Subject: [PATCH] Add rsyslog elasticsearch, graylog configs

---
 source/resources/apps/rsyslog/README.md | 7 +++---
 .../resources/apps/rsyslog/elasticsearch.conf | 25 +++++++++++++++++++
 source/resources/apps/rsyslog/graylog.conf | 1 +
 3 files changed, 29 insertions(+), 4 deletions(-)
 create mode 100644 source/resources/apps/rsyslog/elasticsearch.conf
 create mode 100644 source/resources/apps/rsyslog/graylog.conf

diff --git a/source/resources/apps/rsyslog/README.md b/source/resources/apps/rsyslog/README.md
index c992b7f..a590886 100644
--- a/source/resources/apps/rsyslog/README.md
+++ b/source/resources/apps/rsyslog/README.md
@@ -1,7 +1,6 @@
-# Add to /etc/rsyslog.d:
+# Add to /etc/rsyslog.d these files:
-# TCP use two @@.
-# UDP (use this):
-echo "*.* @10.22.22.109:5144;RSYSLOG_SyslogProtocol23Format" > /etc/rsyslog.d/graylog.conf
+elasticsearch.conf
+graylog.conf
 systemctl restart rsyslog
diff --git a/source/resources/apps/rsyslog/elasticsearch.conf b/source/resources/apps/rsyslog/elasticsearch.conf
new file mode 100644
index 0000000..e76e875
--- /dev/null
+++ b/source/resources/apps/rsyslog/elasticsearch.conf
@@ -0,0 +1,25 @@
+module(load="omelasticsearch")
+template(name="rsyslog"
+ type="list"
+ option.json="on") {
+ constant(value="{")
+ constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
+ constant(value="\",\"message\":\"") property(name="msg")
+ constant(value="\",\"host\":\"") property(name="hostname")
+ constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
+ constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
+ constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
+ constant(value="\"}")
+ }
+action(type="omelasticsearch"
+ server="10.22.22.124"
+ serverport="9200"
+ template="rsyslog"
+ searchIndex="rsyslog-index"
+ searchType="rsyslog-type"
+ bulkmode="on"
+ maxbytes="100m"
+ queue.type="linkedlist"
+ queue.size="5000"
+ queue.dequeuebatchsize="300"
+ action.resumeretrycount="-1")
diff --git a/source/resources/apps/rsyslog/graylog.conf b/source/resources/apps/rsyslog/graylog.conf
new file mode 100644
index 0000000..5eeeb4f
--- /dev/null
+++ b/source/resources/apps/rsyslog/graylog.conf
@@ -0,0 +1 @@
+*.* @10.22.22.109:5144;RSYSLOG_SyslogProtocol23Format
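Review bot: The `action(type="omelasticsearch" ...)` block at the end of the hunk sends every message (the action has no filter, so it is unconditional) to 10.22.22.124:9200 over plain HTTP with no credentials, so log content crosses the network in cleartext and the indexing endpoint accepts writes from anything that can reach it. If the Elasticsearch side can terminate TLS, add `usehttps="on"` and `tls.cacert="<CA-cert path>"` to the action and supply `uid`/`pwd` rather than leaving the endpoint open. With `bulkmode="on"`, records that Elasticsearch rejects inside a bulk response may be dropped rather than retried despite `action.resumeretrycount="-1"`; setting `errorfile="<path for rejected records>"` keeps them, but confirm the exact retry behaviour against the rsyslog version in use. The queue is `queue.type="linkedlist"` with no `queue.filename`, so queued messages do not survive an rsyslog restart; if that trade-off is intended, a one-line comment in the file saying so would help the next operator.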
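Review bot: The single `@` in `*.* @10.22.22.109:5144;RSYSLOG_SyslogProtocol23Format` forwards every message to Graylog over UDP, which gives no delivery guarantee, no integrity and no confidentiality, and the README hunk in the same commit removes the hint that `@@` selects TCP. If UDP is a deliberate choice, record the reason as a comment in this file; otherwise `*.* @@10.22.22.109:5144;RSYSLOG_SyslogProtocol23Format` at least makes loss visible on the sender. Where the Graylog input supports it, the `action(type="omfwd" ... Protocol="tcp" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" ...)` form adds TLS with peer authentication, which matters because this config ships the contents of every log line off-host.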