nxlog -> rsyslog -> logstash -> elasticsearch
# Logstash pipeline skeleton for the nxlog -> rsyslog -> logstash -> elasticsearch
# chain described by this gist; all three stages are still empty.
input {
# presumably a udp (or tcp) input on port 55514, to match the @localhost:55514
# forwarding rules in the accompanying rsyslog.conf — confirm before use
}
filter {
# the rsyslog templates already emit JSON, so parsing the message as JSON is the
# likely next step here — TODO fill in
}
output {
# intended destination is elasticsearch per the gist title — TODO fill in
}
# nxlog.conf for a Windows host: ship Application/System/Security event log
# entries as JSON-in-BSD-syslog over TCP to the rsyslog relay.
# put your install root here, probably C:\Program Files\nxlog
define ROOT C:\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# xm_syslog provides to_syslog_bsd(), xm_json provides to_json(); both are used in the Exec below
<Extension syslog>
Module xm_syslog
</Extension>
<Extension json>
Module xm_json
</Extension>
<Input in>
Module im_msvistalog
# this kinda works for me, put * to get everything
# NOTE: the Security channel carries logon/audit events; with the om_tcp output
# below they leave the host unencrypted, so keep the path to the relay trusted.
# Trailing backslashes continue the Query value onto the next line.
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
# Serialize the whole event into $Message as JSON, then wrap it as a BSD syslog
# line for the TCP output. The rsyslog side (win_nxlog_json template in the
# companion config) embeds $msg verbatim and so relies on it already being JSON.
Exec $Message = to_json(); to_syslog_bsd();
</Input>
<Output out>
# plain TCP: no transport encryption and no authentication of the relay;
# om_ssl is nxlog's TLS counterpart if the rsyslog side is configured for it
Module om_tcp
# obviously put your rsyslog ip here
Host 192.168.x.xxx
Port 514
</Output>
# single route: everything collected by "in" goes to "out"
<Route 1>
Path in => out
</Route>
# rsyslog relay: receive syslog from remote hosts (including nxlog Windows
# senders), forward selected sources to logstash as JSON, archive the rest per host.
#this should(!) be big enough
# must stay above the $ModLoad lines below: the size is fixed when inputs load
$MaxMessageSize 64k
#### MODULES ####
# where we're getting logs from
$ModLoad imuxsock
$ModLoad imklog
# No $UDPServerAddress / $InputTCPServerBindRuleset restriction is set, so both
# listeners accept from any reachable peer; anything that can reach 514 can
# inject messages into the per-host archives below. Restrict at the firewall.
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
# set some access rights to written log files
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
# do NOT escape control chars
# NOTE: with this off, raw control characters (including terminal escape
# sequences) from remote senders reach the files written by the rules below;
# the JSON templates escape via the ":::json" / "jsonf" property options, but
# win_nxlog_json passes %msg% through untouched (see there).
$EscapeControlCharactersOnReceive off
# templates
# classic one-line format used for the on-disk per-host archive
$template TraditionalRFC3164,"<%PRI%>%timereported% %timegenerated% %HOSTNAME% %syslogtag:1:32% %msg:::drop-last-lf%\n"
# one directory per sending host, hostname lower-cased
$template DailyPerHostLogs,"/var/log/remote/%HOSTNAME:::lower%/messages.log"
# json template for logstash
# generic template (cisco, firewall, etc)
# %msg% is JSON-escaped here because these senders emit plain text
$template generic_json,"{%timestamp:::date-rfc3339,jsonf:@timestamp%,%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\",\"@message\":\"%msg:::json%\",\"@fields\":{%syslogfacility-text:::jsonf%,%syslogseverity-text:::jsonf%,%app-name:::jsonf%,%procid:::jsonf%}}"
# windows hosts template (nxlog json)
# %msg% is embedded verbatim (no quotes, no json option) because nxlog's
# "Exec $Message = to_json();" already makes it a JSON object. A non-JSON line
# from a host matched by the windows rule below yields malformed output.
$template win_nxlog_json,"{%timestamp:::date-rfc3339,jsonf:@timestamp%,%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\",\"@message\":%msg%,\"@fields\":{%app-name:::jsonf%,%syslogfacility-text:::jsonf%,%syslogseverity-text:::jsonf%,%procid:::jsonf%}}\n"
# NB: I'm sending to UDP locally, use @@localhost:55514 if need TCP
# '...' below are placeholders for the source IPs of each group of senders
# generic hosts to logstash:
if ($fromhost-ip == '...' or $fromhost-ip == '...' or $fromhost-ip == '...' ) then @localhost:55514;generic_json
# windows hosts to logstash:
if ($fromhost-ip == '...' or $fromhost-ip == '...' or $fromhost-ip == '...' ) then @localhost:55514;win_nxlog_json
# Everything from remote hosts to files goes to disk in folders named by host
# "-?" = async write to the dynamic file name from DailyPerHostLogs
if ($fromhost-ip != '127.0.0.1') then -?DailyPerHostLogs;TraditionalRFC3164
# discard remote messages here so they do not also fall into the local rules below
& ~
# NOTE: use your system's rules for local messages:
# Standard log files. Log by facility.
*.* -/var/log/messages