Last active
February 24, 2021 03:37
-
-
Save pando85/75f06fb9a3b67788342e700fa8365674 to your computer and use it in GitHub Desktop.
rsyslog configuration omelasticsearch with docker
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Ignore logs kibana | |
| #:syslogtag, isequal, "kibana:" stop | |
| #Ignore daemon severity | |
| #daemon.* stop | |
| #Ignore facility cron | |
| #cron.* stop | |
| #Ignore logs elasticsearch | |
| #:HOSTNAME, isequal, "elasticsearch-01" stop | |
| # Provides TCP syslog reception | |
| ## make gtls driver the default | |
| #$DefaultNetstreamDriver gtls | |
| # | |
| ## certificate files | |
| #$DefaultNetstreamDriverCAFile /etc/pki/ca-trust/source/anchors/ca.cert.pem | |
| #$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.key | |
| #$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.crt | |
| # | |
| #$ActionSendStreamDriverAuthMode x509/name | |
| #$ActionSendStreamDriverPermittedPeer {{ default_network }} | |
| #$ActionSendStreamDriverMode 1 # run driver in TLS-only mode | |
| # For outputting to Elasticsearch | |
| module(load="omelasticsearch") | |
| index names to be like: logstash-YYYY.MM.DD | |
| template(name="logstash-index" | |
| type="list") { | |
| constant(value="logstash-") | |
| property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="4") | |
| constant(value=".") | |
| property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7") | |
| constant(value=".") | |
| property(name="timereported" dateFormat="rfc3339" position.from="9" position.to="10") | |
| } | |
| matting our syslog in JSON with @timestamp | |
| template(name="plain-syslog" | |
| type="list" | |
| option.json="on") { | |
| constant(value="{") | |
| constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339") | |
| constant(value="\",\"message\":\"") property(name="msg") | |
| constant(value="\",\"host\":\"") property(name="hostname") | |
| constant(value="\",\"severity\":\"") property(name="syslogseverity-text") | |
| constant(value="\",\"facility\":\"") property(name="syslogfacility-text") | |
| constant(value="\",\"syslogtag\":\"") property(name="syslogtag") | |
| constant(value="\",\"programname\":\"") property(name="programname") | |
| constant(value="\"}") | |
| } | |
| template(name="docker-syslog" | |
| type="list" | |
| option.json="on") { | |
| constant(value="{") | |
| constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339") | |
| constant(value="\",\"message\":\"") property(name="msg") | |
| constant(value="\",\"host\":\"") property(name="hostname") | |
| constant(value="\",\"severity\":\"") property(name="syslogseverity-text") | |
| constant(value="\",\"facility\":\"") property(name="syslogfacility-text") | |
| constant(value="\",\"syslogtag\":\"") property(name="syslogtag") | |
| constant(value="\",\"programname\":\"") property(name="programname") | |
| constant(value="\",\"container\":\"") property(name="syslogtag" securepath="replace" regex.expression="docker/\\(.*\\)\\[" regex.submatch="1") | |
| constant(value="\"}") | |
| } | |
| template(name="nginx-syslog" | |
| type="list" | |
| option.json="on") { | |
| constant(value="{") | |
| constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339") | |
| constant(value="\",\"message\":\"") property(name="msg") | |
| constant(value="\",\"remote_user\":\"") property(name="msg" regex.expression="[^-]- ([^ ]*) .*" regex.submatch="1" regex.type="ERE") | |
| constant(value="\",\"request\":\"") property(name="msg" regex.expression="[^-]- ([^ ]*) .*\\] \\\"([^\\\"]*)\\\" .*" regex.submatch="2" regex.type="ERE") | |
| constant(value="\",\"status\":\"") property(name="msg" regex.expression="[^-]- ([^ ]*) .*\\] \\\"([^\\\"]*)\\\" ([0-9]*) .*" regex.submatch="3" regex.type="ERE") | |
| constant(value="\",\"bytes_sent\":") property(name="msg" regex.expression="[^-]- ([^ ]*) .*\\] \\\"([^\\\"]*)\\\" ([0-9]*) ([0-9]*) .*" regex.submatch="4" regex.type="ERE") | |
| constant(value=",\"http_referer\":\"") property(name="msg" regex.expression="[^-]- ([^ ]*) .*\\] \\\"([^\\\"]*)\\\" ([0-9]*) ([0-9]*) \\\"([^\\\"]*)\\\" .*" regex.submatch="5" regex.type="ERE") | |
| constant(value="\",\"http_user_agent\":\"") property(name="msg" regex.expression="[^-]- ([^ ]*) .*\\] \\\"([^\\\"]*)\\\" ([0-9]*) ([0-9]*) \\\"([^\\\"]*)\\\" \\\"([^\\\"]*)\\\".*" regex.submatch="6" regex.type="ERE") | |
| constant(value="\",\"client_ip\":\"") property(name="msg" regex.expression="[^-]- ([^ ]*) .*\\] \\\"([^\\\"]*)\\\" ([0-9]*) ([0-9]*) \\\"([^\\\"]*)\\\" \\\"([^\\\"]*)\\\" \\\"([^\\\"]*)\\\".*" regex.submatch="7" regex.type="ERE" regex.nomatchmode="BLANK") | |
| constant(value="\",\"host\":\"") property(name="hostname") | |
| constant(value="\",\"severity\":\"") property(name="syslogseverity-text") | |
| constant(value="\",\"facility\":\"") property(name="syslogfacility-text") | |
| constant(value="\",\"syslogtag\":\"") property(name="syslogtag") | |
| constant(value="\",\"programname\":\"") constant(value="nginx") | |
| constant(value="\",\"container\":\"") property(name="syslogtag" securepath="replace" regex.expression="docker/\\(.*\\)\\[" regex.submatch="1") | |
| constant(value="\"}") | |
| } | |
| # Send logs to Elasticsearch | |
| if ($programname == 'docker') then { | |
| if ($syslogtag contains 'nginx') then { | |
| action(type="omelasticsearch" | |
| server="127.0.0.1" | |
| serverport="9200" | |
| template="nginx-syslog" | |
| searchIndex="logstash-index" | |
| dynSearchIndex="on") | |
| } else { | |
| action(type="omelasticsearch" | |
| server="127.0.0.1" | |
| serverport="9200" | |
| template="docker-syslog" | |
| searchIndex="logstash-index" | |
| dynSearchIndex="on") | |
| } | |
| } else { | |
| action(type="omelasticsearch" | |
| server="127.0.0.1" | |
| serverport="9200" | |
| template="plain-syslog" | |
| searchIndex="logstash-index" | |
| dynSearchIndex="on") | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment