Last active December 19, 2015 15:18
EPEL 7 rsyslog configuration for forwarding log data as JSON
```
# LIVES in /etc/rsyslog.d/ ***
#
# This is basically the RSYSLOG_SyslogProtocol23Format, which is RFC 5424 on
# the wire, but with the message payload a CEE/Lumberjack JSON document.
template(name="EXAMPLE_SyslogProtocol23Format" type="string"
         string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% @cee:%$!%\n")
$ActionQueueType LinkedList # run asynchronously
$ActionQueueFileName rsyslog1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionResumeRetryCount -1 # infinite retries if host is down
# @@ forwards over plain TCP (a single @ would be UDP); nothing here enables TLS
*.* @@rsyslog.host.com:514;EXAMPLE_SyslogProtocol23Format
```
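What a receiver gets on the wire from the `EXAMPLE_SyslogProtocol23Format` template, as an added example that is not part of the gist: a Python parser that splits the RFC 5424 header, decodes PRI into facility and severity, and rejects payloads that lack the `@cee:` cookie or are not a JSON object. The function name, sample lines, host name and JSON field values are constructed for illustration.

```python
import json
import re

# Header laid out by the EXAMPLE_SyslogProtocol23Format template:
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then STRUCTURED-DATA and payload.
HEADER = re.compile(r"<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (.*)", re.DOTALL)
# One or more [id key="value"] elements; inside a value, ], " and \ arrive escaped.
SD_ELEMENTS = re.compile(r"(?:\[(?:[^\]\\]|\\.)*\])+")
CEE_COOKIE = "@cee:"


def parse_cee_line(line):
    """Parse one forwarded line into header fields plus the decoded JSON payload."""
    m = HEADER.fullmatch(line.rstrip("\n"))
    if m is None:
        raise ValueError("not an RFC 5424 version 1 header")
    pri, timestamp, hostname, app, procid, msgid, rest = m.groups()
    pri = int(pri)
    if pri > 191:  # highest valid value: facility 23 * 8 + severity 7
        raise ValueError("PRI out of range")
    if rest.startswith("- "):  # NILVALUE: no structured data
        sd, msg = "-", rest[2:]
    else:
        sd_match = SD_ELEMENTS.match(rest)
        if sd_match is None or rest[sd_match.end():sd_match.end() + 1] != " ":
            raise ValueError("malformed STRUCTURED-DATA")
        sd, msg = sd_match.group(0), rest[sd_match.end() + 1:]
    if not msg.startswith(CEE_COOKIE):
        raise ValueError("payload lacks the @cee: cookie")
    fields = json.loads(msg[len(CEE_COOKIE):])  # raises ValueError on bad JSON
    if not isinstance(fields, dict):
        raise ValueError("CEE payload must be a JSON object")
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": timestamp,
            "hostname": hostname, "app": app, "procid": procid, "msgid": msgid,
            "structured_data": sd, "fields": fields}


# Constructed sample lines (not captured from a real host).
SAMPLE = ('<86>1 2015-12-19T15:18:00.123456-05:00 web01.example.com sshd 1234 - - '
          '@cee:{"MESSAGE": "Accepted publickey for alice", "_PID": "1234"}\n')
SAMPLE_SD = ('<30>1 2015-12-19T15:18:01+00:00 web01.example.com app - - '
             '[meta@32473 note="a \\] b"] @cee:{"MESSAGE": "ok"}\n')

if __name__ == "__main__":
    print(parse_cee_line(SAMPLE))
```

Every header field, including the host name, is whatever the sender wrote, so a collector should treat the parsed values as claims rather than verified identity.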
```
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####
# The imjournal module below is now used as a message source instead of imuxsock,
# providing access to the systemd journal and /dev/log messages.
$ModLoad imjournal

#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use updated timestamp format for local files
$ActionFileDefaultTemplate RSYSLOG_FileFormat
# perf-dept: we want fully qualified domain names for common logging
$PreserveFQDN on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
```
This assumes just pulling log data from the journal by default. It also updates the local log file format to use better timestamps and include a bit more metadata, see line 19, and turns on FQDN preservation so that central logging warehouses have a better chance of keeping logs separate from different namespaces, see line 22.
This is based off a RHEL 7 default `rsyslog.conf`, which is rsyslog v7 based, but works with rsyslog v8. Notice that we include from `/etc/rsyslog.d/*.conf` to get other configuration setup, so the `0*-*.conf` files need to be placed in `/etc/rsyslog.d/` or another include directory of your choice (appropriately updating the `rsyslog.conf` file).