h1. nginx -> rsyslog -> rsyslog-elasticsearch -> elasticsearch
apt install rsyslog-elasticsearch
<pre><code class="perl">
# Ship nginx access logs (one JSON object per request, received over
# syslog with tag "nginx") into an Elasticsearch cluster: each message is
# run through mmjsonparse and indexed into a daily "nginx-YYYY.MM.DD" index.
module(load="omelasticsearch")
module(load="mmjsonparse")
# Index name: "nginx-" + date of the event (timereported), one index per day.
template(name="template_nginx_yyyy_mm_dd" type="list") {
constant(value="nginx-")
property(name="timereported" dateformat="year")
constant(value=".")
property(name="timereported" dateformat="month")
constant(value=".")
property(name="timereported" dateformat="day")
}
# Document body: only $!msg is sent, i.e. the JSON text produced by nginx,
# without the syslog envelope (host, tag, severity). This relies on
# mmjsonparse populating $!msg for an nginx message that carries no CEE
# cookie — confirm against the installed rsyslog version.
template(name="template_msg_to_json" type="list") {
property(name="$!msg")
}
# Only messages whose program name is "nginx" take this path; the name is
# derived from the syslog tag set by nginx's access_log line (tag=nginx).
if ($programname == "nginx") then {
action(type="mmjsonparse")
action(type="omelasticsearch"
# Cluster members, all reached over HTTPS on 443, so the credentials below
# are not sent in clear. Server certificates are verified against the
# system trust store unless allowunsignedcerts/skipverifyhost are switched
# on — keep them at their default "off".
server=["https://es1.domain.tld:443", "https://es2.domain.tld:443", "https://es3.domain.tld:443"]
# Basic-auth credentials are stored in clear text in this file: keep it
# readable by root only and replace the placeholder password.
uid="elastic"
pwd="secret"
template="template_msg_to_json"
# Index name is computed per message from the date template above.
dynSearchIndex="on"
searchIndex="template_nginx_yyyy_mm_dd"
# Mapping type. Elasticsearch 7+ removed mapping types; confirm the target
# cluster still accepts (or ignores) this parameter.
searchType="nginx"
# Batch documents into _bulk requests of at most 100m each.
bulkmode="on"
maxbytes="100m"
# In-memory queue: up to 5000 messages are buffered while the cluster is
# unreachable and dequeued in batches of 300. Buffered messages do not
# survive an rsyslog restart; a disk-assisted queue (queue.filename,
# queue.saveonshutdown) would be needed if access logs must not be lost.
queue.type="linkedlist"
queue.size="5000"
queue.dequeuebatchsize="300"
# Retry indefinitely instead of suspending the action after repeated failures.
action.resumeretrycount="-1"
)
}
</code></pre>
h4. nginx/conf.d/log_format.conf
<pre><code class="perl">
# json for elastic
# access_log syslog:server=unix:/dev/log,tag=nginx,nohostname default_json;
#
# One JSON object per request. escape=json makes nginx escape quotes,
# backslashes and control characters inside every $variable, so the
# request-controlled fields ($args, $request, $uri, $http_user_agent,
# $http_referer) cannot terminate their string or inject extra keys into
# the record. Every value is emitted as a JSON string, including the
# numeric ones (status, bytes_sent, request_time); the index mapping has
# to coerce them if range queries are wanted.
# NOTE(review): a very long request line or header can push the message
# past the syslog transport's size limit and get truncated, which yields
# invalid JSON downstream — confirm the limit for this nginx/rsyslog setup.
log_format default_json escape=json
'{'
'"args":"$args",'
'"bytes_sent":"$bytes_sent",'
'"connection": "$connection",'
'"connection_requests": "$connection_requests",'
'"hostname": "$hostname",'
# Key is spelled "http_referrer"; the nginx variable is $http_referer
# (HTTP "Referer" header) — the mapping must use the key as written here.
'"http_referrer":"$http_referer",'
'"http_user_agent":"$http_user_agent",'
# Address of the direct peer; behind a load balancer or reverse proxy this
# is the proxy, not the client — verify for this deployment.
'"remote_addr":"$remote_addr",'
'"remote_port":"$remote_port",'
'"remote_user":"$remote_user",'
'"request":"$request",'
'"request_length":"$request_length",'
'"request_method":"$request_method",'
'"request_time":"$request_time",'
'"scheme": "$scheme",'
'"server_name": "$server_name",'
'"server_protocol": "$server_protocol",'
'"status": "$status",'
# Key is "time_local" but the value is $time_iso8601 (ISO 8601 with
# timezone offset), which is what the index expects for this field.
'"time_local":"$time_iso8601",'
'"upstream_addr": "$upstream_addr",'
'"upstream_response_time": "$upstream_response_time",'
'"upstream_status": "$upstream_status",'
'"uri": "$uri"'
'}';
</code></pre>
h1. rsyslog -> elasticsearch
<pre><code class="perl">
# elasticsearch
# Ship every message rsyslog receives (no filter) to a local Elasticsearch
# node, one document per syslog record, into a daily "rsyslog-YYYY.MM.DD"
# index.
module(load="omelasticsearch")
# Index name: "rsyslog-" + date of the event (timereported), one index per day.
template(name="elastic_date_template" type="list") {
constant(value="rsyslog-")
property(name="timereported" dateformat="year")
constant(value=".")
property(name="timereported" dateformat="month")
constant(value=".")
property(name="timereported" dateformat="day")
}
# Document body built by hand. option.json="on" JSON-escapes every property
# value, so a message or tag containing quotes or backslashes stays valid
# JSON and cannot add fields to the record.
template(name="elastic_msg_template" type="list" option.json="on") {
constant(value="{")
constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"message\":\"") property(name="msg")
constant(value="\",\"host\":\"") property(name="hostname")
constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
constant(value="\",\"programname\":\"") property(name="programname")
constant(value="\",\"procid\":\"") property(name="procid")
constant(value="\"}")
}
action(
type="omelasticsearch"
# Plain HTTP to the local node: the credentials below travel in clear text,
# which is acceptable only because the target is loopback. Use
# usehttps="on" (with tls.cacert for the CA) if the node is ever moved
# off-host.
server="127.0.0.1"
serverport="9200"
usehttps="off"
# Basic-auth credentials are stored in clear text in this file: keep it
# readable by root only and replace the placeholder password.
uid="elastic"
pwd="mypass1"
template="elastic_msg_template"
# Index name is computed per message from the date template above.
dynSearchIndex="on"
searchIndex="elastic_date_template"
# Mapping type. Elasticsearch 7+ removed mapping types; confirm the target
# version still accepts (or ignores) this parameter.
searchType="rsyslog"
# Batch documents into _bulk requests of at most 100m each.
bulkmode="on"
maxbytes="100m"
# In-memory queue: up to 5000 messages are buffered while the node is
# unreachable and dequeued in batches of 300. Buffered messages do not
# survive an rsyslog restart; a disk-assisted queue (queue.filename,
# queue.saveonshutdown) would be needed if these logs must not be lost.
queue.type="linkedlist"
queue.size="5000"
queue.dequeuebatchsize="300"
# Retry indefinitely instead of suspending the action after repeated failures.
action.resumeretrycount="-1"
)
</code></pre>