База знаний

h1. nginx -> rsyslog -> rsyslog-elasticsearch -> elasticsearch

apt install rsyslog-elasticsearch

<pre><code class="perl">

module(load="omelasticsearch")

module(load="mmjsonparse")

template(name="template_nginx_yyyy_mm_dd" type="list") {

	constant(value="nginx-")

	property(name="timereported" dateformat="year")

	constant(value=".")

	property(name="timereported" dateformat="month")

	constant(value=".")

	property(name="timereported" dateformat="day")

}

template(name="template_msg_to_json" type="list") {

	property(name="$!msg")

}

if ($programname == "nginx") then {

	action(type="mmjsonparse")

	action(type="omelasticsearch"

		server=["https://es1.domain.tld:443", "https://es2.domain.tld:443", "https://es3.domain.tld:443"]

		uid="elastic"

		pwd="secret"

		template="template_msg_to_json"

		dynSearchIndex="on"

		searchIndex="template_nginx_yyyy_mm_dd"

		searchType="nginx"

		bulkmode="on"

		maxbytes="100m"

		queue.type="linkedlist"

		queue.size="5000"

		queue.dequeuebatchsize="300"

		action.resumeretrycount="-1"

	)

}

</code></pre>

h4. nginx/conf.d/log_format.conf

# access_log syslog:server=unix:/dev/log,tag=nginx,nohostname default_json;

<pre><code class="perl">

log_format default_json escape=json

	'{'

		'"args":"$args",'

		'"bytes_sent":"$bytes_sent",'

		'"connection": "$connection",'

		'"connection_requests": "$connection_requests",'

		'"hostname": "$hostname",'

		'"http_referrer":"$http_referer",'

		'"http_user_agent":"$http_user_agent",'

		'"remote_addr":"$remote_addr",'

		'"remote_port":"$remote_port",'

		'"remote_user":"$remote_user",'

		'"request":"$request",'

		'"request_length":"$request_length",'

		'"request_method":"$request_method",'

		'"request_time":"$request_time",'

		'"scheme": "$scheme",'

		'"server_name": "$server_name",'

		'"server_protocol": "$server_protocol",'

		'"status": "$status",'

		'"time_local":"$time_iso8601",'

		'"upstream_addr": "$upstream_addr",'

		'"upstream_response_time": "$upstream_response_time",'

		'"upstream_status": "$upstream_status",'

		'"uri": "$uri"'

	'}';

</code></pre>

h1. rsyslog -> elasticsearch

<pre><code class="perl">

# elasticsearch

module(load="omelasticsearch")

template(name="elastic_date_template" type="list") {

	constant(value="rsyslog-")

	property(name="timereported" dateformat="year")

	constant(value=".")

	property(name="timereported" dateformat="month")

	constant(value=".")

	property(name="timereported" dateformat="day")

}

template(name="elastic_msg_template" type="list" option.json="on") {

	constant(value="{")

	constant(value="\"timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")

	constant(value="\",\"message\":\"")     property(name="msg")

	constant(value="\",\"host\":\"")        property(name="hostname")

	constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")

	constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")

	constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")

	constant(value="\",\"programname\":\"") property(name="programname")

	constant(value="\",\"procid\":\"")      property(name="procid")

	constant(value="\"}")

}

action(

	type="omelasticsearch"

	server="127.0.0.1"

	serverport="9200"

	usehttps="off"

	uid="elastic"

	pwd="mypass1"

	template="elastic_msg_template"

	dynSearchIndex="on"

	searchIndex="elastic_date_template"

	searchType="rsyslog"

	bulkmode="on"

	maxbytes="100m"

	queue.type="linkedlist"

	queue.size="5000"

	queue.dequeuebatchsize="300"

	action.resumeretrycount="-1"

)

</code></pre>