Rsyslog » История » Версия 8
Константин Пильник, 2022-12-01 17:12
| 1 | 5 | Константин Пильник | h1. nginx -> rsyslog -> rsyslog-elasticsearch -> elasticsearch |
|---|---|---|---|
| 2 | |||
| 3 | 6 | Константин Пильник | apt install rsyslog-elasticsearch |
| 4 | |||
| 5 | 5 | Константин Пильник | <pre><code class="perl"> |
| 6 | module(load="omelasticsearch") |
||
| 7 | module(load="mmjsonparse") |
||
| 8 | |||
| 9 | template(name="template_nginx_yyyy_mm_dd" type="list") { |
||
| 10 | constant(value="nginx-") |
||
| 11 | property(name="timereported" dateformat="year") |
||
| 12 | constant(value=".") |
||
| 13 | property(name="timereported" dateformat="month") |
||
| 14 | constant(value=".") |
||
| 15 | property(name="timereported" dateformat="day") |
||
| 16 | } |
||
| 17 | |||
| 18 | template(name="template_msg_to_json" type="list") { |
||
| 19 | property(name="$!msg") |
||
| 20 | } |
||
| 21 | |||
| 22 | if ($programname == "nginx") then { |
||
| 23 | action(type="mmjsonparse") |
||
| 24 | action(type="omelasticsearch" |
||
| 25 | server=["https://es1.domain.tld:443", "https://es2.domain.tld:443", "https://es3.domain.tld:443"] |
||
| 26 | uid="elastic" |
||
| 27 | pwd="secret" |
||
| 28 | template="template_msg_to_json" |
||
| 29 | dynSearchIndex="on" |
||
| 30 | searchIndex="template_nginx_yyyy_mm_dd" |
||
| 31 | searchType="nginx" |
||
| 32 | bulkmode="on" |
||
| 33 | maxbytes="100m" |
||
| 34 | queue.type="linkedlist" |
||
| 35 | queue.size="5000" |
||
| 36 | queue.dequeuebatchsize="300" |
||
| 37 | action.resumeretrycount="-1" |
||
| 38 | ) |
||
| 39 | } |
||
| 40 | </code></pre> |
||
| 41 | |||
| 42 | h4. nginx/conf.d/log_format.conf |
||
| 43 | |||
| 44 | 7 | Константин Пильник | <pre><code class="perl"> |
| 45 | 8 | Константин Пильник | # access_log syslog:server=unix:/dev/log,tag=nginx,nohostname default_json; |
| 46 | 5 | Константин Пильник | log_format default_json escape=json |
| 47 | '{' |
||
| 48 | '"args":"$args",' |
||
| 49 | '"bytes_sent":"$bytes_sent",' |
||
| 50 | '"connection": "$connection",' |
||
| 51 | '"connection_requests": "$connection_requests",' |
||
| 52 | '"hostname": "$hostname",' |
||
| 53 | '"http_referrer":"$http_referer",' |
||
| 54 | '"http_user_agent":"$http_user_agent",' |
||
| 55 | '"remote_addr":"$remote_addr",' |
||
| 56 | '"remote_port":"$remote_port",' |
||
| 57 | '"remote_user":"$remote_user",' |
||
| 58 | '"request":"$request",' |
||
| 59 | '"request_length":"$request_length",' |
||
| 60 | '"request_method":"$request_method",' |
||
| 61 | '"request_time":"$request_time",' |
||
| 62 | '"scheme": "$scheme",' |
||
| 63 | '"server_name": "$server_name",' |
||
| 64 | '"server_protocol": "$server_protocol",' |
||
| 65 | '"status": "$status",' |
||
| 66 | '"time_local":"$time_iso8601",' |
||
| 67 | '"upstream_addr": "$upstream_addr",' |
||
| 68 | '"upstream_response_time": "$upstream_response_time",' |
||
| 69 | '"upstream_status": "$upstream_status",' |
||
| 70 | '"uri": "$uri"' |
||
| 71 | '}'; |
||
| 72 | </code></pre> |
||
| 73 | |||
| 74 | 1 | Константин Пильник | h1. rsyslog -> elasticsearch |
| 75 | |||
| 76 | <pre><code class="perl"> |
||
| 77 | # elasticsearch |
||
| 78 | module(load="omelasticsearch") |
||
| 79 | template(name="elastic_date_template" type="list") { |
||
| 80 | constant(value="rsyslog-") |
||
| 81 | property(name="timereported" dateformat="year") |
||
| 82 | constant(value=".") |
||
| 83 | property(name="timereported" dateformat="month") |
||
| 84 | constant(value=".") |
||
| 85 | property(name="timereported" dateformat="day") |
||
| 86 | } |
||
| 87 | |||
| 88 | template(name="elastic_msg_template" type="list" option.json="on") { |
||
| 89 | constant(value="{") |
||
| 90 | constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339") |
||
| 91 | constant(value="\",\"message\":\"") property(name="msg") |
||
| 92 | constant(value="\",\"host\":\"") property(name="hostname") |
||
| 93 | constant(value="\",\"severity\":\"") property(name="syslogseverity-text") |
||
| 94 | constant(value="\",\"facility\":\"") property(name="syslogfacility-text") |
||
| 95 | constant(value="\",\"syslogtag\":\"") property(name="syslogtag") |
||
| 96 | constant(value="\",\"programname\":\"") property(name="programname") |
||
| 97 | constant(value="\",\"procid\":\"") property(name="procid") |
||
| 98 | constant(value="\"}") |
||
| 99 | } |
||
| 100 | |||
| 101 | action( |
||
| 102 | type="omelasticsearch" |
||
| 103 | server="127.0.0.1" |
||
| 104 | serverport="9200" |
||
| 105 | 4 | Константин Пильник | usehttps="off" |
| 106 | 1 | Константин Пильник | uid="elastic" |
| 107 | pwd="mypass1" |
||
| 108 | template="elastic_msg_template" |
||
| 109 | dynSearchIndex="on" |
||
| 110 | searchIndex="elastic_date_template" |
||
| 111 | 2 | Константин Пильник | searchType="rsyslog" |
| 112 | 1 | Константин Пильник | bulkmode="on" |
| 113 | maxbytes="100m" |
||
| 114 | queue.type="linkedlist" |
||
| 115 | queue.size="5000" |
||
| 116 | queue.dequeuebatchsize="300" |
||
| 117 | action.resumeretrycount="-1" |
||
| 118 | ) |
||
| 119 | </code></pre> |