Created
November 27, 2017 08:59
-
-
Save arielshaqed/6b928602248c411b5b743b32b0149ff8 to your computer and use it in GitHub Desktop.
Report from RSyslog to Loggly, handling severity/priority for JSON and logrus.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| module(load="mmjsonparse") | |
| set $.computed_pri = $pri; | |
| # TODO: Better ISO-8601 capture (e.g. this one doesn't handle some leap second representations). | |
| set $.inner_level = re_extract($msg, '^ *time="[1-9][0-9]{3,}-(1[12]|0[1-9])-(3[01]|[12][0-9]|0[1-9])T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])Z" +level=([a-z]+)', 0, 6, ''); | |
| if ($.inner_level == '') then { | |
| action(type="mmjsonparse" cookie="") | |
| if $parsesuccess == 'OK' then set $.inner_level = $!level; | |
| } | |
| # See /usr/include/sys/syslog.h for the values. These are an RFC | |
| # standard. | |
| # | |
| # TODO: If you use other levels, map them here. | |
| if $.inner_level == 'debug' then set $.computed_pri = 7; | |
| else if $.inner_level == 'info' then set $.computed_pri = 6; | |
| else if $.inner_level == 'warn' then set $.computed_pri = 4; | |
| else if $.inner_level == 'error' then set $.computed_pri = 3; | |
| # NOTICE that loggly is very particular about this header format. | |
| # Define the template used for sending logs to Loggly. Do not change this format. | |
| template(name="LogglyFormat" type="string" | |
| string="<%.computed_pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% {{service}} %procid% %msgid% [{{LOGGLY_TOKEN}}@41058 tag=\"YOUR-TAG-HERE\"] %msg%\n" | |
| ) | |
| # Setup disk assisted queues | |
| $WorkDirectory /var/spool/rsyslog # where to place spool files | |
| $ActionQueueFileName fwdRule1 # unique name prefix for spool files | |
| $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) | |
| $ActionQueueSaveOnShutdown on # save messages to disk on shutdown | |
| $ActionQueueType LinkedList # run asynchronously | |
| $ActionResumeRetryCount -1 # infinite retries if host is down | |
| # Send messages to Loggly over TCP using the template. | |
| action(type="omfwd" protocol="tcp" target="logs-01.loggly.com" port="6514" template="LogglyFormat" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="*.loggly.com") | |
| #RsyslogGnuTLS | |
| $DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/logs-01.loggly.com_sha12.crt | |
| # Uncomment to debug. | |
| # *.* /var/log/debugfmt;RSYSLOG_DebugFormat |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment