Rsyslog configuration to forward logs to elasticsearch in batch and in a Kibana-compatable format

rsyslog-elasticsearch.conf

# /etc/rsyslog.d/31-elasticsearch.conf
# send syslog messages to logstash/kibana

module(load="omelasticsearch") # for outputting to Elasticsearch
# this is for index names to be like: logstash-YYYY.MM.DD
template(name="logstash-index"
  type="list") {
    constant(value="logstash-")
    property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="4")
    constant(value=".")
    property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7")
    constant(value=".")
    property(name="timereported" dateFormat="rfc3339" position.from="9" position.to="10")
}

# this is for formatting our syslog in JSON with @timestamp
template(name="plain-syslog"
  type="list"
  option.json="on") {
    constant(value="{")
      constant(value="\"@timestamp\":\"")  property(name="timereported" dateFormat="rfc3339")
      constant(value="\",\"host\":\"")     property(name="hostname")
      constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
      constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
      constant(value="\",\"tag\":\"")      property(name="syslogtag")
      constant(value="\",\"message\":\"")  property(name="msg")
    constant(value="\"}")
}

# this is where we actually send the logs to Elasticsearch (localhost:9200 by default)
action(type="omelasticsearch"
    server="search-abc-dqponupmwzoyt5ndrrblrkjqoy.us-east-1.es.amazonaws.com"
    serverport="80"
    template="plain-syslog"
    searchIndex="logstash-index"
    searchType="syslog"
    bulkmode="on"
    queue.type="linkedlist"
    queue.size="5000"
    queue.dequeuebatchsize="300"
    action.resumeretrycount="-1"
)