@pando85
Last active February 24, 2021 03:37
rsyslog configuration omelasticsearch with docker
#Ignore logs kibana
#:syslogtag, isequal, "kibana:" stop
#Ignore daemon severity
#daemon.* stop
#Ignore facility cron
#cron.* stop
#Ignore logs elasticsearch
#:HOSTNAME, isequal, "elasticsearch-01" stop
# Provides TCP syslog reception
## make gtls driver the default
#$DefaultNetstreamDriver gtls
#
## certificate files
#$DefaultNetstreamDriverCAFile /etc/pki/ca-trust/source/anchors/ca.cert.pem
#$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.key
#$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.crt
# NOTE: the two paths above look swapped (CertFile points at a .key, KeyFile at a .crt); correct them before enabling the TLS block
#
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer {{ default_network }}
#$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
# For outputting to Elasticsearch: loads the omelasticsearch output module
# once, which is required before any action(type="omelasticsearch") below
# can be declared.
module(load="omelasticsearch")
# this is for index names to be like: logstash-YYYY.MM.DD
# Dynamic index name "logstash-YYYY.MM.DD", built by slicing the message
# timestamp rendered in RFC 3339 form (YYYY-MM-DDTHH:MM:SS...):
# characters 1-4 = year, 6-7 = month, 9-10 = day, joined with ".".
# Referenced by the action() blocks at the bottom via
# searchIndex="logstash-index" dynSearchIndex="on".
# The slice is taken from timereported, i.e. the time stamp carried in the
# message itself, so a sender that supplies a bogus timestamp chooses the
# index its events land in; use "timegenerated" if the receiver's clock
# should decide instead.
template(name="logstash-index"
         type="list") {
  constant(value="logstash-")
  # year
  property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="4")
  constant(value=".")
  # month
  property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7")
  constant(value=".")
  # day
  property(name="timereported" dateFormat="rfc3339" position.from="9" position.to="10")
}
# this is for formatting our syslog in JSON with @timestamp
# One JSON document per message for everything that is not docker output.
# option.json="on" makes rsyslog JSON-escape every property() value, so
# quotes, backslashes and control characters inside msg or the tag cannot
# break out of their string and forge extra fields; constant() text is
# emitted verbatim and therefore carries the JSON structure itself.
# NOTE(review): the time field is named "timestamp", not "@timestamp" as
# the comment above suggests; Logstash-style index patterns usually key on
# @timestamp -- confirm against the index mapping / Kibana index pattern.
template(name="plain-syslog"
         type="list"
         option.json="on") {
  constant(value="{")
  constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
  constant(value="\",\"message\":\"") property(name="msg")
  constant(value="\",\"host\":\"") property(name="hostname")
  constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
  constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
  constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
  constant(value="\",\"programname\":\"") property(name="programname")
  constant(value="\"}")
}
# Same document as plain-syslog plus a "container" field: the text between
# "docker/" and "[" in the syslogtag (a tag of the form docker/NAME[pid]:
# yields NAME).  No regex.type is given, so the pattern is a BRE and uses
# \(...\) grouping.  securepath="replace" is a property-replacer option for
# values used in file paths (presumably it rewrites "/" in the result); it
# should be a no-op for ordinary container names.
# As in plain-syslog, option.json="on" escapes every property() value.
template(name="docker-syslog"
         type="list"
         option.json="on") {
  constant(value="{")
  constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
  constant(value="\",\"message\":\"") property(name="msg")
  constant(value="\",\"host\":\"") property(name="hostname")
  constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
  constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
  constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
  constant(value="\",\"programname\":\"") property(name="programname")
  # container name extracted from the tag; the submatch is the first BRE group
  constant(value="\",\"container\":\"") property(name="syslogtag" securepath="replace" regex.expression="docker/\\(.*\\)\\[" regex.submatch="1")
  constant(value="\"}")
}
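# Access-log lines from the nginx container, split into fields.  Each field
# is re-derived from the same left-anchored prefix of the log line
# (remote_user, "request", status, bytes, "referer", "user agent", a 7th
# quoted field), so every pattern below is the previous one plus one capture
# group.  Expected line shape (nginx "combined" plus one extra quoted field):
#   ADDR - USER [time] "REQUEST" STATUS BYTES "REFERER" "AGENT" "EXTRA"
# The 7th quoted field is not part of nginx's default combined format;
# presumably the log_format appends $http_x_forwarded_for -- confirm.  If
# so, "client_ip" is a client-supplied header value and must not be trusted
# for access decisions.
#
# Fix: every regex property now carries regex.nomatchmode.  Without it the
# default (DFLT) emits the literal marker **NO MATCH** whenever the line is
# not an access-log line (e.g. nginx error output routed through the same
# tag).  For the quoted fields that marker was merely misleading, but
# "bytes_sent" is emitted unquoted as a JSON number, so the marker produced
# a document Elasticsearch rejects as malformed JSON and the whole event was
# lost.  bytes_sent uses "ZERO" (emits 0, still a valid number); the string
# fields use "BLANK" (empty string).  When the pattern matches, bytes_sent
# is digits only ([0-9]*), so the unquoted number stays valid.
# option.json="on" JSON-escapes every property() value; constant() text is
# emitted verbatim.
template(name="nginx-syslog"
         type="list"
         option.json="on") {
  constant(value="{")
  constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
  constant(value="\",\"message\":\"") property(name="msg")
  # group 1: remote_user (text after "- ")
  constant(value="\",\"remote_user\":\"") property(name="msg" regex.expression="[^-]- ([^ ]*) .*" regex.submatch="1" regex.type="ERE" regex.nomatchmode="BLANK")
  # group 2: the quoted request line following "]"
  constant(value="\",\"request\":\"") property(name="msg" regex.expression="[^-]- ([^ ]*) .*\\] \\\"([^\\\"]*)\\\" .*" regex.submatch="2" regex.type="ERE" regex.nomatchmode="BLANK")
  # group 3: numeric status
  constant(value="\",\"status\":\"") property(name="msg" regex.expression="[^-]- ([^ ]*) .*\\] \\\"([^\\\"]*)\\\" ([0-9]*) .*" regex.submatch="3" regex.type="ERE" regex.nomatchmode="BLANK")
  # group 4: bytes sent, emitted as an unquoted JSON number -> must never be a non-numeric marker
  constant(value="\",\"bytes_sent\":") property(name="msg" regex.expression="[^-]- ([^ ]*) .*\\] \\\"([^\\\"]*)\\\" ([0-9]*) ([0-9]*) .*" regex.submatch="4" regex.type="ERE" regex.nomatchmode="ZERO")
  # group 5: quoted referer
  constant(value=",\"http_referer\":\"") property(name="msg" regex.expression="[^-]- ([^ ]*) .*\\] \\\"([^\\\"]*)\\\" ([0-9]*) ([0-9]*) \\\"([^\\\"]*)\\\" .*" regex.submatch="5" regex.type="ERE" regex.nomatchmode="BLANK")
  # group 6: quoted user agent
  constant(value="\",\"http_user_agent\":\"") property(name="msg" regex.expression="[^-]- ([^ ]*) .*\\] \\\"([^\\\"]*)\\\" ([0-9]*) ([0-9]*) \\\"([^\\\"]*)\\\" \\\"([^\\\"]*)\\\".*" regex.submatch="6" regex.type="ERE" regex.nomatchmode="BLANK")
  # group 7: extra quoted field (see header note); untrusted if it is a forwarded-for header
  constant(value="\",\"client_ip\":\"") property(name="msg" regex.expression="[^-]- ([^ ]*) .*\\] \\\"([^\\\"]*)\\\" ([0-9]*) ([0-9]*) \\\"([^\\\"]*)\\\" \\\"([^\\\"]*)\\\" \\\"([^\\\"]*)\\\".*" regex.submatch="7" regex.type="ERE" regex.nomatchmode="BLANK")
  constant(value="\",\"host\":\"") property(name="hostname")
  constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
  constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
  constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
  # programname is fixed to "nginx" regardless of the tag (constant, not property)
  constant(value="\",\"programname\":\"") constant(value="nginx")
  # container name from a docker/NAME[pid] tag, BRE grouping (no regex.type given)
  constant(value="\",\"container\":\"") property(name="syslogtag" securepath="replace" regex.expression="docker/\\(.*\\)\\[" regex.submatch="1")
  constant(value="\"}")
}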
# Send logs to Elasticsearch.
# Routing: messages whose programname is "docker" (presumably the docker
# syslog log driver) are split by tag -- a syslogtag containing "nginx" goes
# through the access-log parser (nginx-syslog), every other container through
# docker-syslog; anything else uses plain-syslog.  All three actions write
# to the same local Elasticsearch on 127.0.0.1:9200 (no usehttps= is set,
# so the default plain HTTP is used, which is acceptable only because the
# target is loopback) into the day-based index from the logstash-index
# template (dynSearchIndex="on" makes searchIndex a template name).
# NOTE(review): `contains 'nginx'` is a case-sensitive substring test on the
# whole tag, so any container whose name includes "nginx" is parsed as
# access-log output.  No errorfile= is configured, so documents that
# Elasticsearch rejects are dropped without a trace; consider errorfile="..."
# and an action queue for back-pressure -- confirm against the
# omelasticsearch version in use.
if ($programname == 'docker') then {
  if ($syslogtag contains 'nginx') then {
    # nginx container: parse access-log fields
    action(type="omelasticsearch"
           server="127.0.0.1"
           serverport="9200"
           template="nginx-syslog"
           searchIndex="logstash-index"
           dynSearchIndex="on")
  } else {
    # any other container: generic document plus "container" field
    action(type="omelasticsearch"
           server="127.0.0.1"
           serverport="9200"
           template="docker-syslog"
           searchIndex="logstash-index"
           dynSearchIndex="on")
  }
} else {
  # host / non-docker messages
  action(type="omelasticsearch"
         server="127.0.0.1"
         serverport="9200"
         template="plain-syslog"
         searchIndex="logstash-index"
         dynSearchIndex="on")
}