forked from ISTI-ansible-roles/ansible-roles
71 lines
2.8 KiB
Django/Jinja
71 lines
2.8 KiB
Django/Jinja
{% if rsys_logfiles is defined %}
|
|
{% if rsyslog_use_inotify %}
|
|
module(load="imfile" mode="inotify" )
|
|
{% else %}
|
|
module(load="imfile" mode="polling" PollingInterval="10" )
|
|
{% endif %}
|
|
{% for log in rsys_logfiles %}
|
|
input(
|
|
Type="imfile"
|
|
File="{{ log.logfile }}"
|
|
Tag="{{ log.log_tag }}"
|
|
)
|
|
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% if rsyslog_use_elasticsearch_module %}
|
|
module(load="omelasticsearch")
|
|
|
|
{% if rsyslog_use_queues %}
|
|
main_queue(
|
|
queue.size="{{ rsyslog_main_queue_size }}" # capacity of the main queue
|
|
queue.debatchsize="{{ rsyslog_main_queue_debatchsize }}" # process messages in batches of 1000 and move them to the action queues
|
|
queue.workerthreads="{{ rsyslog_main_queue_workerthreads }}" # threads for the main queue
|
|
)
|
|
{% endif %}
|
|
|
|
template(name="logstash-index"
|
|
type="list") {
|
|
constant(value="logstash-")
|
|
property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="4")
|
|
constant(value=".")
|
|
property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7")
|
|
constant(value=".")
|
|
property(name="timereported" dateFormat="rfc3339" position.from="9" position.to="10")
|
|
}
|
|
|
|
# this is for formatting our syslog in JSON with @timestamp
|
|
template(name="plain-syslog"
|
|
type="list") {
|
|
constant(value="{")
|
|
constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
|
|
constant(value="\"received_at\":\"") property(name="timereported" dateFormat="rfc3339")
|
|
constant(value="\",\"host\":\"") property(name="hostname")
|
|
constant(value="\",\"received_from\":\"") property(name="hostname")
|
|
constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
|
|
constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
|
|
constant(value="\",\"tag\":\"") property(name="syslogtag" format="json")
|
|
constant(value="\",\"message\":\"") property(name="msg" format="json")
|
|
constant(value="\"}")
|
|
}
|
|
# this is where we actually send the logs to Elasticsearch ({{ rsys_elasticsearch_collector_host }}:{{ rsys_elasticsearch_collector_port }})
|
|
*.* action(type="omelasticsearch"
|
|
template="plain-syslog"
|
|
searchIndex="logstash-index"
|
|
dynSearchIndex="on"
|
|
{% if rsyslog_use_queues %}
|
|
bulkmode="on"
|
|
queue.dequeuebatchsize="{{ rsyslog_action_queue_debatchsize }}" # ES bulk size
|
|
queue.size="{{ rsyslog_action_queue_size }}" # capacity of the action queue
|
|
queue.workerthreads="{{ rsyslog_action_queue_workerthreads }}" # workers for the action
|
|
action.resumeretrycount="{{ rsyslog_action_resumeretrycount }}"
|
|
{% endif %}
|
|
server="{{ rsys_elasticsearch_collector_host }}"
|
|
serverport="{{ rsys_elasticsearch_collector_port }}"
|
|
)
|
|
{% else %}
|
|
# Send all to the logstash server
|
|
*.* @@{{ rsys_logstash_collector_host }}:{{ rsys_logstash_collector_port }}
|
|
{% endif %}
|
|
|