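# rsyslog (RainerScript) configuration: receives syslog over UDP/TCP on the
# ports below and writes per-host and all-hosts log files with omfile.

# Load modules.
module(load="imudp")
module(load="imtcp")
# omfile defaults: new directories 0750 and new files 0640, both owned by uid/gid 0,
# with zstd as the compression driver for actions that set zipLevel.
module(load="builtin:omfile"
       dirCreateMode="0750" dirOwnerNum="0" dirGroupNum="0"
       fileCreateMode="0640" fileOwnerNum="0" fileGroupNum="0"
       compression.driver="zstd")

# Global configuration.
# NOTE(review): rsyslog documents maxMessageSize as a setting that should precede
# the input module loads; here global() comes after module(load="imudp"/"imtcp").
# Confirm the 16K limit is actually applied to imudp/imtcp, otherwise messages
# above the default size are truncated or split before they reach the rulesets.
global(
    workDirectory="/var/lib/rsyslog"
    #stdlog.channelspec="on"
    maxMessageSize="16K"
    senders.keepTrack="on"
    # 2419200 seconds = 28 days without a message before a sender is reported gone.
    senders.timeoutAfter="2419200"
    senders.reportGoneAway="on"
    senders.reportNew="on"
)

# Inputs.
input(type="imudp" port="25414" ruleset="syslog")
# NOTE(review): no ruleset named "httplog" is defined in this file; presumably it
# is supplied by /etc/rsyslog.d/*.conf (included at the end) — confirm, otherwise
# this binding cannot be resolved and messages on 25415 have nowhere to go.
input(type="imudp" port="25415" ruleset="httplog")
input(type="imtcp" port="25414" ruleset="syslog")

# Rulesets.
ruleset(name="syslog") {
    # $.host   = lower-cased part of HOSTNAME before the first dot (so it never
    #            contains a "." itself).
    # $.domain = lower-cased remainder after the first dot, or "unknown_domain".
    # Both derive from the sender-supplied HOSTNAME header of an unauthenticated
    # UDP/TCP message, so treat them as untrusted wherever they end up in a path.
    set $.host = tolower(field($hostname, ".", 1));
    set $.domain = tolower(re_extract($hostname, '[^.]+\\.(.*)', 0, 1, "unknown_domain"));

    # $.proc = "app-name[procid]", "app-name" when PROCID is empty or "-",
    #          and "-" when APP-NAME is empty.
    # Fix: the inner assignment previously replaced $.proc with just "[procid]",
    # dropping the program name from every line that carried a PROCID.
    if ($app-name != "") then {
        set $.proc = $app-name;
        if ($procid != "" and $procid != "-") then {
            set $.proc = $app-name & '[' & $procid & ']';
        }
    } else {
        set $.proc = '-';
    }

    # $.id = MSGID, or "-" when absent.
    if ($msgid != "") then {
        set $.id = $msgid;
    } else {
        set $.id = '-';
    }

    # Line formats. %msg% uses escape-cc so control characters from the sender are
    # escaped instead of being written raw into the log file; sp-if-no-1st-sp keeps
    # the single-space separator before the message body.
    template(name="LogLineSingleHost" type="string"
             string="%timereported:::date-utc,date-rfc3339% %$.host% %pri-text% %$.proc% %$.id% :%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n")
    # NOTE(review): %hostname% is written unescaped here while %msg% is not; the
    # same escape-cc option could be applied to it if raw header bytes are a concern.
    template(name="LogLineAllHosts" type="string"
             string="%timereported:::date-utc,date-rfc3339% %hostname% %pri-text% %$.proc% %$.id% :%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n")

    # FIXME: Log each facility to the AllHosts logs. Compression?
    # FIXME: the `else if ...` below is a literal placeholder condition; rsyslog
    # cannot parse this file until it is completed.
    # NOTE(review): output paths are split between /tmp/log, /tmp/logs, /tmp/messages
    # and /var/log/info.log. Log files under /tmp live in a world-writable directory
    # (symlink and tmp-cleaner races); confirm the /tmp paths are placeholders.
    if prifilt("auth.*,authpriv.*") then {
        action(type="omfile" file="/tmp/log/AllHosts/auth" template="LogLineAllHosts"
               zipLevel="6" asyncWriting="on" flushInterval="5" ioBufferSize="64k")
    } else if ... then {
        # NOTE(review): this template is defined but not referenced in this file, and
        # its string joins a file path and a log line, so it looks unfinished.
        # Fix: the leading %$.host% is a path component taken from the remote sender;
        # secpath-replace neutralises "/" in it so a crafted HOSTNAME cannot steer the
        # path outside /tmp/logs/. The second %$.host% is a plain field and unchanged.
        template(name="LogFileeSingleHost" type="string"
                 string="/tmp/logs/%$.host:::secpath-replace%/ %timereported:::date-utc,date-rfc3339% %$.host% %pri-text% %$.proc% %$.id% :%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n")
        if prifilt("*.info") then {
            action(type="omfile" file="/var/log/info.log")
        }
    }
}

#template(name="SyslogLineFormat" type="list") {
#    property(name="timereported" dateFormat="rfc3339" caseConversion="lower")  # Timestamp yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
#    constant(value=" ")
#    property(name="hostname")          # Hostname
#    constant(value=" ")
#    property(name="syslogfacility")    # Facility
#    constant(value=".")
#    property(name="syslogpriority")    # Log priority
#    constant(value=" ")
#    property(name="syslogtag")         # Syslog tag
#    constant(value=": ")
#    property(name="msg")               # Message content
#    constant(value="\n")
#}

#template(name="LogHostFile" type="string" string="/mnt/Data/logs/%HOSTNAME:::escape-cc,secpath-replace%/
#%TIMESTAMP:::date-utc,date-year%/%TIMESTAMP:::date-utc,date-month%/%TIMESTAMP:::date-utc,date-day%/
# %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")
#template(name="LogAllHostsFile" type="string" string="/mnt/Data/logs/AllHosts/
#%TIMESTAMP:::date-utc,date-year%/%TIMESTAMP:::date-utc,date-month%/%TIMESTAMP:::date-utc,date-day%/
# %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

#VMWare: RFC 5424

# Parser.
#parser(
#    name="FIXME"
#    type="pmnormalize"
#    rule=[
#        "rule=:<%pri:number%> %fromhost-ip:ipv4% %hostname:word% %syslogtag:char-to:\\x3a%: %msg:rest%",
#        "rule=:<%pri:number%> %hostname:word% %fromhost-ip:ipv4% %syslogtag:char-to:\\x3a%: %msg:rest%"
#    ]
#)

# Rules
#ruleset(name="outp" parser="custom.pmnormalize") {
#    action(type="omfile" File="/tmp/output")
#}

# Outputs.
# NOTE(review): this action is in the default ruleset. Every input above binds to
# "syslog" or "httplog", and $.host/$.proc/$.id are only set inside ruleset "syslog",
# so presumably this only sees messages from inputs defined in included files and
# renders those variables empty — confirm this is intended.
action(type="omfile" file="/tmp/messages" template="LogLineSingleHost")

# Include additional configurations.
include(file="/etc/rsyslog.d/*.conf" mode="optional")

### Examples ####

# Send all logs to remote syslog via UDP.
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#*.* action(
#    type="omfwd"
#    target="192.168.0.1"
#    port="514"
#    protocol="udp"
#    queue.filename="fwdRule1"          # unique name prefix for spool files
#    queue.type="LinkedList"
#    queue.maxDiskSpace="256m"
#    queue.saveOnShutdown="on"
#    action.resumeRetryCount="-1"
#    action.resumeInterval="30"
#)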