# Load modules.
# imudp / imtcp provide the network listeners declared under "Inputs".
# No TLS stream driver is configured anywhere in this file, so traffic on
# those listeners is cleartext and the sending host is not authenticated.
module(load="imudp")
module(load="imtcp")

# Defaults inherited by every omfile action below: files and directories that
# rsyslog creates are owned by uid/gid 0, directories get mode 0750 and files
# 0640 (no access for "other"). zstd is the driver used when an action asks
# for compression via zipLevel.
module(
    load="builtin:omfile"
    dirCreateMode="0750"
    dirOwnerNum="0"
    dirGroupNum="0"
    fileCreateMode="0640"
    fileOwnerNum="0"
    fileGroupNum="0"
    compression.driver="zstd"
)
# Global configuration.
global(
    # Directory for rsyslog's own work files.
    workDirectory="/var/lib/rsyslog"
    #stdlog.channelspec="on"

    # Size limit for a single message.
    maxMessageSize="16K"

    # Sender tracking: remember which hosts have sent messages and report
    # when a previously unseen sender appears or a known one goes quiet.
    # Both reports are useful signals for spotting unexpected log sources
    # and sources that have stopped logging.
    senders.keepTrack="on"
    senders.reportNew="on"
    senders.reportGoneAway="on"
    # 2419200 seconds = 28 days without traffic before a sender counts as gone.
    senders.timeoutAfter="2419200"
)
# Inputs.
# NOTE(review): none of these listeners sets an address parameter or uses TLS,
# so they presumably accept cleartext syslog on every interface - confirm, and
# restrict the ports to the expected log sources at the firewall. Everything
# that arrives here (hostname, app-name, procid, msgid, msg) is asserted by
# the sender and has to be treated as untrusted in the rulesets.

# Syslog over UDP -> ruleset "syslog".
input(
    type="imudp"
    port="25414"
    ruleset="syslog"
)

# NOTE(review): no ruleset named "httplog" is defined in this file; it has to
# be provided elsewhere (for example by an included file) for this binding to
# be valid - confirm.
input(
    type="imudp"
    port="25415"
    ruleset="httplog"
)

# Syslog over TCP -> ruleset "syslog" (same port number as the UDP listener).
input(
    type="imtcp"
    port="25414"
    ruleset="syslog"
)
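# Rulesets.

# Line formats used by the actions below. template() is a configuration
# object rather than a ruleset statement, so both are declared here, ahead of
# the ruleset, instead of inside its body.
# Timestamps are rendered in UTC / RFC 3339; escape-cc on %msg% escapes
# control characters supplied by the sender before the line is written.
template(name="LogLineSingleHost" type="string" string="%timereported:::date-utc,date-rfc3339% %$.host% %pri-text% %$.proc% %$.id% :%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n")
template(name="LogLineAllHosts" type="string" string="%timereported:::date-utc,date-rfc3339% %hostname% %pri-text% %$.proc% %$.id% :%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n")

# FIXME(review): unfinished per-host file-name template, kept exactly as found
# but commented out: its string mixes a path prefix with the line format and
# the path part is never completed, so it cannot be loaded as written. No
# action in this file references it.
# Before it is used as a dynamic file name: $.host is derived from the
# hostname field supplied by the sender, so it must not reach the path
# unfiltered. Apply the secpath-replace property option to it (as the older
# LogHostFile draft further down does for HOSTNAME) so that a hostname
# containing path separators cannot redirect the output file.
#template(name="LogFileeSingleHost" type="string" string="/tmp/logs/%$.host%/
#%timereported:::date-utc,date-rfc3339% %$.host% %pri-text% %$.proc% %$.id% :%msg:::sp-if-no-1st-sp%%msg:::escape-cc,drop-last-lf%\n")

ruleset(name="syslog") {
    # Split the sender-supplied hostname at its first dot:
    #   $.host   = first label, lower-cased
    #   $.domain = everything after the first dot, lower-cased, or
    #              "unknown_domain" when the regex does not match
    set $.host = tolower(field($hostname, ".", 1));
    set $.domain = tolower(re_extract($hostname, '[^.]+\\.(.*)', 0, 1, "unknown_domain"));

    # $.proc: "app[pid]" when a usable procid is present, the bare app-name
    # otherwise, "-" when there is no app-name at all.
    # Fix: the inner assignment used to replace $.proc with just "[pid]",
    # dropping the app-name that had been stored a line earlier.
    if ($app-name != "") then {
        if ($procid != "" and $procid != "-") then {
            set $.proc = $app-name & '[' & $procid & ']';
        } else {
            set $.proc = $app-name;
        }
    } else {
        set $.proc = '-';
    }

    # $.id: the message id, or "-" when the message carries none.
    if ($msgid != "") then {
        set $.id = $msgid;
    } else {
        set $.id = '-';
    }

    # FIXME: Log each facility to the AllHosts logs. Compression?
    # NOTE(review): auth/authpriv records are written below /tmp, a directory
    # every local account can write to, by a daemon that creates its files as
    # uid 0. Treat this path as test-only; a production destination should be
    # a directory only root can modify (for example under /var/log).
    # Note also that this path uses /tmp/log while the draft template above
    # uses /tmp/logs.
    # asyncWriting with flushInterval="5" means up to about five seconds of
    # records can still be in the buffer if the daemon stops abruptly.
    if prifilt("auth.*,authpriv.*") then {
        action(
            type="omfile"
            file="/tmp/log/AllHosts/auth"
            template="LogLineAllHosts"
            zipLevel="6"
            asyncWriting="on"
            flushInterval="5"
            ioBufferSize="64k"
        )
    }
    # FIXME: the branches for the remaining facilities were only a placeholder
    # in the draft ("} else if ... then {") and still have to be written.

    # Everything at severity info or above, written with omfile's default
    # line format.
    if prifilt("*.info") then {
        action(type="omfile" file="/var/log/info.log")
    }
}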
#template(name="SyslogLineFormat" type="list") {
# property(name="timereported" dateFormat="rfc3339" caseConversion="lower") # Timestamp yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
# constant(value=" ")
# property(name="hostname") # Hostname
# constant(value=" ")
# property(name="syslogfacility") # Facility
# constant(value=".")
# property(name="syslogpriority") # Log priority
# constant(value=" ")
# property(name="syslogtag") # Syslog tag
# constant(value=": ")
# property(name="msg") # Message content
# constant(value="\n")
#}
#template(name="LogHostFile" type="string" string="/mnt/Data/logs/%HOSTNAME:::escape-cc,secpath-replace%/
#%TIMESTAMP:::date-utc,date-year%/%TIMESTAMP:::date-utc,date-month%/%TIMESTAMP:::date-utc,date-day%/
# %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

#template(name="LogAllHostsFile" type="string" string="/mnt/Data/logs/AllHosts/
#%TIMESTAMP:::date-utc,date-year%/%TIMESTAMP:::date-utc,date-month%/%TIMESTAMP:::date-utc,date-day%/
# %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")
#VMWare: RFC 5424
# Parser.
#parser(
# name="FIXME"
# type="pmnormalize"
# rule=[
# "rule=:<%pri:number%> %fromhost-ip:ipv4% %hostname:word% %syslogtag:char-to:\\x3a%: %msg:rest%",
# "rule=:<%pri:number%> %hostname:word% %fromhost-ip:ipv4% %syslogtag:char-to:\\x3a%: %msg:rest%"
# ]
#)
# Rules
#ruleset(name="outp" parser="custom.pmnormalize") {
# action(type="omfile" File="/tmp/output")
#}
# Outputs.
# This action sits outside any ruleset() block, i.e. in the default ruleset.
# NOTE(review): all inputs declared in this file are bound to named rulesets,
# so their messages do not pass through here; and LogLineSingleHost prints
# $.host, $.proc and $.id, which are only assigned inside ruleset "syslog" -
# confirm this action is meant to live at top level.
# NOTE(review): /tmp is writable by every local account; keep this path for
# testing only and use a root-controlled directory for real log data.
action(
    type="omfile"
    file="/tmp/messages"
    template="LogLineSingleHost"
)
# Include additional configurations.
# Every file matching the glob becomes part of this daemon's configuration,
# so /etc/rsyslog.d and the files in it should be writable by root only.
# mode="optional": a pattern that matches nothing is not treated as an error.
include(
    file="/etc/rsyslog.d/*.conf"
    mode="optional"
)
### Examples ####

# Send all logs to remote syslog via UDP.
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
# NOTE(review): with protocol="udp" an unreachable receiver is generally not
# detected, so the spool only guards against loss dependably with
# protocol="tcp".
#*.* action(
# type="omfwd"
# target="192.168.0.1"
# port="514"
# protocol="udp"
# queue.filename="fwdRule1" # unique name prefix for spool files
# queue.type="LinkedList"
# queue.maxDiskSpace="256m"
# queue.saveOnShutdown="on"
# action.resumeRetryCount="-1"
# action.resumeInterval="30"
#)