我正在尝试配置rsyslog发送日志到logstash,然后将它们转发到elasticsearch。
我创建了一个配置文件/etc/rsyslog.d/60-output.conf,内容如下:
*.* @localhost:10514;json-template
和模板文件/etc/rsyslog.d/01-json-template.conf,其内容如下:
template(name="json-template"
type="list") {
constant(value="{")
constant(value=""@timestamp":"") property(name="timereported" dateFormat="rfc3339")
constant(value="","@version":"1")
constant(value="","message":"") property(name="msg" format="json")
constant(value="","sysloghost":"") property(name="hostname")
constant(value="","severity":"") property(name="syslogseverity-text")
constant(value="","facility":"") property(name="syslogfacility-text")
constant(value="","programname":"") property(name="programname")
constant(value="","procid":"") property(name="procid")
constant(value=""}n")
}
然后重新启动rsyslog服务。对于logstash,我创建了一个配置文件/etc/logstash/conf.d/logstash.conf,内容如下:
input {
udp {
port => 10514
codec => "json"
type => "rsyslog"
}
}
filter { }
output {
if [type] == "rsyslog" {
elasticsearch {
hosts => [ "localhost:9200" ]
}
}
}
然后重新启动logstash.
当我运行sudo netstat -tulpn | grep 10514时,我得到这个:
user@rsyslog-server:/var/log$ sudo netstat -tulpn | grep 10514
udp 0 0 0.0.0.0:10514 0.0.0.0:* 5327/java
表示Logstash正在监听端口10514。
为了验证elasticsearch输入,我运行curl -XGET 'http://localhost:9200/logstash-*/_search?q=*&pretty',但这不会返回任何结果:
{
"took" : 0,
"timed_out" : false,
"_shards" : {
"total" : 0,
"successful" : 0,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 0,
"relation" : "eq"
},
"max_score" : 0.0,
"hits" : [ ]
}
}
我用:
- rsyslogd 8.2208.0 (aka 2022.08)
- logstash 7.17.8
- elastisearch 7.17.8
如何解决这个问题?
配置Rsyslog通过TCP发送日志logstash。Logstash被配置为侦听UDP消息。
通过UDP发送日志,编辑/etc/rsyslog.d/60-output.conf:
*.* @@localhost:10514;json-template # note the second @ sign
为了更清楚,可以使用RainerScript语法,如下所示:
# load omfwd module
module(load="omfwd")
*.* action(type="omfwd" target="127.0.0.1" port="10514" protocol="udp")