Merge pull request #154 from friedl/gelf

Gelf doc tutorial
Rainer Gerhards 2015-05-04 11:21:55 +02:00
commit 16de803723
2 changed files with 69 additions and 0 deletions

@ -0,0 +1,68 @@
GELF forwarding in rsyslog
==========================
*Written by Florian Riedl*
Situation
---------
The current setup has a system with rsyslog as the central syslog server
and a system with Graylog for storage and analyzing the log messages.
Graylog expects the log messages to arrive in GELF (Graylog Extended Log
Format).
Changing the default log format to GELF
---------------------------------------
To make rsyslog send GELF we basically need to create a custom template.
This template will define the format in which the log messages will get
sent to Graylog.
::
template(name="gelf" type="list") {
constant(value="{\"version\":\"1.1\",")
constant(value="\"host\":\"")
property(name="hostname")
constant(value="\",\"short_message\":\"")
property(name="msg" format="json")
constant(value="\",\"timestamp\":\"")
property(name="timegenerated" dateformat="unixtimestamp")
constant(value="\",\"level\":\"")
property(name="syslogseverity")
constant(value="\"}")
}
This is a typical representation in the list format with all the necessary
fields and format definitions that Graylog expects.
Applying the template to a syslog action
----------------------------------------
The next step is applying the template to our output action. Since we
are forwarding log messages to Graylog, this is usually a syslog sending
action.
::
# syslog forwarder via UDP
action(type="omfwd" target="graylogserver" port="514" protocol="udp" template="gelf")
We now have a syslog forwarding action. This uses the omfwd module. Please
note that the case above only works for UDP transport. When using TCP,
Graylog expects a Nullbyte as message delimiter. This is currently not
possible with rsyslog.
Conclusion
----------
With this quick and easy setup you can feed Graylog with the correct
log message format so it can do its work. This case can be applied to
a lot of different scenarios as well, but with different templates.
This documentation is part of the `rsyslog <http://www.rsyslog.com/>`_
project.
Copyright © 2008 by `Rainer Gerhards <http://www.gerhards.net/rainer>`_
and `Adiscon <http://www.adiscon.com/>`_. Released under the GNU GPL
version 2 or higher.
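Review bot: in the `gelf` template, `property(name="hostname")` is emitted inside a JSON string without `format="json"`, while `msg` does get it; on a central syslog server the hostname comes from the remote sender's message header, so a value containing a double quote or backslash would yield malformed JSON or let a sender inject extra GELF fields into the record. Suggest `property(name="hostname" format="json")`. Secondary point: `timestamp` and `level` are wrapped in `\"` and therefore arrive as JSON strings, whereas GELF 1.1 defines both as numbers; emitting them unquoted, i.e. `constant(value="\",\"timestamp\":")`, `constant(value=",\"level\":")` and a closing `constant(value="}")`, would match the spec.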

@ -12,3 +12,4 @@ Tutorials
recording_pri
failover_syslog_server
log_rotation_fix_size
gelf_forwarding