Hello,
I have an ElasticStack setup, and am looking at simplifying the footprint. As such I have setup an rsyslog server, which will ship the logs to logstash, store in elasticsearch, and viewable in Kibana.
Using guides found online, on the rsyslog server I have this JSON template:
template(name="json-template"
  type="list") {
    constant(value="{")
      constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
      constant(value="\",\"@version\":\"1")
      constant(value="\",\"message\":\"")     property(name="msg" format="json")
      constant(value="\",\"sysloghost\":\"")  property(name="hostname")
      constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
      constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
      constant(value="\",\"programname\":\"") property(name="programname")
      constant(value="\",\"procid\":\"")      property(name="procid")
    constant(value="\"}\n")
}
Simple output file on rsyslog:
# This line sends all lines to the defined IP address at port 10514,
# using the "json-template" format template
*.*                         @192.168.19.122:10514;json-template
And in logstash the input file is as so:
# This input block will listen on port 10514 for logs to come in.
# host should be an IP on the Logstash server.
# codec => "json" indicates that we expect the lines we're receiving to be in JSON format
# type => "rsyslog" is an optional identifier to help identify messaging streams in the pipeline.
input {
  udp {
    host => "192.168.19.122"
    port => 10514
    codec => "json"
    type => "rsyslog"
  }
}

# This is an empty filter block. You can later add other filters here to further process
# your log lines
filter { }

# This output block will send all events of type "rsyslog" to Elasticsearch at the configured
# host and port into daily indices of the pattern, "rsyslog-YYYY.MM.DD"
output {
  if [type] == "rsyslog" {
    elasticsearch {
      hosts => [ "192.168.19.122:9200" ]
    }
  }
}
My issue, whether I specifically name the index or not, is that the index name becomes this:
%{[@metadata][beat]}-%{[@metadata][version]}-2018.04.18
Any idea what I've got wrong?
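As an added illustration (not part of the original post and not rsyslog or Logstash code), this script mirrors the json-template above constant-for-constant and property-for-property, renders a constructed syslog event with it, and decodes the result the way the UDP input with codec => "json" would. The sample event values are constructed, and json_escape only approximates rsyslog's format="json" property option.

```python
import json

# Constructed sample of the rsyslog properties for one event (not from the original post).
# The message deliberately contains a double quote and a backslash to exercise escaping.
SAMPLE_EVENT = {
    "timereported": "2018-04-18T10:15:32.123456+00:00",
    "msg": 'Failed password for invalid user "admin" from 10.0.0.5 port 4242 ssh2 (C:\\tmp)',
    "hostname": "web-01",
    "syslogseverity-text": "info",
    "syslogfacility-text": "authpriv",
    "programname": "sshd",
    "procid": "1234",
}


def json_escape(value: str) -> str:
    """Approximation of rsyslog's format="json" property option: escape backslashes,
    double quotes and control characters so the value fits inside a JSON string literal."""
    return json.dumps(value, ensure_ascii=False)[1:-1]


def render_json_template(e: dict) -> str:
    """Concatenate the template's constant() and property() pieces in order.
    Note that in the template only "msg" carries format="json"; the other
    properties are inserted verbatim, exactly as done here."""
    return (
        "{"
        + '"@timestamp":"' + e["timereported"]
        + '","@version":"1'
        + '","message":"' + json_escape(e["msg"])
        + '","sysloghost":"' + e["hostname"]
        + '","severity":"' + e["syslogseverity-text"]
        + '","facility":"' + e["syslogfacility-text"]
        + '","programname":"' + e["programname"]
        + '","procid":"' + e["procid"]
        + '"}\n'
    )


def decode_like_logstash(line: str) -> dict:
    """What the udp input with codec => "json" turns one datagram into."""
    return json.loads(line)


if __name__ == "__main__":
    rendered = render_json_template(SAMPLE_EVENT)
    print(rendered, end="")
    print(decode_like_logstash(rendered)["message"])
```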