[rsyslog-notify] Forum Thread: omelasticsearch not sending to logstash,stops local logging - (Mode 'post')
noreply at adiscon.com
Wed Sep 17 12:17:43 CEST 2014
User: devostash
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24935#p24935
Message:
----------
I am running an instance in AWS amazonlinux.
I have upgraded rsyslog to 7.
I installed the omelasticsearch module.
I added the file below in /etc/rsyslog.d. There are no errors, but logs are
not getting sent. I also don't seem to be getting anything sent to local
logs:
logger "this is my message"
It doesn't appear locally or in logstash. tcpdump doesn't show anything being
sent to the port I send logs on.
I'm a newbie to rsyslog, so I am probably doing something stupid while just
following the docs on the site.
somefile.conf ---
# load once per rsyslog instance; if /etc/rsyslog.conf already loads
# imuxsock, drop this line, since rsyslog rejects a second load
module(load="imuxsock")        # for listening to /dev/log
module(load="omelasticsearch") # for outputting to Elasticsearch

# this is for index names to be like: logstash-YYYY.MM.DD
# (position.from/position.to are 1-based, inclusive slices of the
# rfc3339 timestamp, e.g. 2014-09-17T12:17:43+02:00)
template(name="logstash-index" type="list") {
    constant(value="logstash-")
    property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="4")
    constant(value=".")
    property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7")
    constant(value=".")
    property(name="timereported" dateFormat="rfc3339" position.from="9" position.to="10")
}

# this is for formatting our syslog in JSON with @timestamp
# (only tag and msg are json-escaped; the other properties are inserted raw)
template(name="plain-syslog" type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"host\":\"")     property(name="hostname")
    constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
    constant(value="\",\"tag\":\"")      property(name="syslogtag" format="json")
    constant(value="\",\"message\":\"")  property(name="msg" format="json")
    constant(value="\"}")
}

# this is where we actually send the logs to Elasticsearch (localhost:9200
# by default); %%someserver%% / %%someport%% are the poster's placeholders
action(type="omelasticsearch"
       template="plain-syslog"
       server="%%someserver%%"
       serverport="%%someport%%"
       searchIndex="logstash-index"
       dynSearchIndex="on")
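To see what the two templates in that configuration actually produce before pointing the action at a real Elasticsearch server, here is an added Python example (not from the post and not rsyslog code) that emulates the logstash-index and plain-syslog templates on a constructed record; the record values, the rfc3339 slicing and the json-escape approximation are all assumptions made here.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample record (not real log data); keys follow the rsyslog
# property names used in the templates from the post.
SAMPLE = {
    "timereported": datetime(2014, 9, 17, 12, 17, 43,
                             tzinfo=timezone(timedelta(hours=2))),
    "hostname": "ip-10-0-0-1",
    "syslogseverity-text": "notice",
    "syslogfacility-text": "user",
    "syslogtag": "devostash:",
    "msg": ' this is "my" message\\ with a tab\t',
}

def rfc3339(ts):
    # dateFormat="rfc3339" renders as 2014-09-17T12:17:43+02:00
    return ts.isoformat(timespec="seconds")

def json_escape(s):
    # Approximation of format="json": escape quotes, backslashes and
    # control characters, without touching non-ASCII text.
    return json.dumps(s, ensure_ascii=False)[1:-1]

def logstash_index(rec):
    # template "logstash-index": position.from/to are 1-based inclusive,
    # so 1-4, 6-7 and 9-10 of the rfc3339 string are year, month, day.
    t = rfc3339(rec["timereported"])
    return "logstash-" + t[0:4] + "." + t[5:7] + "." + t[8:10]

def plain_syslog(rec):
    # template "plain-syslog": JSON assembled by plain concatenation, just
    # as the constant()/property() list does; only tag and msg are escaped.
    return ('{"@timestamp":"' + rfc3339(rec["timereported"]) +
            '","host":"' + rec["hostname"] +
            '","severity":"' + rec["syslogseverity-text"] +
            '","facility":"' + rec["syslogfacility-text"] +
            '","tag":"' + json_escape(rec["syslogtag"]) +
            '","message":"' + json_escape(rec["msg"]) + '"}')

def render(rec):
    # Returns (index name, parsed document). json.loads raises ValueError
    # if the concatenated template output is not valid JSON, which is the
    # check worth running before Elasticsearch rejects the bulk request.
    return logstash_index(rec), json.loads(plain_syslog(rec))

if __name__ == "__main__":
    idx, doc = render(SAMPLE)
    print(idx, json.dumps(doc))
```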