remote syslog via rsyslog's relp module
This is a config for rsyslogd with RELP
I am setting up rsyslog to send all of its logs to a remote log collection server where I will store them on disk.
Later I will talk about how I have used logstash to pull in these files once on the system.
I won’t bother posting the default lines almost all rsyslog config files will have.
I set up some basic UDP collectors for legacy devices:
$ModLoad imudp
$UDPServerAddress 0.0.0.0
$UDPServerRun 514
Then load the RELP module to provide more reliable TCP logging. I am going to have mine communicate on TCP port 1088:
$ModLoad imrelp
$InputRELPServerRun 1088
The other two custom options I have set are for preserving the FQDN, because I need the full name to differentiate devices in different cities:
$PreserveFQDN on
I also turn off repeated-message reduction so that the systems I plan to implement can count messages accurately:
$RepeatedMsgReduction off
Now on the client side all I have to do is load the RELP output module and forward all messages using the *.* selector:
$ModLoad omrelp
*.* :omrelp:remotesyslog.example.org:1088;RSYSLOG_ForwardFormat
I am also using the RSYSLOG_ForwardFormat to preserve the severity and priority when the message is sent.
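To show what the two choices above actually buy you at the collector, here is a small parser for the lines that land on disk. It is an added example, not code from the original post: it assumes the collector writes each forwarded line verbatim (so the <PRI> prefix emitted by RSYSLOG_ForwardFormat is still present, and facility and severity can be recovered from it), that $PreserveFQDN on left the full host name in place, and that the second label of the host name (e.g. "nyc" in web01.nyc.example.org) names the city; the sample log lines are constructed. Hosts that arrive without a dotted name are reported separately, since that is the symptom of a sender that did not preserve the FQDN.

```python
"""Parse lines that rsyslog wrote using the RSYSLOG_ForwardFormat template.

Added example (not from the original post). Assumes the collector stores
forwarded lines verbatim: <PRI>RFC3339-TIMESTAMP HOSTNAME TAG MSG, where
PRI = facility * 8 + severity. The site-from-hostname rule is an assumption.
"""
import re
from collections import Counter, defaultdict

FORWARD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                        # <PRI>
    r"(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+(?:Z|[+-]\d{2}:\d{2}))\s"  # RFC 3339 timestamp
    r"(?P<host>\S+)\s"                                            # hostname (FQDN if preserved)
    r"(?P<tag>\S+)\s?"                                            # syslogtag, e.g. sshd[2231]:
    r"(?P<msg>.*)$"                                               # message text
)

# RFC 5424 facility / severity numbering.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
             + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample input: three FQDN hosts in two cities, one legacy UDP
# device without an FQDN, and one line in the old BSD format with no <PRI>.
SAMPLE_LINES = [
    "<38>2024-03-01T08:15:42.123456+01:00 web01.nyc.example.org sshd[2231]: "
    "Accepted publickey for deploy from 10.0.0.5 port 50122 ssh2",
    "<78>2024-03-01T08:16:00.000001+01:00 web01.sfo.example.org CRON[418]: "
    "(root) CMD (run-parts /etc/cron.hourly)",
    "<3>2024-03-01T08:16:05.500000+01:00 db01.nyc.example.org kernel: "
    "Out of memory: Killed process 1042 (postgres)",
    "<13>2024-03-01T08:16:10.000000+01:00 legacy-switch root: port 12 link down",
    "Mar  1 08:16:12 legacy-switch root: port 12 link up",
]


def decode_pri(pri: int):
    """Split a PRI value into (facility, severity) names; raises if out of range."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_forward_line(line: str):
    """Return a dict of fields for one RSYSLOG_ForwardFormat line, or None if it does not match."""
    m = FORWARD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return {
        "facility": facility,
        "severity": severity,
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"].rstrip(":"),
        "msg": m["msg"],
    }


def site_of(host: str):
    """Assumption: with $PreserveFQDN on, the second label (e.g. 'nyc') names the city."""
    labels = host.split(".")
    return labels[1] if len(labels) >= 3 else None


def summarize(lines):
    """Count messages per host and severity, per site, and list hosts that lack an FQDN."""
    per_host = defaultdict(Counter)
    per_site = Counter()
    non_fqdn = []
    unparsed = 0
    for line in lines:
        rec = parse_forward_line(line)
        if rec is None:
            unparsed += 1          # not in forward format: old BSD syslog line, noise, etc.
            continue
        per_host[rec["host"]][rec["severity"]] += 1
        site = site_of(rec["host"])
        if site is None:
            if rec["host"] not in non_fqdn:
                non_fqdn.append(rec["host"])   # sender did not preserve the FQDN
        else:
            per_site[site] += 1
    return {
        "per_host": {h: dict(c) for h, c in per_host.items()},
        "per_site": dict(per_site),
        "non_fqdn_hosts": non_fqdn,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Because $RepeatedMsgReduction is off on the collector, every event is its own line, so the per-host severity counts in summarize() are real counts rather than "last message repeated N times" markers that would need to be expanded first.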
I think we both did the same sort of thing after looking at Graylog2, but I ended up with a Python-based listener service injecting logs into a Postgres database. I've been wanting to work more with solr for some time now. Will review what you have and will see where I can expand it. Thanks for the post!
tom