From ef056358c7ac70412e0429ab46cd74f261f7c38f Mon Sep 17 00:00:00 2001 From: Radu Gheorghe Date: Tue, 12 Mar 2013 19:59:59 +0200 Subject: initial documentation for the Elasticsearch output module --- doc/omelasticsearch.html | 177 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 177 insertions(+) create mode 100644 doc/omelasticsearch.html (limited to 'doc/omelasticsearch.html') diff --git a/doc/omelasticsearch.html b/doc/omelasticsearch.html new file mode 100644 index 00000000..618b7065 --- /dev/null +++ b/doc/omelasticsearch.html @@ -0,0 +1,177 @@ + + + + + Elasticsearch Output Module + + +

+ back

+ Elasticsearch Output Module

+ Module Name: omelasticsearch

+ Author: Rainer Gerhards <rgerhards@adiscon.com>

+ Available since: 6.4.0+

+ Description:

+ This module provides native support for logging to Elasticsearch.

+ Action Parameters:

+ server
+ Host name or IP address of the Elasticsearch server. Defaults to "localhost"
+ serverport
+ HTTP port to connect to Elasticsearch. Defaults to 9200
+ searchIndex
+ Elasticsearch index to send your logs to. Defaults to "system"
+ dynSearchIndex <on/off>
+ Whether the string provided for searchIndex should be taken as a template. Defaults to "off", which means the index name will be taken literally. Otherwise, it will look for a template with that name, and the resulting string will be the index name. For example, let's assume you define a template named "date-days" containing "%timereported:1:10:date-rfc3339%". Then, with dynSearchIndex="on", if you say searchIndex="date-days", each log will be sent to and index named after the first 10 characters of the timestamp, like "2013-03-22".
+ searchType
+ Elasticsearch type to send your index to. Defaults to "events"
+ dynSearchType <on/off>
+ Like dynSearchIndex, it allows you to specify a template for searchType, instead of a static string.
+ asyncrepl <on/off>
+ By default, an indexing operation returns after all replica shards have indexed the document. With asyncrepl="on" it will return after it was indexed on the primary shard only - thus trading some consistency for speed.
+ timeout
+ How long Elasticsearch will wait for a primary shard to be available for indexing your log before sending back an error. Defaults to "1m".
+ template
+ This is the JSON document that will be indexed in Elasticsearch. The resulting string needs to be a valid JSON, otherwise Elasticsearch will return an error. Defaults to:

+$template JSONDefault, "{\"message\":\"%msg:::json%\",\"fromhost\":\"%HOSTNAME:::json%\",\"facility\":\"%syslogfacility-text%\",\"priority\":\"%syslogpriority-text%\",\"timereported\":\"%timereported:::date-rfc3339%\",\"timegenerated\":\"%timegenerated:::date-rfc3339%\"}"
+

+ Which will produce this sort of documents (pretty-printed here for readability):

+ +

+{
+    "message": " this is a test message",
+    "fromhost": "test-host",
+    "facility": "user",
+    "priority": "info",
+    "timereported": "2013-03-12T18:05:01.344864+02:00",
+    "timegenerated": "2013-03-12T18:05:01.344864+02:00"
+}

+ bulkmode <on/off>
+ The default "off" setting means logs are shipped one by one. Each in its own HTTP request, using the Index API. Set it to "on" and it will use Elasticsearch's Bulk API to send multiple logs in the same request. The maximum number of logs sent in a single bulk request depends on your queue settings - usually limited by the dequeue batch size. More information about queues can be found here.
+ parent
+ Specifying a string here will index your logs with that string the parent ID of those logs. Please note that you need to define the parent field in your mapping for that to work. By default, logs are indexed without a parent.
+ dynParent <on/off>
+ Using the same parent for all the logs sent in the same action is quite unlikely. So you'd probably want to turn this "on" and specify a template that will provide meaningful parent IDs for your logs.
+ uid
+ If you have basic HTTP authentication deployed (eg: through the elasticsearch-basic plugin), you can specify your user-name here.
+ pwd
+ Password for basic authentication.

+ Samples:

+ The following sample does the following:

+ loads the omelasticsearch module
+ outputs all logs to Elasticsearch using the default settings

+module(load="omelasticsearch")
+*.*     action(type="omelasticsearch")

+ The following sample does the following:

+ loads the omelasticsearch module
+ defines a template that will make the JSON contain the following properties (more info about what properties you can use here): +
- + RFC-3339 timestamp when the event was generated
- + the message part of the event
- + hostname of the system that generated the message
- + severity of the event, as a string
- + facility, as a string
- + the tag of the event
+
+ outputs to Elasticsearch with the following settings +
- + host name of the server is myserver.local
- + port is 9200
- + JSON docs will look as defined in the template above
- + index will be "test-index"
- + type will be "test-type"
- + activate bulk mode. For that to work effectively, we use an in-memory queue that can hold up to 5000 events. The maximum bulk size will be 300
- + retry indefinitely if the HTTP request failed (eg: if the target server is down)
+

+module(load="omelasticsearch")
+template(name="testTemplate"
+         type="list"
+         option.json="on") {
+           constant(value="{")
+             constant(value="\"timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
+             constant(value="\",\"message\":\"")     property(name="msg")
+             constant(value="\",\"host\":\"")        property(name="hostname")
+             constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
+             constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
+             constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
+           constant(value="\"}")
+         }
+*.* action(type="omelasticsearch"
+           server="myserver.local"
+           serverport="9200"
+           template="testTemplate"
+           searchIndex="test-index"
+           searchType="test-type"
+           bulkmode="on"
+           queue.type="linkedlist"
+           queue.size="5000"
+           queue.dequeuebatchsize="300"
+           action.resumeretrycount="-1")

+ [rsyslog.conf overview] [manual index] [rsyslog site]

+ + + -- cgit v1.2.3