Log forwarding with quattor
- All the configurations pertaining to rsyslog are in sites/.../config/rsyslog
- rsyslog.pan is handling the quattor filecopy of the conf files
- configs/*.conf are the rsyslog conf file that indicate wich log file to forward
- We use the Module imfile. It is automatically loaded inside base.conf. Also, all syslog locals are forwarded to the log server in this file.
$ModLoad imfile *.* @@log10.wn.iihe.ac.be:5544
- To add a specific file:
- You first need to create a conf file in configs/ , for instance myservice.conf:
$InputFileName /path/to/my/log.log # Complete path to the log file on the machine. Regex are not possible (so no *.log) $InputFileTag myservice: # service name: will be stored into 'program' inside elk, for an easy grep. $InputFileStateFile myservice_accounting # name of the state file (can be whatever). Just to store the file position for which rsyslog has already sent hte log lines. $InputFileFacility local6 # Faclility. Unless you know hwat you want, local6 is fine. Anyway all locals are forwarded (in base.conf) $InputRunFileMonitor # Add the file to the monitored ones using the variables you just set before.
- 2. Then you need to make sure this myservice.conf will be copied to the machine(s) you want to inside its /etc/rsyslogd.d/ and the rsyslogd service is reloaded. For this, edit rsyslog.conf and add:
variable CONTENTS = file_contents('config/rsyslog/configs/myservice.conf'); # Loads the content of myservice.conf into CONTENTS "/software/components/filecopy/services" = if( match(FULL_HOSTNAME,'^mymachine.iihe') ) return( # filecopy service + regex to match host name (optionnal) npush(escape("/etc/rsyslog.d/myservice.conf"), # filename where to copy what's in CONTENTS dict('config',CONTENTS , 'owner','root:root' , 'perms','0644' , 'restart','service rsyslog restart' ) ) ) else SELF; # Nothing to change
- 3. You need to commit + runcheck, then the logs should appear on the kibana dashboard Logstash Search here. To see your logs, type in the Query bar program: myservice .