Update syslog documentation
This commit is contained in:
parent
a63c0dda94
commit
5ec50b28ed
|
@ -75,6 +75,18 @@ $ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
|
||||||
|
|
||||||
# forward over tcp with octet framing according to RFC 5425
|
# forward over tcp with octet framing according to RFC 5425
|
||||||
*.* @@(o)127.0.0.1:6514;RSYSLOG_SyslogProtocol23Format
|
*.* @@(o)127.0.0.1:6514;RSYSLOG_SyslogProtocol23Format
|
||||||
|
|
||||||
|
# uncomment to use udp according to RFC 5424
|
||||||
|
#*.* @127.0.0.1:6514;RSYSLOG_SyslogProtocol23Format
|
||||||
|
```
|
||||||
|
|
||||||
|
You can alternately use `advanced` format (aka RainerScript):
|
||||||
|
```
|
||||||
|
# forward over tcp with octet framing according to RFC 5425
|
||||||
|
action(type="omfwd" Protocol="tcp" TCP_Framing="octet-counted" Target="127.0.0.1" Port="6514" Template="RSYSLOG_SyslogProtocol23Format")
|
||||||
|
|
||||||
|
# uncomment to use udp according to RFC 5424
|
||||||
|
#action(type="omfwd" Protocol="udp" Target="127.0.0.1" Port="6514" Template="RSYSLOG_SyslogProtocol23Format")
|
||||||
```
|
```
|
||||||
|
|
||||||
To complete TLS setup please refer to [rsyslog docs](https://www.rsyslog.com/doc/v8-stable/tutorials/tls.html).
|
To complete TLS setup please refer to [rsyslog docs](https://www.rsyslog.com/doc/v8-stable/tutorials/tls.html).
|
||||||
|
@ -91,18 +103,40 @@ To complete TLS setup please refer to [rsyslog docs](https://www.rsyslog.com/doc
|
||||||
- version (integer)
|
- version (integer)
|
||||||
- severity_code (integer)
|
- severity_code (integer)
|
||||||
- facility_code (integer)
|
- facility_code (integer)
|
||||||
- timestamp (integer)
|
- timestamp (integer): the time recorded in the syslog message
|
||||||
- procid (string)
|
- procid (string)
|
||||||
- msgid (string)
|
- msgid (string)
|
||||||
- sdid (bool)
|
- sdid (bool)
|
||||||
- *Structured Data* (string)
|
- *Structured Data* (string)
|
||||||
|
- timestamp: the time the messages was received
|
||||||
|
|
||||||
|
#### Structured Data
|
||||||
|
|
||||||
|
Structured data produces field keys by combining the `SD_ID` with the `PARAM_NAME` combined using the `sdparam_separator` as in the following example:
|
||||||
|
```
|
||||||
|
170 <165>1 2018-10-01:14:15.000Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] An application event log entry...
|
||||||
|
```
|
||||||
|
```
|
||||||
|
syslog,appname=evntslog,facility=local4,hostname=mymachine.example.com,severity=notice exampleSDID@32473_eventID="1011",exampleSDID@32473_eventSource="Application",exampleSDID@32473_iut="3",facility_code=20i,message="An application event log entry...",msgid="ID47",severity_code=5i,timestamp=1065910455003000000i,version=1i 1538421339749472344
|
||||||
|
```
|
||||||
|
|
||||||
### Troubleshooting
|
### Troubleshooting
|
||||||
|
|
||||||
The syslog plugin does not yet support RFC3164 format data. You may see the following error when this syslog format is received:
|
You can send debugging messages directly to the input plugin using netcat:
|
||||||
``
|
|
||||||
|
```sh
|
||||||
|
# TCP with octet framing
|
||||||
|
echo "57 <13>1 2018-10-01T12:00:00.0Z example.org root - - - test" | nc 127.0.0.1 6514
|
||||||
|
|
||||||
|
# UDP
|
||||||
|
echo "<13>1 2018-10-01T12:00:00.0Z example.org root - - - test" | nc -u 127.0.0.1 6514
|
||||||
|
```
|
||||||
|
|
||||||
|
#### RFC3164
|
||||||
|
|
||||||
|
RFC3164 encoded messages are not currently supported. You may see the following error if a message encoded in this format:
|
||||||
|
```
|
||||||
E! Error in plugin [inputs.syslog]: expecting a version value in the range 1-999 [col 5]
|
E! Error in plugin [inputs.syslog]: expecting a version value in the range 1-999 [col 5]
|
||||||
```
|
```
|
||||||
|
|
||||||
You can use rsyslog to translate RFC3164 syslog messages to RFC5424 or RFC5425 format.
|
You can use rsyslog to translate RFC3164 syslog messages into RFC5424 format.
|
||||||
|
|
Loading…
Reference in New Issue