Is there any way to add a tag to logs which are sent by rsyslog? I send these logs to another server, and I can detect the source IP at the destination, but I need to add the tag at the source.
1 Answer
You should be able to match the hostname of the system emitting your log. Isn't that enough?
Rsyslog has an option $PreserveFQDN on, to replace that hostname with your FQDN, which is probably better with syslog concentrators, ...
I suppose on the other end you have some logstash or elasticsearch? Either way, rsyslog also allows you to define templates such as:
    # load the output module used by the omelasticsearch action below
    module(load="omelasticsearch")

    template(name="jsonfmt" type="list" option.json="on") {
        constant(value="{")
        constant(value="\"@timestamp\":\"")
        property(name="timereported" dateFormat="rfc3339")
        constant(value="\",\"@version\":\"1")
        constant(value="\",\"message\":\"")
        property(name="msg")
        constant(value="\",\"@fields.host\":\"")
        property(name="hostname")
        constant(value="\",\"@fields.severity\":\"")
        property(name="syslogseverity-text")
        constant(value="\",\"@fields.facility\":\"")
        property(name="syslogfacility-text")
        constant(value="\",\"@fields.programname\":\"")
        property(name="programname")
        constant(value="\",\"@fields.procid\":\"")
        property(name="procid")
        # the static tag is appended as the last JSON field
        constant(value="\",\"@fields.mytag\":\"foobarStaticTag\"}\n")
    }

    # forward to logstash over UDP (single @), formatted with the template
    local7.* @logstash.example.com:1514;jsonfmt

    # send to Elasticsearch with the same template; with dynSearchIndex="on",
    # searchIndex is taken as the name of a template (logidx)
    local7.* action(type="omelasticsearch"
                    action.resumeretrycount="-1"
                    dynSearchIndex="on"
                    bulkmode="on"
                    queue.type="linkedlist"
                    queue.size="1000000"
                    queue.dequeuebatchsize="1000"
                    queue.workerthreads="2"
                    searchIndex="logidx"
                    server="esearchgw.example.com"
                    template="jsonfmt")

Note that the sample logstash forwarder assumes your input definition includes codec => json. The foobarStaticTag being whatever tag you wanted to add.
- thx, this worked for me. – Seyed M, Jan 29, 2017 at 11:32
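As an added example (not part of the answer or of rsyslog itself): a collector-side check in Python that parses a line in the shape the jsonfmt template emits and compares `@fields.mytag` with the tag expected for the sender's IP, since the tag is only what the sender claims. The `EXPECTED_TAGS` mapping, the addresses and the sample lines are constructed for illustration.

```python
import json

# Assumed mapping kept on the collector: sender IP -> tag that sender is
# configured to emit in "@fields.mytag" (addresses and tags are constructed).
EXPECTED_TAGS = {
    "192.0.2.10": "foobarStaticTag",
    "192.0.2.20": "dmzStaticTag",
}

REQUIRED_KEYS = ("@timestamp", "message", "@fields.host", "@fields.mytag")

def parse_jsonfmt(line):
    """Parse one line produced by the jsonfmt template; None if malformed."""
    try:
        record = json.loads(line)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(record, dict):
        return None
    if any(not isinstance(record.get(k), str) for k in REQUIRED_KEYS):
        return None
    return record

def classify(line, source_ip):
    """Return (verdict, record) for a datagram received from source_ip."""
    record = parse_jsonfmt(line)
    if record is None:
        return "malformed", None
    expected = EXPECTED_TAGS.get(source_ip)
    if expected is None:
        return "unknown-sender", record
    if record["@fields.mytag"] != expected:
        return "tag-mismatch", record
    return "ok", record

# Constructed sample datagrams; option.json="on" is what escapes the quotes.
GOOD = (b'{"@timestamp":"2017-01-29T11:30:00+00:00","@version":"1",'
        b'"message":" login \\"root\\" failed","@fields.host":"web01.example.com",'
        b'"@fields.severity":"warning","@fields.facility":"local7",'
        b'"@fields.programname":"sshd","@fields.procid":"812",'
        b'"@fields.mytag":"foobarStaticTag"}\n')
TRUNCATED = GOOD[:60]  # e.g. a datagram cut short in transit

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "198.51.100.7"):
        print(ip, classify(GOOD, ip)[0])
    print("truncated", classify(TRUNCATED, "192.0.2.10")[0])
```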