forked from mrlesmithjr/Logstash_Kibana3
-
Notifications
You must be signed in to change notification settings - Fork 0
/
rsyslog-logstash.sh
52 lines (45 loc) · 1.58 KB
/
rsyslog-logstash.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
apt-key adv --recv-keys --keyserver keyserver.ubuntu.com AEF0CF8E
gpg --export --armor AEF0CF8E | sudo apt-key add -
echo "# Rsyslog updated repo
# Adiscon repository
deb http://ubuntu.adiscon.com/v7-stable precise/
deb-src http://ubuntu.adiscon.com/v7-stable precise/" | tee -a /etc/apt/sources.list
apt-get update && apt-get upgrade
apt-get -y install rsyslog rsyslog-mmjsonparse
sed -i -e 's|#$ModLoad immark|$ModLoad immark|' /etc/rsyslog.conf
sed -i -e 's|#$ModLoad imudp|$ModLoad imudp|' /etc/rsyslog.conf
sed -i -e 's|#$UDPServerRun 514|$UDPServerRun 514|' /etc/rsyslog.conf
sed -i -e 's|*.*;auth,authpriv.none|#*.*;auth,authpriv.none|' /etc/rsyslog.d/50-default.conf
(
cat <<'EOF'
# Adding JSON support
$ModLoad mmjsonparse
*.* :mmjsonparse:
EOF
)| tee -a /etc/rsyslog.conf
(
cat <<'EOF'
$template ls_json,"{%timestamp:::date-rfc3339,jsonf:@timestamp%,\"@message\":\"%msg:::json%\",\"@fields\":{%fromhost:::jsonf:host%,%syslogfacility-text:::jsonf:syslog_facility%,%syslogfacility:::jsonf:syslog_facility_code%,%syslogseverity-text:::jsonf:syslog_severity%,%syslogseverity:::jsonf:syslog_severity_code%,%app-name:::jsonf:program%,%procid:::jsonf:pid%}}"
*.* @localhost:10514;ls_json
EOF
) | tee /etc/rsyslog.d/60-rsyslog-logstash.conf
mv /etc/logstash/logstash.conf /etc/logstash/logstash.conf.orig
tee -a /etc/logstash/logstash.conf <<EOF
input {
udp {
type => "syslog"
port => "10514"
buffer_size => 8192
format => "json_event"
}
}
output {
elasticsearch_http {
host => "127.0.0.1"
flush_size => 1
}
}
EOF
service logstash stop
service rsyslog restart
service logstash start