diff --git a/roles/float-infra-log-collector/templates/rsyslog-collector.conf.j2 b/roles/float-infra-log-collector/templates/rsyslog-collector.conf.j2
index 9adc7e16d69f1b381fd795f7a2d1e9725acef16e..c477488411f5aa44a1bf1bd06c34dd0dc6f3a0a4 100644
--- a/roles/float-infra-log-collector/templates/rsyslog-collector.conf.j2
+++ b/roles/float-infra-log-collector/templates/rsyslog-collector.conf.j2
@@ -50,6 +50,8 @@ template(name="TmplFile" type="list"){
 module(
 load="omelasticsearch"
 )
+
+# Templates for index names
 template(name="esIndex" type="list") {
 constant(value="logstash-")
 property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="4")
@@ -74,45 +76,46 @@ template(name="esIndexHTTP" type="list") {
 constant(value=".")
 property(name="timereported" dateFormat="rfc3339" position.from="9" position.to="10")
 }
+
+# JSON template for standard log messages
 template(name="esTemplate"
- type="list") {
- constant(value="{")
- constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
- constant(value="\",\"host\":\"") property(name="hostname")
- constant(value="\",\"severity\":\"") property(name="syslogseverity-text" caseConversion="upper")
- constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
- constant(value="\",\"tag\":\"") property(name="syslogtag" format="json")
- constant(value="\",\"program\":\"") property(name="programname" format="json")
- constant(value="\",\"message\":\"") property(name="msg" format="json")
- constant(value="\",")
- property(name="$!all-json" position.from="2")
+ type="list"
+ option.jsonf="on") {
+ property(outname="@timestamp" name="timereported" dateFormat="rfc3339" format="jsonf")
+ property(outname="host" name="hostname" format="jsonf")
+ property(outname="severity" name="syslogseverity-text" caseConversion="upper" format="jsonf")
+ property(outname="facility" name="syslogfacility-text" format="jsonf")
+ property(outname="tag" name="syslogtag" format="jsonf")
+ property(outname="program" name="programname" format="jsonf")
+ property(outname="message" name="msg" format="jsonf")
 }
+
+# JSON template for HTTP logs
 template(name="esTemplateHTTP"
- type="list") {
- constant(value="{")
- constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
- constant(value="\",\"host\":\"") property(name="hostname")
- constant(value="\",")
- property(name="$!all-json" position.from="2")
+ type="list"
+ option.jsonf="on") {
+ property(outname="@timestamp" name="timereported" dateFormat="rfc3339" format="jsonf")
+ property(outname="host" name="hostname" format="jsonf")
+ property(name="$!all-json")
 }
+
+# JSON
template for structured messages. Does not include the original +# 'message' field (since it has supposedly been parsed already as JSON). template(name="esTemplateJSON" - type="list") { - constant(value="{") - constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339") - constant(value="\",\"host\":\"") property(name="hostname") - constant(value="\",\"tag\":\"") property(name="syslogtag" format="json") - constant(value="\",\"program\":\"") property(name="programname" format="json") - constant(value="\",") - property(name="$!all-json" position.from="2") + type="list" + option.jsonf="on") { + property(outname="@timestamp" name="timereported" dateFormat="rfc3339" format="jsonf") + property(outname="host" name="hostname" format="jsonf") + property(outname="tag" name="syslogtag" format="jsonf") + property(outname="program" name="programname" format="jsonf") + property(name="$!all-json") } # Structured audit logs already contain a @timestamp field, so we # don't have to add our own. template(name="esTemplateAudit" type="list") { - constant(value="{") - constant(value="\"host\":\"") property(name="hostname") - constant(value="\",") - property(name="$!all-json" position.from="2") + property(outname="host" name="hostname" format="jsonf") + property(name="$!all-json") } {% endif %}
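Review bot: The esTemplateAudit header is left as the unchanged context line `template(name="esTemplateAudit" type="list") {` while its body is switched to `property(outname="host" name="hostname" format="jsonf")`; without `option.jsonf="on"` the template does not wrap its output in an object the way the other three now do, so it should become `template(name="esTemplateAudit" type="list" option.jsonf="on") {`. In esTemplateHTTP, esTemplateJSON and esTemplateAudit the `property(name="$!all-json")` entry is the only property without `format="jsonf"`; as far as I recall, rsyslog only strips the outer braces of `$!all-json` and merges its fields into the jsonf object when that property itself carries `format="jsonf"`, so one generated record should be checked against Elasticsearch before this is relied on. esTemplate (standard messages) also drops the `$!all-json` entry the old version appended, so any structured fields parsed from those messages will no longer reach the index; if that is intended, the `# JSON template for standard log messages` comment should say so.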