Difference between revisions of "Sumologic Rsyslog Fowarder"

Line 146: Line 146:
 
lxc network attach lxdbr0 rsyslog eth0 eth0
 
lxc network attach lxdbr0 rsyslog eth0 eth0
 
lxc config device set rsyslog eth0 ipv4.address 172.x.x.x
 
lxc config device set rsyslog eth0 ipv4.address 172.x.x.x
lxc config device remove wjp1-lxd-rsyslog proxyv4 proxy nat=true listen=tcp:10.x.x.x:514 connect=tcp:0.0.0.0:514
+
lxc config device remove lxd-rsyslog proxyv4 proxy nat=true listen=tcp:10.x.x.x:514 connect=tcp:0.0.0.0:514
lxc config device add wjp1-lxd-rsyslog tcp514 proxy nat=true listen=tcp:10.x.x.x:514 connect=tcp:0.0.0.0:514
+
lxc config device add lxd-rsyslog tcp514 proxy nat=true listen=tcp:10.x.x.x:514 connect=tcp:0.0.0.0:514
 
```
 
```
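Review bot: As far as I know `lxc config device remove` accepts only the instance and device names, so the trailing `proxy nat=true listen=… connect=…` on the new remove line (inherited from the old one) is not accepted and the step fails before the new `tcp514` device is added; the line should read `lxc config device remove lxd-rsyslog proxyv4`. The rename also leaves the section addressing two instance names: the network-attach and ipv4.address lines still target `rsyslog` while the proxy lines now target `lxd-rsyslog`, and presumably these are the same container, so one name should be used throughout. The proxy device publishes plaintext, unauthenticated syslog on `tcp:10.x.x.x:514`; that is the intended ingress, but the page should say that reachability to that address is what controls who can inject messages.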

Revision as of 23:15, 17 December 2021

Install rsyslog (usually already installed)

Add TLS support

# gtls stream driver used by the omfwd action below
sudo apt-get install -y rsyslog-gnutls

Add the CA certificate

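 # Fetch the CA that rsyslog will use to verify the Sumo Logic collector.
 # --fail keeps curl from saving an HTML error page as the "certificate",
 # --proto '=https' restricts the transfer to HTTPS, and the openssl step
 # fails on anything that is not a PEM certificate and prints the subject
 # and SHA-256 fingerprint so they can be compared with DigiCert's published
 # values. Confirm this root is still the anchor of the collector's chain.
 mkdir -p /etc/rsyslog.d/keys/ca.d \
   && curl --fail --proto '=https' -L https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt.pem \
        -o /etc/rsyslog.d/keys/ca.d/digicert_ca.crt \
   && openssl x509 -in /etc/rsyslog.d/keys/ca.d/digicert_ca.crt -noout -subject -fingerprint -sha256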
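# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#
# This is the stock rsyslog.conf plus a collector role: receive syslog on
# UDP/TCP 514, write one file per sending host, and forward everything to
# Sumo Logic over TLS.


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# UDP/TCP syslog reception is enabled in the collector section below; keep
# these commented so imudp/imtcp are not loaded a second time.
#module(load="imudp")
#input(type="imudp" port="514")

#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
# module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files (also holds the disk-assisted
# forwarding queue configured below).
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
# Included exactly once: a second $IncludeConfig of the same glob loads every
# drop-in twice and duplicates every action they define.
#
$IncludeConfig /etc/rsyslog.d/*.conf


# Example Elasticsearch output, left disabled.
# module(load="omelasticsearch")
# template(name="testTemplate"
#          type="list"
#          option.json="on") {
#            constant(value="{")
#              constant(value="\"timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
#              constant(value="\",\"message\":\"")     property(name="msg")
#              constant(value="\",\"host\":\"")        property(name="hostname")
#              constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
#              constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
#              constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
#            constant(value="\"}")
#          }
# action(type="omelasticsearch"
#        server="myserver.local"
#        serverport="9200"
#        template="testTemplate"
#        searchIndex="test-index"
#        searchType="test-type"
#        bulkmode="on"
#        queue.type="linkedlist"
#        queue.size="5000"
#        queue.dequeuebatchsize="300"
#        action.resumeretrycount="-1")


#########################
#### COLLECTOR INPUT ####
#########################

# Receive syslog from other hosts on UDP and TCP 514. Both are plaintext and
# unauthenticated: anything that can reach port 514 can inject messages, so
# reachability is controlled at the network layer (the LXD proxy device on
# this page is the intended ingress).
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# One file per sending host and facility. HOSTNAME is taken from the
# (untrusted) sender, so secpath-replace rewrites path separators in it and,
# as I read the property-replacer docs, a bare ".." as well, keeping every
# file under /var/log/hosts/ -- confirm against the rsyslog version in use.
$template DynamicFile,"/var/log/hosts/%HOSTNAME:::secpath-replace%/%syslogfacility-text%.log"
*.*    -?DynamicFile


##############################
#### FORWARD TO SUMO LOGIC ####
##############################

# RsyslogGnuTLS: CA used to verify the collector (installed by the curl step).
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/digicert_ca.crt

# The Sumo syslog cloud-collector token is sent in every message and is the
# only thing authenticating this forwarder to Sumo, i.e. a credential. Keep
# this file readable by root only (it is parsed before $PrivDropToUser takes
# effect) and do not paste the real value into tickets or wiki pages.
template(name="SumoFormat" type="string" string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% <MY TOKEN FROM SYSLOG CLOUD COLLECTOR SOURCE> %msg%\n")

# Queue and retry settings are given on the action itself instead of through
# the legacy $ActionQueue* directives, whose "applies to the next action"
# scoping silently breaks when lines are reordered.
#   queue.type LinkedList        run asynchronously
#   queue.filename fwdRule1      unique name prefix for spool files
#   queue.maxdiskspace 1g        1gb space limit (use as much as possible)
#   queue.saveonshutdown on      save messages to disk on shutdown
#   action.resumeRetryCount -1   infinite retries if host is down
# StreamDriverMode 1 = TLS only; x509/name verifies the chain and the peer
# name against StreamDriverPermittedPeers.
action(type="omfwd"
    protocol="tcp"
    target="syslog.collection.us2.sumologic.com"
    port="6514"
    template="SumoFormat"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="syslog.collection.*.sumologic.com"
    queue.type="LinkedList"
    queue.filename="fwdRule1"
    queue.maxdiskspace="1g"
    queue.saveonshutdown="on"
    action.resumeRetryCount="-1")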
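# Check the configuration first: a syntax error would otherwise take the
# collector down and lose whatever peers send while it is stopped.
rsyslogd -N1 && systemctl restart rsyslog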

If using LXD:

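# Give the container a fixed address (a nat=true proxy device needs a static
# instance IP, as I read the LXD docs) and publish host port 514 into it.
# The original steps addressed the container as both "rsyslog" and
# "lxd-rsyslog"; set the real instance name once here.
INSTANCE=rsyslog
HOST_IP=10.x.x.x        # host address the proxy listens on (placeholder)
CONTAINER_IP=172.x.x.x  # static address given to the container (placeholder)

lxc network attach lxdbr0 "$INSTANCE" eth0 eth0
lxc config device set "$INSTANCE" eth0 ipv4.address "$CONTAINER_IP"

# "device remove" takes only the instance and device names; the old proxy
# device may already be gone, so do not abort on that. Port 514 is plaintext,
# unauthenticated syslog: expose it only on the intended host address.
lxc config device remove "$INSTANCE" proxyv4 || true
lxc config device add "$INSTANCE" tcp514 proxy nat=true \
  listen="tcp:${HOST_IP}:514" connect=tcp:0.0.0.0:514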