Configure Rsyslog to send our logs to ELK

Introduction

We have seen before how to add filters and indexes for Filebeat and Topbeat. But in some cases we won't be able to install additional software to manage our logs. That's when Rsyslog is our best option. In this post we will configure an external log from Apache that Rsyslog does not manage by default.

Configuring Rsyslog (client side)

We are going to create a new file in /etc/rsyslog.d that contains our new input log configuration.

$ModLoad imfile  #load the text-file input module; the $InputFile* directives below need it

$InputFileName /var/log/apache2/access.log #can NOT use wildcards - this is where logstash-forwarder would be nice
$InputFileTag apache-access-rs:  #Logstash throws grok errors if the ":" is anywhere besides at the end; shows up as "program" in Logstash
$InputFileStateFile apache-access-rs  #can be anything; unique id used by rsyslog
$InputFileSeverity info
$InputFileFacility apacheaccess
$InputRunFileMonitor
$InputFilePollInterval 10
$InputFilePersistStateInterval 1000

apacheaccess.* @@ELK_server_private_IP:5544  #the 2 "@" signs tell rsyslog to use TCP; 1 "@" sign tells rsyslog to use UDP

The facility and severity set above are what the last line selects on: every message logged with facility apacheaccess, at any severity, is forwarded to our ELK server.

By default, Rsyslog writes most facilities to the syslog and messages files, so now we have to exclude our new facility from them.

To do that we edit /etc/rsyslog.conf and change these two blocks:

*.*;  auth,authpriv.none              -/var/log/syslog

*.=info;*.=notice;*.=warn;\
 auth,authpriv.none;\
 cron,daemon.none;\
 mail,news.none          -/var/log/messages

to this:

*.*;\
 apacheaccess.none;\
 auth,authpriv.none              -/var/log/syslog

*.=info;*.=notice;*.=warn;\
 auth,authpriv.none;\
 cron,daemon.none;\
 apacheaccess.none;\
 mail,news.none          -/var/log/messages
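To see what the apacheaccess.none exclusion actually changes, here is a small evaluator for the legacy rsyslog/sysklogd selector syntax used in the two blocks above. It is an added example, not part of the original post or of rsyslog; it embeds the "before" and "after" blocks as constructed input, treats facility names as opaque strings (so apacheaccess works like any other), and reports which destination file a message with a given facility and severity would be written to.

```python
# Added example (not from the original post): evaluate legacy rsyslog selectors.
# Follows the sysklogd rules: a plain priority ORs in that level and everything
# more severe, '=pri' ORs in exactly one level, '!' clears instead of sets, and
# 'none' drops the facility entirely. Each rule starts with an empty mask.

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Constructed copies of the two /etc/rsyslog.conf blocks from the post.
RSYSLOG_CONF_BEFORE = """\
*.*;  auth,authpriv.none              -/var/log/syslog

*.=info;*.=notice;*.=warn;\\
 auth,authpriv.none;\\
 cron,daemon.none;\\
 mail,news.none          -/var/log/messages
"""

RSYSLOG_CONF_AFTER = """\
*.*;\\
 apacheaccess.none;\\
 auth,authpriv.none              -/var/log/syslog

*.=info;*.=notice;*.=warn;\\
 auth,authpriv.none;\\
 cron,daemon.none;\\
 apacheaccess.none;\\
 mail,news.none          -/var/log/messages
"""


def _sev_index(name):
    return SEVERITIES.index(ALIASES.get(name, name))


def selector_matches(selectors, facility, severity):
    """Evaluate 'fac.pri;fac,fac.pri;...' for one message and return True if it matches."""
    mask = 0
    for sel in selectors.split(";"):
        sel = sel.strip()
        if not sel:
            continue
        facs, pri = sel.rsplit(".", 1)
        fac_list = [f.strip() for f in facs.split(",")]
        if "*" not in fac_list and facility not in fac_list:
            continue  # this selector does not talk about our facility
        ignore = pri.startswith("!")
        pri = pri.lstrip("!")
        single = pri.startswith("=")
        pri = pri.lstrip("=")
        if pri == "none":
            mask = 0xFF if ignore else 0
        elif pri == "*":
            mask = 0 if ignore else 0xFF
        else:
            p = _sev_index(pri)
            bits = (1 << p) if single else (1 << (p + 1)) - 1  # exact level, or level and more severe
            mask = (mask & ~bits) if ignore else (mask | bits)
    return bool(mask & (1 << _sev_index(severity)))


def parse_rules(conf_text):
    """Join backslash-continued lines and split each rule into (selectors, target)."""
    rules = []
    for line in conf_text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, target = line.rsplit(None, 1)
        rules.append((selectors, target.lstrip("-")))  # a leading '-' only means "don't fsync"
    return rules


def route(conf_text, facility, severity):
    """Return the files a message with this facility/severity would be written to."""
    return [target for selectors, target in parse_rules(conf_text)
            if selector_matches(selectors, facility, severity)]


if __name__ == "__main__":
    for label, conf in (("before", RSYSLOG_CONF_BEFORE), ("after", RSYSLOG_CONF_AFTER)):
        print(label, "apacheaccess.info ->", route(conf, "apacheaccess", "info"))
        print(label, "daemon.info       ->", route(conf, "daemon", "info"))
```

With the original blocks an apacheaccess.info message lands in both /var/log/syslog and /var/log/messages as well as being forwarded; with the edited blocks it lands in neither, while daemon.info still goes to syslog only, which is the behaviour the edit is meant to preserve.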

Configuring Logstash

Input

We will create a new INPUT for our syslog events. We called it 01-rsyslog-input.conf, and it listens on a new port:

input {
  syslog {
    type => "rsyslog"
    port => 5544
  }
}

Here we specify the TYPE of the logs we’ll receive on that port.

Filter

I created a new file called 15-apache-rsyslog.conf with this content:

filter {
  if [program] == "apache-access-rs" {
    grok {
      match => [ "message", "%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:apache_timestamp}\] \"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response} " ]
    }
  }
}
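The following is an added example, not code from the original post or from Logstash: a small stand-in for the pipeline above. It parses the RFC 3164 line that rsyslog puts on the wire, takes the tag set by $InputFileTag as the "program" field the way the syslog input does, and applies a plain-regex approximation of the grok pattern in 15-apache-rsyslog.conf (the IP, USER, HTTPDATE and NUMBER sub-patterns are simplified). The wire lines are constructed, and the PRI value 134 is an assumption for illustration. It also shows one caveat of that pattern: because %{NOTSPACE:request_page} needs at least one character after the "/", a request for the bare root path "/" does not match and gets the _grokparsefailure tag.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOST TAG[PID]: MESSAGE -- the ":" after the tag is what
# "$InputFileTag apache-access-rs:" provides.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<logsource>\S+) (?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

# Simplified regex equivalent of the grok pattern in 15-apache-rsyslog.conf.
APACHE_RE = re.compile(
    r"(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<ident>[a-zA-Z0-9._-]+) (?P<auth>[a-zA-Z0-9._-]+) "
    r"\[(?P<apache_timestamp>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] "
    r"\"(?P<method>\w+) /(?P<request_page>\S+) HTTP/(?P<http_version>[0-9.]+)\" "
    r"(?P<server_response>\d+) "
)


def parse_apache_line(message):
    """Return the grok fields for one access-log line, or None when it does not match."""
    m = APACHE_RE.search(message)  # grok matches anywhere in the string, like search()
    return m.groupdict() if m else None


def process_event(wire_line):
    """Emulate input { syslog } plus the [program] filter for one received line."""
    m = SYSLOG_RE.match(wire_line)
    if not m:
        # the syslog input tags lines it cannot parse and passes them on unchanged
        return {"type": "rsyslog", "message": wire_line, "tags": ["_grokparsefailure_sysloginput"]}
    event = {"type": "rsyslog", "tags": []}
    event.update(m.groupdict())
    pri = int(event.pop("pri"))
    event["facility"] = pri >> 3        # RFC 3164: PRI = facility * 8 + severity
    event["severity"] = pri & 7
    event["severity_label"] = SEVERITIES[pri & 7]
    if event["program"] == "apache-access-rs":
        fields = parse_apache_line(event["message"])
        if fields is None:
            event["tags"].append("_grokparsefailure")  # what grok does on no match
        else:
            event.update(fields)
    return event


# Constructed sample input: what rsyslog would send for three log lines.
# PRI 134 (local0.info) is an assumed value; the real one depends on the
# facility rsyslog assigns to the imfile input.
WIRE_LINES = [
    '<134>Mar  4 12:30:00 web01 apache-access-rs: 10.0.0.5 - frank '
    '[04/Mar/2016:12:30:00 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '<134>Mar  4 12:30:01 web01 apache-access-rs: 10.0.0.5 - - '
    '[04/Mar/2016:12:30:01 +0000] "GET / HTTP/1.1" 200 512',
    '<38>Mar  4 12:30:02 web01 sshd[2101]: Accepted publickey for deploy from 10.0.0.9 port 51022',
]

if __name__ == "__main__":
    for line in WIRE_LINES:
        ev = process_event(line)
        print(ev["program"], ev.get("request_page"), ev.get("server_response"), ev["tags"])
```

The first line yields client_ip, request_page and server_response as the filter intends; the second, a request for "/", ends up tagged _grokparsefailure; the sshd line keeps its program field but is left alone by the filter, exactly as the `if [program] == "apache-access-rs"` condition dictates.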

Output

We have to define now what to do with the matching logs. I created a new file called 31-elasticsearch-rsyslog-output.conf with this content:

output {
  if [type] == "rsyslog" {
    elasticsearch {
      hosts => [ "localhost:9200" ]
      index => "rsyslog-%{+YYYY.MM.dd}"
      document_type => "rsyslog"
    }
  }
}

Here we match on the “type” set by our INPUT, and define the “document_type” and the “index” to write to in Elasticsearch. That index is the pattern we will add in Kibana.

Now we must restart rsyslog (client side) and logstash (server side).

Configuring Kibana

We will add the new index pattern to Kibana using the “index” format of our OUTPUT:

[Screenshot: Kibana index pattern for the rsyslog index (image Kibana_Drsyslog_index)]


Pablo Javier Furnari

Linux System Administrator at La Plata Linux
I'm a Linux Sysadmin with 8 years of experience. I work with several clients as a consultant here in Argentina and overseas (I have clients in the United States, Mexico, Pakistan and Germany).

I know my strengths and weaknesses. I'm a quick learner, and I know how to work with small and big teams. I'm a hard worker, proactive, and I achieve everything I set out to do.
