Log forwarding with quattor

From T2B Wiki
  • All the configuration pertaining to rsyslog is in sites/.../config/rsyslog
    • rsyslog.pan handles the quattor filecopy of the conf files
    • configs/*.conf are the rsyslog conf files that indicate which log files to forward


  • We use the imfile module. It is loaded automatically in base.conf. That file also forwards all syslog locals to the log server.
$ModLoad imfile
*.* @@log10.wn.iihe.ac.be:5544


  • To add a specific file:
  1. You first need to create a conf file in configs/, for instance myservice.conf:
$InputFileName /path/to/my/log.log        # Complete path to the log file on the machine. Regexes are not possible (so no *.log)
$InputFileTag myservice:                  # Service name: will be stored in 'program' inside ELK, for an easy grep.
$InputFileStateFile myservice_accounting  # Name of the state file (can be anything). It stores the file position up to which rsyslog has already sent the log lines.
$InputFileFacility local6                 # Facility. Unless you know what you want, local6 is fine. Anyway, all locals are forwarded (in base.conf)
$InputRunFileMonitor                      # Add the file to the monitored ones using the variables you just set.
  2. Then you need to make sure this myservice.conf is copied to /etc/rsyslog.d/ on the machine(s) you want and that the rsyslogd service is reloaded. For this, edit rsyslog.conf and add:
 variable CONTENTS = file_contents('config/rsyslog/configs/myservice.conf');                          # Loads the content of myservice.conf into CONTENTS
 "/software/components/filecopy/services" = if( match(FULL_HOSTNAME,'^mymachine.iihe') ) return(      # filecopy service + regex to match host name (optional)
     npush(escape("/etc/rsyslog.d/myservice.conf"),                                                   # filename where to copy what's in CONTENTS
           dict('config',CONTENTS , 'owner','root:root' , 'perms','0644' , 'restart','service rsyslog restart' ) ) ) else SELF;           # Nothing to change
  3. Commit and runcheck; the logs should then appear on the Kibana dashboard Logstash Search. To see your logs, type program: myservice in the Query bar.
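
A pre-commit check for the configs/*.conf snippets described above, as an added example that is not part of the original wiki page or of the site's quattor templates. The function name lint_imfile and the rule that every monitor sets all four directives from the template are assumptions of this example; the sample inputs are constructed.

```python
import re

# Directives the page's template sets for each monitored file.
REQUIRED = ("$InputFileName", "$InputFileTag",
            "$InputFileStateFile", "$InputFileFacility")

def lint_imfile(text):
    """Return a list of problems in a legacy-format imfile snippet."""
    problems, block, seen_state = [], {}, set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # strip trailing comment
        if not line:
            continue
        parts = line.split(None, 1)
        directive, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if directive == "$InputRunFileMonitor":
            for req in REQUIRED:               # example policy: all four set
                if not block.get(req):
                    problems.append(f"line {n}: {req} not set for this monitor")
            path = block.get("$InputFileName", "")
            if path and not path.startswith("/"):
                problems.append(f"line {n}: {path!r} is not a complete path")
            if re.search(r"[*?\[\]]", path):   # the page: no *.log patterns
                problems.append(f"line {n}: wildcard in {path!r}")
            state = block.get("$InputFileStateFile", "")
            if state and state in seen_state:  # two files, one position record
                problems.append(f"line {n}: state file {state!r} reused")
            seen_state.add(state)
            block = {}                         # next monitor starts clean
        elif directive.startswith("$InputFile"):
            block[directive] = value.strip()
    if block:
        problems.append("trailing $InputFile* directives without $InputRunFileMonitor")
    return problems

# Constructed sample input: the page's snippet, then a faulty variant.
GOOD = """\
$InputFileName /path/to/my/log.log
$InputFileTag myservice:
$InputFileStateFile myservice_accounting
$InputFileFacility local6
$InputRunFileMonitor
"""
BAD = GOOD + """\
$InputFileName /var/log/other/*.log   # wildcard
$InputFileTag other:
$InputFileStateFile myservice_accounting
$InputRunFileMonitor
$InputFileName /var/log/orphan.log
"""
```

Running lint_imfile over each file in configs/ before the commit catches a snippet that would silently forward nothing, which matters when the forwarded file is an audit or accounting log.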