Feed everything from one or more syslog pipes to a logstash server.
Installation
It's a gem:

    gem install syslogstash

There's also the wonders of the Gemfile:

    gem 'syslogstash'

If you're the sturdy type that likes to run from git:

    rake install

Or, if you've eschewed the convenience of Rubygems entirely, then you presumably know what to do already.
Usage
Write a configuration file, then start syslogstash giving the name of the config file as an argument:

    syslogstash /etc/syslogstash.conf

Config File Format
The file which describes how syslogstash will operate is a fairly simple YAML file. It consists of two sections, sockets and servers, which list the UNIX sockets to listen for syslog messages on, and the URLs of logstash servers to send the resulting log entries to. Optionally, you can specify additional fields to insert into every message received from each syslog socket.

It looks like this:

    sockets:
      # These sockets have no additional fields
      /tmp/sock1:
      /tmp/sock2:

      # This socket will have some fields added to its messages, and will
      # send all messages to a couple of other sockets, too
      /tmp/supersock:
        add_fields:
          foo: bar
          baz: wombat
        relay_to:
          - /tmp/relaysock1
          - /tmp/relaysock2

    # Every log entry received will be sent to *exactly* one of these
    # servers. This provides high availability for your log messages.
    # NOTE: Only tcp:// URLs are supported.
    servers:
      - tcp://10.0.0.1:5151
      - tcp://10.0.0.2:5151

Socket configuration
Each socket has a configuration associated with it. Using this configuration, you can add logstash fields to each entry, and configure socket relaying.
The following keys are available under each socket's path:
add_fields -- A hash of additional fields to add to every log entry that is received on this socket, before it is passed on to logstash.

relay_to -- A list of sockets to send all received messages to. This is useful in a very limited range of circumstances, when (for instance) you have another syslog socket consumer that wants to get in on the act, like a legacy syslogd.
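
A pre-deployment check for the config format described above, as an added example that is not part of syslogstash itself. The function name `check_syslogstash_config` is hypothetical, and the relay-loop check is an assumption about what you would want to catch, not documented syslogstash behaviour.

```ruby
require 'yaml'
require 'uri'

SOCKET_KEYS = %w[add_fields relay_to].freeze # keys the README documents

# Returns a list of problems in a syslogstash config; empty means it passed.
def check_syslogstash_config(yaml_text)
  cfg = YAML.safe_load(yaml_text)
  return ['top level must be a mapping'] unless cfg.is_a?(Hash)
  problems = []
  sockets = cfg['sockets'].is_a?(Hash) ? cfg['sockets'] : {}
  problems << 'sockets: must map at least one socket path' if sockets.empty?
  sockets.each do |path, opts|
    next if opts.nil? # socket with no extra settings
    unless opts.is_a?(Hash)
      problems << "#{path}: settings must be a mapping"
      next
    end
    (opts.keys - SOCKET_KEYS).each { |k| problems << "#{path}: unknown key #{k}" }
    fields = opts.fetch('add_fields', {})
    problems << "#{path}: add_fields must be a mapping" unless fields.is_a?(Hash)
    relays = Array(opts['relay_to'])
    # Added check (assumption): relaying into a socket that is also listened
    # on would feed the same messages back in.
    (relays & sockets.keys).each do |r|
      problems << "#{path}: relay_to #{r} is also a listening socket"
    end
  end
  servers = cfg['servers'].is_a?(Array) ? cfg['servers'] : []
  problems << 'servers: must list at least one URL' if servers.empty?
  servers.each do |url|
    uri = URI.parse(url.to_s) rescue nil
    ok = uri && uri.scheme == 'tcp' && uri.host && uri.port
    problems << "servers: #{url} is not a tcp://host:port URL" unless ok
  end
  problems
end

# Constructed sample with three mistakes: a misspelt key, a relay loop, and
# a non-tcp server URL.
BAD_CONFIG = <<~CONF
  sockets:
    /tmp/sock1:
    /tmp/supersock:
      add_field: { foo: bar }
      relay_to: [/tmp/sock1]
  servers:
    - udp://10.0.0.1:5151
CONF

puts check_syslogstash_config(BAD_CONFIG)
```
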
Logstash server configuration
You'll need to set up a TCP input, with the json_lines codec, for syslogstash to send log entries to. It can look as simple as this:

    tcp {
      port  => 5151
      codec => "json_lines"
    }

Contributing
Bug reports should be sent to the GitHub issue tracker. Patches can be sent as a [GitHub pull request](https://github.com/discourse/syslogstash/pulls).
Licence
Unless otherwise stated, everything in this repo is covered by the following copyright notice:
Copyright (C) 2015 Civilized Discourse Construction Kit Inc.
This program is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License version 3, as
published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.