Rsyslog and RELP

We need to configure rsyslog on an Ubuntu 12.04 server to send messages out to Logstash through Redis in RELP format.

root@server:~# apt-get update

root@server:~# apt-get install python-software-properties

root@server:~# add-apt-repository ppa:adiscon/v8-stable
You are about to add the following PPA to your system:
 Contains the latest RSyslog V8-Stable packages and dependencies.
 More info: https://launchpad.net/~adiscon/+archive/ubuntu/v8-stable
Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keyring `/tmp/tmpLRDNaP/secring.gpg' created
gpg: keyring `/tmp/tmpLRDNaP/pubring.gpg' created
gpg: requesting key 5234BF2B from hkp server keyserver.ubuntu.com
gpg: /tmp/tmpLRDNaP/trustdb.gpg: trustdb created
gpg: key 5234BF2B: public key "Launchpad PPA for Adiscon" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
OK

Run apt-get update again so that the package lists from the new PPA are loaded:

root@server:~# apt-get update

Install the RELP library and rsyslog:

root@server:~# apt-get install librelp0 rsyslog rsyslog-relp

Create a configuration file to send messages to Redis in RELP format:

root@server:~# vi /etc/rsyslog.d/sendsyslog2logstash.conf

Add this line to the file (replace redis-server-name with the name of the receiving host), then save and exit.

action(type="omrelp" target="redis-server-name" port="2514")

Load the RELP output module in /etc/rsyslog.conf. Add the lines below to the Modules section, so that the module is loaded before the omrelp action is parsed:

#RELP Output
module(load="omrelp")

Turn off repeated message reduction, so you have every message instead of those pesky "message repeated N times" lines.

# Filter duplicated messages
$RepeatedMsgReduction off

Restart rsyslog:

root@server:~# service rsyslog restart
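
The checks below are an added example, not part of the original page: a shell lint for the two files edited above, plus a live test to run after the restart. It assumes the main config pulls in /etc/rsyslog.d through a legacy $IncludeConfig line and that the omrelp action sits on one line, as it does here; the relp-test tag is made up for the example.

```shell
#!/bin/sh
# Added example: checks for the omrelp forwarding configured on this page.
# Assumption: the main config pulls in /etc/rsyslog.d via legacy $IncludeConfig.

# first_line PATTERN FILE: line number of the first non-comment match, or empty.
first_line() {
    grep -n -i -e "$1" "$2" | grep -v '^[0-9]*:[[:space:]]*#' | head -n 1 | cut -d: -f1
}

# lint_omrelp MAIN_CONF DROPIN_CONF
# Prints one line per problem; the return status is the number of problems.
lint_omrelp() {
    main=$1; dropin=$2; problems=0
    load=$(first_line 'module(load="omrelp")' "$main")
    inc=$(first_line '\$IncludeConfig' "$main")
    if [ -z "$load" ]; then
        echo "omrelp is not loaded in $main"; problems=$((problems + 1))
    elif [ -n "$inc" ] && [ "$inc" -lt "$load" ]; then
        echo "omrelp is loaded on line $load, after the include on line $inc"
        problems=$((problems + 1))
    fi
    # Assumption: the whole action() statement is on a single line.
    action=$(first_line 'type="omrelp"' "$dropin")
    if [ -z "$action" ]; then
        echo "no omrelp action in $dropin"; problems=$((problems + 1))
    else
        for key in target port; do
            sed -n "${action}p" "$dropin" | grep -q "$key=\"[^\"][^\"]*\"" && continue
            echo "omrelp action has no $key"; problems=$((problems + 1))
        done
    fi
    if [ -n "$(first_line '^[[:space:]]*\$RepeatedMsgReduction[[:space:]]*on' "$main")" ]; then
        echo "RepeatedMsgReduction is still on in $main"; problems=$((problems + 1))
    fi
    return "$problems"
}

# live_check: run as root after the restart. rsyslogd -N1 parses the whole
# configuration without starting the daemon; the tagged message should then
# show up on the receiving side.
live_check() {
    rsyslogd -N1 || return 1
    logger -t relp-test "omrelp forwarding test $(date +%s)"
}
```

Run lint_omrelp /etc/rsyslog.conf /etc/rsyslog.d/sendsyslog2logstash.conf before the restart, and live_check as root afterwards.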