module(load="imuxsock") # will listen to your local syslog
module(load="omkafka") # lets you send to Kafka
template(name="json_lines" type="list" option.json="on") {
constant(value="{")
constant(value="\"timestamp\":\"")
property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"message\":\"")
property(name="msg")
constant(value="\",\"host\":\"")
property(name="hostname")
constant(value="\",\"severity\":\"")
property(name="syslogseverity-text")
constant(value="\",\"facility\":\"")
property(name="syslogfacility-text")
constant(value="\",\"syslog-tag\":\"")
property(name="syslogtag")
constant(value="\"}")
}
main_queue(
queue.workerthreads="1" # threads to work on the queue
queue.dequeueBatchSize="100" # max number of messages to process at once
queue.size="10000" # max queue size
)
if $hostname != $$myhostname then {
action(
broker=["kafka.server:9092"]
type="omkafka"
topic="syslog.inbound"
template="json_lines"
)
stop
}
这是似乎有效的开始:
它当然需要完善,但它似乎确实将外部/内部系统日志消息分开。