We need collectd-sysevent plugin to be available out of the box.
=head2 Plugin C<sysevent> + +The I<sysevent> plugin monitors rsyslog messages. + +B<Synopsis:> + + <Plugin sysevent> + Listen "192.168.0.2" "6666" + BufferSize 1024 + BufferLength 10 + RegexFilter "regex" + </Plugin> + + rsyslog should be configured such that it sends data to the IP and port you + include in the plugin configuration. For example, given the configuration + above, something like this would be set in /etc/rsyslog.conf: + + if $programname != 'collectd' then + *.* @192.168.0.2:6666 + + This plugin is designed to consume JSON rsyslog data, so a more complete + rsyslog configuration would look like so (where we define a JSON template + and use it when sending data to our IP and port): + + $template ls_json,"{%timestamp:::date-rfc3339,jsonf:@timestamp%, \ + %source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\", \ + \"@message\":\"%timestamp% %app-name%:%msg:::json%\",\"@fields\": \ + {%syslogfacility-text:::jsonf:facility%,%syslogseverity:::jsonf:severity-num%, \ + %syslogseverity-text:::jsonf:severity%,%programname:::jsonf:program%, \ + %procid:::jsonf:processid%}}" + + if $programname != 'collectd' then + *.* @192.168.0.2:6666;ls_json + + Please note that these rsyslog.conf examples are *not* complete, as rsyslog + requires more than these options in the configuration file. These examples + are meant to demonstration the proper remote logging and JSON format syntax. + +B<Options:> + +=over 4 + +=item B<Listen> I<host> I<port> + +Listen on this IP on this port for incoming rsyslog messages. + +=item B<BufferSize> I<length> + +Maximum allowed size for incoming rsyslog messages. Messages that exceed +this number will be truncated to this size. Default is 4096 bytes. + +=item B<BufferLength> I<length> + +Maximum number of rsyslog events that can be stored in plugin's ring buffer. +By default, this is set to 10. Once an event has been read, its location +becomes available for storing a new event. 
+ +=item B<RegexFilter> I<regex> + +Enumerate a regex filter to apply to all incoming rsyslog messages. If a +message matches this filter, it will be published. +
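Review bot: the RegexFilter documentation shows the value as a bare `"regex"` in the synopsis and says nothing about delimiters, yet the working form given later in this thread is `RegexFilter "/^.*kernel.*$/"`; both the synopsis and the `=item B<RegexFilter> I<regex>` text should show the `/` delimiters and name the regex dialect the filter is compiled with. Smaller points in the same hunk: "are meant to demonstration the proper remote logging" should read "are meant to demonstrate the proper remote logging"; the synopsis sets `BufferSize 1024` while the option text says the default is 4096 bytes, so either say the synopsis overrides the default or use the default value there; "stored in plugin's ring buffer" should be "stored in the plugin's ring buffer"; and since the rsyslog examples forward with the single `@` (UDP) syntax, the `Listen` description should state which transport the plugin accepts and that it takes messages from any sender that can reach that address and port, which is what the reader needs to choose the Listen address and any RegexFilter sensibly.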
Hey, Andrew! You can provide a conf file for this plugin along with the test instructions as a comment to this RFE. Thanks, Leonid.
The first thing to note is the actual rsyslog conf that Martin referenced in his sysevent documentation paste above:

------------------------------
$template ls_json,"{%timestamp:::date-rfc3339,jsonf:@timestamp%, \
%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\", \
\"@message\":\"%timestamp% %app-name%:%msg:::json%\",\"@fields\": \
{%syslogfacility-text:::jsonf:facility%,%syslogseverity:::jsonf:severity-num%, \
%syslogseverity-text:::jsonf:severity%,%programname:::jsonf:program%, \
%procid:::jsonf:processid%}}"

if $programname != 'collectd' then
*.* @192.168.0.2:6666;ls_json
------------------------------

This conf would go in /etc/rsyslog.conf on any node that is running rsyslog. You at least need...

if $programname != 'collectd' then
*.* @192.0.2.33:6666;ls_json

...in order to tell rsyslog where to send its data. Without this it won't matter what you put in the sysevent plugin conf, as rsyslog won't be sending any data anyhow.

The "$template" piece defines a JSON structure that will be used when sending each message to the plugin. You can leave this out, but it will limit what the sysevent plugin is able to then dispatch to any configured Collectd write plugins (sysevent publishes a VES-formatted event notification based on the data acquired from the rsyslog message, and needs the JSON mapping to find information to fill certain VES fields).

Given the above, an example conf file for Collectd that uses this plugin would look like so:

------------------------------
BaseDir "/var/lib/collectd"
PIDFile "/run/collectd.pid"
Interval 0.005

LoadPlugin sysevent

<Plugin "sysevent">
  Listen "192.0.2.33" "6666"
  BufferSize 4096
  BufferLength 100
  RegexFilter "^.*kernel.*$"
</Plugin>
-----------------------------

This would tell the plugin to listen on 192.0.2.33:6666, and to only dispatch event notifications for rsyslog messages that contain the keyword "kernel" in the message body.
You will also want to configure a write plugin to receive the sysevent plugin's dispatched event notifications. It's up to you which you choose, and will depend on what you have available to ultimately receive the messages. I will attach an example collectd.conf from one of NFVPE SA's test environments to further provide an example.
Created attachment 1453006: Collectd conf file using sysevent
I guess I didn't really say how to test this plugin. So let me explain that now. On any node where you have configured rsyslog to send syslog data to the target address and port, simply do something that generates syslog activity. If you put a RegexFilter in the Collectd conf for sysevent, then make sure to generate activity that matches the filter. If you have no filters, everything in syslog should be sent to the sysevent plugin. Then, assuming you have Collectd write plugins configured, check the endpoints associated with those plugins to see that the data came through.
Sorry, a correction. The RegexFilter option needs "/" delimiters, like so:

RegexFilter "/^.*kernel.*$/"
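As an added example that is not part of this bug report or of the collectd plugin's own code, the Python script below models the plugin behaviour the comments above describe (a Listen address, truncation to BufferSize, a BufferLength ring buffer, and the slash-delimited RegexFilter from the correction) as a stand-alone UDP receiver. It assumes senders use the ls_json template from the earlier comment; the sample messages are constructed and the function and class names are my own, not the plugin's. Running it on the collectd host with collectd stopped (so the port is free) answers the first question from the test instructions: whether rsyslog is forwarding anything to that address and port at all.

```python
import json
import re
import socket
from collections import deque

# Constructed sample datagram in the shape the thread's ls_json template
# produces (field names come from the template; the values are made up).
SAMPLE_RSYSLOG_JSON = (
    '{"@timestamp":"2019-01-15T10:20:30+00:00","@source_host":"compute-0",'
    '"@source":"syslog://192.0.2.10",'
    '"@message":"2019-01-15T10:20:30+00:00 kernel: eth0: link is down",'
    '"@fields":{"facility":"kern","severity-num":"4","severity":"warning",'
    '"program":"kernel","processid":"-"}}'
)

# Constructed plain syslog line, as a sender without the JSON template emits.
SAMPLE_PLAIN_SYSLOG = b"<38>Jan 15 10:20:31 compute-0 sshd[123]: Accepted publickey for root"


def parse_regex_filter(spec):
    """Compile a RegexFilter value; it must be written as "/pattern/",
    which is the delimiter form given in the correction above."""
    if len(spec) < 2 or not (spec.startswith("/") and spec.endswith("/")):
        raise ValueError('RegexFilter must be delimited like "/pattern/"')
    return re.compile(spec[1:-1])


def parse_event(datagram, buffer_size):
    """Truncate a datagram to BufferSize bytes, then decode it as ls_json.
    Anything that is not JSON (no template on the sender, or JSON cut off
    by the truncation) is kept as a bare @message with empty @fields."""
    text = datagram[:buffer_size].decode("utf-8", errors="replace")
    try:
        event = json.loads(text)
    except json.JSONDecodeError:
        return {"@message": text, "@fields": {}}
    if not isinstance(event, dict) or "@message" not in event:
        return {"@message": text, "@fields": {}}
    event.setdefault("@fields", {})
    return event


class EventRing:
    """Ring buffer of the last BufferLength accepted events; once full,
    the oldest slot is reused, as the plugin documentation describes."""

    def __init__(self, buffer_length, buffer_size, regex_filter=None):
        self.events = deque(maxlen=buffer_length)
        self.buffer_size = buffer_size
        self.regex = parse_regex_filter(regex_filter) if regex_filter else None
        self.filtered_out = 0

    def push(self, datagram):
        """Store and return the event, or return None if RegexFilter rejects it."""
        event = parse_event(datagram, self.buffer_size)
        if self.regex is not None and not self.regex.search(event["@message"]):
            self.filtered_out += 1
            return None
        self.events.append(event)
        return event


def serve(listen_host, listen_port, ring, max_datagrams=None):
    """Bind the Listen address and feed each received UDP datagram into the
    ring, printing the sender and whether the message was kept or filtered."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((listen_host, int(listen_port)))
    received = 0
    while max_datagrams is None or received < max_datagrams:
        datagram, peer = sock.recvfrom(65535)
        received += 1
        event = ring.push(datagram)
        status = "kept" if event is not None else "filtered"
        message = event["@message"] if event is not None else ""
        print(f"{peer[0]}: {status}: {message}")
    sock.close()
    return received


if __name__ == "__main__":
    # Same values as the example collectd.conf in this thread.
    serve("0.0.0.0", 6666, EventRing(100, 4096, "/^.*kernel.*$/"))
```

If nothing arrives, look at the rsyslog forwarding rule and the network path between the nodes before the plugin. If lines arrive but come back as a bare @message with empty @fields, the sender is not using the JSON template, or BufferSize is smaller than the datagram and the truncation cut the JSON off, which is also why a too-small BufferSize leaves the VES fields empty.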
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2019:0047