rsyslog

Error

if /dev/log disappears:

systemctl restart systemd-journald.socket

Debug

create file /etc/rsyslog.d/00-debug.conf :

$DebugFile /var/log/rsyslog.debug
$DebugLevel 2

ElasticSearch

create file /etc/rsyslog.d/100-docker.conf :

module(load="omelasticsearch")


template(name="plain-syslog" type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"host\":\"")        property(name="hostname")
    constant(value="\",\"severity\":\"")      property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
    constant(value="\",\"app\":\"")   property(name="programname")
    constant(value="\",\"message\":\"")     property(name="$!cmsg")
    constant(value="\"}")
}

template(name="logstash-index" type="string" string="logstash-%$YEAR%.%$MONTH%.%$DAY%")

if ( $syslogfacility-text == "local0" )
then {

  set $!amsg = replace($msg, "\\", "\\\\");
  set $!bmsg = replace($!amsg, "\"", "\\\"");
  set $!cmsg = replace($!bmsg,"|","\\n");

  action(type="omelasticsearch"
    server="vpc-logging-clc66dqtnsfgmr6fccqvtqhm5e.eu-central-1.es.amazonaws.com"
    serverport="443"
    usehttps="on"
    template="plain-syslog"
    searchIndex="logstash-index"
    dynSearchIndex="on"
    bulkmode="on"
    errorfile="/var/log/omelasticsearch.log")

  stop
}