rsyslog v8: more than just syslog!
Yury Bushmelev, Lazada
what people usually think rsyslog is
(diagram) inputs /dev/log and udp:514 -> "some magic" -> outputs /var/log/some.log and remote udp:514
what rsyslog says it is
(diagram) "some magic" is a ruleset: inputs -> queue -> parser & filter -> pre-processor -> action queue -> action processor -> output; a ruleset can have several inputs and several action queue / action processor / output chains
rulesets
input(...)
input(...)
if ($syslogtag == "prog1") then {
    action(...)
} else {
    action(...)
}

input(... ruleset="rules1")
input(... ruleset="rules2")
ruleset(name="rules1") {
    action(...)
}
ruleset(name="rules2") {
    action(...)
}
configuration formats
• basic AKA sysklogd (*.* /var/log/file.log) – still OK in simple cases

• obsolete legacy ($UglyScaryThings everywhere) – do not use it at all! "It will make your life miserable" © Rainer Gerhards

• advanced AKA RainerScript – new (2010) readable configuration language
queues
• most confusing part of rsyslog configuration

• 2 places

  • ruleset queue

  • action queue

• 4 modes

  • direct (AKA no queue, sync)

  • in-memory

  • on-disk

  • disk-assisted (DA, in-memory + on-disk)
queues and performance
• try increasing the number of ruleset queue workers first

• the action queue is mostly about string building

• for a fast action (omfile) the thread syncing overhead may be significant

• for a single-action ruleset everything is complicated...

• read more details in Rainer's blog: http://blog.gerhards.net/2013/06/rsyslog-performance-main-and-action.html
– ELK?
• read log messages from file/network

• parse

• modify

• convert to JSON

• send to ElasticSearch
– ERK!
• read log messages from file/network (inputs)

• parse (builtin parser/RainerScript/mm* modules)

• modify (RainerScript/mm* modules/templates)

• convert to JSON (templates)

• send to ElasticSearch (omelasticsearch)
parse (mmnormalize)
• "mmnormalize" is a unique feature of rsyslog based on the liblognorm library which...

• ... is amazingly fast

• ... because it's using a parse tree (not regexp/grok)

• ... may try multiple rules for the same message (first wins)

• ... has some documentation:

http://www.liblognorm.com/files/manual/index.html
liblognorm rules
version=2
rule=v0:MyAuthAPI: Invalid user %user:word% from %src-ip:ipv4%
rule=v1:MyAuthAPI[%pid:number%]: Invalid user %user:word% from %src-ip:ipv4%
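To show what the two rules above actually do, here is an added Python re-implementation of the liblognorm matching idea (not liblognorm's or rsyslog's own code, and a deliberate simplification: only the word, number and ipv4 field types are supported, and the rules are compiled to anchored regexes rather than a parse tree). It keeps the "try rules in order, first match wins" behaviour and attaches the rule tag as event.tags the way mmnormalize does.

```python
import json
import re

# Constructed copy of the rulebase from the slide above.
RULEBASE = """\
version=2
rule=v0:MyAuthAPI: Invalid user %user:word% from %src-ip:ipv4%
rule=v1:MyAuthAPI[%pid:number%]: Invalid user %user:word% from %src-ip:ipv4%
"""

# Subset of liblognorm field types (assumption: enough for these rules).
FIELD_TYPES = {
    "word": r"\S+",
    "number": r"\d+",
    "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}",
}
FIELD_RE = re.compile(r"%([^:%]+):([a-z0-9]+)%")


def compile_rule(line):
    """Turn one 'rule=tags:sample' line into (tags, field names, regex)."""
    tags, sample = line[len("rule="):].split(":", 1)
    names, parts, pos = [], [], 0
    for m in FIELD_RE.finditer(sample):
        parts.append(re.escape(sample[pos:m.start()]))  # literal text
        if m.group(2) not in FIELD_TYPES:
            raise ValueError("unsupported field type: " + m.group(2))
        names.append(m.group(1))
        parts.append("(%s)" % FIELD_TYPES[m.group(2)])
        pos = m.end()
    parts.append(re.escape(sample[pos:]))
    return tags.split(","), names, re.compile("^" + "".join(parts) + "$")


def load_rulebase(text):
    """Compile every rule= line; version= and comments are ignored."""
    return [compile_rule(l) for l in text.splitlines() if l.startswith("rule=")]


def normalize(rules, msg):
    """Try rules in order; the first match wins (as in mmnormalize).
    Returns the extracted fields plus event.tags, or None if nothing matched."""
    for tags, names, rx in rules:
        m = rx.match(msg)
        if m:
            fields = dict(zip(names, m.groups()))
            fields["event.tags"] = tags
            return fields
    return None


if __name__ == "__main__":
    rules = load_rulebase(RULEBASE)
    for line in ("MyAuthAPI: Invalid user bob from 10.0.0.5",
                 "MyAuthAPI[1234]: Invalid user alice from 192.168.1.10"):
        print(json.dumps(normalize(rules, line)))
```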
modify/send as JSON v1
template(name="tmpl_to_json_v1" type="string" string="%$!all-json%")
template(name="timereported_rfc3339" type="string" string="%timereported:::date-rfc3339%")
ruleset(name="test") {
    action(type="mmjsonparse")
    set $!_log_time = exec_template("timereported_rfc3339");
    set $!_log_tag = $!tag;
    unset $!tag;
    ...
    action(type="omelasticsearch"
           server="es.example.com"
           template="tmpl_to_json_v1"
           ...)
}
modify/send as JSON v2
template(name="tmpl_to_json_v2" type="list" option.json="on") {
    constant(value="{")
    property(outname="_log_time" name="timereported" dateFormat="rfc3339" format="jsonf")
    constant(value=",")
    property(outname="_log_tag" name="tag" format="jsonf")
    constant(value=",")
    property(outname="message" name="msg" dropLastLF="on" format="jsonf")
    constant(value="}")
}
ruleset(name="test") {
    action(type="omelasticsearch"
           server="es.example.com"
           template="tmpl_to_json_v2"
           ...)
}
reliable delivery
• messages will be lost when using UDP delivery

• messages may be lost when using TCP delivery

• ... so there is RELP (imrelp/omrelp)

• ... it can do TLS and compression easily as well

• ... but it's single-threaded :(
metrics (impstats)
{ "name": "global", "origin": "dynstats", "values": { } }
{ "name": "imuxsock", "origin": "imuxsock", "submitted": 3612711, "ratelimit.discarded": 0, "ratelimit.numratelimiters": 0 }
{ "name": "action 0", "origin": "core.action", "processed": 33429, "failed": 0, "suspended": 0, "suspended.duration": 0, "resumed": 0 }
{ "name": "resource-usage", "origin": "impstats", "utime": 290424444, "stime": 314385112, "maxrss": 3176, "minflt": 509, "majflt": 105, "inblock": 5920, "oublock": 11030360, "nvcsw": 7281385, "nivcsw": 7506 }
{ "name": "main Q", "origin": "core.queue", "size": 0, "enqueued": 3612765, "full": 0, "discarded.full": 0, "discarded.nf": 0, "maxqsize": 30 }
• read more here: https://www.rsyslog.com/doc/v8-stable/configuration/rsyslog_statistic_counter.html
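The impstats records above are where silent message loss shows up (a full queue, a suspended action, a rate-limited input), which ties this slide to the "reliable delivery" slide. The following added Python example (not rsyslog's own tooling) parses impstats JSON lines and flags the counters that mean messages were dropped or delivery stalled; the "action 1 queue" record and the threshold of "any non-zero value" are constructed for the example.

```python
import json

# Records from the slide above plus one constructed record ("action 1 queue")
# showing what a queue that has been dropping messages looks like.
SAMPLE_IMPSTATS = """\
{ "name": "global", "origin": "dynstats", "values": { } }
{ "name": "imuxsock", "origin": "imuxsock", "submitted": 3612711, "ratelimit.discarded": 0, "ratelimit.numratelimiters": 0 }
{ "name": "action 0", "origin": "core.action", "processed": 33429, "failed": 0, "suspended": 0, "suspended.duration": 0, "resumed": 0 }
{ "name": "main Q", "origin": "core.queue", "size": 0, "enqueued": 3612765, "full": 0, "discarded.full": 0, "discarded.nf": 0, "maxqsize": 30 }
{ "name": "action 1 queue", "origin": "core.queue", "size": 9800, "enqueued": 500000, "full": 12, "discarded.full": 120, "discarded.nf": 0, "maxqsize": 10000 }
this line is not JSON and is skipped
"""

# Counters, per stats origin, whose growth means loss or stalled delivery.
# Constructed choice: any non-zero value is worth a look.
LOSS_COUNTERS = {
    "core.queue": ("discarded.full", "discarded.nf", "full"),
    "core.action": ("failed", "suspended"),
    "imuxsock": ("ratelimit.discarded",),
}


def parse_impstats(text):
    """Parse impstats output in format="json", one record per line.
    Non-JSON lines (legacy format, truncated records) are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            continue
    return records


def find_loss(records):
    """Return (stats name, counter, value) for every non-zero loss counter."""
    findings = []
    for rec in records:
        for counter in LOSS_COUNTERS.get(rec.get("origin"), ()):
            value = rec.get(counter, 0)
            if value:
                findings.append((rec["name"], counter, value))
    return findings


def loss_growth(prev, cur):
    """impstats counters are cumulative unless resetCounters="on", so alert on
    counters that grew since the previous snapshot, not on absolute values."""
    before = {(n, c): v for n, c, v in find_loss(prev)}
    return [(n, c, v - before.get((n, c), 0))
            for n, c, v in find_loss(cur) if v > before.get((n, c), 0)]
```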
metrics (dyn_stats)
dyn_stats(name="msg_per_host" resettable="on" maxCardinality="3000" unusedMetricLife="600")
set $.inc = dyn_inc("msg_per_host", $hostname);
# impstats output
# { "name": "msg_per_host", "origin": "dynstats.bucket", "values": { "lab3.sgdc": 1002540, "lab4.sgdc": 1318551, "lab7.sgdc": 1788136 } }
lookup tables
{ "version" : 1,
  "nomatch" : "unknown",
  "type" : "string",
  "table" : [
    {"index" : "10.0.1.1", "value" : "A" },
    {"index" : "10.0.1.2", "value" : "A" },
    {"index" : "10.0.1.3", "value" : "A" },
    {"index" : "10.0.2.1", "value" : "B" },
    {"index" : "10.0.2.2", "value" : "B" },
    {"index" : "10.0.2.3", "value" : "B" }]}

lookup_table(name="host_bu"
             file="/var/lib/host_billing_unit_mapping.json"
             reloadOnHUP="on"
)
set $.bu = lookup("host_bu", $hostname);
if ($.bu != "unknown") then {
    ...
}
# Go to "bu_A"/"bu_B"/"bu_unknown" ruleset:
# call_indirect "bu_" & $.bu;

if ($.do_reload == "y") then {
    reload_lookup_table("host_bu", "unknown")
}
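The three lookup-table slides above describe a table file format, a lookup with a nomatch default, ruleset selection from the looked-up value, and a reload with a stub value. This added Python model (not rsyslog's implementation) walks through all of them on a constructed copy of the table file; the assumption that a failed reload_lookup_table() leaves every lookup returning the stub value, rather than the stale table, is mine and should be checked against the rsyslog docs for your version.

```python
import json
import os
import tempfile

# Constructed, shortened copy of the table file from the slide above.
TABLE_JSON = """{ "version" : 1,
  "nomatch" : "unknown",
  "type" : "string",
  "table" : [
    {"index" : "10.0.1.1", "value" : "A" },
    {"index" : "10.0.2.1", "value" : "B" }]}"""


class LookupTable:
    """Hypothetical model of lookup_table() / lookup() / reload_lookup_table()."""

    def __init__(self, name, path):
        self.name, self.path = name, path
        self.nomatch, self.index = "unknown", {}
        self.load()

    def load(self):
        with open(self.path) as fh:
            doc = json.load(fh)
        if doc.get("version") != 1 or doc.get("type") != "string":
            raise ValueError("unsupported lookup table format")
        self.nomatch = doc["nomatch"]
        self.index = {row["index"]: row["value"] for row in doc["table"]}

    def lookup(self, key):
        """lookup("host_bu", $hostname): value, or the table's nomatch string."""
        return self.index.get(key, self.nomatch)

    def reload(self, stub_value):
        """reload_lookup_table(name, stub): on failure (missing or broken
        file) the table is stubbed so every lookup returns stub_value."""
        try:
            self.load()
            return True
        except (OSError, ValueError, KeyError):
            self.index, self.nomatch = {}, stub_value
            return False


def ruleset_for(table, host):
    """Name of the ruleset that call_indirect "bu_" & $.bu would jump to."""
    return "bu_" + table.lookup(host)


def demo():
    """Lookups before and after a reload from a corrupted table file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "host_billing_unit_mapping.json")
        with open(path, "w") as fh:
            fh.write(TABLE_JSON)
        t = LookupTable("host_bu", path)
        before = [ruleset_for(t, h) for h in ("10.0.1.1", "10.0.2.1", "10.0.9.9")]
        with open(path, "w") as fh:
            fh.write("{ not json")  # simulate a broken table on disk
        ok = t.reload("unknown")
        return before, ok, ruleset_for(t, "10.0.1.1")
```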
runtime control
input(type="imuxsock" socket="/run/rsyslog-control.sock" ruleset="control")
ruleset(name="control") {
    if ($msg == "reload bu") then {
        reload_lookup_table("host_bu", "unknown")
    } else if ($msg == "run cmd") then {
        action(type="omprog" binary="/path/to/script.sh")
    } else {
        action(type="omfile" file="/var/log/rsyslog-control.log")
    }
}
any questions?
• Yury Bushmelev

• https://twitter.com/Jay7t

• https://github.com/jay7x
