
Using Rsyslog sending to Loggly and scrub mongodb log data

I am trying to send information to Loggly via rsyslog with data from MongoDB 4.4.2. However, I cannot get the data in a way that I can manipulate it and scrub out certain information. When I follow the guide on the Loggly site, it works for non-MongoDB information. If I leave %$!msg% as %msg%, I get the MongoDB data but I am not able to manipulate it. Loggly gets a log back, but the raw message is empty and all that is passed is the other fields inside of the $template.

Config file for reading mongo logs

<script>

#RsyslogGnuTLS
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-bundle.crt

# Input for FILE1
input(type="imfile" tag="mongo_lou_qa" ruleset="filelog" file="/var/log/mongodb/mongod.log") #wildcard is allowed at file level only

$template LogglyFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [token@41058  tag=\"tag1\" tag=\"tag2\" ] %$!msg%" 

set $!msg = $msg;

if re_match($!msg,'([0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])')    
then 
{
  set $!ext = re_extract($!msg,'([0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])',0,1,"");
  set $!msg= replace($!msg, $!ext, "xxxxxxxxx");
}
  
ruleset(name="filelog"){
action(type="omfwd" protocol="tcp" target="logs-01.loggly.com" port="6514" template="LogglyFormat" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="*.loggly.com")
}
</script>

MongoDB sample log

{"t":{"$date":"2021-01-01T00:00:00.000-00:00"},"s":"I",  "c":"ACCESS",   "id":20000,   "ctx":"conn79","msg":"Successful authentication from 000000000","attr":{"mechanism":"ABC","principalName":"__system","authenticationDatabase":"local","client":"0.0.0.0:00000"}}
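
An added example, not part of the original post: in rsyslog, statements written outside any ruleset() belong to the default ruleset, while the imfile input above is bound to ruleset "filelog", so the scrub never runs on the MongoDB lines and %$!msg% stays empty. The variant below moves the scrub inside the ruleset, ahead of the forwarding action; it assumes the imfile module is loaded elsewhere in the configuration, and "token" and the tag values are placeholders exactly as in the post.

```conf
# Added example: same directives as the posted config, reordered.
# Assumption: module(load="imfile") is already present elsewhere.

$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-bundle.crt

# "token", "tag1" and "tag2" are placeholders carried over from the post.
$template LogglyFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [token@41058 tag=\"tag1\" tag=\"tag2\"] %$!msg%\n"

# Messages read from this file are processed only by ruleset "filelog".
input(type="imfile" tag="mongo_lou_qa" ruleset="filelog" file="/var/log/mongodb/mongod.log")

ruleset(name="filelog") {
    # Copy the raw line into a writable variable; $msg itself is read-only.
    set $!msg = $msg;

    # Scrub a run of nine digits before anything leaves the host.
    if re_match($!msg, '([0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])') then {
        # re_extract returns only the first match (match 0, submatch 1).
        set $!ext = re_extract($!msg, '([0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])', 0, 1, "");
        # replace() masks every occurrence of that one value; a second,
        # different nine-digit value on the same line is left untouched.
        set $!msg = replace($!msg, $!ext, "xxxxxxxxx");
    }

    # The template references %$!msg%, so only the scrubbed copy is sent.
    action(type="omfwd" protocol="tcp" target="logs-01.loggly.com" port="6514"
           template="LogglyFormat" StreamDriver="gtls" StreamDriverMode="1"
           StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="*.loggly.com")
}
```

Running `rsyslogd -N1` after the change validates the syntax, and with the sample log line above the forwarded message should carry "Successful authentication from xxxxxxxxx".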