I want to forward *.* to a remote host via TCP/IP.
Also, I have a local0 facility where messages are plain JSON messages, and they have to be forwarded to the same host, but another port (and use the same certificate for gTLS).
I've made a config:
# provides UDP syslog reception
$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
$template logFormat,"[1234] <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [type=syslog] %msg%\n"
$template logJSON,"{ \"token\": \"1234\", \"env\": \"testfield\" , %msg:2:$:%\n"
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
$DefaultNetstreamDriverCAFile /etc/ssl/certs/AddTrustExternalCARoot.crt
*.* action(type="omfwd" protocol="tcp" target="listener.example.com" port="5001" template="logFormat" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="*.example.com")
local0.info action(type="omfwd" protocol="tcp" target="listener.example.com" port="5005" template="logJSON" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="*.example.com")
local0.* /var/log/app.log
Unfortunately, rsyslog doesn't even try to make a connection.
There's no evidence in netstat -nt, nor in tcpdump.
I'm looking for a way of forwarding those log streams to their destinations without hacking it deeper in the ELK stack. Can you help?