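Is there a way to set up fluentd/td-agent so that its configuration is modular? I know there is the @include directive, but that only works if, every time I add something new, I modify the main td-agent.conf file and add a new rule to the tag-rewriting rules (as in the code below). What I want to achieve is a generic main td-agent.conf file that automatically includes all configuration files in a specific directory.
The problem is when I want multiple rule chains from one source, for example: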
syslog->dhcpd_logs->elasticsearch (ident dhcp, tag dhcp)
syslog->sudo_logs->elasticsearch (ident sudo, tag sudo)
Right now my configuration is extensible but not modular:
<source>
type syslog
port 42185
tag syslog
</source>
<match syslog.**>
type rewrite_tag_filter
rewriterule1 ident ^sudo sudo
rewriterule2 ident ^sshd sshd
rewriterule3 ident ^dhcpd dhcpd
</match>
<match sshd>
# type stdout
type rewrite_tag_filter
rewriterule1 message pam_unix\(sshd:auth\).*$ sshd.auth
rewriterule2 message pam_unix\(sshd:session\).*$ sshd.session
rewriterule3 message .* null
</match>
# pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=root
<match sshd.auth>
# type stdout
type parser
key_name message
format /pam_unix\(sshd:(?<sshd_log_type>[^ ]*)\): authentication (?<sshd_status>[^ ]*); logname=(?<sshd_auth_logname>[^ ]*) * uid=(?<sshd_auth_uid>[^ ]*) *euid=(?<sshd_auth_euid>[^ ]*) *tty=(?<sshd_auth_tty>[^ ]*) *ruser=(?<sshd_auth_ruser>[^ ]*) *rhost=(?<sshd_rhost>[^ ]*) *user=(?<sshd_user>[^ ]*).*$/
tag sshd.auth.parsed
reserve_data yes
</match>
# pam_unix(sshd:session): session opened for user user by (uid=0)
<match sshd.session>
type parser
key_name message
format /pam_unix\(sshd:(?<sshd_log_type>[^ ]*)\): session (?<sshd_status>[^ ]*) for user (?<sshd_user>[^ ]*)( by \(uid=(?<sshd_session_uid>[^ ]*)\))?.*$/
tag sshd.session.parsed
reserve_data yes
</match>
<match sshd.auth.parsed sshd.session.parsed>
# type stdout
type elasticsearch
logstash_format true
include_tag_key true
tag_key tag
flush_interval 10s
</match>
<match sudo>
type rewrite_tag_filter
rewriterule1 message PWD=[^ ]+ ; USER=[^ ]+ ; COMMAND=.*$ sudo.parse
rewriterule2 message .* null
</match>
<match sudo.parse>
type parser
key_name message # this is the field to be parsed
format /(?<sudo_user>.*) : TTY=(?<sudo_tty>[^ ]+) ; PWD=(?<sudo_path>[^ ]+) ; USER=(?<sudo_executed_as>[^ ]+) ; COMMAND=(?<sudo_command>.*)$/
tag sudo.parsed
reserve_data yes
</match>
<match sudo.parsed>
type elasticsearch
logstash_format true
include_tag_key true
tag_key tag
flush_interval 10s
</match>
<match dhcpd>
type rewrite_tag_filter
rewriterule1 message DHCPDISCOVER.*$ dhcpd.discover
rewriterule2 message DHCPOFFER.*$ dhcpd.offer
rewriterule3 message DHCPREQUEST.*$ dhcpd.request
rewriterule4 message DHCPACK.*$ dhcpd.ack
rewriterule5 message DHCPNACK.*$ dhcpd.nack
rewriterule6 message .* null
</match>
<match dhcpd.discover>
type parser
key_name message
format /(?<dhcp_packet_type>.*) from (?<dhcp_client_mac_address>[^ ]+).*$/
tag dhcpd.parsed
reserve_data yes
</match>
# DHCPOFFER on 192.168.1.3 to 08:00:27:e1:c9:ef (devbox) via eth1"
# DHCPACK on 192.168.1.3 to 08:00:27:e1:c9:ef (devbox) via eth1"
<match dhcpd.offer dhcpd.ack dhcpd.nack>
type parser
key_name message
format /(?<dhcp_packet_type>[^ ]+) on (?<dhcp_assigned_ip>[^ ]+) to (?<dhcp_client_mac_address>[^ ]+).*$/
tag dhcpd.parsed
reserve_data yes
</match>
<match dhcpd.parsed>
type elasticsearch
logstash_format true
include_tag_key true
tag_key tag
flush_interval 10s
</match>
<match null>
type null
</match>
# debug
#<match **>
# type stdout
#</match>
<match syslog.**>
type elasticsearch
logstash_format true
flush_interval 10s # for testing
</match>
I just want a single immutable skeleton in td-agent.conf, and to be able to add new *.conf files that are automatically included and used.
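
One way to check the sshd and dhcpd rule chains from the configuration above before moving them into separate files, as an added example that is not part of the original question. It replays the rewrite rules and format regexes in plain Ruby; the names `ROUTES`, `PARSERS`, `route` and `process` are hypothetical, and treating an unknown ident as `null` is a simplification.

```ruby
# Added example (not from the question): replay the page's sshd/dhcpd chains outside td-agent.
# ROUTES mirrors a subset of the rewriterule lists; PARSERS holds the format regexes from the page.
ROUTES = {
  'sshd' => [
    [/pam_unix\(sshd:auth\).*$/, 'sshd.auth'],
    [/pam_unix\(sshd:session\).*$/, 'sshd.session'],
    [/.*/, 'null']
  ],
  'dhcpd' => [
    [/DHCPDISCOVER.*$/, 'dhcpd.discover'],
    [/DHCPOFFER.*$/, 'dhcpd.offer'],
    [/DHCPREQUEST.*$/, 'dhcpd.request'],
    [/DHCPACK.*$/, 'dhcpd.ack'],
    [/.*/, 'null']
  ]
}.freeze

OFFER_ACK = /(?<dhcp_packet_type>[^ ]+) on (?<dhcp_assigned_ip>[^ ]+) to (?<dhcp_client_mac_address>[^ ]+).*$/
PARSERS = {
  'sshd.auth' => /pam_unix\(sshd:(?<sshd_log_type>[^ ]*)\): authentication (?<sshd_status>[^ ]*); logname=(?<sshd_auth_logname>[^ ]*) * uid=(?<sshd_auth_uid>[^ ]*) *euid=(?<sshd_auth_euid>[^ ]*) *tty=(?<sshd_auth_tty>[^ ]*) *ruser=(?<sshd_auth_ruser>[^ ]*) *rhost=(?<sshd_rhost>[^ ]*) *user=(?<sshd_user>[^ ]*).*$/,
  'sshd.session' => /pam_unix\(sshd:(?<sshd_log_type>[^ ]*)\): session (?<sshd_status>[^ ]*) for user (?<sshd_user>[^ ]*)( by \(uid=(?<sshd_session_uid>[^ ]*)\))?.*$/,
  'dhcpd.discover' => /(?<dhcp_packet_type>.*) from (?<dhcp_client_mac_address>[^ ]+).*$/,
  'dhcpd.offer' => OFFER_ACK, 'dhcpd.ack' => OFFER_ACK
}.freeze

# First matching rule wins, as in rewrite_tag_filter; unknown idents map to 'null' (simplification).
def route(ident, message)
  rule = (ROUTES[ident] || []).find { |pattern, _tag| pattern.match?(message) }
  rule ? rule[1] : 'null'
end

# Returns [tag, fields]; fields is nil when the tag has no parser here or the format does not match.
def process(ident, message)
  tag = route(ident, message)
  m = PARSERS[tag]&.match(message)
  [tag, m && m.named_captures]
end

# The first three lines are the ones quoted in the config comments; the last one is constructed.
SAMPLES = [
  ['sshd', 'pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=root'],
  ['sshd', 'pam_unix(sshd:session): session opened for user user by (uid=0)'],
  ['dhcpd', 'DHCPOFFER on 192.168.1.3 to 08:00:27:e1:c9:ef (devbox) via eth1'],
  ['dhcpd', 'DHCPREQUEST for 192.168.1.3 from 08:00:27:e1:c9:ef via eth1']
].freeze

SAMPLES.each { |ident, message| p process(ident, message) }
```

The constructed DHCPREQUEST line is routed to `dhcpd.request`, a tag for which the configuration above defines no parser or output block, so it comes back with no fields.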