fluentd 模块化配置

fluentd 模块化配置

有没有办法设置 fluentd/td-agent,使其配置模块化?我知道有 @include 指令,但这只有在每次添加新内容时我都会修改主 td-agent.conf 文件,添加新规则来替换标签规则(就像下面的代码一样)时才有效。我想要实现的是设置通用的主 td-agent.conf 文件,它将自动包含特定目录中的所有配置文件。

问题是当我想从一个来源获得多个规则链时,例如:

syslog->dhcpd_logs->elasticsearch (ident dhcp, tag dhcp)
syslog->sudo_logs->elasticsearch (ident sudo, tag sudo)

现在我的配置是可扩展的但不是模块化的

<source>
    type syslog
    port 42185
    tag syslog
</source>

<match syslog.**>
    type rewrite_tag_filter
    rewriterule1 ident ^sudo sudo
    rewriterule2 ident ^sshd sshd
    rewriterule3 ident ^dhcpd dhcpd
</match>

<match sshd>
#   type stdout
    type rewrite_tag_filter
    rewriterule1 message pam_unix\(sshd:auth\).*$ sshd.auth
    rewriterule2 message pam_unix\(sshd:session\).*$ sshd.session
    rewritetule3 message .* null
</match>

# pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=root
<match sshd.auth>
#   type stdout
    type parser
    key_name message
    format /pam_unix\(sshd:(?<sshd_log_type>[^ ]*)\): authentication (?<sshd_status>[^ ]*); logname=(?<sshd_auth_logname>[^ ]*) * uid=(?<sshd_auth_uid>[^ ]*) *euid=(?<sshd_auth_euid>[^ ]*) *tty=(?<sshd_auth_tty>[^ ]*) *ruser=(?<sshd_auth_ruser>[^ ]*) *rhost=(?<sshd_rhost>[^ ]*) *user=(?<sshd_user>[^ ]*).*$/
    tag sshd.auth.parsed
    reserve_data yes
</match>

# pam_unix(sshd:session): session opened for user user by (uid=0)
<match sshd.session>
    type parser
    key_name message
    format /pam_unix\(sshd:(?<sshd_log_type>[^ ]*)\): session (?<sshd_status>[^ ]*) for user (?<sshd_user>[^ ]*)( by \(uid=(?<sshd_session_uid>[^ ]*)\))?.*$/
    tag sshd.session.parsed
    reserve_data yes
</match>

<match sshd.auth.parsed sshd.session.parsed>
#   type stdout
    type elasticsearch
    logstash_format true
    include_tag_key true
    tag_key tag
    flush_interval 10s
</match>

<match sudo>
    type rewrite_tag_filter
    rewriterule1 message PWD=[^ ]+ ; USER=[^ ]+ ; COMMAND=.*$ sudo.parse
    rewriterule2 message .* null
</match>

<match sudo.parse>
    type parser
    key_name message # this is the field to be parsed
    format /(?<sudo_user>.*) : TTY=(?<sudo_tty>[^ ]+) ; PWD=(?<sudo_path>[^ ]+) ; USER=(?<sudo_executed-as>[^ ]+) ; COMMAND=(?<sudo_comamnd>.*)$/
    tag sudo.parsed
    reserve_data yes
</match>

<match sudo.parsed>
    type elasticsearch
    logstash_format true
    include_tag_key true
    tag_key tag
    flush_interval 10s
</match>

<match dhcpd>
    type rewrite_tag_filter
    rewriterule1 message DHCPDISCOVER.*$ dhcpd.discover
    rewriterule2 message DHCPOFFER.*$ dhcpd.offer
    rewriterule3 message DHCPREQUEST.*$ dhcpd.request
    rewriterule3 message DHCPACK.*$ dhcpd.ack
    rewriterule4 message DHCPNACK.*$ dhcp.nack
    rewriterule5 message .* null
</match>

<match dhcpd.discover>
    type parser
    key_name message
    format /(?<dhcp_packet_type>.*) from (?<dhcp_client_mac_address>[^ ]+).*$/
    tag dhcpd.parsed
    reserve_data yes
</match>

# DHCPOFFER on 192.168.1.3 to 08:00:27:e1:c9:ef (devbox) via eth1"
# DHCPACK on 192.168.1.3 to 08:00:27:e1:c9:ef (devbox) via eth1"
<match dhcpd.offer dhcpd.ack dhcpd.nack>
    type parser
    key_name message
    format /(?<dhcp_packet_type>[^ ]+) on (?<dhcp_assigned_ip>[^ ]+) to (?<dhcp_client_mac_address>[^ ]+).*$/
    tag dhcpd.parsed
    reserve_data yes
</match>


<match dhcpd.parsed>
    type elasticsearch
    logstash_format true
    include_tag_key true
    tag_key tag
    flush_interval 10s
</match>

<match null>
  type null
</match>

# debug
#<match **>
#   type stdout
#</match>
<match syslog.**>
    type elasticsearch
    logstash_format true
    flush_interval 10s # for testing
</match>

我只想在 td-agent.conf 中拥有单一不可变的骨架,并只需添加新的 *.conf 文件即可自动包含和使用。

相关内容