Rsyslog template

Rsyslog Template

Our environment has syslog collectors that use rsyslog to listen and write the events to disk in JSON format. The events are then picked up by Filebeat and shipped to Graylog. Just wanted to share my config, if it helps anyone!

NOTE: There are suppressions for several events; these can be removed if you do not require them.

# provides UDP syslog reception
# Plain UDP on 514: the sender is not authenticated, and the hostname /
# programname values that the templates below put into the JSON fields and
# into the per-client file name are taken from the received datagram itself.
# The input is bound to the "remote_one" ruleset, so these messages are
# handled only by that ruleset and not by the default rules.
module(load="imudp")
input(type="imudp" port="514" ruleset="remote_one")

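# One JSON object per line for the collector output (consumed by Filebeat ->
# Graylog). Every string-valued property is emitted with format="json" so
# that quotes, backslashes and control characters inside the message body
# (or inside a hostname / programname chosen by the sender) are escaped
# instead of breaking the record or injecting extra keys into it. The
# original emitted "source" twice (both from hostname); duplicate keys are
# ambiguous in JSON, so it is written once.
template(name="json_template" type="list") {
    constant(value="{")
      constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
      constant(value="\",\"@version\":\"1")
      constant(value="\",\"message\":\"")     property(name="msg" format="json")
      constant(value="\",\"source\":\"")      property(name="hostname" format="json")
      constant(value="\",\"severity\":\"")    property(name="syslogseverity-text" format="json")
      constant(value="\",\"facility\":\"")    property(name="syslogfacility-text" format="json")
      constant(value="\",\"programname\":\"") property(name="programname" format="json")
      constant(value="\",\"procid\":\"")      property(name="procid" format="json")
      constant(value="\",\"forwarder\":\"")   property(name="fromhost" format="json")
    constant(value="\"}\n")
}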

#####
# %FTD-4-402119 = Anti-replay events
# %ASA-6-302014 = ICMP Teardowns
# %ASA-6-302021 = TCP Teardowns
#####

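# Per-client output file. HOSTNAME and PROGRAMNAME are parsed from the
# received message, so the sender controls what ends up in the path. The
# secpath-replace property option is rsyslog's guard for dynafile names: it
# rewrites path separators in the value so a crafted message cannot place
# the file outside /data/syslog/clients/ (check your rsyslog version's
# documentation for how it treats a bare ".." component).
template(name="RemoteLogs" type="string"
         string="/data/syslog/clients/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

# Drop the noisy firewall events listed above plus anything at debug
# severity; everything else from the UDP input is written as JSON.
ruleset(name="remote_one"){
   if not (($programname == '%FTD-4-402119') or ($programname == '%ASA-6-302014') or ($programname == '%ASA-6-302021') or ($syslogseverity-text == 'debug')) then {
       action(type="omfile" dynafile="RemoteLogs" template="json_template")
   }
}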

Very cool @brettjouw, thank you!
