На твари делаем в консоли
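# Point the ESXi host's syslog at the central syslog-ng collector (10.9.3.210).
# Only the TCP endpoint is kept: the collector config further down listens on
# tcp(port(514)) only, so a udp:// loghost was never received there, and listing
# both udp:// and tcp:// to the same host would deliver every message twice.
# NOTE(review): this is cleartext syslog; if the collector is set up for TLS,
# an ssl:// loghost is the better choice - confirm the collector side first.
esxcli system syslog config set --loghost=tcp://10.9.3.210:514

# Allow outbound syslog through the ESXi firewall and apply the rule change.
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh

# Reload the syslog agent so the new loghost takes effect.
esxcli system syslog reload

# Reachability check of the collector's TCP port only (no payload is sent).
nc -z 10.9.3.210 514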
В syslog-ng принимаем и шлем в elasticsearch
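## Receive ESXi logs (hostd/vpxa/vmkernel/...) over TCP 514.
## NOTE(review): the source accepts connections from any address; restrict who can
## reach port 514 at the firewall/network level so arbitrary senders cannot inject
## or flood log data. ${HOST} (used in the file name below) is taken from the
## message itself unless keep-hostname(no) is set - consider that, or
## check-hostname(yes), so a sender cannot influence the destination file name.
source tcp_remote_log_host_vmware {
    tcp(
        port(514)
        so_rcvbuf(67108864)
        log_iw_size(100000)
        log_fetch_limit(1000000)
        max-connections(200)
    );
};

## Keep only the ESXi daemons of interest (matched against the program-name prefix).
## Fixes: the stray ';' after the Hostd term cut the expression short and was a
## syntax error, and 'Rhttpproxt' was a typo for the ESXi reverse proxy 'Rhttpproxy'.
filter f_vmware {
    match('^Vpxa:')
    or match('^Hostd:')
    or match('^Rhttpproxy:')
    or match('^Fdm:')
    or match('^hostd-probe:')
    or match('^vmkernel:');
};

## Local copy of the filtered ESXi logs, one file per sending host.
destination d_vmware_file {
    file("/var/log/vmware/vmware_${HOST}_logs");
};

## Forward the same ESXi logs to Elasticsearch, one index per day.
## (The previous comment here was copied from an nginx/CDN rule and did not
## describe this destination.)
## NOTE(review): elasticsearch2() is the Java-based destination; newer syslog-ng
## releases ship elasticsearch-http() as its replacement - check the installed version.
## The cluster is reached over plain http with no credentials; acceptable only on
## a trusted segment, otherwise use https and authentication on the cluster side.
destination d_elastic_vmware {
    elasticsearch2(
        #client-lib-dir("/usr/share/elasticsearch/lib/")
        index("syslogvmware-${YEAR}.${MONTH}.${DAY}")
        type("test")
        time-zone("UTC")
        client_mode("http")
        flush-limit("10000")
        cluster_url("http://elasticnode1:9200")
        custom_id("${UNIQID}")
        template("$(format_json --scope nv_pairs --key ISODATE @timestamp=${ISODATE})")
    );
};

## One log path with both destinations (file + Elasticsearch); the original two
## statements used the same source and filter, so merging them changes nothing.
log {
    source(tcp_remote_log_host_vmware);
    filter(f_vmware);
    destination(d_vmware_file);
    destination(d_elastic_vmware);
};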