How to recognize and separate different syslogs

annk · September 11, 2018, 5:19pm

Hi,

I have couple of applications sending logs on to logstash on same port using rsyslog.
Is it possible to identify them on logstash syslog input using $InputFileTag or any other tags that I can configure on rsyslog configs ?

example

ceph-rsyslog.conf

$InputFileName /var/log/ceph/ceph-osd.log
$InputFileTag cephlog
$InputRunFileMonitor
$InputFileFacility local0

ceph-logstash.conf

input {
syslog {
host => "10.1.1.2"
port => 1544
if [InputFileTag] =~ "cephlog"{
type => "ceph"
}
}
}
filter {
if [type] =~ "ceph" {
mutate {
add_field => { "environment" => "lab" }
}
}
}

any other way of doing it ?

magnusbaeck · September 17, 2018, 4:45pm

What happens with the $InputFileTag setting? How (if at all) is that value included in the payload sent over the wire to Logstash? I suggest you use a stdout { codec => rubydebug } output to dump the raw event received by Logstash. Once we know what's available we can talk about how to use that information.

system · October 15, 2018, 4:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.