Sending changing log (name) to ELK

Yzord · February 1, 2017, 3:01pm

I have a little problem. I want to send a logfile with the name "firewall-01-02-2017.log" to my ELK server, but this file is changing every month to for instance "firewall-01-03-2017.log" etc.

So i thought it would be better to use another format in my logstash-forwarder config and i thought this one would be ok:

firewall-[0-3][0-9]-[0-1][0-9]-2[0-1][1-2][0-9].log

But it isn't doing much. My logstash-forwarder error log shows me this:

2017/02/01 15:44:33.166923 Waiting for 1 prospectors to initialise
2017/02/01 15:44:33.167089 All prospectors initialised with 0 states to persist
2017/02/01 15:44:33.167195 Setting trusted CA from file: /etc/pki/tls/certs/logstash-forwarder.crt
2017/02/01 15:44:33.176126 Connecting to [145...]:5043 (145...)
2017/02/01 15:44:33.273000 Connected to 145...*

So, it is connected, but apparently it isn't liking the format i used, but i would not know what format it wants to have. Anyone played with this?

Yzord · February 1, 2017, 5:16pm

Hmm, i just read that LSF isn't supported anymore, but my ELK stack is configured with it. Hopefully someone wants to help me with this issue

magnusbaeck · February 1, 2017, 5:36pm

That kind of pattern isn't supported. Only basic shell wildcards like ? and * are allowed, so try firewall-??-??-????.log or just firewall-*.log.

Yzord · February 1, 2017, 5:58pm

Thank you very much for your reply. Will test it out tomorrow when i'm at work.

system · March 1, 2017, 5:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.