Hi,
On my web server I have the following configuration for the access logs:
location : /var/log/customerA/access.log
location : /var/log/customerB/access.log
location : /var/log/customerC/access.log
So I think I need only one Logstash agent (install) and a config file like the following?
input {
  file {
    path => "/var/log/customerA/*.log"
    start_position => "beginning"
  }
  file {
    path => "/var/log/customerB/*.log"
    start_position => "beginning"
  }
  file {
    path => "/var/log/customerC/*.log"
    start_position => "beginning"
  }
}
filter {
  if [path] == "/var/log/customerA/*.log" {
    # my grok patterns
  }
  else if [path] == "/var/log/customerB/*.log" {
    # my grok patterns
  }
  else if [path] == "/var/log/customerC/*.log" {
    # my grok patterns
  }
}
output {
  if [path] == "/var/log/customerA/*.log" {
    elasticsearch {
      hosts => "http://localhost:9200"
      index => "customerA_index"
    }
  }
  else if [path] == "/var/log/customerB/*.log" {
    elasticsearch {
      hosts => "http://localhost:9200"
      index => "customerB_index"
    }
  }
  else if [path] == "/var/log/customerC/*.log" {
    elasticsearch {
      hosts => "http://localhost:9200"
      index => "customerC_index"
    }
  }
  stdout {
    codec => dots {}
  }
}

paz, May 8, 2017, 2:33pm
It should work without a problem. To make some parts easier to maintain if the number of customers increases, you could use a template for the output, like so:
input {
  file {
    path => "/var/log/customerA/*.log"
    start_position => "beginning"
    add_field => {
      "customer" => "customerA"
    }
  }
  file {
    path => "/var/log/customerB/*.log"
    start_position => "beginning"
    add_field => {
      "customer" => "customerB"
    }
  }
  file {
    path => "/var/log/customerC/*.log"
    start_position => "beginning"
    add_field => {
      "customer" => "customerC"
    }
  }
}
filter {
  if [customer] == "customerA" {
    # my grok patterns
  }
  else if [customer] == "customerB" {
    # my grok patterns
  }
  else if [customer] == "customerC" {
    # my grok patterns
  }
}
output {
  elasticsearch {
    hosts => "http://localhost:9200"
    index => "%{customer}_index"
  }
  stdout {
    codec => dots {}
  }
}
if [path] == "/var/log/customerA/*.log"{
 
Well, this won't work since the path field will contain the actual path to the log file.
I suggest you set a separate field (called e.g. "customer") in each file input plugin and use that field here.
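
An added example (not from the thread or from Elastic) of the point in the reply above: since `path` holds the concrete file name, the customer can be captured from it with an anchored grok instead of being compared to a glob. It assumes the legacy top-level `path` field used on this page (with ECS compatibility enabled the file input writes `[log][file][path]` instead); the `_customer_unknown` tag is a name chosen here. It also lowercases the value, because Elasticsearch index names must be lowercase, and keeps events without a customer out of Elasticsearch so they cannot end up in an index literally named `%{customer}_index`.

```logstash
input {
  file {
    # Explicit list of tenant directories taken from the question.
    # No /var/log/*/ wildcard, so unrelated logs are never read.
    path => [
      "/var/log/customerA/*.log",
      "/var/log/customerB/*.log",
      "/var/log/customerC/*.log"
    ]
    start_position => "beginning"
  }
}

filter {
  # [path] is the real file name, e.g. /var/log/customerA/access.log,
  # so capture the directory name rather than testing equality with a glob.
  grok {
    match => { "path" => "^/var/log/(?<customer>[^/]+)/" }
    # Tag name chosen for this example.
    tag_on_failure => ["_customer_unknown"]
  }

  # customerA -> customera: index names may not contain upper-case letters.
  mutate {
    lowercase => ["customer"]
  }

  # Per-customer grok patterns go here, keyed on [customer].
}

output {
  if "_customer_unknown" in [tags] {
    # Unattributed events never reach a tenant index; inspect them locally.
    stdout {
      codec => rubydebug
    }
  } else {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      # Resolves to customera_index, customerb_index, customerc_index.
      index => "%{customer}_index"
    }
  }
}
```

Adding a customer then only means adding one entry to the `path` list.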

system (system), Closed, June 5, 2017, 3:20pm
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.