Syslog input from multiple apps

I'm looking to set up a logstash instance that receives syslog input from a number (~ 10) web apps.

What is the best solution for identifying the source of each log? Ultimately I'd like an application field that identifies the source of the log.

It looks as though this may need to be handled at the application level, e.g. the app including its name in the log data, and a grok rule that transforms that into the application field, rather than being able to configure a separate logstash input for each application.

If you can change the remote syslog target on the applications themselves instead of the default 514 port, you can have different syslog inputs in the same instance, and add arbitrary fields per input to differentiate them, like so:

input {
    udp {
        port => "10000"
        add_field => {
            "application" => "apache"
        }
    }
    udp {
        port => "10001"
        add_field => {
            "application" => "nginx"
        }
    }
}

And have different filtering logic based on the application field value.

What is the best solution for identifying the source of each log? Ultimately I'd like an application field that identifies the source of the log.

Syslog payloads typically contain a program name field (the CRON token, just before the PID, in the example below).

May 8 21:17:01 bertie CRON[18039]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
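The grok approach from the question, done by hand so the field split is visible: this added example (not from the thread) parses BSD-style syslog lines like the one above and promotes the program name into an application field. The regex mirrors grok's SYSLOGTIMESTAMP/SYSLOGHOST/DATA/POSINT/GREEDYDATA sequence; the sample lines and the program-to-application mapping are constructed for illustration.

```python
import re
from typing import Optional

# Same field layout grok's %{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA}(?:\[%{POSINT}\])?: %{GREEDYDATA}
# would match; the PID in square brackets is optional because many daemons omit it.
SYSLOG_LINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# Constructed normalisation table: program names as they appear in the payload
# mapped to the application names you want to filter on. Unknown programs keep their name.
PROGRAM_TO_APPLICATION = {"CRON": "cron", "apache2": "apache"}


def parse_syslog_line(line: str) -> Optional[dict]:
    """Split one RFC 3164 style line into timestamp, host, program, pid, message
    and derive the application field from the program name.

    Returns None when the line does not match, so the caller can tag it
    (as Logstash does with _grokparsefailure) rather than guess a source.
    Note that the program name is supplied by the sender, unlike a port-based
    add_field, so treat it as a label, not as proof of origin.
    """
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["pid"] = int(event["pid"]) if event["pid"] else None
    event["application"] = PROGRAM_TO_APPLICATION.get(event["program"], event["program"])
    return event


if __name__ == "__main__":
    # Constructed sample input: the thread's cron line, a daemon without a PID, and junk.
    samples = [
        "May 8 21:17:01 bertie CRON[18039]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)",
        'Jun  3 10:00:00 web01 nginx: 10.0.0.5 - - "GET / HTTP/1.1" 200',
        "this is not a syslog line",
    ]
    for s in samples:
        print(parse_syslog_line(s))
```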
