Linux file monitoring - how to delete

[rhaig10695]

Hello,

I added a bunch of file monitors on a Linux server and i'd like to delete a few of them. How do I do this and is there a way to delete the data on the server as well?

Thanks!
Ryan

[sreinhardt]

You would need to modify the /etc/rsyslog.d/ config files. Depending on how you added those files, you may have lots of individual files or a single file. Deleting data from log server currently needs to be done from the command line and looks like:

Code: Select all

curl -XDELETE 'http://localhost:9200/logstash-*/_all/_query' -d '{
    "query" : {
        "term" : { "host" : "10.0.0.1" }
    }
}'

You would want to change the 10.0.0.1 to the host ip or name you wish to remove. This will output the number of successful and failed removals. One thing to note is that close indeces will not have data removed, they will need to be reopened first.

[eloyd]

Oh man, that's ugly. Any chance to add index/log management from the GUI? I mean, I love scripting curl requests all day, every day, but that's bound to introduce errors some day.

[tmcdonald]

I suppose that could be done. I suppose, even, that I could file a feature request for this. I suppose even further it could say something like:

Code: Select all

Feature Request:  Add logserver source removal scripts

Add ability to manage log entries per source, possibly with an auto-generated script that handles the syslog configs and phones home to alert NLS of the removal, similarly to how we offer setup scripts only in reverse.

and it would theoretically have the request ID 4434 in our internal feature requests queue.

Just a thought.

[eloyd]

Oh, perchance to dream that there existed such a magical place as that which you describe.

[tmcdonald]

What a world that would be.

rhaig10695, I have filed a feature request for this. Did the curl solution work for you?