Currently out of the box, I have the following input
syslog {
  type => 'syslog'
  port => 5544
}
how can I define an input where I can separate general server logs from application-specific logs, so that I have syslog vs applog? They are all using the same UDP port 5544.
Input for logtype
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
Re: Input for logtype
You can add as many inputs as you like, and change the 'type' field to reflect what you want them labeled as, only caveat would be they need to use different ports.
OR
You can add filters similar to the pre-defined apache filter to mutate the type to be named whatever you like, e.g.
Code:
if [program] == 'apache_access' {
  grok {
    match => [ 'message', '%{COMBINEDAPACHELOG}' ]
  }
  date {
    match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
  }
  mutate {
    replace => [ 'type', 'apache_access' ]
    convert => [ 'bytes', 'integer' ]
    convert => [ 'response', 'integer' ]
  }
}
Re: Input for logtype
scottwilkerson wrote: You can add as many inputs as you like, and change the 'type' field to reflect what you want them labeled as, only caveat would be they need to use different ports.
OR
You can add filters similar to the pre-defined apache filter to mutate the type to be named whatever you like, e.g.
Code:
if [program] == 'apache_access' {
  grok {
    match => [ 'message', '%{COMBINEDAPACHELOG}' ]
  }
  date {
    match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
  }
  mutate {
    replace => [ 'type', 'apache_access' ]
    convert => [ 'bytes', 'integer' ]
    convert => [ 'response', 'integer' ]
  }
}
what defines this program variable?
Here is what I have in one of my rsyslog conf files:
# Input for nnsjq_oc4j_out
$InputFileName /u01/app/oracle/product/10gr202/j2ee/nns_jq/log/nns_jq_default_island_1/oc4j.out
$InputFileTag nnsjq_oc4j_out:
$InputFileStateFile nls-state-u01_app_oracle_product_10gr202_j2ee_nns_jq_log_nns_jq_default_island_1_oc4j.out # Must be unique for each file being polled
# Uncomment the following line to override the default severity for messages
# from this file.
#$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor
# Forward to Nagios Log Server and then discard, otherwise these messages
# will end up in the syslog file (/var/log/messages) unless there are other
# overriding rules.
if $programname == 'nnsjq_oc4j_out' then @xx.xx.x.246:5544
if $programname == 'nnsjq_oc4j_out' then ~
So based on what you are saying, would it be something like this?
if [program] == 'nnsjq_oc4j_out' {
  mutate {
    replace => [ 'type', 'nnsjq_log' ]
  }
}
Will this be correct?
Re: Input for logtype
I implemented this, and it's working.
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
Re: Input for logtype
stecino wrote: what defines this program variable?
For items running through syslog, program is set with
Code:
$InputFileTag
However, you use the " if [xxxxxx] == 'xxxxxx' " logic for any field...
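Putting the two answers together, here is a complete input plus filter for the setup described in the thread, added as an illustration and not configuration from either poster or from Nagios. One syslog input listens on UDP 5544 for everything; the filter then reassigns type from the [program] field, which the syslog input fills from the syslog TAG that rsyslog's $InputFileTag writes (nnsjq_oc4j_out: above, without the trailing colon). The type names nnsjq_log and applog and the ^nnsjq_ tag prefix are assumptions for illustration; the array form of mutate is the same one the apache filter quoted earlier uses.

```logstash
input {
  # One listener for everything: server syslog and application logs
  # arrive on the same UDP port, so the input alone cannot tell them apart.
  syslog {
    type => 'syslog'
    port => 5544
  }
}

filter {
  # The syslog input parses the TAG of each message into [program]
  # (and [pid] when present). For rsyslog's imfile, the TAG is whatever
  # $InputFileTag was set to, minus the trailing colon.
  if [program] == 'nnsjq_oc4j_out' {
    mutate {
      replace => [ 'type', 'nnsjq_log' ]
    }
  } else if [program] =~ /^nnsjq_/ {
    # Any other file tagged with the assumed nnsjq_ prefix becomes a generic applog.
    mutate {
      replace => [ 'type', 'applog' ]
    }
  }
  # Messages that match neither branch keep type 'syslog' from the input.
}
```

On Nagios Log Server the input and filter parts go into the product's input and filter configuration rather than one file, and the output section is left out because the product supplies its own. Because every sender shares the one port, [program] is whatever TAG the sending host chose to put in the message; if the resulting type drives retention or alerting, also condition on the sending host (the [host] field the syslog input sets) so that a mislabelled or spoofed TAG from another machine does not land in the application log bucket.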
Re: Input for logtype
scottwilkerson wrote:
stecino wrote: what defines this program variable?
For items running through syslog, program is set with
Code:
$InputFileTag
However, you use the " if [xxxxxx] == 'xxxxxx' " logic for any field...
Got it, thanks. Please close this topic.