scottwilkerson wrote:
You can add as many inputs as you like, and change the 'type' field to reflect what you want them labeled as, only caveat would be they need to use different ports.
OR
You can add filters similar to the pre-defined apache filter to mutate the type to be named whatever you like, e.g.
if [program] == 'apache_access' {
    grok {
        match => [ 'message', '%{COMBINEDAPACHELOG}' ]
    }
    date {
        match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
    }
    mutate {
        replace => [ 'type', 'apache_access' ]
        convert => [ 'bytes', 'integer' ]
        convert => [ 'response', 'integer' ]
    }
}
What defines this program variable?
Here is what I have in one of my rsyslog conf files:
# Input for nnsjq_oc4j_out
$InputFileName /u01/app/oracle/product/10gr202/j2ee/nns_jq/log/nns_jq_default_island_1/oc4j.out
$InputFileTag nnsjq_oc4j_out:
$InputFileStateFile nls-state-u01_app_oracle_product_10gr202_j2ee_nns_jq_log_nns_jq_default_island_1_oc4j.out # Must be unique for each file being polled
# Uncomment the following line to override the default severity for messages
# from this file.
#$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor
# Forward to Nagios Log Server and then discard, otherwise these messages
# will end up in the syslog file (/var/log/messages) unless there are other
# overriding rules.
if $programname == 'nnsjq_oc4j_out' then @xx.xx.x.246:5544
if $programname == 'nnsjq_oc4j_out' then ~
So based on what you are saying, would it be something like this?
if [program] == 'nnsjq_oc4j_out' {
    mutate {
        # the whole value must be inside the quotes
        replace => [ 'type', 'nnsjq_log' ]
    }
}
Will this be correct?
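As an added illustration (not part of either post above), the following Python sketch mirrors what the chain discussed here does: rsyslog stamps each forwarded line with the tag from $InputFileTag, the syslog input parses that tag out of the RFC 3164 header into a program field, and the filter then rewrites type based on program. It assumes the Nagios Log Server syslog input parses the header the way Logstash's syslog input does; the regex, the sample line and the host name are constructed for the example.

```python
import re

# Regex approximating Logstash's SYSLOGLINE grok pattern for an RFC 3164 line:
#   <PRI>TIMESTAMP HOST TAG[PID]: MESSAGE
# The syslog input fills [program] from TAG, which is what rsyslog's
# $InputFileTag sets (the trailing ':' is not part of the program name).
SYSLOG_RE = re.compile(
    r'^(?:<(?P<priority>\d+)>)?'
    r'(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) '
    r'(?P<logsource>\S+) '
    r'(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<message>.*)$'
)

def parse_syslog_line(line):
    """Stand-in for the syslog input: header fields become event fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Logstash tags lines its grok pattern cannot parse
        return {'message': line, 'tags': ['_grokparsefailure']}
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    event.setdefault('type', 'syslog')   # default type set by the input
    return event

# Mapping from [program] to the desired type, in the spirit of the
# mutate/replace filters discussed above (constructed for this example).
PROGRAM_TO_TYPE = {
    'nnsjq_oc4j_out': 'nnsjq_log',
    'apache_access': 'apache_access',
}

def apply_type_filter(event):
    """Equivalent of: if [program] == '...' { mutate { replace => ['type', '...'] } }"""
    new_type = PROGRAM_TO_TYPE.get(event.get('program'))
    if new_type:
        event['type'] = new_type
    return event

# Constructed sample of what rsyslog forwards for the oc4j.out file
# when the conf contains: $InputFileTag nnsjq_oc4j_out:
SAMPLE = '<13>Mar  4 10:15:02 dbhost01 nnsjq_oc4j_out: 14/03/04 10:15:02 Started container'

if __name__ == '__main__':
    ev = apply_type_filter(parse_syslog_line(SAMPLE))
    print(ev['program'], ev['type'])   # prints: nnsjq_oc4j_out nnsjq_log
```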