Change sidecar config from Graylog server?

(T J Yang) #1


I followed R1 URL was able to have remote filebeat send in all manageiq logs (R2) under /var/www/miq/vmdb/log directory.

Is there a way to configure filebeat to just send in evm.log file, from graylog server side ?


R2: List of log files under /var/www/miq/vmdb/log

-rw-r--r-- 1 root root     2067 Nov 27 16:47 appliance_console.log
-rw-r--r-- 1 root root      286 Nov 27 16:48 websocket.log
-rw-r--r-- 1 root root      785 Nov 27 17:01 audit.log
-rw-r--r-- 1 root root     8420 Nov 27 17:02 policy.log
-rw-r--r-- 1 root root   131089 Nov 27 17:02 automation.log
-rw-r--r-- 1 root root    17552 Nov 27 17:14 fog.log
-rw-r--r-- 1 root root     2626 Nov 27 17:16 vmstat_output.log
-rw-r--r-- 1 root root    58850 Nov 27 17:16 production.log
-rw-r--r-- 1 root root    48485 Nov 27 17:16 api.log
-rw-r--r-- 1 root root   672349 Nov 27 17:16 top_output.log
-rw-r--r-- 1 root root 82374960 Nov 27 17:17 evm.log

(Tess) #2

Yes and no.

  • You define collector configurations (and their tags) on the Graylog side.
  • The sidecar_collector.yml file tells the Sidecar which collector configs it subscribes to.
  • So you can adjust the list of subscribed tags in the client-side YML file and you can adjust the tracked files on the Graylog side.

Unfortunately I don’t think there is a way to adjust the subscription tags in the YML file through Graylog itself. But you can always do that in other ways (like Ansible, Puppet, SSH, Powershell Remoting, etc).

In your case you can define a collector configuration, with its own tag. “evm” for example. To achieve what you want, you’d only put that tag into Sidecar config file on the agent-side.

(Ben van Staveren) #3

Nope - I had the same issue when testing the sidecar, and we solved it in production by using Ansible to write the YML config out. All servers receive a set of tags based on which groups in our Ansible inventory they live in, and based on that I created the collector configs to tailor each group’s config to it’s particular needs.

(Tess) #4

And technically speaking, that’s really not a bad way to handle things.

  • Use Graylog to define the collection rules
  • Use Ansible to manage each of your existing/new hosts.

(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.