Configuration of tags collector-sidecar


(Tom) #1

Currently im running a graylog instance with a couple of collectors for gathering the logdata.
I thougth I could use the tags to create different configurations for gathering the logdata.

I wanted it to use it as follows.

Setup the linux tag for gathering syslog messages and send it the to global beats input.
Setup the apache tag for gathering syslog messages and send it the to same global input.

This is not possible however. I would need an extra input for every tag on a seperate port. This would also mean I would have to punch more holes in the firewall for every configuration.

Is there an solution for this kind of use-case.

Furthermore It would be nice once you got a collector running, you could change some general configuration from the graylog web-interface like the tags etc


(Jan Doberstein) #2

you can have as many sources that are configured with the same input on graylog as you want.

Setup the linux tag for gathering syslog messages and send it the to global beats input.
Setup the apache tag for gathering syslog messages and send it the to same global input.

Tag: Syslog
Source: /var/log/syslog
Output: graylog:5044 (beats input of Graylog)

Tag: apache2
Source: /var/log/apache2/*.log
Output: graylog:5044 (beats input of Graylog)

If you have a feature request, please check the github issues if that feature is requested by someone else or create a new one.


(Tom) #3

thx for quick reply
If I do that than no messages are arriving on the input. No errors appear but no messages either

In Collector Sidecar Configurations
I have two configs one with linux tag the other with apache tag

In de config for linux tag i have
beats-output filebeat -> to global beats input
system-logs-input

and the config for the apache tag
beats-output-apache filebeat -> to global beats input
apache-logs -input


(Tom) #4

i could still use some input on this, dont seem to get it working


(Jan Doberstein) #5

hej @f1cyber

from your last message it wasn’t clear that this is not working for you.

Without any more detailed information it is not possible to give general help - because everything is said.

Maybe your question is hidden between the lines, but then you should reword your question and describe the goal and what is not working again.

regards
Jan


(Tom) #6

Will try to clarify, when I set up the collectors configuration like you mentioned.
Tag: Syslog
Source: /var/log/syslog
Output: graylog:5044 (beats input of Graylog)

Tag: apache2
Source: /var/log/apache2/*.log
Output: graylog:5044 (beats input of Graylog)

The collectors are then still active, but no message is coming in. There is no error in the log of the server or in the log of the collector.


(Jan Doberstein) #7

hej,

you leave out if you have configured a Graylog Input (Beats) on Port 5044 that is listening. And if your configuration is synced to the collector-sidecar and those are started without any errors.


(Tom) #8

Problem has been solved.

Yes the global beats input is configured on 5044 and the beats outputs are configured to use graylog on port 5044.
Configuration is and had been synced.

I did not see any errors in de logfiles as mentioned until I noticed there was a log file for filebeat I noticed some connection errors.

Turned out there was one beats output with a typo, so once you combine them on the collector side the correct url got overwritten with the bad url.


(system) #9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.