So I have latest Graylog installed (5.2). And I have one Linux client, which hosts 6 websites (apache2). So there are 6 apache access and 6 apache error logs. I need advice, what would be best practice to configure such client for apache log gathering? I understand that I could configure 12 inputs and add my custom fields in each input. But is it best configuration? I wonder is it possible to configure only two inputs - one for 6 access logs, another for the 6 errors logs? My answer would be yes, it is possible, but then goes my major question - if I would use such config - is it possible to somehow add one custom field for one log, another custom field for another, etc.
The short answer is that the Graylog recommendation is to have sources share the same input. If you have a need to have additional message tagging or other fields added you can have those fields added by your log shipper (e.g. filebeat) or use a pipeline rule to add that data.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.