Graylog - System and applicatif log same input

Hi everybody,
Thanks to them whom will try to help me !
I’m starting a new graylog project and I want to receive two different kind of log on this server : applicatif and system logs.
I have read on this forum that I can use and configure only one input to do it (I don’t have so much server) but my problem is that I need to use logstash to make my applicatif logs more understandable by graylog.
So the question is, with one input, how can i configure logstash to work only on my specif applicatif log ? Because my basic system log are already understandable by graylog.
Sorry for my english and thank you for your help !

You can easily create multiple inputs, e. g. a dedicated input for each category of log (system logs, application logs, network appliances logs), so you can use custom extractors for each category of log message.

Oh thank you for your quick answer !
So the easiest solution is to create two different input for each kind of log and using another port for the second one ? 5140 and 5141 for example ?
Thank you again !

Yes, exactly. There’s no limit on the number of inputs you can create (as long as they don’t listen on the same network socket).

Additionally, you can use streams to further categorize your data.

Perfect, thank you, i will try to do it soon
Last question, can I send system logs directly to my graylog input on the port 5140 or should I send them to the port 514 of my server and then, the rsyslog service will send it to “itself” on the port 5140 ?
I tried to send it directly to the 5140 input but it didn’t work

If you mean syslog and you’re running a syslog input on port 5140/udp or 5140/tcp, then this should work.

See GitHub - Graylog2/graylog-guide-syslog-linux: How to send syslog from Linux systems into Graylog for details.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.