How to receive logs by application name in graylog

Hello everyone,
I have a doubt. If I have several Tomcat instances with several applications and I would like them to reach Graylog by the name of each application so that they can be identified, how do I do it? I now use Filebeat, but it sends me everything mixed up. How can I solve it?

I'm sorry to be a nuisance.

Many many thanks,
Peter.

That’s an interesting use case. Is the application name a field in your log message? If so, then it seems like a saved search where you search for the application name as a part of your message would meet your need.

Not a Filebeat expert, but if it can send separate application log files to separate syslog destinations, then the easiest thing would be to send application 1 to syslog port x, application 2 to syslog port y, etc. Then you can just handle each application as its own input and go from there.

If not, but the message has an indicator of the application (field), you can have a single input that either separates the messages per application in a pipeline or via extractors, then you can route them into their own streams and possibly indices.

Hi everyone,

Thanks for the help. I am directly using Filebeat, not syslog. The question is: how can I use my Filebeat configuration to send Tomcat log files? Each log is from an application, and when they reach Graylog I would like to be able to receive them by application name, not all the messages together. How can I do it? Using some configuration in Filebeat or Graylog?

My conf.:

filebeat.inputs:
  - input_type: log
    paths:
      - /opt/tomcat/apliacion.log
  - input_type: log
    paths:
      - /opt/tomcat/apliacion2.log

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml

output.logstash:
  hosts: ["192.168.1.22:1010"]

The big question is whether Filebeat can send logs through different ports, I mean one different port for each log, to receive them in Graylog each with its own port. Is this possible?

Thank you very much for helping me…

Regards,
Peter.

On the Graylog side that is absolutely possible… on the Filebeat side… I'm not sure; you'd need to check the Elastic documentation or ask on their forums.

Filebeat Reference [7.10] | Elastic

But, depending on the format and contents of the log, you may be able to have everything sent to a single port and just handled on the Graylog side via extractors or pipelines and Streams.

You can simply add a custom field per log file:

filebeat.inputs:
  - input_type: log
    paths:
      - /opt/tomcat/application1.log
    fields:
      my_field: app1
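
Added example (not part of any post in the thread): the per-file custom field suggested above, applied to both log paths from the original configuration and sent through the single existing output. The field name `application_name` is taken from the thread; the values `app1` and `app2` are constructed labels.

```yaml
# Added example, not a config posted in the thread.
# app1 / app2 are constructed labels; paths and host are the ones from the original post.
filebeat.inputs:
  # One input per application log, so each input can carry its own label.
  - type: log                # key used in the Filebeat 7.x reference; the thread's configs write input_type
    paths:
      - /opt/tomcat/apliacion.log
    fields:
      application_name: app1
    # false (the default) nests the label under "fields";
    # true places it at the top level of the event instead.
    fields_under_root: false

  - type: log
    paths:
      - /opt/tomcat/apliacion2.log
    fields:
      application_name: app2
    fields_under_root: false

# Single output: both logs reach the same Graylog input and are
# told apart by the field, not by the port they arrive on.
output.logstash:
  hosts: ["192.168.1.22:1010"]
```

On the Graylog side, a stream rule or pipeline rule that matches on this field can then route each application into its own stream; the exact field name Graylog displays depends on the Beats input's settings.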

Hello everyone,
It's a good idea but checking everything. I have verified that a field called aplication_name can be added, and the question is: how can I configure my filebeat.conf so that for each app in my Tomcat I can see it in Graylog?

To explain myself better:

How to configure Filebeat so that Graylog collects logs by application_name?

Another question is how to set the application_name field. Why do I say that? Because when you reload the input, the application_name field disappears…

Many many many thanks,
Peter
