Massive web log from a rproxy server

rvenne · 2017-02-22 09:26:32 UTC

Hi all, we have installed a graylog server and it supposed to collect massive web log from a rproxy server. rproxy server has lots of separated upstream servers in different log files. so, if I send all web logs into a single “input” on grayserver, so I’ll get all different web logs within on single view right? How do you deal with a mutualized web server?
thanks for your answers

jochen · 2017-02-22 10:09:51 UTC

That’s what streams are for.

See http://docs.graylog.org/en/2.2/pages/streams.html for details.

jan · 2017-02-22 10:41:30 UTC

Input an view of the messages does not correlate.

You can have multiple inputs but one view (stream as @jochen already wrote) - or the other way around. Split the data to have different views.

rvenne · 2017-02-22 15:38:54 UTC

ok. I think, spliting collected datas on different views would be what I’m looking for. so, may do it with extractor? or, is there a better way to do that?

jochen · 2017-02-22 17:15:09 UTC

You can simply use Streams (and stream rules) for that, if there’s already a message field (like source) which you can use to categorize different messages.

rvenne · 2017-02-23 08:55:17 UTC

ok thanks. I’ll try to tell to nginx writing something withing logs to distinguish upstream server or request DNS.