Hi all, we have installed a Graylog server and it is supposed to collect massive web logs from an rproxy server. The rproxy server has lots of separate upstream servers in different log files. So, if I send all web logs into a single “input” on the Graylog server, I’ll get all the different web logs within one single view, right? How do you deal with a mutualized web server?
Thanks for your answers.
Input and view of the messages do not correlate.
You can have multiple inputs but one view (stream as @jochen already wrote) - or the other way around. Split the data to have different views.
OK. I think splitting the collected data into different views would be what I’m looking for. So, may I do it with an extractor? Or is there a better way to do that?
You can simply use Streams (and stream rules) for that, if there’s already a message field (like source) which you can use to categorize different messages.
OK, thanks. I’ll try to tell nginx to write something within the logs to distinguish the upstream server or request DNS.
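
One way to tag each nginx access-log line so stream rules have a field to match on, as an added example that is not from any participant in this thread. The format name `graylog_kv` and the log file path are assumptions; the `$...` variables are standard nginx variables.

```nginx
# Added example: the format name and log path are assumptions, adjust to your setup.
http {
    # key=value pairs are easy to split into separate Graylog message fields.
    # vhost  = $server_name : name of the server block that handled the request
    #                         (set in your config, not by the client)
    # host   = $host        : host name taken from the request (client supplied),
    #                         kept for investigation, not for routing
    # upstream = $upstream_addr : backend address the request was proxied to
    log_format graylog_kv 'vhost=$server_name host=$host upstream=$upstream_addr '
                          'client=$remote_addr status=$status '
                          'method=$request_method uri="$request_uri" '
                          'bytes=$body_bytes_sent rt=$request_time';

    access_log /var/log/nginx/access_kv.log graylog_kv;
}
```

Once the pairs are parsed into message fields on the Graylog side, a stream rule that matches the `vhost` (or `upstream`) field gives one stream per site while everything still arrives on a single input.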