Massive web log from a rproxy server
rvenne
(immanens)
#1
Hi all, we have installed a Graylog server and it is supposed to collect massive web logs from a rproxy server. The rproxy server has lots of separate upstream servers in different log files. So, if I send all web logs into a single “input” on the Graylog server, I’ll get all the different web logs within one single view, right? How do you deal with a mutualized web server?
Thanks for your answers
jochen
(Jochen)
#2
That’s what streams are for.
See http://docs.graylog.org/en/2.2/pages/streams.html for details.
jan
(Jan Doberstein)
#3
Input and view of the messages do not correlate.
You can have multiple inputs but one view (stream as @jochen already wrote) - or the other way around. Split the data to have different views.
rvenne
(immanens)
#4
OK. I think splitting the collected data into different views would be what I’m looking for. So, may I do it with an extractor? Or is there a better way to do that?
jochen
(Jochen)
#5
You can simply use Streams (and stream rules) for that, if there’s already a message field (like source) which you can use to categorize different messages.
rvenne
(immanens)
#6
OK, thanks. I’ll try to tell nginx to write something within the logs to distinguish the upstream server or request DNS.
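An added example, not part of the thread: one way to have nginx tag every access-log line with the virtual host and upstream, so that a single Graylog input can be split by stream rules on those fields. The hostnames, addresses, port, syslog tag and field names are placeholders, and it assumes a Syslog UDP input with a JSON extractor on the Graylog side.

```nginx
# Added example; all names, addresses and ports below are placeholders.
events {}

http {
    # escape=json (nginx 1.11.8+) escapes quotes and control characters in
    # client-supplied values (URI, Host, User-Agent), so a crafted request
    # cannot break the JSON or forge the fields the stream rules match on.
    log_format graylog_json escape=json
        '{'
        '"vhost":"$server_name",'        # configured name, not client-controlled
        '"request_host":"$host",'        # taken from the request, client-controlled
        '"upstream":"$upstream_addr",'
        '"remote_addr":"$remote_addr",'
        '"request_method":"$request_method",'
        '"request_uri":"$request_uri",'
        '"status":"$status",'
        '"body_bytes_sent":"$body_bytes_sent",'
        '"request_time":"$request_time",'
        '"upstream_response_time":"$upstream_response_time",'
        '"user_agent":"$http_user_agent"'
        '}';

    # One destination (one Graylog input) shared by every virtual host.
    access_log syslog:server=graylog.example.org:1514,tag=nginx_access graylog_json;

    upstream app_a { server 10.0.0.11:8080; }
    upstream app_b { server 10.0.0.12:8080; }

    server {
        listen 80;
        server_name a.example.org;
        location / { proxy_pass http://app_a; }
    }

    server {
        listen 80;
        server_name b.example.org;
        location / { proxy_pass http://app_b; }
    }
}
```

With the JSON keys extracted into message fields, a stream rule such as "vhost matches exactly a.example.org" gives one view per site. Match on vhost rather than request_host, since the latter comes from the client's Host header.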