Hello to all
I want to monitor with Graylog + Elasticsearch and entire folder and subfolders. Additionaly, this folder will contain new folders created automatically daily with “month/day” format and, creates a file xxxxxx.log inside.
I know that with Filebeat + Sidecar I can monitorice them but, I didn´t know what will be the way or sintax to use.
¿Can anyone help me please?
Regards
Hi @Redytel
by “Monitor” you mean, something working as a “watchdog” in this folder and then send a notification to graylog everytime a new file was created?
OR
You want filebeat to send logs from a folder no matter what the name or age is?
If you asking for the second one, you just have to add something like this in your filebeat.yml
paths:
- /var/log/*
Subfolders need to go deeper some levels like /var/log/*/*/*
If you asking for the first one (I guess not), you’ll need to write this watchdog script and then send log in gelf format.
Hello Reimlima
Sorry for the “bad question”, you are right, I wnat send los from a folder and subfolders.
I have test the syntax that you say me like this in filebeat on Windows collector.
I have put this path cause, I want to send logs for the folder EMC and subfolders
¿Is this correct?
Many thanks for the help
It should work,
give it a try.
I have configured this way 3 hours ago and it doesn´t work.
Possible I am configuring something wrong but have no idea if I can try something else
I’m sorry,
tottaly forgot to ask, are you using filebeat or winlogbeat?
I am using Filebeat and Sidecar.
If I put path this way, it works
If I put the way you say me, doesn´t do nothing
Maybe this helps you:
Hello reimlima
Thanks your for the links but, I can´t take the logs for that I need.
I can´t see the logs in Graylog for all the folders and subfolders.
I have test with “.log", ".log*.log” “**” and didn´t work.
¿Can you say me something else that can help me?
Many thanks
Hi,
Can you paste your configuration here?
Sure
My configuration is very easy at this moment, is default changing only this patch
this configuration came from your Graylog UI or from the server you’re trying to send those logs?
This is the Filebeat on Windows collector configuration that I have active to send logs from the desired server to Graylog.
ok, so…
these fields:
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
You see it this way only in your Graylog UI in the path system/sidecars/configuration/edit
Once those values are “internal variables” controled by graylog, in the server the fields ${sidecar.nodeName} and ${sidecar.nodeId} are replaced by the server name and the uniq ID graylog add to it.
If you can see this in your server, it’s wrong. The best way is to leave graylog handle this config file instead of do it manually.
Hello reimlima
Sorry for the late response but I was out of work some days
If it helps you, I will let you know some probes that I have made.
Configuring this way, I can send logs from one subfolders of C: or two subfolders of C: to Graylog or more…
But in any case, I can´t send logs of subfolders taking this syntax and applying it to path if I take the Folder “EMC” and want to send logs for subfolders.
¿It will help us to know what is wrong in the path configuration?
The internal variabes that you are saying, I see in the UI (connecting to Graylog management IP) and, taking collector configuration.
Hi,
does your logs in EMC folder have the extension “.log”?
Hi
Yes, I will copy an image of the path
Inside the repository folder, there is one file with .log extension, same that are in the EMC root folder
@Redytel just saw in your picture that you logfiles have 1KB of size.
They are, probably, empty.
Your filebeat isn’t sending data to graylog because there’s not to be sent.
Have you ever consider make a double-check to ensure that you Storage is able to write in those files?
Or if log messages are been supressed in the source by some configuration or so?
Hello Reimlima
I have solved at this time this “mistake”, the logs are not empty but, after you say this, we have write more in the logs to grow up space to 6KB and now, the logs are read with Graylog.
I leave the solution here cause, maybe it will be helpful for anyone.
Many thanks for your help, regards
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
