Nxlog config with index

sateesh · April 24, 2018, 6:29am

Hi,

I am trying to push my client server logs with nxlog to graylog as a index not with default index.

Is there any config issue with nxlog

User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules                              #
########################################
<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
        Module  im_file
        File    "/var/log/test/test.log"
</Input>

<Output out>
    Module      om_tcp
    Host        x.x.x.x
    Port        12201
    OutputType  GELF_TCP
    index => "test-%{+YYYY.MM.dd}"
</Output>

########################################
# Routes                               #
########################################
<Route r>
    Path        in => out
</Route>

jochen · April 24, 2018, 7:01am

Please elaborate on what you’re trying to achieve and post the complete configuration of all relevant components such as the configuration of the inputs in Graylog.

sateesh · April 24, 2018, 7:13am

I am trying create index in nxlog.conf, want to push my logs to defined index not with default index,
we have multiple clients depends on index we are going to push logs based on index will search the logs.

jochen · April 24, 2018, 7:49am

Neither NXLOG nor Graylog do support that in the way you intend it to work.

If you want to store messages in a different index (or index set), you’ll have to do this in Graylog using stream rules or pipeline rules:

sateesh · April 24, 2018, 9:03am

Is there any possibility with filebeat with graylog

jochen · April 24, 2018, 9:08am

Yes, Filebeat (or any log shipper supporting the Beats protocol) can be used with Graylog.

You could manually build the functionality to specify the target index in Filebeat, e. g. by using a custom message field which a pipeline rule in Graylog is using to identify the stream in which a message should be placed.

sateesh · April 24, 2018, 9:10am

what is the syntax to configure in filebeat either nxlog as a stream input.
if you have any conf file, please share

jochen · April 24, 2018, 9:39am

I won’t give you a copy & paste ready solution, but the general procedure would be the following:

Create a dedicated index set for the messages you want to store separately:
http://docs.graylog.org/en/2.4/pages/configuration/index_model.html#index-set-configuration
Create a stream based on the previously created index set:
http://docs.graylog.org/en/2.4/pages/streams.html#index-sets
Add a custom field to Filebeat which contains the name or the ID of the previously created stream:
https://www.elastic.co/guide/en/beats/filebeat/6.2/configuration-filebeat-options.html#configuration-fields
Create a pipeline rule or a stream rule (for the previously created stream) which sends the log message into the desired stream if the custom field you’ve created in Filebeat contains the pre-configured value:
http://docs.graylog.org/en/2.4/pages/pipelines/functions.html#route-to-stream
http://docs.graylog.org/en/2.4/pages/streams.html

system · May 8, 2018, 9:39am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Linux RedHat - NXLog Graylog Central (peer support) sidecar , filebeat-linux	9	4636	February 1, 2018
Multiple log format adding Graylog Central (peer support)	4	398	April 23, 2018
Send logs to many indexes Graylog Central (peer support)	2	2240	December 15, 2017
NXLOG failing to send GELF to graylog New to Graylog Community? READ-ME FIRST Guides	4	1023	November 11, 2022
Rules for routing messages to different indexes Graylog Central (peer support) route-to-streampl	9	582	March 22, 2024

Nxlog config with index

Related topics