Rsyslog app name

Hello,
I’ve configured RHEL 7 to send /var/log/messages and /var/log/secure to Graylog.
How do I configure specific fields in Graylog to show the log origin?
I’d like to distinguish between those logs and have a separate graph for each of them. Each log should have a different application name.

This is my configuration file for /var/log/messages:

```
# Load the file input module and follow /var/log/messages
$ModLoad imfile
$InputFileName /var/log/messages
$InputFileTag messages
$InputFileStateFile stat-messages
$InputFileSeverity Info
$InputRunFileMonitor

# Forward lines read from the file over TCP (@@), then stop processing them locally
if $programname == 'messages' then @@graylog-input-tcp.domain.com:12345
if $programname == 'messages' then stop
```

Not sure how to tag with rsyslog -

From what I read, it is restrictive in comparison to Beats or Nxlog (where it’s easy to tag). They are pretty small clients and easy to install… I can post my default Filebeat configuration if you decide to go that route.

Please share. Maybe I will be able to apply it to my use case.

This is just the auth collector configuration. You can add multiple log files into one collector. If you need more help with setting up Filebeat, start a new thread… :smiley:

```yaml
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

filebeat.inputs:
- type: filestream
  id: id-linux-auth
  enabled: true
  # Files followed by this input; add more entries to collect more logs
  paths:
    - /var/log/auth.log
  # Tags and custom fields travel with every event from this input
  tags:
    - linux
  logging.metrics.enabled: false
  fields:
    os_ver: ubuntu

output.logstash:
  hosts:
    - ${user.LinuxIn}

path:
  data: /var/cache/graylog-sidecar/filebeat/data
  logs: /var/log/graylog-sidecar
```
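Added example, not written by any poster in this thread: a legacy-syntax rsyslog configuration that gives each file its own imfile tag, so the two streams arrive with different program names. The target host and port are copied from the first post; the `secure` tag and the `stat-secure` state file name are assumptions.

```conf
# Added example (not from the thread). One imfile input per file, each with its own tag.
$ModLoad imfile

# /var/log/messages -> tag "messages:"
# The trailing colon ends the syslog tag on the wire; $programname is still 'messages'.
$InputFileName /var/log/messages
$InputFileTag messages:
$InputFileStateFile stat-messages
$InputFileSeverity info
$InputRunFileMonitor

# /var/log/secure -> tag "secure:" (tag and state file name are assumptions)
# Each file needs its own state file and its own $InputRunFileMonitor line.
$InputFileName /var/log/secure
$InputFileTag secure:
$InputFileStateFile stat-secure
$InputFileSeverity info
$InputRunFileMonitor

# Forward both streams over TCP (@@), then stop so the lines read back from
# the files are not written to the local logs a second time.
if $programname == 'messages' then @@graylog-input-tcp.domain.com:12345
if $programname == 'messages' then stop
if $programname == 'secure' then @@graylog-input-tcp.domain.com:12345
if $programname == 'secure' then stop
```

On a Graylog Syslog input the tag normally appears as the `application_name` field, which can then drive separate searches and graphs; check the field on a received message before building dashboards on it.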
