Rsyslog app name

I’ve configured RHEL 7 to send /var/log/messages and /var/log/secure to Graylog.
How do I configure specific fields in Graylog to show the log origin?
I’d like to distinguish between those logs and have a separate graph for them. Each log should have a different application name.

This is my configuration file for /var/log/messages:

```
$ModLoad imfile
$InputFileName /var/log/messages
$InputFileTag messages
$InputFileStateFile stat-messages
$InputFileSeverity Info

if $programname == 'messages' then
if $programname == 'messages' then stop
```

Not sure how to tag with rsyslog -

From what I read it is restrictive in comparison to Beats or Nxlog (where it’s easy to tag). They are pretty small clients and easy to install… I can post my default filebeat configuration if you decide to go that route.

Please share. Maybe I will be able to apply it to my use case.

This is just the auth collector configuration; you can add multiple log files into one collector. If you need more help with setting up filebeats, start a new thread… :smiley:

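```
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

# Parent keys (filebeat.inputs, paths, tags, fields, output.logstash/hosts, path)
# are assumed from Filebeat's standard layout; only their values appear in the post.
filebeat.inputs:
- type: filestream
  id: id-linux-auth
  enabled: true
  paths:
    - /var/log/auth.log
  tags:
    - linux
  logging.metrics.enabled: false
  fields:
    os_ver: ubuntu

# Assumed output type: Graylog Beats inputs receive from the Logstash output.
output.logstash:
  hosts:
   - ${user.LinuxIn}

path:
  data: /var/cache/graylog-sidecar/filebeat/data
  logs: /var/log/graylog-sidecar
```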
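For the rsyslog question at the top of the thread, the tag that imfile assigns to each file is what a Graylog syslog input shows as `application_name`, so one input per file with its own tag is enough to tell the two logs apart. The following is an added example, not a configuration posted by anyone in the thread; the Graylog host, the port and the ruleset name are placeholders, and it uses the newer RainerScript syntax instead of the legacy `$Input...` directives.

```rsyslog
# Added example. graylog.example.com, port 1514 and the ruleset name
# "toGraylog" are placeholders, not values from the thread.
module(load="imfile")

# Dedicated ruleset: lines read from the files are forwarded and never
# reach the default rules, so they are not written back into
# /var/log/messages (which would create a feedback loop).
# The RFC 5424 template carries the tag as APP-NAME.
ruleset(name="toGraylog") {
    action(type="omfwd"
           target="graylog.example.com"
           port="1514"
           protocol="tcp"
           template="RSYSLOG_SyslogProtocol23Format")
}

# One input per file, each with its own tag.
input(type="imfile"
      File="/var/log/messages"
      Tag="messages"
      Severity="info"
      ruleset="toGraylog")

input(type="imfile"
      File="/var/log/secure"
      Tag="secure"
      Severity="info"
      ruleset="toGraylog")
```

In Graylog, searching on `application_name:messages` or `application_name:secure` then gives one series per log for separate graphs.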