Hello there,
I’m trying to send Oracle logs (log.xml) to graylog via collector-sidecar without success.
Does anybody has an idea how to configure that?
Thanks a log
Max
Hej Max,
some more information would be nice. What OS is your Oracle running on? What documentation/how-to did you follow? What are the problems you are facing?
Hi Jan,
Graylog 2.2 OS :SLES12
Oracle 11 OS: SLES12
The collector (Filebeat) is running well and if I go to Graylog console -->Collectors and click on the server where the collector is running, I can see the Oracle Log file (log.xml), but i’m not getting any messages on the search view.
The collector was installed according to the installation guidelines from Graylog Documentation and is also implemented to get logs from Apache2 (which is working very well), but not when the logs to transfer are in an xml file (oracle case)
So, my questions are:
- how can I read the oracle log.xml file in graylog, or
- how can I transfer the logs entries from this log.xml file to Graylog
How-To documentation about transfer oracle logs to Graylog I did not found
I have setup Graylog to get all Syslogs (Linux), Eventlogs (Windows) and logs from apache (linux) and everything works fine, except for oracle log.xml
Do you have an idea?
Thanks a lot in advance
BR
Max
Hej Max,
I have written this blog post about how to get a file into Graylog (multiline). Maybe this gives you an Idea.
Without knowing how you had configured the Sidecar, I did not have any Idea.
Thanks . Yeah your blog is interesting and actually I followed but still not working. So here are the configurations i have for Sidecar and filebeat:
– SIDECAR
server_url: http://:9000/api/
update_interval: 10
tls_skip_verify: true
send_status: true
list_log_files:
- /oracle/v01/diag/rdbms/ksj/KSJ/alert
node_id:
collector_id: file:/etc/graylog/collector-sidecar/collector-id
cache_path: /var/cache/graylog/collector-sidecar
log_path: /var/log/graylog/collector-sidecar
log_rotation_time: 86400
log_max_age: 604800
tags:
- oracle
backends:
- name: nxlog
enabled: false
binary_path: /usr/bin/nxlog
configuration_path: /etc/graylog/collector-sidecar/generated/nxlog.conf
- name: filebeat
enabled: true
binary_path: /usr/bin/filebeat
configuration_path: /etc/graylog/collector-sidecar/generated/filebeat.yml
– FILEBEAT
filebeat:
prospectors:
- document_type: oracle
encoding: plain
fields:
collector_node_id: kdcora002
gl2_source_collector: acb88517-cf06-47ae-90c6-e88d6a554ff1
logtype: alert
ignore_older: 0
input_type: log
multiline:
match: after
negate: false
pattern: ^<msg|$
paths:- /oracle/v01/diag/rdbms/ksj/KSJ/alertlog.xml
scan_frequency: 10s
tail_files: true
output:
logstash:
hosts: - :5044
path:
data: /var/cache/graylog/collector-sidecar/filebeat/data
logs: /var/log/graylog/collector-sidecar
tags:
- /oracle/v01/diag/rdbms/ksj/KSJ/alertlog.xml
- oracle
So, the file is an xml log and contains multi-lines like this:
Completed checkpoint up to RBA [0x595.2.10], SCN: 3394482
Now, I’m getting the logs in but the parsing for multiline does not really work. I got only one part of it:
<msg time=‘2017-06-09T14:02:47.134+02:00’ org_id=‘oracle’ comp_id=‘rdbms’
The rest is not being interpreted
Any hint?
Hey Jan,
Did you have a chance to see my reply?
BR
Max
This is not a personal support channel.
If you need individual support, consider buying Graylog Enterprise: https://www.graylog.org/enterprise
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.