Two GELF udp inputs for two different apps on one graylog docker implementation

Ok, so I’m bumping my head over this for a day or two and can’t figure out if I can use more than one app which has GELF UDP driver to send their logs into the Graylog server.

I have two different apps that I want to collect logs into Graylog and they have GELF driver implemented as a logging service and I want their logs to send them to two different Graylog Inputs in order to separate them into different streams and indices.

Docker graylog listens to only one port Gelf UDP port 12201 and it doesn’t make sense if I create two different inputs with the same address and port.

Is there any way to separate them to different ports, e.g. 12202 for the second app, 12203 for the third app, etc.? Or do I need to have a different Graylog in order to achieve this?

Or am I missing something in the configuration documentation that I don’t understand?

Please help me out

Hello,
I think you have more options and one GELF input will be enough:

  1. Send different GELF host field from your app if you can change it, so every application will have different field to distinguish
    https://docs.graylog.org/en/3.1/pages/gelf.html
  2. Or send another field from your app, for example _app_name
  3. Create new stream for every app (for example app1, app2…)
  4. If you want separate index for stream, update Index Set parameter. Check “Remove matches from ‘All messages’ stream” if you don’t want to include in default index. Or use parameter remove_from_default: true if you use pipeline rule.
  5. Either use stream rules (Streams - Manage Rules - Add stream rule): Field: _app_name, Type: match exactly, Value: app1
  6. Or create new pipeline with rules to separate apps to streams:

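```
rule "send-to-app1-stream"
when
  has_field("_app_name") AND to_string($message._app_name) == "app1"
then
  route_to_stream("app1");
  // Same call with remove_from_default, which also drops the message
  // from the default stream; keep only one of the two calls.
  route_to_stream(name: "app1", remove_from_default: true);
end
```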

  7. If you have more apps you can create CSV file with lookup table and only one pipeline rule like this:

```
rule "assign stream from lookup"
when
  // Only act when the "parsers" lookup table has an entry for this app
  is_not_null(lookup_value("parsers", to_string($message._app_name)))
then
  let parser = lookup_value("parsers", to_string($message._app_name));
  route_to_stream(parser);
  // route_to_stream(name: parser, remove_from_default: true);
end
```

1 Like
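What options 1 and 2 look like on the sending side, as an added example that is not part of the answer above: two apps build GELF 1.1 datagrams for the same UDP input on port 12201 and differ only in `host` and `_app_name`. The function names, host names, the 127.0.0.1 server address and the 8192-byte size limit are assumptions made for this sketch.

```python
import json
import re
import socket
import time
import zlib

# GELF 1.1: additional fields start with "_" and may contain only word
# characters, dots and dashes; "_id" is reserved.
ADDITIONAL_FIELD = re.compile(r"^_[\w.\-]+$")


def build_gelf(app_name, short_message, host, level=6, **extra):
    """Return a zlib-compressed GELF 1.1 datagram tagged with _app_name."""
    msg = {
        "version": "1.1",
        "host": host,                  # option 1: a distinct host per app
        "short_message": short_message,
        "timestamp": time.time(),
        "level": level,                # syslog severity, 6 = informational
        "_app_name": app_name,         # option 2: a dedicated field
    }
    for key, value in extra.items():
        field = "_" + key
        if field == "_id" or not ADDITIONAL_FIELD.match(field):
            raise ValueError(f"invalid GELF additional field: {field!r}")
        msg[field] = value
    payload = zlib.compress(json.dumps(msg).encode("utf-8"))
    if len(payload) > 8192:            # assumed limit for one datagram
        raise ValueError("payload needs GELF chunking, which this sketch omits")
    return payload


def send_gelf(payload, server=("127.0.0.1", 12201)):
    """Send one datagram to the single GELF UDP input (assumed address)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, server)


if __name__ == "__main__":
    # Constructed sample messages from two different apps, same input.
    send_gelf(build_gelf("app1", "user login ok", host="web-01"))
    send_gelf(build_gelf("app2", "job finished", host="worker-01", job_id=42))
```

Graylog's GELF decoder stores additional fields without the leading underscore, so look at a received message to see the exact field name before writing the stream rule or pipeline condition.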

Hey, good work.

I just tried this and it is a good solution.

I created new separate stream and a rule to just parse my logs according to the host field.

Thanks a lot