Ok, so I’ve been bumping my head over this for a day or two and can’t figure out if I can use more than one app that has a GELF UDP driver to send logs to the Graylog server.
I have two different apps whose logs I want to collect in Graylog. They have a GELF driver implemented as a logging service, and I want to send their logs to two different Graylog inputs in order to separate them into different streams and indices.
Docker Graylog listens on only one GELF UDP port, 12201, and it doesn’t make sense to create two different inputs with the same address and port.
Is there any way to separate them onto different ports, e.g. 12202 for the second app, 12203 for the third app, etc.? Or do I need to have a different Graylog in order to achieve this?
Or am I missing something in the configuration documentation that I don’t understand?
Or send another field from your app, for example _app_name.
Create a new stream for every app (for example app1, app2…).
If you want a separate index for a stream, update the Index Set parameter. Check “Remove matches from ‘All messages’ stream” if you don’t want to include them in the default index. Or use the parameter remove_from_default: true if you use a pipeline rule.
Either use stream rules (Streams - Manage Rules - Add stream rule): Field: _app_name, Type: match exactly, Value: app1
Or create a new pipeline with rules to separate apps into streams:
rule "send-to-app1-stream"
when
  has_field("_app_name") AND to_string($message._app_name) == "app1"
then
  route_to_stream("app1");
  // route_to_stream(name: "app1", remove_from_default: true);
end
If you have more apps you can create a CSV file with a lookup table and only one pipeline rule like this:
rule "assign stream from lookup"
when
  is_not_null(lookup_value("parsers", to_string($message._app_name)))
then
  let parser = lookup_value("parsers", to_string($message._app_name));
  route_to_stream(parser);
  // route_to_stream(name: parser, remove_from_default: true);
end
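The sending side of the approach above, as an added example that is not part of the original posts: two apps share the single GELF UDP input on port 12201 and each message carries an `_app_name` field for the stream rules to match on. The helper names, the host name, the sample events and the 8192-byte single-datagram limit are assumptions made for illustration.

```python
import json
import re
import socket
import time
import zlib

GELF_FIELD_RE = re.compile(r"^_[\w.\-]+$")  # GELF 1.1 naming rule for additional fields
MAX_DATAGRAM = 8192  # assumed conservative limit; larger payloads need GELF chunking


def build_gelf(app_name, short_message, host="app-host-1", level=6, **extra):
    """Return a GELF 1.1 dict tagged with _app_name plus any extra fields."""
    msg = {
        "version": "1.1",
        "host": host,  # hypothetical source host name
        "short_message": short_message,
        "timestamp": time.time(),
        "level": level,  # syslog severity, 6 = informational
        "_app_name": app_name,  # the field the stream or pipeline rule matches
    }
    for key, value in extra.items():
        field = key if key.startswith("_") else "_" + key
        # The GELF spec reserves _id and restricts the characters in field names.
        if field == "_id" or not GELF_FIELD_RE.match(field):
            raise ValueError(f"invalid GELF additional field: {field!r}")
        msg[field] = value
    return msg


def encode_gelf(msg):
    """Serialize and zlib-compress; refuse payloads that would need chunking."""
    payload = zlib.compress(json.dumps(msg).encode("utf-8"))
    if len(payload) > MAX_DATAGRAM:
        raise ValueError("payload exceeds one datagram; chunking not implemented")
    return payload


def send_gelf(msg, server="127.0.0.1", port=12201):
    """Send one message to the single GELF UDP input; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(encode_gelf(msg), (server, port))


if __name__ == "__main__":
    # Constructed sample events: two apps, one input, told apart by _app_name.
    send_gelf(build_gelf("app1", "user login ok", user="alice"))
    send_gelf(build_gelf("app2", "payment declined", order=1017))
```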