Using sidecar to read in multiple logs from one server but keeping them separate

1. Describe your incident:
I have a graylog server and I am going to use sidecar to read in (filebeat) logs from a remote (linux) server. I am already reading in files from this remote server. My boss wants me to read in more files from a different location in the remote server and make a dashboard on them. I have tried to make a new configuration and add it to the sidecar but it overwrites the previous one I had. Is there a way to read in logs from two different directories and give them a tag to identify which file/collector the logs came from? This way I can make a specific dashboard for each part of the logs in the server.

2. What steps have you already taken to try and solve the problem?
I have tried to make two configurations and give it to one sidecar. This results in one filebeat configuration being overwritten. Even if this did work I do not know if it would somehow tag the logs from one configuration so I can keep them separate from the rest of the logs from my remote server.

3. How can the community help?

How can I set up two configurations on the same sidecar to keep logs separate? I am looking to tag two different log locations somehow and use those tags to make specific dashboards. Is this possible? I am running the most current version of graylog.

Hello && welcome!!

One of my old posts here (my first post on the question) was related to ignoring messages at the filebeat side for windows so they wouldn’t be shipped to Graylog… but incidentally it also shows using filebeat for multiple files. The only difference really is changing the paths to be linux-ish.

Hope that helps!

The problem is I want multiple logs from different locations in the same server. I know I can get these logs pretty easily but then I run into the problem of somehow making a dashboard since the logs do not have any way to distinguish where they came from other than the server name, which is the same. The way you do it, does it give some kind of tag to separate the logs in graylog?

Example:
/var/log/apache2/.log*
/var/log/apache2/newDirectory/.log*

I would get logs from these two locations and want a dashboard for each location. Problem is that the logs are virtually the same but created by different teams in the work force. Any way to put a tag or identifier so I can keep these logs separate?

Sorry if this is confusing I am new to graylog and just a student worker at my university.

That’s in there… Creating a unique field in each message of that particular log… one looks like this:

  fields:
    unique_log_tag: rpc_http

You can make it like this if you like:

  fields:
    log_tag: apache_team_1

Is there a difference between unique and the second example you posted? Does unique just make it so the tag name is not used in other configurations and the second example is so you can group several logs together across multiple configurations?

No difference… is simply what you want. The following would be fine:

  fields:
    i_am__batman: gsmith
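
Putting the replies above together, as an added example that is not from the original posts: one Filebeat configuration assigned to the Sidecar, with two inputs that each carry their own `log_tag`. The paths follow the question's example; the Graylog host, the second tag value `apache_team_2` and the data/log directories are assumptions.

```yaml
# Added example: a single Sidecar-managed Filebeat configuration with two inputs,
# so nothing is overwritten and every message says which input it came from.

# Header lines as used in Graylog Sidecar Filebeat configurations.
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

filebeat.inputs:
  # Input 1: first team's logs (path assumed from the question's example).
  # The * glob does not descend into subdirectories, so newDirectory is not read twice.
  - type: log
    paths:
      - /var/log/apache2/*.log
    fields:
      log_tag: apache_team_1
    fields_under_root: true

  # Input 2: second team's logs in the subdirectory.
  - type: log
    paths:
      - /var/log/apache2/newDirectory/*.log
    fields:
      log_tag: apache_team_2   # assumed value, pick any name
    fields_under_root: true

output.logstash:
  hosts: ["graylog.example.org:5044"]   # placeholder for the Graylog Beats input

path:
  # Assumed locations for Filebeat state and logs under the Sidecar.
  data: /var/lib/graylog-sidecar/collectors/filebeat/data
  logs: /var/lib/graylog-sidecar/collectors/filebeat/log
```

The name the tag appears under in Graylog depends on `fields_under_root` and on the Beats input's prefix setting, so check one received message before building the dashboard queries.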
