Where are log files saved?

Hi all, where does Graylog save (on the server) the logs that nginx sends to it?

All data sent to Graylog is stored in ElasticSearch.

I know this, but I need the default path or file name.

No. You don’t.

There is no path or filename.

The logs are INSIDE ElasticSearch.

Okay, but can I see any IP address which nginx sends in the log?

To summarize: Graylog centrally collects, stores and queries log data. Your systems will be configured to send their logging to Graylog, which will parse it and store it inside ElasticSearch. From the Graylog GUI you can query all the logs that have been stored, searching on specific fields and values.

If your NginX logs are sent to Graylog and if they contain the data that you want to see, then yes you can see this data in Graylog.

Okay, but can I see any IP address which nginx sends in the log?

I am having trouble understanding what you are asking for. Do you want:

  • IP addresses that are part of NginX log files?
  • IP addresses of the NginX hosts that have sent log files?
  • IP addresses of hosts, where the word “nginx” was part of the log message?

EDIT: removed some bluntness from my post, sorry.

I want to see where Elastic saves the logs that nginx sends, and find any IP address in the log without the web interface.
P.S. Sorry for the poor explanation, but English is not my native language.

You CANNOT just grep in the Elastic files. ElasticSearch is a database. The log messages that are received and stored are thrown in a big data lake. If you’re running an ElasticSearch cluster, you will even see that the data is spread across nodes and not present on all hosts!

So you HAVE TO go through Graylog, or through ElasticSearch’s own search engine.

Go look for yourself.

/var/lib/elasticsearch/nodes/*/ and move downwards from there. That’s where the running ElasticSearch stores its indices. Run an ls -lRrt /var/lib/elasticsearch/nodes/* for all I care :) You won’t find files that you can grep against.

Okay, thanks for the help

You can use the Elasticsearch or Graylog API to search the logs, so you can avoid using the web interface.
Or you can use elasticdump, but in that case I suggest using rsyslog instead of Graylog.
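An added example (not code from any poster in this thread or from the Graylog project) of doing what the reply above suggests in Python: query Graylog's REST API instead of the web interface and pull client IP addresses out of nginx access-log messages. It assumes Graylog's legacy relative universal search endpoint (/api/search/universal/relative) with HTTP basic auth and a source:nginx query; the host graylog.example, the credentials, and the sample response embedded below are constructed placeholders in the shape that endpoint returns.

```python
"""Search Graylog over its REST API and extract IPv4 addresses from nginx log
messages, without the web interface.

Assumptions (not confirmed by the thread): the legacy relative universal search
endpoint /api/search/universal/relative and HTTP basic auth. Host and
credentials below are placeholders."""
import base64
import ipaddress
import json
import re
import urllib.parse
import urllib.request

# Dotted-quad candidates; each one is validated with ipaddress afterwards so
# that strings like 999.1.1.1 are rejected instead of reported.
_IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_search_request(base_url, username, password,
                         query="source:nginx", range_seconds=3600, limit=500):
    """Build a urllib Request for a relative-time search on the Graylog API."""
    params = urllib.parse.urlencode({
        "query": query,            # Graylog search syntax, e.g. source:nginx
        "range": range_seconds,    # look back this many seconds
        "limit": limit,
        "fields": "timestamp,source,message",
    })
    url = f"{base_url.rstrip('/')}/api/search/universal/relative?{params}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    })


def extract_ips(search_response):
    """Return the distinct, valid IPv4 addresses found in the message text of a
    Graylog search response, sorted numerically."""
    found = set()
    for hit in search_response.get("messages", []):
        text = str(hit.get("message", {}).get("message", ""))
        for candidate in _IPV4_CANDIDATE.findall(text):
            try:
                found.add(str(ipaddress.IPv4Address(candidate)))
            except ValueError:
                pass  # an octet out of range, not an address
    return sorted(found, key=ipaddress.IPv4Address)


def fetch_and_extract(request, opener=urllib.request.urlopen):
    """Run the request against a live Graylog and extract IPs from the result.
    The opener is injectable so the parsing can be exercised offline."""
    with opener(request) as resp:
        return extract_ips(json.load(resp))


# Constructed sample in the shape the endpoint returns: a "messages" list whose
# entries wrap the stored fields under "message". Two distinct valid client IPs,
# one repeated, and one invalid address that must be dropped.
SAMPLE_RESPONSE = {
    "total_results": 4,
    "messages": [
        {"index": "graylog_0", "message": {"source": "nginx", "message":
            '192.168.1.20 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612'}},
        {"index": "graylog_0", "message": {"source": "nginx", "message":
            '10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 401 0'}},
        {"index": "graylog_0", "message": {"source": "nginx", "message":
            '192.168.1.20 - - [10/Oct/2023:13:55:41 +0000] "GET /favicon.ico HTTP/1.1" 404 153'}},
        {"index": "graylog_0", "message": {"source": "nginx", "message":
            '999.1.1.1 - - [10/Oct/2023:13:56:02 +0000] "GET / HTTP/1.1" 200 612'}},
    ],
}


if __name__ == "__main__":
    # Offline run over the constructed sample.
    print(extract_ips(SAMPLE_RESPONSE))
    # Against a real server (placeholder host and credentials), uncomment:
    # req = build_search_request("http://graylog.example:9000", "admin", "PASSWORD")
    # print(fetch_and_extract(req))
```

The same idea works against Elasticsearch directly by POSTing a query-DSL body to the index pattern Graylog writes to (graylog_* by default) at its _search endpoint; the extraction step is identical once you have the hits.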
