topic Re: Capture Forwarded syslog events from a syslog server in Getting Data In

Capture Forwarded syslog events from a syslog server

ngcgoon — Fri, 30 Jul 2010 00:52:02 GMT

I have setup a forwarder on a syslog-ng server to an indexer which is my webhead. I have setup an index (host-syslog) and my data input is /var/log/messages tied to that index and either the default app or unix.(The platform is linux). I have also setup a light forwarder on another syslog-ng server forwarding the events to my indexer. Somehow I can't search the webhead for events from a fowarder unless I am missing something. So on the indexer I use: host="syslog-server-host1" source ="/var/log/messages" and sourcetype = syslog. When this runs I do not get any current events and I get very few events at that. I have over 10 million lines of syslog-ng entries before the log rotates on average. Any suggestions on setup or searching?

In is there a way to make forwarded events goto a specific index on the index server? I'm using the current version 4.1.3 for linux.

Thanks any help is appreciated.

Re: Capture Forwarded syslog events from a syslog server

Genti — Fri, 30 Jul 2010 07:38:21 GMT

it should be easy to achieve by the following (or similar input stanza)
[monitor:///var/log/messages/]
sourcetype = syslog
index = chosen-one

It would be beneficial to show us what the current configuration is so that we can take a peak and if needed, edit the necessary bits.

Cheers!

Re: Capture Forwarded syslog events from a syslog server

kristian_kolb — Tue, 14 Jun 2011 17:59:14 GMT

Are you sure that you are actually searching in your dedicated syslog-index? You didn't specifically mention it.

index=host-syslog sourcetype=syslog host=syslog-server-host1 etc etc.

BR,

Kristian