topic Re: Monitoring same logs for two different sourcetype in Getting Data In

Monitoring same logs for two different sourcetype

AKG1_old1 — Mon, 28 Jan 2019 10:26:59 GMT

Hello,

we are monitoring GC logs and logs could be in two different format.(Conventional GC and G1)
Requirement is that if logs are in GC format it goes to GC sourcetype and if G1 then G1 sourcetype.

One apporach is to upload these logs twice by setting up 2 different forwarders. but looking for some better approach.

GC logs are complex so redirecting the logs by identifying the type would be difficult.(using props and transform)

Thanks

Re: Monitoring same logs for two different sourcetype

lakshman239 — Mon, 28 Jan 2019 10:58:38 GMT

Would it be possible to add a change in the logging application to write the logs to 2 diff files [ one for GC and another for G1]?

If both the events can go to the same sourcetype [ assuming line breaking etc.. is possible], you could we tag them (using eventtypes/tags.conf) to help with your search? would that help?

Re: Monitoring same logs for two different sourcetype

AKG1_old1 — Mon, 28 Jan 2019 11:08:21 GMT

@lakshman239 : Thanks for reply. No we don't have control over logs so can't add anything to distinguish between sourcetype. Both sourcetype having different linebreaking approach, can go under the same sourcetype.