Hello all. I have a bunch of *nix machines which all mount the same shared file server location to write their logs (/mnt/logs for example). For various (mostly political) reasons, it will be very difficult for me to run a UF on the back-end fileserver, so I need to run a forwarder on each server, and only grab the logs for that one server. All the machines have a directory under the common share which matches the hostname of the machine (/mnt/logs/shorthostname). I could, of course, script the creation of inputs.conf on every machine, but it would be difficult to manage - I don't see how I could push a new inputs.conf from the DS.
Two questions:
1.) Is there any way to use a variable inside a monitor stanza that will contain the short hostname?
2.) Is there something similar to host_segment that I could use to set the sourcetype from the log path?
thank you,
-S
Hello sbridge,
For managing inputs.conf, you can install a UF on the one server where logs from all your other servers are stored (/mnt/logs/shorthostname) and then manage it with DS.
Your other two questions:
Yes. You can use host_segment in your monitor stanza to capture hostnames from the file path.
Sourcetypes can be defined freely in inputs.conf with whatever name you want. You don't need a configuration setting to set sourcetype.
This is what your inputs.conf looks like:
[monitor:///mnt/logs/shorthostname1]
host_segment = 3
sourcetype = any_sourcetype_name_you_like

[monitor:///mnt/logs/shorthostname2]
host_segment = 3
sourcetype = any_sourcetype_name_you_like
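Added example, not part of either post above: a sketch of the per-machine scripting route the question mentions, emitting the same kind of stanza the answer shows for one host's directory. The function names and the sourcetype argument are hypothetical; it assumes the hostname directory is the last component of the monitored path.

```shell
#!/bin/sh
# Added example: emit an inputs.conf monitor stanza for one host's directory
# under a shared log root. Function names and arguments are hypothetical.

# Print the 1-based index of the last path segment, which is the value
# host_segment needs when the hostname directory is the final component.
segment_index() {
    # Strip leading/trailing slashes, then count '/'-separated fields.
    printf '%s\n' "$1" | sed 's:^/*::; s:/*$::' | awk -F/ '{ print NF }'
}

# Usage: make_monitor_stanza LOG_ROOT SHORT_HOSTNAME SOURCETYPE
make_monitor_stanza() {
    root=${1%/}
    short=$2
    stype=$3

    # Accept only hostname-safe characters so the value cannot add path
    # components, wildcards or extra lines to the generated file.
    case $short in
        ''|*[!A-Za-z0-9_-]*) echo "bad hostname: $short" >&2; return 1 ;;
    esac

    # Refuse to write a stanza for a directory that is not there, so a
    # mistyped or unmounted share is noticed at generation time.
    dir="$root/$short"
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }

    printf '[monitor://%s]\n' "$dir"
    printf 'host_segment = %s\n' "$(segment_index "$dir")"
    printf 'sourcetype = %s\n' "$stype"
}

# Typical call on each machine (short hostname = name before the first dot):
#   make_monitor_stanza /mnt/logs "$(hostname | cut -d. -f1)" my_sourcetype
```

Redirect the output into the inputs.conf of whichever app the forwarder loads; each machine then monitors only its own directory under the share.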