Can we configure input.conf define port with multi...

ManojNegi · ‎09-02-2022

Can we configure input.conf define port with multiple sourcetype?

For ex.

[tcp://6134]
index = top
sourcetype = mac_log

sourcetype= tac_log
disabled = 0

Or

Is there any way to segregate logs coming in one port with different sourcetypes?

gcusello · ‎09-02-2022

you have two ways:

if you have a list of the hosts for each sourcetype, you can create some stanzas for each of them, indicating the related sourcetype,
if you can define a regex to identify the logs for each sourcetype, you can override your sourcetype.

1)

if the hosts with IP =10.10.10.x muste have sourcetype 1 and the ones with ip=10.10.20.* have sourcetype2 you could use:

[tcp://10.10.10.*:6134]
index = top
disabled = 0
sourcetype = mac_log

[tcp://10.10.20.*:6134]
index = top
sourcetype= tac_log
disabled = 0

2)

Ciao.

Giuseppe

Can we configure input.conf define port with multiple sourcetype?