Hi - I am in the process of configuring routing of 3 sourcetypes from 2 different directories to 3x indexers.
I have an access.log, secure.log and a cisco_ironport_web.log (I have renamed the sourcetypes).
The access and secure logs are being monitored from the same directory /opt/log/www*
The cisco log is in /opt/log/cisco_1/cisco_ironport_web.log
I have created the props.conf:
[source::/opt/log/cisco_router1/cisco_ironport_web.log]
TRANSFORMS-sourcetype = ciscoweblog
[web_log]
TRANSFORMS-a = access_log
TRANSFORMS-b = secure_log
transforms.conf:
[access_log]
# match against the event text, not the sourcetype name
SOURCE_KEY = _raw
# no quotes: they would become part of the regex
REGEX = status=
DEST_KEY = _MetaData:Index
FORMAT = web
[secure_log]
SOURCE_KEY = _raw
REGEX = invalid user
DEST_KEY = _MetaData:Index
FORMAT = security
[ciscoweblog]
SOURCE_KEY = _raw
# match any non-empty event
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = network
Within the REGEX fields I believe you can specify a string or a phrase that is contained within the log,
but I am not entirely sure whether what I am doing here is correct, or how to generate correct regexes for these sourcetypes...
This is the monitored file for the network log:
[monitor:///opt/log/cisco_router1/cisco_ironport_web.log]
disabled = 0
host_segment = 3
sourcetype = ciscoweblog
index = network
I have specified a single stanza to monitor both the access/secure logs:
[monitor:///opt/log/www*/*.log]
disabled = 0
host_segment = 3
sourcetype = web_log
index = web
Can someone tell me whether I am heading in the right direction or completely wrong, and how I can correct these conf files?
Thanks
Made a slight change to props.conf:
[ciscoweblog]
TRANSFORMS-route = ironportlog
[web_log]
LINE_BREAKER = ([\r\n])
MAX_TIMESTAMP_LOOKAHEAD = 22
SHOULD_LINEMERGE = FALSE
TRANSFORMS-a = access_log
TRANSFORMS-b = secure_log
TRUNCATE = 256
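To check index-routing regexes before pushing them to a forwarder or indexer, it helps to dry-run the transforms against a few sample events. The script below is an added example, not part of the post above or of Splunk itself: it parses a constructed transforms.conf (same stanza names as the post, but with SOURCE_KEY = _raw, the underscore in _MetaData:Index, unquoted regexes, and a case-insensitive `(?i)invalid user` because sshd logs "Invalid user" with a capital I), applies the transforms in the order the TRANSFORMS-* lines list them, and reports which index each constructed log line would land in. The PROPS and INPUT_INDEX tables and the sample lines are assumptions written for this example; the "last matching transform wins" rule is a simplification of Splunk's real precedence.

```python
import configparser
import re

# Constructed transforms.conf text, modelled on the post (assumptions noted above).
TRANSFORMS_CONF = """
[access_log]
SOURCE_KEY = _raw
REGEX = status=
DEST_KEY = _MetaData:Index
FORMAT = web

[secure_log]
SOURCE_KEY = _raw
REGEX = (?i)invalid user
DEST_KEY = _MetaData:Index
FORMAT = security

[ironportlog]
SOURCE_KEY = _raw
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = network
"""

# Transforms each sourcetype's props.conf stanza applies, in order
# (TRANSFORMS-a / TRANSFORMS-b / TRANSFORMS-route from the post; assumed here).
PROPS = {
    "web_log": ["access_log", "secure_log"],
    "ciscoweblog": ["ironportlog"],
}

# Default index from the inputs.conf monitor stanzas (assumed).
INPUT_INDEX = {"web_log": "web", "ciscoweblog": "network"}

# Constructed sample events: (raw line, sourcetype assigned by inputs.conf).
SAMPLE_EVENTS = [
    ('10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" status=200 bytes=512', "web_log"),
    ("Mar 12 10:00:02 www1 sshd[4242]: Invalid user admin from 10.0.0.9", "web_log"),
    ("Mar 12 10:00:03 www1 sshd[4243]: Accepted publickey for deploy from 10.0.0.7", "web_log"),
    ("1710237604.123 250 10.0.0.12 TCP_MISS/200 1024 GET http://example.test/ - DIRECT", "ciscoweblog"),
]


def load_transforms(text):
    """Parse transforms.conf stanzas into compiled regex rules."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    rules = {}
    for name in cp.sections():
        s = cp[name]
        rules[name] = {
            "source_key": s.get("SOURCE_KEY", "_raw"),
            "regex": re.compile(s["REGEX"]),
            "dest_key": s["DEST_KEY"],
            "format": s["FORMAT"],
        }
    return rules


def route_event(raw, sourcetype, rules):
    """Return the index an event ends up in after its sourcetype's transforms run."""
    index = INPUT_INDEX.get(sourcetype)  # inputs.conf default if nothing matches
    for name in PROPS.get(sourcetype, []):
        rule = rules[name]
        # Only the two SOURCE_KEYs that matter here are simulated.
        subject = raw if rule["source_key"] == "_raw" else sourcetype
        if rule["dest_key"] == "_MetaData:Index" and rule["regex"].search(subject):
            index = rule["format"]  # a later matching transform overwrites an earlier one
    return index


def route_all(events=SAMPLE_EVENTS, conf=TRANSFORMS_CONF):
    """Route every sample event; returns a list of resulting index names."""
    rules = load_transforms(conf)
    return [route_event(raw, st, rules) for raw, st in events]


if __name__ == "__main__":
    for (raw, st), idx in zip(SAMPLE_EVENTS, route_all()):
        print(f"{st:12s} -> {idx:9s} {raw[:60]}")
```

The third sample line (a successful ssh login) matches neither regex, so it falls back to the `web` index from inputs.conf; if that is not the intended destination, the transforms need a regex for it or the default index needs changing. Running this kind of dry run against real samples from each log is also how the case-sensitivity of a REGEX value gets caught before events start landing in the wrong index.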