Getting Data In

monitor files in /var/log with different source types

New Member

I've seen variations of the question, but there must surely be a way to do this.

All our logs files are in /var/log/. We don't want all the logs to be classified as the same source type, how can we split out files? Must we select them individually? Why doesnt this work?

[monitor:///var/log/app1/client.log]
    sourcetype = app1
[monitor:///var/log/apache2]
    sourcetype = apache
    index = main
    _whitelist = apache2/(access|error).log$
[monitor:///var/log/app2.log]
    sourcetype = app2
0 Karma

Communicator

I think may be you mistyping :

[monitor:///var/log/apache2]
    sourcetype = apache
    index = main
    whitelist = (access|error)\.log$  # there is only one backslash before dot 

and you can try another way :
in inputs.conf

[monitor:///var/log]
    whitelist = /client\.log|/apache2/access\.log$|/apache2/error\.log$|/app2\.log # there is only one backslash before dot
    index = main

in props.conf

[source::/var/log/app1/client.log]
   sourcetype = app1
[source::/var/log/apache2/*.log]
   sourcetype = apache
[source::/var/log/app2.log]
   sourcetype = app2
0 Karma

Contributor

Good answer. 🙂

0 Karma