Hi there, simple question but I can't get my head around this.
I've got a host that manages its logging with syslog. Files are rotated regularly. The folder containing the files is sent with a local light forwarder to the indexer.
I've got a file hierarchy like:
/var/log/system.log
/.../.../system.1
/.../.../system.2
/.../.../system.3
/var/log/named.log
/.../.../named.1.log.gz
/.../.../named.2.log.gz
...
You get the point. There are more than a hundred files, and some of those files will get removed after some time, after X number of files, or just over a specific size.
/var/log/ is set as my source on that host, with *.log and *.log.* whitelisted.
Now it's kind of a mess in my indexer, as there are so many files.
Questions:
How can I clean up this mess by kind of merging all the named.*.log.gz files under named.log?
How can I better configure my forwarder to streamline those sources in a more convenient way?
And last, would it make a difference if I used a forwarder instead of a light forwarder?
Thanks,
cheers all.
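An added example, not part of the original post, assuming the forwarder and indexer are Splunk (the terms "light forwarder" and "indexer" suggest it; the post does not name the product). It shows a tighter whitelist for the layout above, and a props.conf/transforms.conf pair that rewrites the source of rotated named.N.log.gz files to named.log so they collapse under one source. The stanza and transform names, the regexes, and the 7-day cutoff are illustrative assumptions; the rewrite is an index-time transform that runs in the parsing pipeline, so it has to be placed on the indexer (or a heavy forwarder), not on a light forwarder, which only reads and ships the files.

```ini
# inputs.conf on the forwarding host (added example; names and regexes are assumptions)
[monitor:///var/log]
# whitelist is a regex matched against the full path, not a shell glob like *.log.*
# matches: system.log, system.1, named.log, named.1.log.gz
whitelist = \.log$|\.\d+$|\.\d+\.log\.gz$
# do not pick up rotated copies older than a week (assumed cutoff)
ignoreOlderThan = 7d
disabled = 0

# props.conf on the indexer (or heavy forwarder), where parsing happens
# the source:: stanza pattern uses * (no slash) and ... (any path) as wildcards
[source::...named.*.log.gz]
TRANSFORMS-named_source = rewrite_named_source

# transforms.conf on the same host
[rewrite_named_source]
# read the original source path, capture everything up to "named", and
# write back "<that path>.log" so named.1.log.gz and named.2.log.gz
# are indexed as source=/var/log/named.log (path elided in the post)
SOURCE_KEY = MetaData:Source
REGEX = ^(.*/named)\.\d+\.log\.gz$
DEST_KEY = MetaData:Source
FORMAT = source::$1.log
```

For the uncompressed rotations (system.1, system.2) the file monitor already recognizes a rotated copy by the CRC of its first bytes and keeps a single source, so the rewrite is only needed where the rotated copy is renamed and compressed. Restart the indexer after changing props.conf/transforms.conf; the rewrite applies to events indexed from then on, not to what is already in the index.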