
I am trying to make a centralised log system using logstash by gathering all logs from each server's rsyslog.

However, the formats are different between each basic tool like mail, cron, boot.log.

Is there a way to make these kinds of logs all have the same format in rsyslog before sending them to logstash?

I understand that each tool might have some different data. At least, I hope I could make a unique format and give an "unknown" value for data which does not appear in that tool.

For example:

Cron format

Feb  5 08:52:01 hostname CROND[19763]: (root) CMD (   test -x /usr/local/etc/snmp/statuscheck.pl && /usr/local/etc/snmp/statuscheck.pl)

messages format

Feb  5 07:55:27 hostname rsyslogd: the last error occured in /etc/rsyslog.conf, line 12:"$ModLoad omelasticsearch #^M"

It would be nice if they have the same format, so I can filter only once in logstash configuration.

  • Why exactly would you want to unify the format on the (r)syslog side? Logstash is made exactly for this purpose: make logs all the same for easier analyzing. So don't bother trying to work around the local logs, just put them into Logstash with two different types. – Dominik Sandjaja Feb 13 '14 at 13:56
  • Thanks! I was able to get around it already, actually the way you said. – A-letubby Feb 14 '14 at 01:58
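The normalisation the question asks for, done on the Logstash side as the comment suggests, amounts to parsing the common syslog header once and then filling in per-program fields with "unknown" where a tool does not emit them. The following is an added example (not code from the question or the commenters) that does exactly that in plain Python, standing in for a grok-style filter so the resulting schema can be inspected; the two sample lines are taken from the question, the third is a constructed unparseable line, and the field names and the `parsed` flag are my own choices. Lines that fail to parse are kept with their raw text rather than dropped, so nothing disappears from the central store silently.

```python
import re

# Constructed sample input: the two lines from the question plus one
# deliberately malformed line to show how parse failures are kept.
SAMPLE_LINES = [
    "Feb  5 08:52:01 hostname CROND[19763]: (root) CMD (   test -x "
    "/usr/local/etc/snmp/statuscheck.pl && /usr/local/etc/snmp/statuscheck.pl)",
    'Feb  5 07:55:27 hostname rsyslogd: the last error occured in '
    '/etc/rsyslog.conf, line 12:"$ModLoad omelasticsearch #^M"',
    "this line does not look like syslog at all",
]

# One schema for every record; fields a tool does not provide stay "unknown".
FIELDS = ("timestamp", "host", "program", "pid", "user", "command", "message")
UNKNOWN = "unknown"

# BSD-style syslog header as rsyslog writes it by default:
#   "Mon dd HH:MM:SS host program[pid]: message"   (pid is optional)
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# cron's job-start line inside the message part: "(user) CMD (command)"
CRON_RE = re.compile(r"^\((?P<user>[^)]+)\) CMD \(\s*(?P<command>.*)\)$")


def normalize(line):
    """Parse one syslog line into the common schema.

    Every returned dict has all keys in FIELDS plus a boolean 'parsed'.
    Unparseable lines are kept verbatim in 'message' with parsed=False.
    """
    record = {field: UNKNOWN for field in FIELDS}
    record["parsed"] = False

    header = SYSLOG_RE.match(line)
    if header is None:
        record["message"] = line
        return record

    # Copy the header fields; a missing optional group (pid) stays "unknown".
    for key, value in header.groupdict().items():
        if value is not None:
            record[key] = value
    record["parsed"] = True

    # Program-specific enrichment: only cron carries a user and a command.
    if record["program"] == "CROND":
        job = CRON_RE.match(record["message"])
        if job is not None:
            record["user"] = job.group("user")
            record["command"] = job.group("command")

    return record


def normalize_all(lines):
    """Normalise a batch of lines, preserving order and keeping failures."""
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for rec in normalize_all(SAMPLE_LINES):
        print(rec)
```

With a consistent schema like this, a single Logstash filter (or any downstream query) can be written once against `program`, `user` and `command` regardless of which tool produced the line, which is the point the comment makes; the `parsed` flag makes it easy to alert on a sudden rise in unparsed lines, which usually means a log format changed under you.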
