Specific logging with rsyslog and ELK

Question

I have an rsyslog server and ELK stack running on the same server.

Our application is forwarding logs to rsyslog and is forwarding it to localhost.

We now want to split up our logging (frontend and backend logging).

Our frontend dev has added a tag [frontend] that will be added to the message. Is it possible to filter this out in rsyslog and forward this to another logstash while keeping the backend logging?

i have this in my configuration at the moment but it keeps forwarding all messages to that logstash:

*.* @@localhost:5555
:msg, contains, "\[frontend\]" stop

*.* @@localhost:5544
:programname, contains, "backend" ~

We are sending the frontend logs through the backend so program name 'backend' is in every message we receive

score 0 · Answer 1 · answered Apr 13 '16 at 08:29

0

did some more research and found a working solution:

*.*     {
        :msg, contains, "\[frontend\]"
        @@localhost:5555
        }

*.*     {:programname, contains, "backend"
        @@localhost:5544
        stop
        }

answered Apr 13 '16 at 08:29

Wesley Smekens

1
2

Specific logging with rsyslog and ELK

1 Answers1