Setup Route module based on log Source | Log collection solutions

#1 mflati 3 years ago

Hello,

I am fairly new to NXlog and we are trying to understand if It's possible to route/forward logs based on the Source when only one input module for 514 traffic is definied. I understand that the Host directive in the Input module is actually related to the host itself where Nxlog is installed. Would adding some kind of Exec instructions in there help?? Perhaps using a processor in the route module? Since this is a new deployment, we'd like to set it up by following best practices from the get go. I appreciate your help.

Permalink

#2 manuel.munozDeactivated Nxlog ✓ 3 years ago

#1 mflati

Hello, I am fairly new to NXlog and we are trying to understand if It's possible to route/forward logs based on the Source when only one input module for 514 traffic is definied. I understand that the Host directive in the Input module is actually related to the host itself where Nxlog is installed. Would adding some kind of Exec instructions in there help?? Perhaps using a processor in the route module? Since this is a new deployment, we'd like to set it up by following best practices from the get go. I appreciate your help.

Hey Massimo,

Sure, you can filter events by the content of any field using regular expressions, usually after calling the relevant parse function. So your input module could collect all of them on port 514, and then call parse_syslog(). Then you can create several output modules, each one of them dropping all events but the ones you want to send for that case.