We have seen before how to add filters and indexes for Filebeat and Topbeat. But in some cases, we won't be able to install additional software to manage our logs. That's when Rsyslog is our best option. In this post we will configure an external log from Apache that is not managed by Rsyslog by default.
Configuring Rsyslog (client side)
We are going to create a new file in /etc/rsyslog.d that will contain our new input log configuration.
$InputFileName /var/log/apache2/access.log #can NOT use wildcards - this is where logstash-forwarder would be nice
$InputFileTag apache-access-rs: #Logstash throws grok errors if the ":" is anywhere besides at the end; shows up as "Program" in Logstash
$InputFileStateFile apache-access-rs #can be anything; unique id used by rsyslog
$InputFileSeverity info
$InputFileFacility apacheaccess
$InputRunFileMonitor
$InputFilePollInterval 10
$InputFilePersistStateInterval 1000
apacheaccess.* @@ELK_server_private_IP:5544 #the 2 "@" signs tell rsyslog to use TCP; 1 "@" sign
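The comments in the configuration above name several pitfalls: no wildcards in the file name, the ":" only at the end of the tag, and a unique state file per input. The following is an added example, not part of the original post: a small Python check that scans a legacy-syntax imfile configuration for those pitfalls before it is deployed. The lint function and the sample text are constructed for illustration, and the check that a single "@" means UDP forwarding relies on standard rsyslog behaviour.

```python
import re

# Constructed sample in rsyslog legacy imfile syntax: the first block follows the
# post's config, the second block and the forwarding rule contain mistakes.
SAMPLE = """\
$InputFileName /var/log/apache2/access.log  #no wildcards
$InputFileTag apache-access-rs:
$InputFileStateFile apache-access-rs
$InputRunFileMonitor
$InputFileName /var/log/apache2/*.log
$InputFileTag apache:error
$InputFileStateFile apache-access-rs
$InputRunFileMonitor
apacheaccess.* @ELK_server_private_IP:5544
"""


def lint(text):
    """Return (line_number, message) findings in file order."""
    findings, state_files = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        directive = re.match(r"\$(\w+)\s*(.*)$", line)
        forward = re.match(r"\S+\s+(@{1,2})([^@\s]+)$", line)
        if directive:
            key, value = directive.groups()
            if key == "InputFileName" and re.search(r"[*?\[]", value):
                findings.append((no, "wildcard in $InputFileName"))
            elif key == "InputFileTag" and ":" in value[:-1]:
                findings.append((no, "':' before the end of $InputFileTag"))
            elif key == "InputFileStateFile":
                if value in state_files:
                    findings.append(
                        (no, f"state file reused from line {state_files[value]}"))
                state_files.setdefault(value, no)
        elif forward and forward.group(1) == "@":
            findings.append((no, "single '@' forwards over UDP, not TCP"))
    return findings


if __name__ == "__main__":
    for no, message in lint(SAMPLE):
        print(f"line {no}: {message}")
```
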