I have set up a forwarder on a syslog-ng server to an indexer, which is my webhead. I have set up an index (host-syslog), and my data input is /var/log/messages tied to that index and either the default app or unix. (The platform is Linux.) I have also set up a light forwarder on another syslog-ng server forwarding the events to my indexer. Somehow I can't search the webhead for events from a forwarder, unless I am missing something. So on the indexer I use: host="syslog-server-host1" source="/var/log/messages" and sourcetype=syslog. When this runs I do not get any current events, and I get very few events at that. I have over 10 million lines of syslog-ng entries before the log rotates on average. Any suggestions on setup or searching? Is there a way to make forwarded events go to a specific index on the index server? I'm using the current version 4.1.3 for Linux. Thanks, any help is appreciated.
It should be easy to achieve by the following (or similar input stanza). It would be beneficial to show us what the current configuration is so that we can take a peek and, if needed, edit the necessary bits. Cheers!
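For readers looking for the shape of such an input stanza, here is an added example (not the answerer's stanza and not the poster's actual configuration) showing how a forwarder sends /var/log/messages to a named index. The index name host-syslog and the host name syslog-server-host1 are taken from the question; the indexer address, port and file paths are placeholders to adjust.

```ini
# ---- On each forwarder (syslog-ng host): $SPLUNK_HOME/etc/system/local/inputs.conf ----
# Added example for this thread; index and host values come from the question,
# everything else is a placeholder.
[monitor:///var/log/messages]
sourcetype = syslog
index = host-syslog
host = syslog-server-host1
disabled = false

# ---- On each forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ----
# Send everything to the indexer (placeholder host name and the default receiving port).
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = INDEXER-HOSTNAME-PLACEHOLDER:9997

# ---- On the indexer (webhead): $SPLUNK_HOME/etc/system/local/inputs.conf ----
# Listen for forwarded data on the same port the forwarders send to.
[splunktcp://9997]
disabled = false

# ---- On the indexer: $SPLUNK_HOME/etc/system/local/indexes.conf ----
# The index named in the forwarder's inputs.conf must also be defined on the indexer,
# otherwise the indexer has nowhere to write those events.
[host-syslog]
homePath   = $SPLUNK_DB/host-syslog/db
coldPath   = $SPLUNK_DB/host-syslog/colddb
thawedPath = $SPLUNK_DB/host-syslog/thaweddb
```

After editing, restart splunkd on both sides. A quick way to confirm the routing worked is to search `index=host-syslog | stats count by host, sourcetype` on the indexer: each forwarder should appear as its own host with sourcetype syslog, and the count should keep rising as new lines land in /var/log/messages.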
Are you sure that you are actually searching in your dedicated syslog index? You didn't specifically mention it. index=host-syslog sourcetype=syslog host=syslog-server-host1 etc. BR, Kristian