As far as I know the source is not mandatory. You can create a proper
regex to pull in messages meeting the criteria from one of many sources.
Maybe setting up extractors and then using the exists clause from a
stream would give you what you want.
Using an extractor you can set a specific field as "true" or whatever
you want then use the stream to pull in logs having only that field set.
On 05/29/2015 04:06 PM, Henrik Johansen wrote:
Hi Aidan,
I am curious - why do you need a stream per source / keyword combination?
Could you outline what you want to achieve with that solution -
perhaps you're just approaching the problem the wrong way?
The only reason I can think of for doing what you have outlined is
permissions (i.e., strict delegation of access based on source / keyword
combinations) ... ?
---
HenrikJ
On 29 May 2015 at 21:55:11 CEST, Aidan Venn <aidanv...@gmail.com> wrote:
Hi Jochemb,
There could be a thousand sources but I only want to Create and EDIT
one set of related streams that are applied to the sources when
edited. A one to many approach. ONE set of streams MANY source ip
addresses.
Stream set:
stream 1-keyword:disconnect
stream 2-keyword:loss
stream 3-keyword:fail
stream 4-keyword:error
stream 5-keyword:connect
stream 6-keyword:deauthenticate
stream 7-keyword:reconnect
stream 8-keyword:failure
stream 9-keyword:crash
These would then be applied to 1000+ sources. If I then need to make
a change I only have to do it once.
Thanks for taking an interest.
Kind Regards
Aidan Venn
On Friday, May 29, 2015 at 1:27:01 PM UTC+1, Jochemb wrote:
Make three streams:
stream 1-keyword:disconnect
stream 2-keyword:loss
stream 3-keyword:fail
Without a source?
On Thursday, May 28, 2015 10:40:20 UTC+2, Aidan Venn wrote:
<https://lh3.googleusercontent.com/-VXS0tYSBx3Y/VWYbA0x3z0I/AAAAAAAADg8/7ZikVzm-U_U/s1600/Untitled.png>
Hi,
Graylog Newbie
Please see picture attached.
I have three streams matching a single source IP and warning
keywords from logs:
source IP: 192.168.0.1
stream 1-keyword:disconnect
stream 2-keyword:loss
stream 3-keyword:fail
I want to "group" these streams and apply to multiple (1000
+) source IP addresses to benefit future scalability and
large scale administration. Basically for each source IP they
there will be three or more streams but I only have to
configure/edit the group once.
I don't want to have 1000 devices then have to copy each
stream and then change the source IP address match. 10
keyword streams x 1000 devices would then equal 10000 streams
in total to configure and edit. This would be very time
consuming. Especially if I had to make a change.
One change to the group would apply to all. A one to many
relationship. How can I do this?
Perhaps my approach/idea is incorrect so any recommendations
would be great.
Kind Regards
Aidan Venn
--
You received this message because you are subscribed to the Google
Groups "graylog2" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to graylog2+unsubscr...@googlegroups.com
<mailto:graylog2+unsubscr...@googlegroups.com>.
For more options, visit https://groups.google.com/d/optout.
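The thread's suggestion is a single set of keyword streams with no source rule, optionally fed by an extractor that sets a marker field so a stream can use a field-presence rule instead. The following is an added illustration, not code from the thread or from Graylog: it emulates that routing over constructed log lines from several sources, and also shows a caveat the keyword list invites, namely that substring matching sends a "failure" message into both the "fail" and the "failure" stream (and "reconnect" into "connect"), whereas word-boundary matching does not. `Message`, `extractor_flag` and `route` are names made up for this example; real Graylog behaviour depends on the stream rule type you pick.

```python
import re
from dataclasses import dataclass, field

# Keyword set taken from the thread: one stream per keyword, no source rule.
KEYWORDS = ["disconnect", "loss", "fail", "error", "connect",
            "deauthenticate", "reconnect", "failure", "crash"]


@dataclass
class Message:
    source: str          # source IP; deliberately not used by any rule below
    text: str
    fields: dict = field(default_factory=dict)


def extractor_flag(msg: Message, pattern: str, field_name: str = "warn") -> bool:
    """Emulates a regex extractor: when the pattern matches, set a marker field.
    A stream can then use a 'field presence' rule on field_name, so one
    extractor plus one stream rule covers every source. Returns True if set."""
    if re.search(pattern, msg.text, re.IGNORECASE):
        msg.fields[field_name] = "true"
        return True
    return False


def route(msg: Message, whole_word: bool) -> list:
    """Return the keyword streams a message would land in.
    whole_word=False emulates substring ('contains') matching;
    whole_word=True wraps each keyword in \\b so 'failure' is not also 'fail'."""
    hits = []
    for kw in KEYWORDS:
        pat = rf"\b{re.escape(kw)}\b" if whole_word else re.escape(kw)
        if re.search(pat, msg.text, re.IGNORECASE):
            hits.append(f"stream:{kw}")
    return hits


# Constructed sample lines from four different source IPs.
SAMPLE = [
    Message("192.168.0.1", "link loss detected on eth0"),
    Message("10.0.5.77", "client deauthenticate: reason 3"),
    Message("172.16.9.3", "authentication failure for user bob"),
    Message("10.0.5.78", "interface up, reconnect complete"),
]


def routing_table(messages, whole_word: bool) -> dict:
    """Map each source to its streams; the same rule set serves every source."""
    return {m.source: route(m, whole_word) for m in messages}
```

Compare `routing_table(SAMPLE, False)` with `routing_table(SAMPLE, True)` to see the overlap between the "fail"/"failure" and "connect"/"reconnect" streams disappear under word-boundary matching.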