I am interested in configuring a universal forwarder on a syslog server, and have a question regarding how the log data is currently being written.
There are multiple sources which forward log data to the syslog server. Each source is written to a directory structure similar to the following. As the date changes, a new directory is created beneath the logsrc directory.
/logs/logsrc1/2016.05.09
    messages
/logs/logsrc1/2016.05.10
    messages
/logs/logsrc1/2016.05.11
    messages
/logs/logsrc2/2016.05.09
    messages
/logs/logsrc2/2016.05.10
    messages
/logs/logsrc2/2016.05.11
    messages
If each of the log sources is a similar data type, would the following inputs.conf entry correctly forward the data?
[monitor:///logs/]
index=sn_syslog
sourcetype=sn_syslog
recursive=true