I'm diving into OpenObserve and have a question for anyone with more experience using it. I've got multiple sources sending their log messages to a syslog server, which organizes them by IP and then forwards them to OpenObserve. The reason I'm doing this is to have a user-friendly web interface for viewing these syslog messages, so that users don't have to log directly into the syslog server.
What I'm hoping to achieve is the ability to view these logs in a dashboard based on their source. In Graylog, this is straightforward because you can forward logs to different ports and set up separate input streams for each source. However, it seems like OpenObserve only listens on one port. Is there another way to achieve something similar in OpenObserve, or would it require complex SQL filtering? If there's documentation on this, I'd love to see it. Thanks!
2 Answers
The syslog protocol actually includes a hostname from the originating system, so you could potentially sort logs that way instead of by the source IP. You might need to look into how OpenObserve can process logs this way. Just search for 'hostname' when you're checking it out!
You might be able to route logs from different hosts to separate streams. For instance, you could try AxoSyslog, which is a syslog-ng fork. What syslog server are you using?
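As an added example (not from either answer, and not OpenObserve's or rsyslog's own code): a small Python parser that pulls the hostname out of RFC 3164 and RFC 5424 syslog lines and groups records into per-host stream names, which is the kind of hostname-based routing both answers describe. The sample lines, hostnames and the `syslog_` stream prefix are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: RFC 3164 (BSD) and RFC 5424 lines from three hosts,
# plus one line that is not syslog at all, to exercise the fallback path.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw-edge-01 sshd[2071]: Accepted publickey for ops from 10.0.0.5",
    "<165>1 2024-10-11T22:14:16.003Z web-01 nginx 1234 ID47 - GET /index.html 200",
    "<13>Oct 11 22:14:17 fw-edge-01 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9",
    "<165>1 2024-10-11T22:14:18.120Z db-01 postgres 77 - - connection authorized",
    "this line is not syslog at all",
]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ "
    r"(?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG   (day may be space-padded)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def parse_syslog(line):
    """Return hostname, facility, severity and message, or None if unparseable."""
    m = RFC5424.match(line) or RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))          # PRI = facility * 8 + severity
    return {
        "hostname": m.group("host").lower(),
        "facility": pri // 8,
        "severity": pri % 8,
        "message": m.group("msg"),
        "raw": line,
    }

def stream_name(hostname, prefix="syslog_"):
    """Derive a per-host stream name; non-alphanumerics collapse to '_'."""
    return prefix + re.sub(r"[^a-z0-9]+", "_", hostname)

def route_by_host(lines):
    """Group records into per-host streams; unparseable lines go to a fallback stream."""
    streams = defaultdict(list)
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            streams["syslog_unparsed"].append({"raw": line})
        else:
            streams[stream_name(rec["hostname"])].append(rec)
    return dict(streams)

if __name__ == "__main__":
    for name, records in sorted(route_by_host(SAMPLE_LINES).items()):
        print(f"{name}: {len(records)} record(s)")
```

Each key of the returned dict is the stream a record would be sent to, so the same grouping can drive whichever forwarder you end up using.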
I'm using Rsyslog, which seems to be part of the RockyLinux distro now. The configuration file syntax is a bit of a nightmare with its mix of legacy and more recent scripts. I’ll definitely check out AxoSyslog since it sounds like it might be easier to work with!

I tried researching, but I hit a wall. I thought using pipelines would help, but it looks like there's a limit of one pipeline per stream. This makes it tough to extract multiple sources from a single stream unless I’m misunderstanding. Looks like I might just have to stick with Graylog since it can differentiate based on hostname/IP.