I have multiple sub folders within a base directory that I want to pull logs from. Do I need to setup multiple followers or can I do that under a single follower?

Modified on Wed, 21 Aug, 2024 at 10:55 AM

Both the Gravwell File Follower and Gravwell Windows File Follower Ingesters support tracking files in subdirectories under the configured "Base-Directory" using the "Resursive" option with a single instance.

Take the following directory structure for example

/basedir
    /sub1
        access.log
    /sub2
        access.log.1
        /sub4
            access.log
    /sub3
        linux_access.log
        /sub5
        /sub6
            edr_access.log
            edr_access.log.1

...with the following File Follower configuration stanza

[Follower "access"]
        Base-Directory="/basedir/"
        File-Filter="access.log"
        Tag-Name=access

or the following Windows File Follower configuration stanza

[Follower "syslog"]
        Base-Directory="c:\\basedir\\"
        File-Filter="access.log"
        Tag-Name=access

It will only find access.log in /basedir/ (C:\basedir\), but once the option

Recursive=true

is added now access.log will also be found in /basedir/sub2/sub4 (C:\basedir\sub2\sub4)