I just got Graylog 2.3 up and running, and so far I have only one input (SYSLOG UDP). I’ve started to play around with extractors and I’ve noticed some things that I would like advice on.
I’ve noticed that because extractors are applied to a stream, every message in that stream is evaluated by an extractor. The one extractor that I have configured so far grabs HTTP response codes from haproxy messages. I’ve noticed that other messages that have nothing to do with haproxy also have this extractor present in their stream.
If I wanted to keep extractors separate from message types they don’t apply to, would I have to create separate inputs for each application/service? I really don’t want to start opening a bunch of ports in my firewall for each service that I want an input for. Is there another way to do this that I am not thinking of? I would appreciate your input/advice.