I’m new to the ELK and Graylog world, and I'm trying to understand the basics of this SIEM.
Actually, I went for a manual install of:
- Elasticsearch for the index
- Kibana for direct search and visualization on index data
- Logstash for parsing / stashing (??)
- Graylog seems to be doing the same work as Kibana, with search, visualization ...
- Collector-sidecar seems to contain all listeners for clients like NXlog and Filebeat.
- Failed install of NXlog for now; I'll solve this later.
However, I cannot figure out how to send extracted log files to Graylog as Splunk does. Must I use NXlog and Filebeat? I wish to send any log files (no matter the type of logs) and sort them out by regex filter and standard delimiters myself. Isn't there an easier method to add my own logs to Elasticsearch or Graylog?
So I have actually installed the above parts, and Graylog can connect to the Elasticsearch index / cluster named graylog2 or graylog. However, Kibana can't see the Elasticsearch index, while Graylog can see it and it is in green state ... very strange.
Is Kibana needed? Graylog seems to do the same kind of work.
Everything is installed on the same Debian server, since I wish to use it as an offline analysis platform for education/testing purposes.
Thanks for your guidance and for pointing things out.
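As an added example (not from the original post, and not Graylog's or Elastic's own code): one way to get any log file into Graylog without NXlog or Filebeat is to write to a GELF input directly, extracting fields from each line with your own regexes. Graylog's GELF TCP format is one JSON document per message terminated by a NUL byte, with `version`, `host`, `short_message`, and optional `timestamp`, `level` and underscore-prefixed custom fields. The Graylog host, port and reported hostname below are assumptions, the GELF TCP input is assumed to have been created under System > Inputs, and the sample log lines are constructed.

```python
"""Ship arbitrary log files to a Graylog GELF TCP input, extracting fields with
your own regexes. Added example, not from the original post or from Graylog."""
import json
import re
import socket
import time
from datetime import datetime, timezone

# Assumption: a GELF TCP input on the local Graylog (12201 is Graylog's usual GELF port).
GRAYLOG_HOST = "127.0.0.1"
GRAYLOG_PORT = 12201
SOURCE_HOST = "lab-debian"  # assumed hostname reported in the GELF "host" field

# Syslog severities, which GELF uses for "level" (3 = error, 4 = warning, 6 = info).
LEVELS = {"ERROR": 3, "WARN": 4, "WARNING": 4, "INFO": 6, "DEBUG": 7}

# One regex per log shape, with named groups. First match wins; extend freely.
PATTERNS = {
    "access": re.compile(
        r'^(?P<client_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
        r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    ),
    "app": re.compile(
        r'^(?P<ts>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) (?P<msg>.*)$'
    ),
}


def _epoch(ts, fmt):
    """Parse a timestamp string into a float epoch; naive times are treated as UTC."""
    dt = datetime.strptime(ts, fmt)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def to_gelf(line, source_host=SOURCE_HOST):
    """Turn one raw log line into a GELF 1.1 record (a dict). Unmatched lines
    are still shipped, tagged _log_type=unparsed, so nothing is silently dropped."""
    line = line.rstrip("\n")
    rec = {"version": "1.1", "host": source_host, "short_message": line,
           "timestamp": time.time(), "level": 6, "_log_type": "unparsed"}
    m = PATTERNS["access"].match(line)
    if m:
        status = int(m["status"])
        rec.update({
            "short_message": f'{m["method"]} {m["path"]} {status}',
            "timestamp": _epoch(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "level": 3 if status >= 500 else 4 if status >= 400 else 6,
            "_log_type": "access", "_client_ip": m["client_ip"],
            "_method": m["method"], "_path": m["path"], "_status": status,
            "_bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
        })
        return rec
    m = PATTERNS["app"].match(line)
    if m:
        rec.update({
            "short_message": m["msg"],
            "timestamp": _epoch(m["ts"].replace("T", " "), "%Y-%m-%d %H:%M:%S"),
            "level": LEVELS.get(m["level"], 6),
            "_log_type": "app", "_app_level": m["level"],
        })
    return rec


def encode_gelf(rec):
    """GELF over TCP: one JSON document per message, terminated by a NUL byte."""
    return json.dumps(rec).encode("utf-8") + b"\x00"


def ship_lines(lines, host=GRAYLOG_HOST, port=GRAYLOG_PORT):
    """Send every line to the Graylog GELF TCP input; returns the number sent."""
    sent = 0
    with socket.create_connection((host, port), timeout=5) as sock:
        for line in lines:
            sock.sendall(encode_gelf(to_gelf(line)))
            sent += 1
    return sent


# Constructed sample lines (not real traffic) showing three shapes in one file.
SAMPLE_LINES = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/login HTTP/1.1" 401 512',
    '2023-10-10 13:55:37 ERROR sshd: Failed password for invalid user root from 198.51.100.7',
    'a line no pattern understands',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(json.dumps(to_gelf(line)))
    # To actually ship a file: ship_lines(open("/var/log/nginx/access.log"))
```

Once the records arrive, the underscore fields (`client_ip`, `status`, `log_type`, ...) are searchable in Graylog without any extractor or Logstash pipeline, and the `unparsed` tag makes it easy to find the line shapes that still need a regex.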