Hi all,
Setting up a new install of Graylog (loving it btw) to ingest syslog from (mostly) infrastructure equipment (Switches / SANs / iLO / Blade chassis / routers) etc etc.
Main aim is to have a central log of everything, mainly to back track on issues to do an RCA after the fact. Once we get through that, I want to pivot it to proactive alerting.
I haven’t done syslog in a long time, last time it was all rsyslog, so this is a bit of a new world to me.
I was hoping for a sanity check of my thoughts after an afternoon of RTFM:
1 Stream per device type would be a good idea.
E.g. 1 for routers, 1 for switches, 1 for iLO etc etc.
I’m not sure how I should do the rules for this; hostname would probably be logical, but is there any benefit to doing a separate collector port and doing the rules against that (e.g. adding a static tag to the collector)?
1 index per device type to get granularity.
Also so that I can set different retention periods. So, say, keep network auth logs forever, but purge iLO logs in 3 months.
Are there any performance drawbacks from doing this?
Our searches will almost always be:
- Show me what happened on this host, this switch and this SAN at this point in time
OR - Show me everything so I can backtrack it.
Appreciate the sanity check, I think I understood the documentation correctly.
Happy to take any advice if you are willing to offer it.
TIA
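As an added illustration (not from the original post or from Graylog's documentation), the two routing approaches the post weighs, hostname matching versus a static field set on a dedicated input, as Graylog pipeline rules. The stream name "iLO", the hostname prefix "ilo-", and the static field name "device_type" are assumptions.

```text
// Assumed: a stream named "iLO" already exists and this pipeline is
// attached to the stream the syslog input writes to (e.g. "All messages").

// Approach 1: route on the syslog hostname ("source" field).
rule "route iLO syslog by hostname"
when
    has_field("source") &&
    regex("^ilo-", to_string($message.source)).matches == true
then
    // remove_from_default keeps the message out of the default stream
    // so it is indexed only once, in the iLO stream's index set
    route_to_stream(name: "iLO", remove_from_default: true);
end

// Approach 2: a dedicated input for iLO devices carries a static field
// (set under the input's "Static fields" option), so the rule does not
// depend on hostname conventions being consistent across devices.
rule "route iLO syslog by static input field"
when
    has_field("device_type") &&
    to_string($message.device_type) == "ilo"
then
    route_to_stream(name: "iLO", remove_from_default: true);
end
```

Retention is then set per index set (rotation and retention strategy), so the iLO stream's index set can be purged on a shorter cycle than the one holding network auth logs.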