Best practice for syslog streaming

Hi all,

Setting up a new install of Graylog (loving it btw) to ingest syslog from (mostly) infrastructure equipment (Switches / SANs / iLO / Blade chassis / routers) etc etc.

Main aim is to have a central log of everything, mainly to back track on issues to do a RCA after the fact. Once we get through that,I want to pivot it to proactive alerting.

I haven’t done syslog in a long time, last time it was all rsyslog, so this is a bit of a new world to me.

I was hoping for a sanity check of my thoughts after an afternoon of RTFM:
1 Stream per device type would be a good idea.
Eg, 1 for routers, 1 for switches, 1 for iLO etc etc
I’m not sure how I should do the rules for this, hostname would probably be logical, but is there any benefit to doing a separate collector port and doing it against that? (eg adding a static tag to the collector)

1 index per device type to get granularity
Also so that i can set different retention periods. So say keep network auth logs forever, but purge iLO logs in 3 months.
Are there any performance drawbacks from doing this.

Our searches will almost always be:

  1. Show me what happened on this host, this switch and this SAN at this point in time
  2. Show me everything so i can backtrack it.

Appreciate the sanity check, i think i understood the documentation correctly.
Happy to take any advice if you are willing to offer it


I use different port for different device types. In this case I don’t need to check/change anything on the graylog side when we install a new device.
And the stream rule is the simplest. If gl2_source_input (?) match ABC123DEF456…

I think you are on a good way.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.