Best way to structure logs.

Hi there,

I’m new to Graylog and trying to get my first logs formatted correctly.

What would be the best way to structure incoming logs?

I’ve seen tutorials using extractors for this, but I’ve also seen tutorials saying that pipeline rules are the way going forward and extractors might be on their way out?

Hey @MikeLundahl

Most of the time it’s a preference on how/what you’re trying to achieve. FileBeat/Winlogbeat work well but do create a lot of fields, plus you can use the Graylog Sidecar with them :+1: Then you can use the Beats Input.

If these are switch/firewall logs then a pipeline would work well. Most of my logs I modify through a pipeline. I either drop unwanted logs or add a new field to make a widget for the dashboard, etc… The fields are key in creating your own SIEM solution.

Pipelines are definitely the future so I would heavily recommend you go in that direction.

When you say structure, do you mean you are creating the log messages yourself, or do you mean how to break them apart into fields?

Sorry for the late reply.

Pipeline was what I went for.

I also went for vector for serving the logs from files our systems are outputting.

Meant more how to break them apart into different fields and the flow of serving logs. The logs themselves are coming from multiple services. A few of them use NodeJS with winston to handle logging.
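As an added illustration of the two things the reply above describes (breaking a message into fields, then dropping unwanted logs and adding a field for a dashboard widget), applied to the winston/NodeJS logs mentioned in the last post. This is example code, not something posted in the thread and not Graylog's own documentation. It assumes winston is configured with its JSON format, so each line arrives in Graylog's `message` field as a JSON object with `level`, `message` and `service` keys (a constructed sample would be `{"level":"debug","message":"cache hit","service":"api"}`); the rule, pipeline and field names are my own choices.

```graylog
// Stage 0: turn the JSON body winston wrote into Graylog fields.
rule "parse winston json"
when
  // Only touch messages whose body looks like a JSON object.
  has_field("message") && starts_with(to_string($message.message), "{")
then
  // parse_json + to_map + set_fields promotes every top-level key
  // (level, message, service, ...) to its own searchable field.
  let parsed = parse_json(to_string($message.message));
  set_fields(to_map(parsed));

  // Normalise the severity into one field name, lowercased, so a single
  // dashboard widget can chart it across every service that sends JSON.
  // "info" is the assumed fallback when winston omitted the level.
  set_field("log_level", lowercase(to_string($message.level, "info")));

  // Extra field for widgets/streams: marks where this message came from.
  set_field("source_type", "nodejs-winston");
end

// Stage 1: drop debug noise before it is indexed (assumed unwanted here).
rule "drop winston debug"
when
  has_field("log_level") && to_string($message.log_level) == "debug"
then
  drop_message();
end

// Pipeline wiring: parsing must finish in an earlier stage than the drop,
// because the drop rule matches on the log_level field the parser sets.
pipeline "winston app logs"
stage 0 match either
  rule "parse winston json";
stage 1 match either
  rule "drop winston debug";
end
```

Attach the pipeline to the stream that receives the NodeJS input and run a sample message through it before relying on it: if winston ever logs a non-JSON line (a stack trace written as plain text, for instance), the `starts_with` guard leaves that message untouched rather than failing the parse, and it will also keep its original `level`-less shape, so it is worth searching for messages without `log_level` occasionally to catch sources that are not being structured.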