Hi there,
I’m new to Graylog and trying to get my first logs formatted correctly.
What would be the best way to structure incoming logs?
I’ve seen tutorials using extractor for this, but I’ve also seen tutorials saying that pipeline rules are the way going forward and extractors might be on its way out?
Hey @MikeLundahl
Most of the time its a preference on how/what your trying to achieve. FileBeat/Winlogbeat works good but does create a lot of fields plus with them you can use Graylog sidecar with them 
Then you can use the Beats Input.
If these are switch/firewall logs then a pipeline would work good. Most of my log/s I modify them through a pipeline. I either drop unwanted logs or add a new field to make a widget for the dashboard, etc… The fields are key in creating your own SIEM solution.
Pipelines are definitly the future so I would heavily recommend you go in that direction.
When you say structure, do you mean you are creating the log messages yourself, or do you mean how to break them apart into fields?
