Collect SYSLOG from Network Devices

I’m doing a POC of Graylog and studying how it works. The idea is to centralize and collect information from all network devices in the environment.

I’ve managed to deploy and start collecting information from the devices using SYSLOG from the devices to port 514 of Graylog. I’m now thinking about how to handle the information that is being collected. To do a kind of “separation” I’ve created many SYSLOG INPUTS on Graylog, and to redirect the traffic I’m using IPTABLES rules as follows:

UDP/514 - Default INPUT
UDP/11514 - SWITCHES management network
UDP/11515 - Wireless Controller
UDP/11516 - Identity Managers

IF SOURCE is 172.18.x.x/24, redirect to UDP/11514
IF SOURCE is 172.21.1.1 redirect to UDP/11515
IF SOURCE is 192.168.10.1 or 192.168.10.2 redirect to UDP/11516

In this way each input represents a kind of device. I have some concerns about whether this is the correct approach or if there are other ways to organize the received data. I’ve created only these, but I will need many more INPUTs for other kinds of devices like FIREWALLs, ROUTERs, APs, OPTIMIZERs and so on…

Thanks in advance for any input regarding this
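The per-source redirection described in the post, written out as an added example (not the original poster's rules): a small POSIX shell script that turns the source-to-input table into the `iptables` NAT PREROUTING commands the Graylog host would run. Assumptions not in the post: the switch management network is taken as 172.18.0.0/16 (the post writes “172.18.x.x/24”), the extra inputs are bound to UDP 11514-11516 on the Graylog host itself, and unmatched senders simply stay on UDP/514. One caveat worth keeping in mind with this design: the routing decision rests on the source address of an unauthenticated UDP datagram, so a mis-addressed or spoofed sender lands in the wrong input; the per-rule packet counters from `iptables -t nat -L PREROUTING -v -n` are a cheap way to confirm each rule is seeing only the traffic you expect.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the iptables NAT
# rules for the source-based syslog redirection described above.
# Assumptions: switch management network = 172.18.0.0/16 (post says
# "172.18.x.x/24"); Graylog inputs listen on UDP 11514-11516 locally;
# the REDIRECT target rewrites the destination port before Graylog
# reads the datagram, so Graylog itself needs no changes.

# Routing table, one route per line: "<source match>|<target port>|<label>".
# Hosts that belong to the same input get one line each.
SYSLOG_ROUTES='
172.18.0.0/16|11514|switch management network
172.21.1.1|11515|wireless controller
192.168.10.1|11516|identity manager 1
192.168.10.2|11516|identity manager 2
'

# Print one iptables command per route. Senders that match no line keep
# their original destination (UDP/514, the default input). The comment
# match module labels each rule so the counters are readable later.
syslog_redirect_rules() {
    printf '%s\n' "$SYSLOG_ROUTES" | while IFS='|' read -r src port label; do
        [ -n "$src" ] || continue
        printf 'iptables -t nat -A PREROUTING -p udp --dport 514 -s %s -m comment --comment "%s" -j REDIRECT --to-ports %s\n' \
            "$src" "$label" "$port"
    done
}

# Number of redirect rules the table produces (handy as a sanity check
# against the number of non-default inputs you configured in Graylog).
syslog_rule_count() {
    syslog_redirect_rules | grep -c -- '-j REDIRECT'
}

# Dry run by default; set SYSLOG_APPLY=1 to actually run the commands
# (needs root). Either way the rules are echoed so they can be reviewed.
syslog_apply_rules() {
    syslog_redirect_rules | while read -r cmd; do
        echo "$cmd"
        [ "${SYSLOG_APPLY:-0}" = "1" ] && eval "$cmd"
    done
}

# Run directly: print the rules (dry run) and the count.
if [ "${0##*/}" = "syslog_redirect.sh" ]; then
    syslog_apply_rules
    echo "rules generated: $(syslog_rule_count)"
fi
```

Save it as `syslog_redirect.sh` and run it once to review the generated commands; rerun with `SYSLOG_APPLY=1` as root to install them. Because every rule is appended to PREROUTING, keep the table in this script as the single source of truth and flush the chain before reapplying, otherwise duplicate rules accumulate and the first match wins.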

Hi @Irmoktran

Welcome to Graylog - the good thing is that you can customize the setup to your needs. Read: if that is the way it is working for you, do it. Should that not work for you, we have different ways in Graylog to handle such.

Personally I would send everything to ONE input in Graylog and route the messages (based on the source) to different streams with the processing pipelines, and process the messages after that in dedicated streams. BUT if that is working for you too, I can’t tell. Mostly because that needs clear hostname conventions in your network and the ability to fix that fast if it does not match.

The question is, what feels more natural for you? Having one port for each device type and managing this way how processing is done, or would you like to just ingest and configure Graylog so that this separation and work is done inside of Graylog?
