First-time syslog forwarder, long-time logger. Graylog looks absolutely terrific, and the most recent release has all kinds of useful new capabilities!
Question 1: Configure before syslog or extract after?
Is there a rule of thumb that could be stated as: let the application spit out whatever log and format it wants out of the box, and let the log analysis tool parse and chunk it per application? This as opposed to excessive customization of each application's log, to the extent that we are given that control, and with the likelihood that some custom extractors will still be required.
Question 2: Default time has no year: assume this year?
And with syslog: on CentOS, rsyslog by default puts the timestamp (of the log message) as:
Oct 20 13:54:33
There is no year in it? From my reading on extractors, I gather Graylog converts this timestamp into a date in the current year. Is this correct?
Question 3: Importance of Log timestamp vs Event timestamp
How important is the syslog timestamp when we are most likely to include an event timestamp in our log files themselves? Does much of Graylog depend on this timestamp being assumed to be about the same time as the event, or...?
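To make Questions 2 and 3 concrete, here is an added example (not code from the post above, and not Graylog's own parsing code) that parses the year-less RFC 3164 header rsyslog emits by default, resolves the year against the receiver's clock, and then compares that syslog timestamp with an event timestamp embedded in the message body. The sample lines, the hostname `web01`, the tag `myapp`, and the `ts=` field convention are constructed for the example; the year-rollover heuristic (fall back to last year when "this year" would put the line more than a day in the future) is the example's own choice and is not a claim about how Graylog resolves the year.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines: classic BSD (RFC 3164) syslog as rsyslog writes it by
# default on CentOS. The first two carry an application-supplied event timestamp
# (the hypothetical "ts=" field); the third, an sshd line, does not.
SAMPLE_LINES = [
    "Oct 20 13:54:33 web01 myapp[4242]: ts=2016-10-20T13:54:31Z level=info msg=started",
    "Dec 31 23:59:58 web01 myapp[4242]: ts=2016-12-31T23:59:57Z level=warn msg=rotating",
    "Oct 20 13:54:34 web01 sshd[999]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
]

# RFC 3164 header: "Mmm dd hh:mm:ss host tag: message" (single-digit days are space-padded).
BSD_HEADER = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
# Assumed application convention for the embedded event timestamp (UTC, ISO 8601).
EVENT_TS = re.compile(r"\bts=(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z\b")


def resolve_bsd_timestamp(mon, day, time_str, now):
    """Turn a year-less RFC 3164 timestamp into a datetime using the receiver's clock.

    Start with the current year. If that places the message more than a day in the
    future, it was almost certainly written before a year rollover (a Dec 31 line
    read on Jan 1), so use the previous year instead. This heuristic is the example's
    own; treat it as an assumption, not as documented Graylog behaviour.
    """
    hh, mm, ss = (int(x) for x in time_str.split(":"))
    candidate = datetime(now.year, MONTHS[mon], int(day), hh, mm, ss, tzinfo=timezone.utc)
    if (candidate - now).total_seconds() > 86400:
        try:
            candidate = candidate.replace(year=now.year - 1)
        except ValueError:
            pass  # Feb 29 does not exist in the previous year; keep the current-year guess
    return candidate


def parse_line(line, now):
    """Parse one rsyslog line; return header fields, both timestamps and their skew."""
    m = BSD_HEADER.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    syslog_ts = resolve_bsd_timestamp(m["mon"], m["day"], m["time"], now)
    e = EVENT_TS.search(m["msg"])
    event_ts = None
    if e:
        event_ts = datetime.strptime(e.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    # Positive skew: the syslog header was stamped after the application's own event time.
    skew = (syslog_ts - event_ts).total_seconds() if event_ts else None
    return {
        "host": m["host"],
        "tag": m["tag"],
        "syslog_ts": syslog_ts,
        "event_ts": event_ts,
        "skew_seconds": skew,
        "msg": m["msg"],
    }


if __name__ == "__main__":
    # Pretend the receiver reads these lines just after midnight on New Year's Day.
    receiver_now = datetime(2017, 1, 1, 0, 0, 5, tzinfo=timezone.utc)
    for line in SAMPLE_LINES:
        r = parse_line(line, receiver_now)
        print(f"{r['tag']:<12} syslog={r['syslog_ts'].isoformat()} "
              f"event={r['event_ts'].isoformat() if r['event_ts'] else '-':<25} "
              f"skew={r['skew_seconds']}")
```

Run it and the Dec 31 line is placed in 2016 rather than a year in the future, while the Oct 20 lines read on Jan 1 are likewise pushed back a year; with a receiver clock in October 2016 the same lines resolve to 2016 directly. The `skew_seconds` field is the answer to Question 3 in data form: where the application stamps its own event time, the syslog header is only a second or two later on a healthy host, and a large or negative skew is itself worth alerting on (clock drift, buffered delivery, or a replayed log). If the missing year is a concern at the source, rsyslog's built-in `RSYSLOG_SyslogProtocol23Format` template emits RFC 5424 output whose timestamp carries the year and timezone, which removes the guesswork entirely.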