I am new to Graylog and need some help configuring Graylog from scratch. I am using Graylog v4.1.0 via docker compose.
There are multiple log sources, including Linux servers, Juniper routers, switches and firewalls, Windows servers and some other application servers. All the log sources are configured to send syslog on the default port 514, and there is only one input (514 UDP) where all the messages are coming in. So my question is: what is the best practice, receiving everything on the default syslog port or creating a separate input for each device type using different port numbers?
Thanks
It really depends on what you want to do, how many logs you are ingesting and the size of the environment.
Our INPUTS are based on OS and types of devices. INPUTs consist of Windows, Linux, Firewall, Switches, etc. That way, when we need an extractor or extractors, and/or are executing deep searches, it makes things a lot easier. We have a list of ports that are reserved for Graylog, i.e., 5140, 5141, 5142, 5143; each one of these ports goes to a specific INPUT. For Windows and Linux we use GELF TCP/TLS. Organizing it this way helps us expand our environment or add new devices to Graylog down the road much more easily.
This works for us, and I know it may not work as well for others. Hope this helps.
@gsmith thanks for your reply. In our environment all the logs are coming in on a single input via port 514 UDP. Perhaps I would have to filter them via streams.
This is a possibility, but if you decide later on that you would like to add fields, you may run into problems, as it will search ALL your messages in the input rather than just a select input for certain devices. It also may put the wrong data in the created field.
I would highly suggest you at least separate your network devices from your Windows/Linux devices.
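The field-pollution problem gsmith describes comes from the fact that a Graylog extractor is attached to an input and runs on every message that input receives, before stream rules are evaluated. The following simulation, added here and not part of any post in this thread, models the two designs with constructed syslog-like lines (the formats are illustrative, not captured Juniper or Windows output): a single shared input with a "Split & Index" style extractor that was written for the firewall, versus one input per device type on ports 5140-5142 as gsmith suggests, each carrying only its own extractor. The port numbers and message shapes are assumptions for the example.

```python
import re

# Constructed sample events: (port the device would send to in the per-device design, raw payload).
# Message formats are made up for illustration, not real vendor log lines.
FIREWALL, LINUX, WINDOWS = 5140, 5141, 5142
SAMPLES = [
    (FIREWALL, "DENY 203.0.113.7 10.0.0.12 tcp/22"),
    (FIREWALL, "PERMIT 10.0.0.50 198.51.100.3 udp/53"),
    (LINUX, "sshd[812]: Failed password for root from 198.51.100.9 port 40110 ssh2"),
    (WINDOWS, "EventID=4625 An account failed to log on. Source Network Address: 192.0.2.44"),
]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def split_index_src_ip(raw):
    """Firewall extractor in the style of Graylog's 'Split & Index': split on space, take index 1.
    Correct for the constructed firewall format, meaningless for anything else."""
    parts = raw.split(" ")
    return parts[1] if len(parts) > 1 else None


def sshd_src_ip(raw):
    """Regex extractor written for OpenSSH authentication messages."""
    m = re.search(r" from (\d{1,3}(?:\.\d{1,3}){3}) port \d+", raw)
    return m.group(1) if m else None


def windows_src_ip(raw):
    """Regex extractor written for the constructed Windows logon-failure format."""
    m = re.search(r"Source Network Address: (\d{1,3}(?:\.\d{1,3}){3})", raw)
    return m.group(1) if m else None


def ingest_single_input(samples):
    """Design A: every device sends to one 514/udp input. The firewall extractor is attached to
    that input, so it runs on every message no matter which device sent it."""
    return [{"message": raw, "src_ip": split_index_src_ip(raw)} for _, raw in samples]


# Design B: one input per device type; each input carries only the extractor written for it.
EXTRACTORS_BY_INPUT = {FIREWALL: split_index_src_ip, LINUX: sshd_src_ip, WINDOWS: windows_src_ip}


def ingest_per_device_inputs(samples):
    """Design B: the receiving port selects the input, and therefore the extractor that runs."""
    return [
        {"message": raw, "input_port": port, "src_ip": EXTRACTORS_BY_INPUT[port](raw)}
        for port, raw in samples
    ]


def bad_src_ip_values(events):
    """src_ip values that are not IPv4 literals, i.e. a field populated by the wrong extractor.
    In a real deployment these would silently break searches and dashboards keyed on src_ip."""
    return [e["src_ip"] for e in events if e["src_ip"] is not None and not IPV4.match(e["src_ip"])]


if __name__ == "__main__":
    for name, events in (("single 514/udp input", ingest_single_input(SAMPLES)),
                         ("per-device inputs", ingest_per_device_inputs(SAMPLES))):
        print(f"{name}: src_ip = {[e['src_ip'] for e in events]}")
        print(f"  polluted values: {bad_src_ip_values(events)}")
```

With the shared input the Linux and Windows messages end up with `src_ip` set to "Failed" and "An", exactly the wrong data in a created field that the reply warns about; with per-device inputs every `src_ip` is a real address. Routing by streams after the fact would not undo this, because the extractor has already run by the time a stream rule sees the message.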