Design question


I’ve a use case and I’m trying to see if how I can implement it with Graylog; but with my limited knowledge I think I’ve hit a wall. Can someone please help? I’m trying to implement a logs system for different groups of users to use, and each group of users should only be able to see its own type of message in a message table-like widget. The type of message is declared with the “_message_type” field and so users in group A should only be able to see messages with “_message_type”: “A”, and users in group B with “_message_type”: “B”, etc. We are using a proxy, and I’m happy to see the role header feature in SSO because I can make use of it to pass in a role with the group information. e.g., when userA1 logs in, the proxy will tell Graylog that userA1 has roleA and we just need to create roleA ahead of time. I’m also very happy to see that a dashboard can be associated with a role because that also means that we just need to have the dashboard (for groupA) created ahead of time as well. It’s great so far but then I realize that Dashboard doesn’t seem to support message table widget as View does. What can I do to move forward? How would you design it? Thanks very much!


you can assign different roles (users) to different streams. The user will only see the messages that are inside the stream he is allowed to use.

Please see the docs on this:

1 Like

Hi Jan, thanks very much for your help again. Per your suggestion, should one stream and thus a separate index set be created per group? What are the limits on the number of streams, index set, roles, and Elasticsearch indices? The number of groups may go up to thousands. Any performance concern?
In addition and in that case, I can use View for the purpose of using Message Table. Am I right?

he @skwokie

you can have one index for every stream, but streams can share indices without a problem.

The Number of indices might create problems at some point so you should not overuse that. See this blog for information

Groups can be as many as you need/want and each group can only see the data the permission is given for.


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.