I am new to Graylog, have a question like, do we need to open separate port for each server to get different types of logs to Graylog.
For example I need to get event logs, IIS logs and .net application logs from “n” number of servers. So how I need to open ports from my application servers to graylog server? is it based on input type(im_msvistalog, im_file)?? or else I need to open each separate port from each application server?
Scenario1:
AppServer1 to GrayLogserver port 12201- Eventlogs, IIS logs and .net application logs
AppServer2 to GrayLogserver port 12202- Eventlogs, IIS logs and .net application logs
AppServer3 to GrayLogserver port 12203- Eventlogs, IIS logs and .net application logs
or
Scenario2:
AppServer1 to GrayLogserver ports 12201(Eventlogs), 12202(IIS logs) and 12203(.net application logs)
AppServer2 to GrayLogserver ports 12201(Eventlogs), 12202(IIS logs) and 12203(.net application logs)
AppServer3 to GrayLogserver ports 12201(Eventlogs), 12202(IIS logs) and 12203(.net application logs)
In above two scenarios which one is correct one to follow? I tried 2nd scenario and getting only one input messages on Graylog(Eventlogs).
Please suggest me correct method to get all types of logs to graylog successfully.
personal I would create one port for beats, one for syslog, one for GELF and one for RAW Logs - if you have more different types move on.
What type of messages you ingest depends on the collector or the way you ingest them - with filebeat or winlogbeat you would use the beats input. When you forward syslog messages, use the syslog input and so on.
Thank you for the response Jan!
currently I created GELF TCP input to get logs from my application server and installed nxlog on my application server. My application server is windows.
If I mention different port for each log source, i am getting only one type of logs(event logs) to graylog
can you please tell me which input i need to use for IIS logs(txt file) and .net application logs(txt file)
As i installed nxlog only on my application server, is it enough to get these 3 types of logs(eventlogs, iis logs and .net application logs) from my application server with nxlog? or do need to install filebeats or winlogbeat?
@dheeraj9
I’m still new at this, but this is some what @jan was describing.
In my environment we have couple different inputs/ports " Windows, Uses GELF TCP, Port 5100", “Firewalls RawPlainText TCP, Port 5200”. “Switches RawPlainText UDP, Port 5300”, and “Linux Gelf TCP, Port 5400”. I use NXlog for the linux and windows servers. When i need a specific file on one or two machine to get logs, I only configure that server/s nxlog client to do so by using the modules/input “im_file”.
Example:
