I haven’t tried yet, so I’m just hitting up the community to gather inputs for research.

I have a need to keep my Graylog index relatively small compared to what our security team needs to see, which will be a dump of all logs at the informational syslog level from all networking devices and servers. Graylog will mostly be used for ops troubleshooting, whereas their commercial SIEM would be used for incident response. My question is: should I just go ahead and learn Logstash for this purpose, or can I make it work with processing pipelines within Graylog? It looks as though, with just a quick search of the functions available, I could pipe things based on grok or regex to a specific stream, but it also looks like there is no way to make a stream just a forwarder to another service, so it would still be going into my Elasticsearch cluster.

I’m currently using rsyslog on Linux and Beats with the Sidecar on Windows.
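For readers unfamiliar with the mechanism the post refers to, the following is an added illustration (not from the original post or from the Graylog project) of a Graylog processing pipeline rule that matches on a regex and a grok pattern and routes the message to a stream. The stream name `ops-troubleshooting`, the source naming convention `core-sw-N`, and the field `routed_by` are assumptions for the example; the stream would have to exist before the rule is connected to a pipeline stage. As the post observes, `route_to_stream` only changes which stream (and therefore which index set) a message lands in; the message is still indexed in Elasticsearch, so this does not by itself turn a stream into a forwarder to an external SIEM.

```graylog
// Added example rule: route syslog from core switches into an ops stream
// and enrich it with fields parsed by grok. Stream and field names are assumed.
rule "route core switch syslog to ops stream"
when
  has_field("source") &&
  // regex() returns a map; .matches is true when the pattern is found
  regex("^core-sw-[0-9]+$", to_string($message.source)).matches == true
then
  // grok() returns a map of named captures; set_fields() adds them to the message
  let parsed = grok(pattern: "%{SYSLOGTIMESTAMP:event_time} %{GREEDYDATA:event_text}",
                    value: to_string($message.message));
  set_fields(parsed);

  // Route to the (assumed, pre-created) ops stream. The message is still
  // indexed in the index set bound to that stream; nothing is forwarded.
  route_to_stream(name: "ops-troubleshooting");
  set_field("routed_by", "pipeline");
end
```

Keeping the ops index small in this layout is done by attaching the `ops-troubleshooting` stream to an index set with a short retention/rotation policy, while the unfiltered feed for the security team still has to reach the SIEM by a separate path (for example a second forwarding destination at the rsyslog or Beats layer), since a stream by itself cannot act as a forwarder.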