Forward some logs without storing

I haven’t tried yet so I’m just hitting up the community to gather inputs for research

I have a need to keep my graylog index relatively small compared to what our security team needs to see which will be a dump of all logs at informational level syslog from all networking devices and servers. Graylog will mostly be used for ops troubleshooting whereas their commercial SIEM would be used for incident response. My question is, should I just go ahead and learn logstash for this purpose or can I make it work with processing pipelines within graylog? It looks as though, with just a quick search of the functions available, that I could pipe things based on grok or regex to a specific stream but it also looks like there is no way to make a stream just a forwarder to another service so it would still be going into my elasticsearch cluster.

I’m currently using rsyslog on linux and beats with the sidecar on windows

  • just forwarding is not possible with Graylog
  • you could set a short living index for those forwarded messages (store it for a few hours max)
  • draw a picture of your current setup and check how complex you want to have it
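As an added illustration of the second bullet (not from anyone in this thread), this Graylog pipeline rule routes high-volume messages from network devices into a stream whose index set is configured with a retention of a few hours; the stream name, the `level` field populated by the syslog input, and the hostname prefix are assumptions for the example:

```text
rule "route noisy infra logs to short-retention stream"
when
    // assumed: the syslog input sets a numeric "level" field (6 = informational, 7 = debug)
    has_field("level") && to_long($message.level) >= 6 &&
    // assumed: network devices report with a hostname prefix such as sw-, rtr- or fw-
    regex(pattern: "^(sw|rtr|fw)-", value: to_string($message.source)).matches == true
then
    // assumed stream "infra-short-retention", attached to an index set rotated hourly
    // and kept for only a few cycles; messages are also dropped from the default stream
    route_to_stream(name: "infra-short-retention", remove_from_default: true);
end
```

The retention itself is not set in the rule: it comes from the index set attached to the stream (rotation strategy and number of indices to retain), so the forwarded messages still land in Elasticsearch, just briefly.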
