Graylog in layman's terms

Hi everyone,

I’m new to the computer science world and am working with Graylog. All the sources I have looked at use too many technical terms for me to understand. Can someone explain 1) what kind of “messages” Graylog collects (what are they about), 2) from my understanding, streams filter the incoming data to go to a specific index with a set of rules. Is this correct? 3) Are dashboards this customizable page where you can control what kind of visualizations of your data you are shown? 4) What are inputs and outputs relative to Graylog? 5) What are nodes in Graylog?

I would greatly appreciate a layman’s explanation to these questions! (I know nearly nothing about the computing world.)

Hello && Welcome

Look here

Yes. Your default is "All Messages", which cannot be configured. To re-route messages to a different stream, unique rules need to be configured and then attached to an index set of your choice.

Dashboards are a collection of widgets that contain different searches; within those widgets you can configure them as need be.

Inputs are the configuration made to collect a specific type of logs for different devices (i.e. firewalls, switches, etc.); this is where Graylog gets the data.

Outputs are the opposite of inputs, basically sending those logs somewhere else, i.e. Graylog Cloud or maybe another Graylog server. Some functions need the enterprise license.

They're little people that run around in the dark stealing one sock :laughing:

BUT seriously, any system or device connected to a network is also called a node. For example, if a network connects a file server, five computers, and two printers, there are eight nodes on the network. Each device on the network has a network address, such as a MAC address, which uniquely identifies each device. This helps keep track of where data is being transferred to and from on the network.

That being said, each Graylog server is a node.


Great, thank you - that really helped!!


Helpful. I know this is solved, but I'd also like to contribute shortly. I am also learning Graylog, and since it has so many components I've considered making an overall diagram for those who wish to understand it all. A picture says 1000 words, so to speak. I understand how the sidecar operates with different agents now and sends the logs. But the order in which it processes the data, and how, seems to be a bit confusing.

For example, the agent (Filebeat, for instance) can run on its own, or you can use sidecar to do the config from the web GUI for you. It specifies which files to send. Though I don't know if you can transform or specify indexes ahead of time. I'm still learning these agents.

Stop me if I’m wrong.

  • Next it hits the actual input of the Graylog server node you specified. You need to specify the "Inputs". (UDP 1514, Linux/Windows sidecar, etc.)
  • Create “Streams” to place logs into groups so it is easier to manage.
  • At this point you can choose to use a “Pipeline” to parse and transform the data to a format you want.
  • Next is “Indices” or Index Sets which are message stores. It is how you manage its retention and rotation.
  • From here you can use the main Search or you can create your own Dashboards with Widgets, Lookup Tables and translations.

You can also set up Alerts as well.

It is all so granular what you can do. But you do need to do a lot of it yourself. But I like this flexibility.

If any of this is wrong, or if I'm missing some pieces, can someone jump in? It would help clarify the process of ingesting information and producing it in a format people can use.

Also, another good newb question is: WHEN are outputs sent? Are they processed at all, or directly forwarded after input?

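The message flow the two answers above describe (every message lands in the default "All messages" stream; stream rules route copies into other streams, each tied to an index set with its own retention; a pipeline can parse fields on the way) as a small constructed Python model. This is an added example, not Graylog's own code and not the poster's diagram: the stream names, the index set names (`firewall_90d`, `web_30d`), the firewall log line format and the parsing regex are all assumptions chosen for illustration. It shows one thing the list of steps alone does not: because the default stream always matches, a message routed into the "Firewall" stream is written to two index sets, and only messages in that stream get the pipeline's parsed fields.

```python
"""Toy model of Graylog's message flow: input -> streams -> pipeline -> index sets.
Constructed illustration; it is not Graylog's implementation."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample messages, shaped like what a syslog input would hand over.
SAMPLE_MESSAGES = [
    {"source": "fw01", "facility": "firewall", "message": "DROP src=10.0.0.5 dst=10.0.1.9 dport=22"},
    {"source": "web01", "facility": "nginx", "message": "GET /login 200"},
    {"source": "fw01", "facility": "firewall", "message": "ACCEPT src=10.0.0.7 dst=10.0.1.9 dport=443"},
]


@dataclass
class StreamRule:
    """One stream rule: the named field must match the regex."""
    field_name: str
    pattern: str

    def matches(self, msg: dict) -> bool:
        value = msg.get(self.field_name)
        return value is not None and re.search(self.pattern, str(value)) is not None


@dataclass
class Stream:
    """A stream groups messages whose rules all match and stores them in one index set."""
    name: str
    index_set: str
    rules: list = field(default_factory=list)
    # Optional pipeline stage applied only to messages routed into this stream.
    pipeline: Optional[Callable[[dict], dict]] = None

    def matches(self, msg: dict) -> bool:
        return all(rule.matches(msg) for rule in self.rules)


def parse_firewall(msg: dict) -> dict:
    """Pipeline stage: lift key=value pairs from an (assumed) firewall line into fields."""
    m = re.match(
        r"(?P<action>\w+) src=(?P<src_ip>\S+) dst=(?P<dst_ip>\S+) dport=(?P<dst_port>\d+)",
        msg["message"],
    )
    if m:
        msg.update(m.groupdict())
        msg["dst_port"] = int(msg["dst_port"])
    return msg


# The built-in default stream: every message is in it, and it cannot be removed.
DEFAULT_STREAM = Stream(name="All messages", index_set="Default index set")

# Hypothetical user-defined streams, each attached to its own index set.
STREAMS = [
    Stream(
        name="Firewall",
        index_set="firewall_90d",  # assumed index set with a longer retention
        rules=[StreamRule("facility", r"^firewall$")],
        pipeline=parse_firewall,
    ),
    Stream(
        name="Web",
        index_set="web_30d",
        rules=[StreamRule("facility", r"^nginx$")],
    ),
]


def process(msg: dict, streams=STREAMS):
    """Route one message. Returns (enriched message, matched stream names, index sets)."""
    msg = dict(msg)  # never mutate the caller's copy
    matched = [DEFAULT_STREAM] + [s for s in streams if s.matches(msg)]
    for s in matched:
        if s.pipeline:
            msg = s.pipeline(msg)
    return msg, [s.name for s in matched], {s.index_set for s in matched}


def ingest(messages=SAMPLE_MESSAGES):
    """Run all messages through and return a map of index set -> stored messages."""
    stores = {}
    for raw in messages:
        msg, _, index_sets = process(raw)
        for name in index_sets:
            stores.setdefault(name, []).append(msg)
    return stores


if __name__ == "__main__":
    for name, msgs in ingest().items():
        print(f"{name}: {len(msgs)} message(s)")
```

Running it shows three messages in the default index set, two in `firewall_90d` and one in `web_30d`; the firewall messages carry the parsed `action`, `src_ip`, `dst_ip` and `dst_port` fields, which is what makes them searchable by field rather than by raw text.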

Someone please fix this if I'm wrong, or add to it. This helps me, as I'll add links to docs about each part eventually for my own internal documentation. I didn't make it look good yet, just breaking it down into the major components. I did forget to add "Extractors", and none of the enterprise stuff, as I'm starting from the beginning.


@WavedirectTel

Hello,

Wish you had started your own post; this could be something for future search :wink:
Other than that, looks about right.

Thanks. I have some corrections to make, and I want to grasp all the components a bit better and get it working in practice; then I'll upload my final diagram.

If you do, think about the category here.

Thx :slight_smile:


Link to updated diagram. Graylog in a Nutshell (Diagram)


Hello,

Thank you for adding this response! It has definitely helped :slight_smile:
