Heap of different inputs sources and 1 graylog

joshg · May 25, 2021, 1:47pm

We have 1 graylog instance running in our company. We are currently sending IIS and Windows Event Logs logs to graylog.

But I want to start sending our custom applications logs’ to graylog. The way I plan on doing it is using TCP to send a GELF log to graylog. I like the idea of the _[additional field] (GELF — Graylog 4.0.0 documentation) because it opens up the possibility for powerful analytics of our application.

But I have some doubts about it.

My understanding is that Elasticsearch will create an index for each additional field. What if the number of additional fields being indexed grows large? Will that cause graylog to stop working properly?
What if there is a name clash between two additional fields?

To remedy the two problems above, should I try to minimise the number of additional fields? I could just shove them all into the full_messgae field, rather than each being its own field?

I should also mention that the way I have designed the logging in our application is that a programmer can log whatever key value pair he wants to as part of a log message. But this encourages the 2 problems mentioned above. Perhaps this is a bad idea? I am curious as to what other people do…

shoothub · May 26, 2021, 11:01am

ElasticSearch won’t create index for addition field, but only field in existing index. You can create new index with own retention in graylog.
Index model — Graylog 4.0.0 documentation
If you use same field more than once it will work fine. But you can’t use different filetype like string and number. ElasticSearch try to guest best filetype for field on first create. You can still create own mapping if you want:
Elasticsearch — Graylog 4.0.0 documentation

joshg · May 26, 2021, 12:04pm

So If I don’t explicitly create an index for an additional fields, what will I be able to do with the additional field?

shoothub · May 26, 2021, 12:11pm

The same as before, or if you use default index. Creating new index for every type of information (not mixing e.g windows, network devices, apps and so on) is best practice, otherwise you will end up will log of list fields from different type of sources, and also you will be able to setup separate retention (e.g remove older data after 1 month) for new index for apps.

To route data to separate index, use streams with function route to index:
https://docs.graylog.org/en/4.0/pages/getting_started/explore.html?highlight=route#streams

system · June 9, 2021, 12:12pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Do I need to define my additional GELF fields first? Graylog Central (peer support)	5	1178	September 1, 2021
Too many fields Graylog Central (peer support)	12	1106	August 28, 2023
Stop creating Graylog Indices Graylog Central (peer support)	4	876	September 20, 2018
Error [Elasticsearch exception...reason=Limit of total fields [1000] has been exceeded]] Graylog Central (peer support)	5	302	April 1, 2024
New request for custom index template Graylog Central (peer support) basic-configuration	11	2041	June 28, 2022

Heap of different inputs sources and 1 graylog

Related topics