Hundreds of users running app on internal network, how to log?

We have an app that is used by hundreds of users. Each user runs the app on his/her company computer, which is connected to the company’s internal network. We would like this app to generate logs whenever it does something significant. We would like these logs to go into Elasticsearch/graylog. What is the best way to do this? Should the app send the logs directly to Elasticsearch? What kind of tool would you use for that? Am I correct in assuming that the logs would be sent via UDP to our Elasticsearch server?

The app is written in an extremely old programming language. We are very limited in what we can do. But I think it should be possible to send UDP packets to our Elasticsearch server.
If the app wrote the logs to a local file, how would you collect the logs from each user’s computer? Perhaps we could write the logs to a file on a network share, and then collect the logs from there?
I am wondering what is best practice/what others do.

Here’s a bit of information on how to get started:

https://docs.graylog.org/en/4.0/pages/sending/files.html


@joshg
hello,
This post caught my attention.

We also had an app/software in our environment called “GitLab”. This app was able to be configured to send logs directly to Graylog Server. I created a separate INPUT for this so deep searches can be performed and create (i.e. regex and GROK) patterns just for this INPUT.

Not sure how big your environment is, but some software we are also using called “Veeam”, which runs on Windows OSes, creates a unique EventID that gets generated in Event Viewer. I had to configure our GPOs to make this available so our log shipper (NXlog) could grab the messages and send them to Graylog.

So as you can see, there could be multiple ways to collect and send logs to Graylog-Server. I guess it is whatever is best for you.

Not sure what app you’re talking about.

It’s an app that my company created and maintains. So we can make it do whatever we want. As the app runs on each user’s computer, would we have to install a log collector on each user’s computer? Seems a bit too much. Hence my question.

It seems like you are suggesting that the app send the logs directly to graylog rather than using a collector. So I may go down that route then.

Thanks

If the app is able to send the logs directly to Graylog server (depending on format), sure.
And yes you can send log/s directly to graylog from that app. If the format of the messages needs to be adjusted you may need a log shipper (nxlog, filebeat, etc…).

I don’t know what app you’re talking about but if you say

Then is it able to send log/s straight to graylog and use one of its INPUT formats? If the answer is no, then you may need a log shipper.

As @dickinsonzach suggested.
https://docs.graylog.org/en/4.0/pages/sending_data.html#log-sources

Hope that helps.

You could have your application log via syslog over TCP or UDP to the Graylog server. Syslog is very standard and should be easy to incorporate into your application.

Alternatively, if you don’t mind it being Graylog specific, you could log in GELF format (again TCP or UDP). A GELF message is just a JSON object. GELF would allow you to have more structure in your message than syslog, which is mostly text that you would have to parse in Graylog if you need to extract particular fields. GELF — Graylog 3.3.8 documentation
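
The GELF-over-UDP option from the reply above, as an added example that is not part of the thread or Graylog's own code: it builds a GELF 1.1 JSON message and splits it into chunked datagrams when it does not fit in one packet. The field names, the 1420-byte chunk size and the 127.0.0.1:12201 target are assumptions for illustration.

```python
import json, os, re, socket, time

GELF_MAGIC = b"\x1e\x0f"   # marks a chunked GELF datagram
MAX_CHUNKS = 128           # upper limit on chunks per message in GELF UDP
FIELD_RE = re.compile(r"^[\w.\-]+$", re.ASCII)

def build_gelf(host, short_message, level=6, **fields):
    """Return a GELF 1.1 message as compact UTF-8 JSON bytes."""
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": round(time.time(), 3), "level": level}
    for name, value in fields.items():
        # Additional fields get a leading underscore; "_id" is reserved.
        if name == "id" or not FIELD_RE.match(name):
            raise ValueError(f"invalid GELF field name: {name!r}")
        # GELF field values are strings or numbers; stringify anything else.
        if isinstance(value, bool) or not isinstance(value, (str, int, float)):
            value = str(value)
        msg["_" + name] = value
    return json.dumps(msg, separators=(",", ":")).encode("utf-8")

def chunk_gelf(payload, chunk_size=1420):
    """Split a payload into GELF UDP datagrams (one datagram if it fits).

    chunk_size is an assumed value that stays under a 1500-byte MTU.
    """
    if len(payload) <= chunk_size:
        return [payload]
    body = chunk_size - 12   # 2 magic + 8 message id + 1 seq + 1 count
    parts = [payload[i:i + body] for i in range(0, len(payload), body)]
    if len(parts) > MAX_CHUNKS:
        raise ValueError("message too large for GELF UDP")
    msg_id = os.urandom(8)   # same id on every chunk of one message
    return [GELF_MAGIC + msg_id + bytes([seq, len(parts)]) + part
            for seq, part in enumerate(parts)]

def send_gelf_udp(server, port, payload):
    """Fire and forget: UDP offers no delivery guarantee and no encryption."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for datagram in chunk_gelf(payload):
            sock.sendto(datagram, (server, port))

if __name__ == "__main__":
    # Constructed sample event; server address and port are placeholders.
    event = build_gelf(socket.gethostname(), "invoice exported",
                       level=5, user="jdoe", record_id=4711)
    send_gelf_udp("127.0.0.1", 12201, event)
```

Over TCP the same JSON bytes are sent unchunked, with each message terminated by a null byte.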
