Limit Logs Consumed by Graylog

The free version of Graylog lets you capture up to 5GB of logs per day. I only have one file server logging to Graylog, but it appears to be consuming just over 5GB per day, which is causing a Graylog license violation every week.

Is there a preferred method to only capture the logs I want in Graylog so I can whittle down my data consumption and be under the 5GB/day for logs?

My Windows file server has the following advanced audit configuration parameters set:
Object Access

  • Audit Detailed File Share - Success
  • Audit File Share - Success
  • Audit File System - Success
  • Audit Handle Manipulation - Success

I had created streams to only show me specific logs of interest, but it seems there are a lot more logs being captured than I want.

You can use pipelines to drop the messages that you don’t want to see, or decrease the log types that you send in.
(or just shutdown your sender server :smiley: )

Hey @DrVirus

"The free version of Graylog lets you capture up to 5GB of logs per day."

I'd like to clarify here:

Graylog is unlimited on a daily use level. The free Graylog Enterprise License (meaning the Enterprise features of Graylog) is limited to 5GB per day.

If you have more than 5GB of ingested logs, remove the Enterprise plugins and restart Graylog to have unlimited Graylog, or contact Graylog Sales ( http://graylog.org/contact-sales ) to get a license that fits your needs if you need the Enterprise features.

The other option is what @macko003 suggests: manipulate the messages and reduce the amount you ingest by only storing what you really need.

2 Likes
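
One way to write the pipeline rule suggested in the replies above, as an added example that is not from the thread or from Graylog's own material. It assumes the log shipper stores the Windows event ID in a field named EventID (other shippers use a different field name), that the rule name is made up, and that the listed event IDs are ones your streams do not use.

```text
// Added example: drop high-volume object-access events before they are stored.
// Assumption: the Windows event ID arrives in a field called "EventID".
// Assumption: the IDs below are not needed by any stream or alert; adjust the list.
//   4658 - handle to an object was closed        (Audit Handle Manipulation)
//   4690 - attempt to duplicate an object handle (Audit Handle Manipulation)
//   5145 - share object access check             (Audit Detailed File Share)
rule "drop unneeded file server audit events"
when
    has_field("EventID") &&
    (
        to_long($message.EventID, 0) == 4658 ||
        to_long($message.EventID, 0) == 4690 ||
        to_long($message.EventID, 0) == 5145
    )
then
    // The message is discarded here and is not written to any index.
    drop_message();
end
```

Attach the rule to a stage of a pipeline that is connected to the stream receiving the file server's messages. Messages without an EventID field, or with any other event ID, pass through unchanged.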