Multi-tenant setup

I’m trying to setup a multi-tenant graylog in a secure way, and by tenant I mean customer.
We process logs from an application. Each customer has its own application instance, but the log format is the same. The customer_id is already a field in the log itself.
This is where I got so far:

A single UDP syslog listener for all customer, with its extractors. As I said, log format is the same, and customer_id is already in the log.

1 index set for each customer. Index prefix is the customer_id, and index name is the customer name.

1 stream for each customer, using the index set above. Stream rule is based on the customer_id field, and messages won’t stay in the All Messages.

1 dashboard for each customer.

2 roles for each customer, Customer Name admin (read/write), Customer Name user (read). The customer role has access only to the customer stream and the customer dashboard.

The problem I’m having is related to the dashboard. It sees that stream widgets are quite different from search widgets. I can’t turn a search widget to a stream widget. I can’t create a QUICKVALUES stream widget.

Is that correct?
Is there another approach to achieve what I need?


The multi-tenant setup is exactly what we are looking for.
How do you add the index prefix, do you use the IP adress to convert to a customer?

You can create one or more index sets per tenant (see for details) and use a combination of pipeline rules and custom lookup tables to route messages into streams backed by the tenant’s index set(s).