Need help undertsanding the flow

kitkat0981 · June 3, 2025, 1:32pm

so please correct me if i’m wrong as i dont seem to be either grasping the flow of configuring my graylog properly.
Running 6.0.14
opensearch

inputs via specific port (example, i have all syslogs from any linux machines comming in)
stream is to categorize the entries?

the reason i ask is I have my input setup

then my index (this example is PowerDNS)

then my stream with a rule:

I know and have confirmed there are logs comming in for this device, yet when i go to search page and select the stream and click the search button, i dont see any logs:

what am i missing or not understanding?

kitkat0981 · June 3, 2025, 7:25pm

can anyone provide some guidance? what im looking for is if I have an input (example avaya switches) that all log to 1 specific input since you cannot change the port (all go to 514) so I want to containerize the logs for each individual switches. How can I do this? Thanks

patrickmann · June 4, 2025, 7:52am

Your search is limited to PowerDNS stream. Try just using the default stream first to keep things simple. Once that works you can route to different streams.

kitkat0981 · June 4, 2025, 1:48pm

and just to be clear, i see the data in the input. how do you send those to indexes? is it using the gl2_input_source and the # ?

patrickmann · June 5, 2025, 7:21am

Streams are used to route messages to indices.
The default stream automatically goes to the default index. If you create additional indices, you need to also define corresponding streams.

kitkat0981 · June 5, 2025, 11:50am

Ok so if you have multiple servers logging to one input, how do you then seperate each server to it’s one index?

patrickmann · June 6, 2025, 7:29am

Use a pipeline rule on the default stream to route each to its own stream, which is associated with its own index.

kitkat0981 · June 6, 2025, 11:43am

Ah ! Now I think I understand. I’ll try that thanks a lot !

kitkat0981 · June 6, 2025, 12:51pm

hmmm. maybe i don’t understand…

My input works thats a fact as i can see the messages.
i dont have any indeces so its using the default index set.
i have a pipeline setup named “redirecting NPS” connected to the default stream.

but then what? I need to apply rules but this is all coding..?!?

kitkat0981 · June 6, 2025, 1:43pm

i see a lot of useless (to me) logs coming from the domain controller (windows). how can I NOT include theses in the streams?

patrickmann · June 6, 2025, 2:49pm

Please review the related docs. These are very basic scenarios and all covered in the docs.

Topic		Replies	Views
Trouble with Relationship between Indexes, Streams and Inputs Graylog Central (peer support)	3	1190	October 13, 2022
Best practice for syslog streaming Graylog Central (peer support)	2	792	April 30, 2020
Create correct inputs Graylog Central (peer support)	6	2266	July 27, 2021
Getting started Graylog Central (peer support)	1	12	May 26, 2025
Appliance - See inputs, but nothing routed into feeds Graylog Central (peer support)	7	458	October 16, 2017

Need help undertsanding the flow

Related topics