Hello to everyone.
I know that there is an entire documentation, but it seems to get right down to business and I feel I am missing some basic information. If this information is in the documentation, I apologize for missing it, and I will appreciate it if someone can post links to the correct pages.
As I hinted in the title, I am completely new to Graylog. I'm in fact completely new to the whole log collection/SIEM field.
I began reading the documentation and realized that I had too many questions to continue on with installation:
- Sizing and scaling options: obviously for the first time I should use the appliance to test and see if I like the system at all, but it seems to me that after installing and configuring everything it will be a waste of time to scrap everything and start from the beginning with the right architecture. How do I know if the appliance will be enough for our organization or if I should use a Graylog cluster (and of how many nodes)?
- Elasticsearch: what is this? Is it required? If not, what added value will it have for my setup? And, similar to my previous question, what size should I have for it?
- Storage: I read in the documentation that the database saves only the metadata of the logs; however, I couldn't find where the logs themselves are saved and how and where I can configure them to be saved (SMB, NFS, etc.).
- Windows servers: I read that Graylog is unable to collect logs from Windows servers directly and requires an agent to be installed. Are there any plans to implement an agent-less solution in the future? To be honest, I am not a fan of installing an agent on every server I want to monitor. I am actually wondering if I can configure all Windows servers to forward their logs to a dedicated Windows server with the Graylog agent installed and collect them from there. Will this work? Are there other or better solutions for this?
These are the questions I have so far. Thanks in advance for the help.