I’m very new to Graylog and can see its huge potential. I want to ensure I’m starting off on the correct path.
Running Graylog 5.2.7 on Elasticsearch.
I’ve got 6 Palo Alto firewalls, and I’m looking to centralize the logging with Graylog.
I’m using pipelines and an "extract to grok fields" rule to get my data.
The Palos have a range of log types: System, Traffic, Threat, GlobalProtect, etc.
Is it good practice to extract all the data from each log type with a single grok extraction rule, thus having one pipeline and rule (this would be a long and complex grok extraction) for each log type?
Or should I just be extracting the fields I actually need for the reporting I currently want? This would result in more (but simpler) pipelines and rules.
There may be a better way to extract, but I am familiar with pipelines and rules that extract to grok.
If there seems to be a better solution, I would appreciate some guidance.
Finally, does anyone have any grok patterns for Palo logs that they would be willing to share?
Thanks,
David
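The trade-off the question raises (one long all-or-nothing extraction per log type versus a short shared pattern plus small per-type patterns) can be shown outside Graylog. The following is an added example and is not code from the original post or from Graylog: it uses Python regular expressions with named groups as a stand-in for grok's `%{PATTERN:name}` captures. The log lines are constructed to look like PAN-OS syslog output (a syslog header followed by a CSV body whose fourth value names the log type); the CSV layout and the field names such as `src`, `rule` and `app` are simplified assumptions for illustration, not the vendor's documented field list. The third line carries one extra trailing value to show what happens to each approach when the sender's field list drifts.

```python
import re
from typing import Optional

# Constructed sample lines shaped like PAN-OS syslog output. The field positions
# and names used below are assumptions for illustration, not a vendor reference.
SAMPLE_LOGS = [
    "<14>Jan 10 12:00:01 fw-edge-01 1,2024/01/10 12:00:01,001234567890,TRAFFIC,end,"
    "2049,2024/01/10 12:00:01,10.0.1.25,203.0.113.10,0.0.0.0,0.0.0.0,allow-outbound,,,ssl,"
    "vsys1,trust,untrust,ethernet1/2,ethernet1/1",
    "<14>Jan 10 12:00:02 fw-edge-01 1,2024/01/10 12:00:02,001234567890,THREAT,url,"
    "2049,2024/01/10 12:00:02,10.0.1.25,203.0.113.10,0.0.0.0,0.0.0.0,block-bad-url,,,web-browsing,"
    "vsys1,trust,untrust,ethernet1/2,ethernet1/1",
    # Same shape as the first line but with one extra trailing value (field-list drift).
    "<14>Jan 10 12:00:03 fw-edge-01 1,2024/01/10 12:00:03,001234567890,TRAFFIC,end,"
    "2049,2024/01/10 12:00:03,10.0.1.30,198.51.100.7,0.0.0.0,0.0.0.0,allow-outbound,,,dns,"
    "vsys1,trust,untrust,ethernet1/2,ethernet1/1,extra",
]

F = r"[^,]*"  # one CSV value (the constructed samples contain no quoted commas)

# Stage 1: syslog header plus the prefix shared by every log type. This is the only
# pattern that has to be broad; named groups play the role of grok's %{PATTERN:name}.
HEADER = re.compile(
    rf"^<(?P<pri>\d+)>(?P<syslog_ts>\w{{3}} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    rf"(?P<fmt>\d+),(?P<recv_time>{F}),(?P<serial>{F}),(?P<log_type>[A-Z]+),(?P<subtype>{F}),(?P<body>.*)$"
)

# Approach A: one monolithic TRAFFIC pattern that names every remaining value and is
# anchored at end of line. Like a long grok, it is all or nothing: one extra or
# missing value and the whole line yields no fields.
MONOLITHIC_TRAFFIC = re.compile(
    rf"^(?P<seq>{F}),(?P<gen_time>{F}),(?P<src>{F}),(?P<dst>{F}),(?P<nat_src>{F}),(?P<nat_dst>{F}),"
    rf"(?P<rule>{F}),(?P<src_user>{F}),(?P<dst_user>{F}),(?P<app>{F}),(?P<vsys>{F}),(?P<from_zone>{F}),"
    rf"(?P<to_zone>{F}),(?P<in_if>{F}),(?P<out_if>{F})$"
)

# Approach B: per-type patterns applied only to the body, capturing just the fields
# wanted for reporting and ignoring everything after the last one they need.
TARGETED = {
    "TRAFFIC": re.compile(rf"^{F},{F},(?P<src>{F}),(?P<dst>{F}),{F},{F},(?P<rule>{F}),{F},{F},(?P<app>{F}),"),
    "THREAT": re.compile(rf"^{F},{F},(?P<src>{F}),(?P<dst>{F}),{F},{F},(?P<rule>{F}),"),
}


def parse_header(line: str) -> Optional[dict]:
    """Shared header fields plus the untouched CSV body, or None if not PAN-OS shaped."""
    m = HEADER.match(line)
    return m.groupdict() if m else None


def _common(hdr: dict) -> dict:
    return {k: v for k, v in hdr.items() if k != "body"}


def extract_monolithic(line: str) -> Optional[dict]:
    """Approach A: every TRAFFIC field, or None if the line is not exactly as expected."""
    hdr = parse_header(line)
    if not hdr or hdr["log_type"] != "TRAFFIC":
        return None
    m = MONOLITHIC_TRAFFIC.match(hdr["body"])
    if not m:
        return None  # all-or-nothing failure: no fields at all for this line
    return {**_common(hdr), **m.groupdict()}


def extract_targeted(line: str) -> Optional[dict]:
    """Approach B: common header fields always, plus per-type fields when its pattern matches."""
    hdr = parse_header(line)
    if not hdr:
        return None
    fields = _common(hdr)
    pat = TARGETED.get(hdr["log_type"])  # route on log type, then apply a small pattern
    m = pat.match(hdr["body"]) if pat else None
    if m:
        fields.update(m.groupdict())
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print("monolithic:", extract_monolithic(line))
        print("targeted:  ", extract_targeted(line))
```

Running it shows the first line parsed fully by both approaches, the THREAT line handled only by the targeted path, and the drifted TRAFFIC line yielding nothing from the monolithic pattern while the targeted pattern still returns `src`, `dst`, `rule` and `app` together with the header fields. The structure this mirrors is a shared header extraction followed by routing on the log-type field into one small per-type rule each; the per-type rules stay short, and an unmatched body loses only that type's extra fields rather than the entire message.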