Printer tracking pipeline - $message_ field names not working for set or rename

@tmacgbay YAY!!! It is working and flowing into the stream now… I had a typo, Printer_reports_stream vs your Printing_reports_stream; fixed it and they are now at least flowing into the stream correctly, and everything is working as far as renaming and removing the fields. UGH… It was a PEBKAC / typo. By fixed I mean I renamed my stream to match what you were using, just in case that would cause other problems later with the dashboard or something.

So… Now what RE: dashboard?

A little background, if you care to advise on best practices. We had a graylog server back in the version ~2 days; that was over 5 years ago if memory serves. It worked pretty well but had quite a few issues after running for several years, so much so that we were better off starting over and setting things up “correctly” from scratch with lessons learned. I understand what you mean RE: not a stream / index per server. We have quite a few Domain Controllers (5+) & FPS servers (again 5+) which will eventually flow into the system. We thought it prudent to break down the streams & indexes by system type. Granted, we only have one Exchange server, but mail servers are “chatty” so we felt we should separate it. We plan to set up separate streams and indexes for Firewalls (of which we have 6 currently) & similar breakdowns. Again, we are trying to set it up “correctly” this time with different streams & indexes based on the types of systems we plan to feed into this server. Previously we fed everything into a single stream and index and it was a nightmare in many ways.

For the streams we have rules set up. Currently, at the most basic level, we have:
4 indexes: default, exchange, dc, fps
7 streams, but only using 4:
The three default “All” streams (events / messages / system events)
4 streams: the three we were using before this project, DC, Exchange, FPS, AND the new stream, Print reports stream (created for this; we wanted to see some real-world return from this before setting up and pointing everything to the system), with no separate index for this stream…

The three main Streams we are using each have a source rule set to match, and each is set to at least one of the following rules (i.e. so I can base it on source and route each DC/FPS/Exchange into the correct stream). For the “rule” we have the name of the server (“source”) to direct each to the correct Stream & corresponding Index. We also have each of these streams set to remove matches from the “All messages” stream. So, eventually, we hopefully have nothing showing up in the All Messages stream / default index.

We only have 2 inputs: one syslog & one Beats (for winlogbeat).
Currently only one pipeline and 1 stage (stage 0), with 1 rule in the stage: Print_Tracking.

Does that all sound good? Anything we should be doing differently as far as best practices you can tell so far?
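For anyone reading this thread later, here is an added illustration (not from the poster or from @tmacgbay) of the two things described above written as Graylog pipeline rules: routing a message into a per-system-type stream based on its `source` while dropping it from “All messages”, and renaming/removing fields using the `$message.<field>` accessor that the thread title refers to. The hostname `dc01.example.test`, the field names `old_field_name` / `new_field_name` / `unwanted_field` and the stream name `DC` are placeholders chosen for the example; substitute the values from your own stream rules.

```graylog
rule "route DC messages by source"
when
  // Placeholder hostname: use the "source" value your DC stream rule matches on
  has_field("source") && to_string($message.source) == "dc01.example.test"
then
  // Same effect as a stream rule with "remove matches from All messages" enabled.
  // The stream must already exist; the rule does not create it.
  route_to_stream(name: "DC", remove_from_default: true);
end

rule "Print_Tracking_field_cleanup"
when
  // Only touch messages that actually carry the field we want to rename (placeholder name)
  has_field("old_field_name")
then
  // $message.<field> READS a value; rename_field / remove_field take the field NAME as a string
  set_field("print_source", to_string($message.source));
  rename_field("old_field_name", "new_field_name");
  remove_field("unwanted_field");
end
```

Two things this setup depends on, regardless of the rule text: the pipeline has to be connected to the stream the messages arrive in (the stream name typo in this thread is exactly the failure mode where a correct rule silently does nothing), and a rename only works if the field name in the string exactly matches the field as it arrives from winlogbeat, so check an actual message in the stream before writing the rule.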