I looked into the indices to see what fields are getting created, and they are all legit. Windows logs are working fine because they use the same format most of the time, but some service and application logs are really bad and create 50 fields, because they look like this:
```json
"SynchronousReadIoCountsBucket1" : {
  "type" : "keyword"
},
"SynchronousReadIoCountsBucket10" : {
  "type" : "keyword"
},
"SynchronousReadIoCountsBucket11" : {
  "type" : "keyword"
},
"SynchronousReadIoCountsBucket12" : {
  "type" : "keyword"
},
"SynchronousReadIoCountsBucket2" : {
  "type" : "keyword"
},
"SynchronousReadIoCountsBucket3" : {
  "type" : "keyword"
},
"SynchronousReadIoCountsBucket4" : {
  "type" : "keyword"
},
"SynchronousReadIoCountsBucket5" : {
  "type" : "keyword"
},
"SynchronousReadIoCountsBucket6" : {
  "type" : "keyword"
},
"SynchronousReadIoCountsBucket7" : {
  "type" : "keyword"
},
"SynchronousReadIoCountsBucket8" : {
  "type" : "keyword"
},
"SynchronousReadIoCountsBucket9" : {
  "type" : "keyword"
},
"SynchronousReadIoMaxLatency" : {
  "type" : "keyword"
},
"SynchronousReadIoNonBlockingMaxLatency" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingIoCountsBucket1" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingIoCountsBucket10" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingIoCountsBucket11" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingIoCountsBucket12" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingIoCountsBucket2" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingIoCountsBucket3" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingIoCountsBucket4" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingIoCountsBucket5" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingIoCountsBucket6" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingIoCountsBucket7" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingIoCountsBucket8" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingIoCountsBucket9" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingTotalLatencyBucket1" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingTotalLatencyBucket10" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingTotalLatencyBucket11" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingTotalLatencyBucket12" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingTotalLatencyBucket2" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingTotalLatencyBucket3" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingTotalLatencyBucket4" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingTotalLatencyBucket5" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingTotalLatencyBucket6" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingTotalLatencyBucket7" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingTotalLatencyBucket8" : {
  "type" : "keyword"
},
"SynchronousReadNonBlockingTotalLatencyBucket9" : {
  "type" : "keyword"
},
"SynchronousReadTotalLatencyBucket1" : {
  "type" : "keyword"
},
"SynchronousReadTotalLatencyBucket10" : {
  "type" : "keyword"
},
"SynchronousReadTotalLatencyBucket11" : {
  "type" : "keyword"
},
"SynchronousReadTotalLatencyBucket12" : {
  "type" : "keyword"
},
"SynchronousReadTotalLatencyBucket2" : {
  "type" : "keyword"
},
"SynchronousReadTotalLatencyBucket3" : {
  "type" : "keyword"
},
"SynchronousReadTotalLatencyBucket4" : {
  "type" : "keyword"
},
"SynchronousReadTotalLatencyBucket5" : {
  "type" : "keyword"
},
"SynchronousReadTotalLatencyBucket6" : {
  "type" : "keyword"
},
"SynchronousReadTotalLatencyBucket7" : {
  "type" : "keyword"
},
"SynchronousReadTotalLatencyBucket8" : {
  "type" : "keyword"
},
"SynchronousReadTotalLatencyBucket9" : {
  "type" : "keyword"
},
"SynchronousWriteIoCountsBucket1" : {
  "type" : "keyword"
},
"SynchronousWriteIoCountsBucket10" : {
  "type" : "keyword"
},
"SynchronousWriteIoCountsBucket11" : {
  "type" : "keyword"
},
"SynchronousWriteIoCountsBucket12" : {
  "type" : "keyword"
},
"SynchronousWriteIoCountsBucket2" : {
  "type" : "keyword"
},
"SynchronousWriteIoCountsBucket3" : {
  "type" : "keyword"
},
"SynchronousWriteIoCountsBucket4" : {
  "type" : "keyword"
},
"SynchronousWriteIoCountsBucket5" : {
  "type" : "keyword"
},
"SynchronousWriteIoCountsBucket6" : {
  "type" : "keyword"
},
"SynchronousWriteIoCountsBucket7" : {
  "type" : "keyword"
},
"SynchronousWriteIoCountsBucket8" : {
  "type" : "keyword"
},
"SynchronousWriteIoCountsBucket9" : {
  "type" : "keyword"
},
"SynchronousWriteIoMaxLatency" : {
  "type" : "keyword"
},
"SynchronousWriteIoNonBlockingMaxLatency" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingIoCountsBucket1" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingIoCountsBucket10" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingIoCountsBucket11" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingIoCountsBucket12" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingIoCountsBucket2" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingIoCountsBucket3" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingIoCountsBucket4" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingIoCountsBucket5" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingIoCountsBucket6" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingIoCountsBucket7" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingIoCountsBucket8" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingIoCountsBucket9" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingTotalLatencyBucket1" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingTotalLatencyBucket10" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingTotalLatencyBucket11" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingTotalLatencyBucket12" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingTotalLatencyBucket2" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingTotalLatencyBucket3" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingTotalLatencyBucket4" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingTotalLatencyBucket5" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingTotalLatencyBucket6" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingTotalLatencyBucket7" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingTotalLatencyBucket8" : {
  "type" : "keyword"
},
"SynchronousWriteNonBlockingTotalLatencyBucket9" : {
  "type" : "keyword"
},
"SynchronousWriteTotalLatencyBucket1" : {
  "type" : "keyword"
},
"SynchronousWriteTotalLatencyBucket10" : {
  "type" : "keyword"
},
"SynchronousWriteTotalLatencyBucket11" : {
  "type" : "keyword"
},
"SynchronousWriteTotalLatencyBucket12" : {
  "type" : "keyword"
},
"SynchronousWriteTotalLatencyBucket2" : {
  "type" : "keyword"
},
"SynchronousWriteTotalLatencyBucket3" : {
  "type" : "keyword"
},
"SynchronousWriteTotalLatencyBucket4" : {
  "type" : "keyword"
},
"SynchronousWriteTotalLatencyBucket5" : {
  "type" : "keyword"
},
"SynchronousWriteTotalLatencyBucket6" : {
  "type" : "keyword"
},
"SynchronousWriteTotalLatencyBucket7" : {
  "type" : "keyword"
},
"SynchronousWriteTotalLatencyBucket8" : {
  "type" : "keyword"
},
"SynchronousWriteTotalLatencyBucket9" : {
  "type" : "keyword"
},
```
If you're a madman like me and want to collect all the logs, you end up with indices like that. Sure, I could break those logs up into multiple indices, or even better make a list of all the logs I really need instead of collecting everything, but until now I had no problem, so I did not touch it.
I'm using my own NXLog configuration. Most of the time I have three inputs: one for the standard Windows log files (system, sec, app, setup), one for the Service and Application logs, and one or more for special outputs like log file exports for NAP, SCCM, Exchange and stuff like that.
I will try to switch to RAW to see if GELF processing is having problems; that's a good hint.
A switch to Filebeat is something on my list, because NXLog locks all their good features behind a paywall. Do you know if Filebeat supports local caching in case of unreachable Graylog nodes?
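A check a practitioner could run over such a mapping before the field limit bites, as an added example that is not from the original post or from Graylog/NXLog: it groups field names that differ only by a trailing number into families, so a whole `...BucketN` series shows up as one line with a member count. The mapping excerpt in the code is constructed to mirror the field names quoted above.

```python
"""Group mapped fields into families to spot field explosion in an index."""
import re
from collections import Counter

# Constructed excerpt of an Elasticsearch/Graylog index mapping, shaped like
# the SynchronousRead*/SynchronousWrite* fields quoted in the post.
SAMPLE_MAPPING = {
    **{f"SynchronousReadIoCountsBucket{i}": {"type": "keyword"} for i in range(1, 13)},
    **{f"SynchronousWriteTotalLatencyBucket{i}": {"type": "keyword"} for i in range(1, 13)},
    "SynchronousReadIoMaxLatency": {"type": "keyword"},
    "EventID": {"type": "long"},
    "Channel": {"type": "keyword"},
}

# A field name ending in a run of digits is treated as one member of a family:
# "...Bucket12" and "...Bucket1" both collapse to "...Bucket".
FAMILY_RE = re.compile(r"^(.*?)\d+$")


def family_of(name: str) -> str:
    """Strip a trailing number; names without one are their own family."""
    m = FAMILY_RE.match(name)
    return m.group(1) if m else name


def field_families(mapping: dict) -> Counter:
    """Count how many mapped fields each family contributes."""
    return Counter(family_of(name) for name in mapping)


def explosion_report(mapping: dict, min_members: int = 5) -> dict:
    """Return families with at least min_members numbered fields, plus totals.

    Families reported here are the candidates for dropping or flattening in
    the collector (NXLog or Filebeat) before they reach the index mapping.
    """
    fams = field_families(mapping)
    noisy = {f: n for f, n in fams.items() if n >= min_members}
    return {
        "total_fields": sum(fams.values()),
        "noisy_families": noisy,
        "fields_saved_if_dropped": sum(noisy.values()),
    }


if __name__ == "__main__":
    for key, value in explosion_report(SAMPLE_MAPPING).items():
        print(key, value)
```

Feed it the `properties` object of a real index mapping (for example the output of the `_mapping` API loaded with `json.load`) to get the same report for a live index.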