First question: would this be the best site for general configuration and troubleshooting questions, or is there a dedicated Slack channel for that somewhere?
Second question: I have a use-case where a single macOS host with no connectivity to the internet needs to have its logs aggregated and stored for an entire year. I believe this can be done using Graylog, but I am not sure how much engineering effort would go into designing a solution for a single host, and what backend I would need, for example a full Elastic cluster backend, or MongoDB.
Also, it's not clear to me which log shipper I would use on the Mac to support Apple's UL framework, if that would be Filebeat and, if so, would I use Logstash to get into Graylog?
This is the place to be for general info and help with troubleshooting. If it's beyond that you can go here, but I would start here first.
You might want to look at this documentation first, and for any questions that arise from that, come back here and we can help.
To be honest, an all-in-one-node GL server would do it.
As for your log shipper, a FileBeat installation would do.
Just a side note: here is my FileBeat configuration on a remote client sending logs to Graylog. Don't be confused by the name Logstash.
filebeat.inputs:
- type: filestream
  enabled: true
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
output.logstash:
  # The Logstash hosts
  hosts: ["graylog-server.com:5044"]
logging.level: debug
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat.log
Thank you. That is exactly the info I was looking for. Do you know if Filebeat is able to grab all of the logging available under Apple's UL framework? That's where all of the good stuff is generated.
Since I am outputting to Logstash, I presume the server will be a single-node Elastic node, is that correct?
Any idea how long it might take to stand up a simple solution like this for a reasonably competent Linux admin?
Unfortunately I do not have an Apple device, but someone here might. I would assume that when you configure the FileBeat paths (paths: - /path/to/some/logs/*.log) it should work. Just make sure Filebeat can access those logs (i.e. permissions).
Yes, your single node would have Graylog, Elasticsearch and MongoDB. The documentation would have all your answers for this.
My first time, after reading the documentation (copy & pasting), took about an hour.
It is highly recommended to go over what installation you're using and how to install it. This will prevent those "gotchas" later on.
Well… I did some research on Unified Logging and Activity Tracing with Apple. All I can say is wow.
There are tools out there that can read .tracev3 format and maybe they can create a text file for FileBeat to send those logs to Graylog. This was something I came across
Good call. I came across that same GitHub project but did not take a close look at it. Potentially that could output plain text files that could in turn be shipped by LogStash to Graylog?
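The approach the last few posts converge on (turn unified-log records into plain text files, then let Filebeat tail them) can be done without a third-party .tracev3 reader by using Apple's own `log show` command. The script below is an added example, not code from this thread, from Graylog, or from Elastic. It assumes `log show --style ndjson` (available on recent macOS versions) and that the emitted records carry the field names listed in `KEEP_FIELDS`; check both against `log help show` and a sample of your own output, since field names are not part of any contract. The output directory `/var/log/unified-export` and the `unified-*.ndjson` file naming are assumptions chosen for the example.

```python
"""Export Apple unified-log records to newline-delimited JSON files that a
Filebeat filestream input can tail and forward to a Graylog Beats input.

Assumptions (not from the thread): `log show --style ndjson` exists on the host,
and its records use the field names in KEEP_FIELDS. Verify on your macOS version.
"""
import json
import subprocess
from datetime import datetime
from pathlib import Path

# Fields worth keeping for a year of retention; anything else is dropped to
# keep the on-disk volume (and the Graylog index) small.
KEEP_FIELDS = ("timestamp", "messageType", "subsystem", "category",
               "processImagePath", "processID", "eventMessage")


def build_log_show_command(last="15m", predicate=None):
    """Return the argv for `log show`. `last` is a duration such as 15m or 1h;
    `predicate` is an optional NSPredicate string passed through unchanged."""
    cmd = ["log", "show", "--style", "ndjson", "--info", "--last", last]
    if predicate:
        cmd += ["--predicate", predicate]
    return cmd


def normalise_record(line):
    """Parse one ndjson line. Returns a trimmed dict, or None for blank lines,
    lines that are not JSON, and objects without an eventMessage (log show can
    emit summary objects that are not log records)."""
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or "eventMessage" not in rec:
        return None
    return {k: rec[k] for k in KEEP_FIELDS if k in rec}


def convert_stream(lines):
    """Yield normalised records from an iterable of ndjson lines."""
    for line in lines:
        rec = normalise_record(line)
        if rec is not None:
            yield rec


def export(lines, out_dir):
    """Write one .ndjson file per run (so Filebeat never reads a file that is
    still being rewritten) and return (path, record_count)."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    path = out_dir / f"unified-{datetime.now():%Y%m%dT%H%M%S%f}.ndjson"
    count = 0
    with path.open("w", encoding="utf-8") as fh:
        for rec in convert_stream(lines):
            fh.write(json.dumps(rec, ensure_ascii=False) + "\n")
            count += 1
    return path, count


# Constructed sample lines in the shape of `log show --style ndjson` output,
# including the malformed inputs the parser is expected to skip.
SAMPLE_LINES = [
    json.dumps({"timestamp": "2023-04-01 10:00:00.000000+0000",
                "messageType": "Default", "subsystem": "com.apple.securityd",
                "category": "security", "processImagePath": "/usr/sbin/securityd",
                "processID": 123, "eventMessage": "session created",
                "traceID": 999}),          # traceID is dropped by KEEP_FIELDS
    "",                                    # blank line
    "not json",                            # garbage
    json.dumps({"count": 2}),              # summary object, no eventMessage
    json.dumps({"timestamp": "2023-04-01 10:00:01.000000+0000",
                "eventMessage": "kernel message", "processID": 0}),
]


if __name__ == "__main__":
    # Real run on a Mac: pull the last 15 minutes and drop the file where
    # Filebeat's filestream input is pointed. Schedule via launchd/cron.
    proc = subprocess.run(build_log_show_command(last="15m"),
                          capture_output=True, text=True, check=True)
    out_path, n = export(proc.stdout.splitlines(), "/var/log/unified-export")
    print(f"wrote {n} records to {out_path}")
```

On the Filebeat side the only change from the configuration posted earlier is pointing `paths` at `/var/log/unified-export/*.ndjson` and adding an `ndjson` parser to the filestream input so Graylog receives each field separately rather than one opaque message line. Run the exporter from a scheduled job whose interval matches the `--last` window, and make sure the account it runs under is allowed to read the unified log (the same permissions caveat raised above for Filebeat itself).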