Hello everybody! I have Graylog 4.2.1 on CentOS 7.9.2009.
I have 2 questions, both are about streams.
I have a stream with 2 rules based on source and based on log file path. Problem is when I’m adding the third rule (another log file path) nothing really happens. Logs keep going into the all messages and my new rule seems to be ignored by Graylog. Do I need to create another stream or is there a workaround?
Is it proper to create a stream for every source? How will it affect Graylog performance-wise?
It would help immensely if you posted your rules (using the </> forum tool to make them look nice) and an example message that is passing through them.
Rules in the same pipeline stage essentially run in parallel. So if RULE TWO depends on a change that happened in RULE ONE, then you need to make sure RULE TWO is in a following stage in the pipeline.
Offhand it would seem very inefficient to have a separate stream for every source. Streams pull messages from an input based on rules, pipelines are attached to streams and process items based on a when section being TRUE.
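As an added example (not from this thread), here is the stage ordering described above written out in Graylog's pipeline rule language: three independent tagging rules in stage 0, one per log file path, and a single routing rule in stage 1 that depends on the field those rules set. The source name `web01`, the field name `file` (where the shipper puts the log path) and the target stream name `app-logs` are assumptions; adjust them to your setup.

```graylog
// Stage 0: each rule only recognises one log path and tags the message.
// Rules in the same stage run independently, so none of them may rely
// on a field another stage-0 rule sets.
rule "tag nginx access log"
when
    has_field("source") &&
    to_string($message.source) == "web01" &&                // assumed source name
    starts_with(to_string($message.file), "/var/log/nginx/access")  // assumed path field
then
    set_field("log_kind", "nginx-access");
end

rule "tag nginx error log"
when
    has_field("source") &&
    to_string($message.source) == "web01" &&
    starts_with(to_string($message.file), "/var/log/nginx/error")
then
    set_field("log_kind", "nginx-error");
end

rule "tag application log"
when
    has_field("source") &&
    to_string($message.source) == "web01" &&
    starts_with(to_string($message.file), "/var/log/myapp/")  // assumed path
then
    set_field("log_kind", "myapp");
end

// Stage 1: this rule depends on log_kind, which is only guaranteed to
// exist once stage 0 has finished, hence the later stage.
rule "route tagged messages"
when
    has_field("log_kind")
then
    // "app-logs" is an assumed, pre-existing stream name.
    route_to_stream(name: "app-logs", remove_from_default: true);
end

// Pipeline wiring: "match either" lets stage 1 run as soon as any
// one of the stage-0 rules matched (a message only ever has one path).
pipeline "Route web01 logs by file"
stage 0 match either
    rule "tag nginx access log";
    rule "tag nginx error log";
    rule "tag application log";
stage 1 match either
    rule "route tagged messages";
end
```

Adding a fourth log path later is then just another tagging rule in stage 0; the routing rule in stage 1 does not change.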
Everyone uses streams differently. I would suggest you read up on them and then simply configure some to see what works for you. Keep in mind that you can send messages into streams using rules in the GUI or in Pipelines that are associated with the inputs. There is more power in the pipeline versions because you can be more granular, but starting out, the GUI rules are perfectly fine.
Streams per input are ok and probably the most basic type of stream. Once you get the hang of the concept, you’ll probably move away from the stream per input.
If you think about it, you may want to have a stream for all login failures. Not one stream per input for login failures.