I’m setting up centralized log collection using Graylog 5.3 and Filebeat, and I wanted to check if I’m following best practices when configuring it on a Windows laptop. My current goal is to ship application and system logs from multiple laptops to our Graylog server over Beats input.
I’m particularly interested in recommendations for filtering or enriching logs before they reach Graylog. Should these tasks be handled upstream in Logstash, or within Graylog pipelines for better performance and maintainability?
Graylog 5.3 is fairly old at this point so it would be worth upgrading to the latest release.
Most filtering, such as forwarding only specific events, can be handled by the winlogbeat/filebeat configuration; it might be that Logstash is not required. Enriching data can be handled within pipelines/rules on Graylog - assuming you have sized the Graylog cluster based on estimated ingestion and retention, then performance should not be an issue.
Before starting the process I would recommend mapping out some use cases you want to achieve by ingesting Windows logs.
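As an added illustration of the "filter at the shipper, enrich in Graylog" split described in the answer (this is example configuration, not from the post or the Graylog/Elastic projects): a Winlogbeat configuration that forwards only the Windows event IDs and severities a team has a use case for, drops one noisy pattern locally, and ships to a Graylog Beats input. The hostname, CA path, event-ID list, and the `site` field value are constructed placeholders; the same `processors` and `output.logstash` sections apply unchanged to a filebeat.yml on the same laptop.

```yaml
# winlogbeat.yml (added example, not from the original post). Assumes a Graylog
# Beats input listening on graylog.example.internal:5044 (placeholder host).
winlogbeat.event_logs:
  - name: Security
    # Forward only the event IDs tied to an agreed use case (constructed list):
    # 4624/4625 logon success/failure, 4672 special privileges assigned,
    # 4688 process creation, 4720 user created, 4732 member added to local
    # group, 1102 audit log cleared.
    event_id: 4624, 4625, 4672, 4688, 4720, 4732, 1102
    ignore_older: 72h          # skip backlog older than 3 days on first start
  - name: System
    level: critical, error, warning
  - name: Application
    level: critical, error
  - name: Microsoft-Windows-Sysmon/Operational   # only present if Sysmon is installed

processors:
  # Drop successful logons by computer accounts (TargetUserName ending in "$");
  # they dominate 4624 volume on a domain-joined laptop and rarely matter here.
  - drop_event:
      when:
        and:
          - equals:
              event.code: "4624"
          - regexp:
              winlog.event_data.TargetUserName: '\$$'
  # Attach host metadata so Graylog stream rules and pipeline lookups can key on it.
  - add_host_metadata: ~

# A static field the Graylog side can route on (e.g. a stream rule "site == hq-laptops");
# the heavier enrichment (lookup tables, GeoIP, user context) stays in Graylog pipelines.
fields:
  site: "hq-laptops"         # constructed value
fields_under_root: true

# Graylog's Beats input speaks the Logstash/lumberjack protocol, so Beats use output.logstash.
output.logstash:
  hosts: ["graylog.example.internal:5044"]
  ssl.certificate_authorities: ["C:/ProgramData/winlogbeat/ca.pem"]   # placeholder path
```

Run `winlogbeat.exe test config -c winlogbeat.yml` and `winlogbeat.exe test output -c winlogbeat.yml` before installing the service; the first catches YAML and option errors, the second confirms the TLS connection to the Beats input. Keep the event-ID allowlist in version control next to the use cases it serves, so a new detection need is a reviewed change rather than a "send everything" shortcut.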