I am new to the community, sorry if I make some mistakes and ask some boring questions.
I have a Linux Graylog server and I am trying to add some Windows logs to the Graylog server from multiple Windows servers. I am trying to use Sidecar and NXLog.
The NXLog service is controlled by the Sidecar service, and it's working; I am receiving all logs from the server.
Now I want to add more servers, but I want to filter some logs; I don't want to show all Windows logs. So I have created another Sidecar/NXLog configuration (for example, to take only DHCP/DNS-related messages), and that is working also. What is the issue? I want to collect different logs on different servers (domain controllers: DHCP/DNS logs, NPS logs, etc., and from some other machines I want to receive some other logs).
To be more precise, on port 11101 I want to receive logs from DHCP, on port 11102 I want to receive logs from NPS, and on port 11103 I want to receive only Windows security logs. How can I make, if it is possible, a combination to use server A to send DHCP logs and security logs (ports 11103 and 11101), and server B to send security logs and NPS logs (ports 11103 and 11102)? Or should I use only one port for inputs but make different collector configurations?
Also, I don't understand the purpose of tags. I can't mix them on one collector (if I have multiple configurations)?
Is there another reason why you'd want to have multiple inputs, other than for categorizing logs? If not, I believe there is a better way:
A single input (or multiple if needed)
One collector configuration per machine sending logs to Graylog, configured to forward logs to the Graylog input
In each collector configuration, a collector input (note: this is different from a Graylog input) per log category you want to send in Graylog (e.g. DHCP, DNS)
In each collector input, a static field log_category=xxx for every log category
And regarding your question about collector tags: tags allow collectors on the machines to know which configuration they should apply. If you have one collector configuration per machine as I suggest, you'd have a single tag on every collector configuration, with the tag being the hostname, for instance.
Once you have this set up, you can easily create streams based on the log_category field of your messages.
Does that make sense to you? I purposely didn’t go into a lot of detail, just ask if you need a specific point cleared up!
Yes, it makes sense to use multiple inputs per machine. I thought that tags should be in relation with some unique service or group of services, but if I can use the tag as a computer name, I was wrong.
I will try with the computer name as the tag, and use multiple inputs.
I didn't find the static field log_category, so if you can, point me to the right place if the image below is wrong.
What I called static fields is what the Graylog UI calls additional fields. These are essentially fields which will be added to every message coming from this specific (collector) input configuration.
For instance, if your log file /var/log/firewall.log contains firewall logs, you might want to add an additional field log_category: firewall.
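As an added illustration of the layout suggested above (one collector configuration per machine, one NXLog input per log category, a log_category field on each input, a single Graylog input), here is what the NXLog collector configuration for "server A" (DHCP plus Security) could look like. This is an example written for this thread, not configuration posted by either participant and not Graylog's or NXLog's own template. The Graylog hostname and port, the NXLog install path, and the DHCP event channel name (Microsoft-Windows-Dhcp-Server/Operational) are assumptions chosen for illustration; check them against your environment. The `Exec $log_category = ...;` line is the NXLog equivalent of the "additional field" described above: xm_gelf sends it as `_log_category`, and Graylog stores it as `log_category`.

```apacheconf
## Added example: NXLog collector config for server A (DHCP + Security).
## Paths, Graylog host/port and the DHCP channel name are assumptions.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>

# Collector input 1: DHCP server operational events (channel name assumed)
<Input dhcp>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Microsoft-Windows-Dhcp-Server/Operational">
                <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # "Additional field" for this category; arrives in Graylog as log_category
    Exec $log_category = "dhcp";
</Input>

# Collector input 2: only the Windows Security log
<Input security>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec $log_category = "security";
</Input>

# One Graylog GELF TCP input receives everything (host and port assumed)
<Output graylog>
    Module     om_tcp
    Host       graylog.example.internal
    Port       12201
    OutputType GELF_TCP
</Output>

# Both category inputs share the single output. Server B would define
# security and nps inputs and route "security, nps => graylog" instead.
<Route r>
    Path dhcp, security => graylog
</Route>
```

With this in place, server B gets its own collector configuration (tagged with its hostname) that defines the security and NPS inputs instead, and both machines talk to the same Graylog input. On the Graylog side, a stream rule such as field `log_category` exactly matches `dhcp` then splits the traffic, so no per-category ports are needed.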