I’ve been a Graylog user for some time now, however, admittedly I’ve been underutilizing its many awesome features.
I’m the solo IT person in an SMB who recognizes the importance of log collection. Some time ago, I set up a simple single-server instance of Graylog and started my collection journey. I’ve been sending all our network gear and Windows Server logs into Graylog, but my efforts pretty much landed there.
Fortunately, we’re not in a highly regulated industry, so we’ve never really had to rely on them for any significant need. However, with that said, I know that we live in a very adversarial world, so I worry that I could be missing important things in the slew of logs that I’m collecting.
I’ve done plenty of simple searches to get the root cause of some simple network issues, and even gone as far as to use a few of the Dashboards for AD data from the content marketplace.
With that, I don’t think I truly grasped the rhyme or reason for some of the various functions within Graylog, and I think I may have ended up with a small mess of inputs and streams. I’ve also noticed that some searches yield duplicate messages, so I think some of the streams I created caused that. After some reading on the forum here, I think I initially thought a stream was sort of like a saved search, and I didn’t use the “remove from all messages stream” option.
I’ve made it a point, and I’m going to spend the next week or two really trying to hone my Graylog instance so that I can use it in a more proactive way, but I was hoping someone from here would be willing to ELI5 (explain like I’m 5) how one might properly set up inputs, streams and indexes in a small mixed Windows, Cisco and (a few) Linux servers shop? I tried reading, and re-reading, the documentation on the subjects, but I just can’t seem to get it to “stick”; it seems like it’s written for someone who’s already in the know about all of this stuff.
I can tell you what I have now:
I have the default Index Set, and somehow ended up with a “Cisco IOS” index. I think I was trying to do some parsing/extraction, and thought I may have needed to have a separate index for Cisco IOS logs. Is that the case? I was trying to “decorate” the log messages so that they were searchable by fields, rather than just the raw messages.
Is there any reason to have multiple inputs of the same type, or would I only need one input for each? I have three different network vendors sending in syslog. I think I created an input for each vendor type. Again, I think I was going with the idea that I needed to parse the different types of messages from each. Is there a better way? Here are the inputs I have now:
- Cisco RAW Input (Raw/Plaintext UDP)
  - I don’t think this one is being used
- Firewall (Raw/Plaintext UDP)
  - I have a Cisco firewall sending logs here
- Syslog Input (Syslog UDP)
- Syslog IOS UDP (Syslog UDP)

Finally, I created a bunch of streams of like devices. So I have one that has my firewall logs, another that has SiteA’s switch logs, and another with SiteB’s router logs.
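One way to check a setup like the one described above against a live instance, as an added example that is not from the original post or from Graylog itself: a small Python audit of the JSON that Graylog’s REST API returns for streams and inputs, run here over constructed sample responses modelled on the inputs listed in the post. It flags non-default streams that leave their matches in “All messages” (the cause of duplicate search hits mentioned above) and groups inputs by type so you can see where several inputs of one type exist. The field names (`remove_matches_from_default_stream`, `is_default`, `inputs[].type`) are assumed to match the Graylog REST API; verify them against your version.

```python
import json
from collections import defaultdict

# Constructed sample responses in the shape of GET /api/streams and
# GET /api/system/inputs (field names assumed from the Graylog REST API;
# verify against your version). Fetch real ones with, for example:
#   curl -u <api-token>:token -H 'Accept: application/json' http://graylog:9000/api/streams
SAMPLE_STREAMS = {
    "total": 3,
    "streams": [
        {"title": "All messages", "is_default": True,
         "remove_matches_from_default_stream": False, "rules": []},
        {"title": "Firewall", "is_default": False,
         "remove_matches_from_default_stream": False,
         "rules": [{"field": "source", "type": 1, "value": "fw-01"}]},
        {"title": "SiteA Switches", "is_default": False,
         "remove_matches_from_default_stream": True,
         "rules": [{"field": "source", "type": 2, "value": "^siteA-sw"}]},
    ],
}
SAMPLE_INPUTS = {  # ports are constructed sample values
    "total": 4,
    "inputs": [
        {"title": "Cisco RAW Input", "type": "org.graylog2.inputs.raw.udp.RawUDPInput",
         "attributes": {"port": 5555}},
        {"title": "Firewall", "type": "org.graylog2.inputs.raw.udp.RawUDPInput",
         "attributes": {"port": 5556}},
        {"title": "Syslog Input", "type": "org.graylog2.inputs.syslog.udp.SyslogUDPInput",
         "attributes": {"port": 1514}},
        {"title": "Syslog IOS UDP", "type": "org.graylog2.inputs.syslog.udp.SyslogUDPInput",
         "attributes": {"port": 1515}},
    ],
}

def streams_still_in_default(streams_resp):
    """Non-default streams with rules that leave matches in 'All messages':
    a matching message is stored in both streams, so a search that spans
    streams shows it twice."""
    return [s["title"] for s in streams_resp["streams"]
            if not s.get("is_default") and s["rules"]
            and not s.get("remove_matches_from_default_stream", False)]

def inputs_by_type(inputs_resp):
    """Group inputs by input class (short name) with their ports. One input
    per type usually suffices; the 'source' field already tells devices apart,
    and a second input of the same type mainly buys a separate port or
    separate static fields, not per-vendor parsing."""
    groups = defaultdict(list)
    for i in inputs_resp["inputs"]:
        groups[i["type"].rsplit(".", 1)[-1]].append((i["title"], i["attributes"].get("port")))
    return dict(groups)

def audit(streams_resp, inputs_resp):
    """Summarise both findings in one dict for a quick review."""
    return {"duplicate_risk_streams": streams_still_in_default(streams_resp),
            "redundant_input_types": {t: v for t, v in inputs_by_type(inputs_resp).items()
                                      if len(v) > 1}}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_STREAMS, SAMPLE_INPUTS), indent=2))
```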