I'm also new to Graylog (I've been working with it for a few weeks), 
but I think I can answer a few of your questions.

1. I am not able to find message id and index to create rules in streams in 
the logs/events?
The message ID and index appear at the top of any message you are viewing.
Here is a copy/paste from the top of one of my messages:

---
 409b6860-ef7b-11e4-9106-000c29d9b316
Received by syslogudp on f0db8b5a / graylog

Timestamp: 2015-04-30 15:55:37.311 -05:00
Index: graylog_5 
---

The first long string of numbers/letters is the message ID. You'll see the 
index also. In this case the index is: graylog_5

2. How to add stream rules, what is user id?
"user_id" isn't really anything, just a placeholder for you to type the 
Field you wish to create a stream rule to match.
For example: Type EventID in for the field. Leave "Type" on "match 
exactly". For Value, maybe try 4608 (Windows is starting up).

3. Is it possible to get only security logs using syslog from device? How to 
configure that. Because I am not interface up/down events also from switch.
Do you have syslog input configured to accept logs from syslog? If so, point 
a device to the Graylog server and watch the events begin to appear in the 
Sources list of Graylog.

4. Where I can see sources that are sending logs to my servers and details 
like how many they are sending, and what are those events.
You should be able to click the "Sources" tab at the top of the Graylog web 
interface. You'll see a list of all sources that have sent logs to Graylog. 
You can run queries on those messages and show almost any info you want. It 
will also show you how many messages over a period of time (such as Last 
Hour or Last Day).

5. What is content packs and GROK patterns?
I can't help here.

6. Is it possible to get reports from the Graylog server?
You can run queries then export to CSV. You could also set up a stream to 
match certain rules then email you a sort of report based on your 
queries/rules.

I agree with Pete, reading the docs will really help.
