[graylog2] Best practice for extractors/inputs.

[Patrick Brennan]

Hi all,

We have just stood up a Proof-of-Concept Graylog cluster and we are 
ingesting log data from around 50 nodes.  The Graylog cluster itself is 
working fine and is stable ingesting at something like 8000 msgs/sec.  Now 
it's time to try to do something useful with that data.  And herein lies 
the crux of my question.

At the moment I have a single input configured of type "GELF TCP" listening 
on port TCP/12201.  This is behind a load balancer and all logs are being 
forwarded with graylog collector.  A subset of the collector configuration 
is below:

inputs {
  syslog {
    type = "file"
    path-glob-root = "/var/log"
    path-glob-pattern = "{syslog,auth.log,dpkg.log,kern.log}"
  }
  nginx-logs {
    type = "file"
    path-glob-root = "/var/log/nginx"
    path-glob-pattern = "*log"
  }
  app-logs [
    type = "file"
    path = "/var/log/application.json"
  }
}

outputs {
  gelf-tcp {
    type = "gelf"
    host = "server"
    port = 12201
    [ ... SNIP ... ]
  }
}


Obviously we are sending logs of many different formats to the same graylog 
input.  Some are JSON, some are syslog, some are http combined, and there 
are many others as well).

I am curious what others do in this situation.  I imported the nginx 
content pack and it created an input (on a different port) for nginx access 
logs and another (again on a different port) for nginx error logs.  Is this 
best practice?  It doesn't seem overly desirable to me as it pushes the 
classification of logs into the collector which I was trying to avoid.  The 
alternative would seem to be to have all extractors running on my single 
input, but I can't see any easy way to keep this under control.  Both from 
a number of extractors perspective, but also to constrain particular 
extractors to particular message types (for example based on a regex 
against source_file).

I would appreciate anyone else's thoughts or experiences.

Thanks!
Patrick

BTW, having used an ELK based stack previously, I am really like Graylog 
thus far.  Kudos to the developers for actually starting out by designing 
an architecture.  :)

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/0dcadaef-2251-4a44-86f0-63a7c4d73f27%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.