I use a different input for each type of log: platform, eventlog, IIS, etc. My thinking was mainly that I want to see everything from something specific without noise from another and without the need for a stream.

On Wednesday, September 7, 2016 at 4:01:08 AM UTC-6, Michael Anthon wrote:
> While our system currently isn't that large, I'm trying to determine the
> best way to configure Graylog to make future updates and extensions simple
> to manage.
>
> Where I'm struggling with this is with the impact in terms of performance
> of configuring things certain ways.
>
> So, for example, we have data being sourced from several different types
> of logs:
>
> - IIS logs
> - nginx logs
> - Windows event logs
> - PHP error logs
> - Custom application logs
> - syslogs from various devices and servers
> - tomcat/java logs
>
> Each of these different types has various requirements in terms of
> extractors and processing that we do to provide us with useful fields for
> searching.
>
> The options as I see them are:
>
> 1. create a small number of inputs that handle all the messages and
>    have a large set of extractors to deal with all the different message
>    types that come through the input.
> 2. create an input for each type of message source with the extractors
>    for that type of message as needed
>
> To me, option 2 seems the more sensible in terms of future management and
> even initial setup, but I'm unsure of the impact of having more inputs
> versus fewer inputs with more extractors.
>
> I'd appreciate any insight/advice on this (or pointers to documentation
> that I may have missed).
>
> Cheers,
> Michael
