On 03/12/15 07:17, Joi Owen wrote:
> One benefit of having separated inputs is that you can isolate unique
> extractors to only the input that provides the fields of interest,
> reducing the load of having to parse for those fields on log data
> arriving from unrelated sources.
>
The way I look at it is that you have two ways of massaging the data.
One is to do it on the "client" end (e.g. via graylog-collector, pygelf,
etc.) and one is on the "server" end via extractors.

So what I have ended up with is all our syslog data goes in via the
syslog connector and relies on extractors to create the fields, and all
other forms of data input go via pygelf scripts - and I code into it how
I want the fields to be defined - and they go in via a GELF/TLS connector.

The extractor method has the advantage that you can centralize all your
massaging, but the client-based massaging has the advantage that you
remove workload from the graylog-servers (and is way more powerful of
course).

Jason

 
>
> On Wed, Dec 2, 2015 at 10:40 AM, Sean McGurk <mymonkeyan...@gmail.com
> <mailto:mymonkeyan...@gmail.com>> wrote:
>
>     Thanks, Jochen,
>
>     I perhaps didn't make myself clear in my question - I have a
>     number of Graylog collectors running on different instances and my
>     question was more whether I should create a separate input on a
>     distinct port for each of these collectors or just create one
>     input and have all the collectors send to that one input.
>
>     In the end, I went with the second approach, so I have one GELF
>     TCP input started on port 12201, which aggregates the data from
>     all the collectors.
>
>     I then have created a number of streams to route the incoming
>     data, where they can be separated by log (and application) type.
>
>     I preferred this approach as it meant from a security point of
>     view, I only had to open one more port and the 'Streams' concept
>     allowed me to segment my log messages.
>
>     Seán
>
>     On Tuesday, 1 December 2015 16:41:40 UTC, Sean McGurk wrote:
>
>         Hi there,
>
>         I have set up a Graylog server with a number (7) of input sources.
>
>         My question is, when configuring Graylog, is it better to open
>         a number of ports on the Graylog server and have each port
>         receive messages from a particular source or is it better to
>         only open 1 port and receive all inputs via this 1 port?
>
>         Thanks,
>
>         Seán
>
>
>     -- 
>     You received this message because you are subscribed to the Google
>     Groups "Graylog Users" group.
>     To unsubscribe from this group and stop receiving emails from it,
>     send an email to graylog2+unsubscr...@googlegroups.com
>     <mailto:graylog2+unsubscr...@googlegroups.com>.
>     To view this discussion on the web visit
>     
> https://groups.google.com/d/msgid/graylog2/7c662b78-65ee-4eb0-8186-551b63147d5f%40googlegroups.com
>     
> <https://groups.google.com/d/msgid/graylog2/7c662b78-65ee-4eb0-8186-551b63147d5f%40googlegroups.com?utm_medium=email&utm_source=footer>.
>
>
>     For more options, visit https://groups.google.com/d/optout.
>
>
>
>
> -- 
>
>     No matter what we think of Linux versus FreeBSD, etc., the one thing I
>     really like about Linux is that it has Microsoft worried. Anything
>     that kicks a monopoly in the pants has got to be good for something.
>     - Chris Johnson
>


-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
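
The client-side approach described in the message above, as an added example that is not part of the original thread or anyone's production script: a log line is parsed into fields before it leaves the client, so no server-side extractor is needed. It uses only the Python standard library rather than pygelf; the log format, the sample line, the host name and the function names are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timezone

# GELF 1.1 rules: additional fields carry a "_" prefix, their names may only
# contain word characters, dots and dashes, and "_id" is not allowed.
FIELD_NAME = re.compile(r"^[\w.\-]+$")

# Constructed sample line from a hypothetical application log.
SAMPLE = "2015-12-02T10:40:00Z WARN auth login failed user=alice src=10.0.0.5"
LINE = re.compile(r"^(?P<ts>\S+) (?P<sev>[A-Z]+) (?P<app>\S+) (?P<msg>.*)$")
SYSLOG_LEVEL = {"ERROR": 3, "WARN": 4, "INFO": 6, "DEBUG": 7}


def to_gelf(line, host):
    """Parse one log line on the client and return a GELF 1.1 dict."""
    m = LINE.match(line)
    if m is None:
        raise ValueError("unparseable line")
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    msg = m.group("msg")
    gelf = {
        "version": "1.1",
        "host": host,
        "short_message": msg,
        "timestamp": ts.replace(tzinfo=timezone.utc).timestamp(),
        "level": SYSLOG_LEVEL.get(m.group("sev"), 6),
        "_application": m.group("app"),
    }
    # key=value pairs become fields here instead of in a server extractor.
    # Keys that would produce an invalid or reserved field name are dropped.
    for key, value in re.findall(r"(\S+?)=(\S+)", msg):
        if FIELD_NAME.match(key) and key != "id":
            gelf["_" + key] = value
    return gelf


def frame_tcp(gelf):
    """GELF over TCP or TLS: one JSON document terminated by a null byte."""
    return json.dumps(gelf, separators=(",", ":")).encode("utf-8") + b"\x00"


if __name__ == "__main__":
    print(frame_tcp(to_gelf(SAMPLE, "web01")))
```

The framed bytes are what would be written to the TLS socket of the GELF input; streams on the server can then route on `_application` without any parsing.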
