Overview of Graylog log management software


In the last articles we looked at how to install Graylog and set a static IP address on the Graylog server. Here we will give an overview of Graylog's functionality. In the Search menu you can find the logs you need using a query syntax that is very close to the Lucene syntax. By default all message fields are included in the search if you don't specify a message field to search in.

For example:

To find messages that include the word password, type just

password

To find messages that include the word user or the word password, type

user password

To find messages that include the words user and password together, as a phrase, type

"user password"

You can also use a regular expression to find logs:

/ethernet[0-9]+/

By default all terms or phrases are OR connected, so all messages that have at least one hit are returned. You can use Boolean operators and groups for control over this:

"ssh login" AND source:thehackertips.com

Note that AND, OR, and NOT are case sensitive and must be typed in all upper-case.

Use ? to replace a single character or * to replace zero or more characters:

source:*.com
source:thehacke?tips.com
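As an added illustration (not code from the original article or from Graylog itself), the following Python script implements the search semantics described above over a few constructed sample messages: default OR between terms, quoted phrases, /regex/ terms, case-sensitive AND/OR/NOT, field:value scoping, and the ? and * wildcards. The sample messages, the field names and the simple whitespace word-splitting are assumptions; real Graylog runs these queries in Elasticsearch, whose analyzers tokenize text differently.

```python
import re

# Constructed sample messages (not from the original article): each is a dict of Graylog fields.
MESSAGES = [
    {"message": "ssh login failed for user root", "source": "thehackertips.com"},
    {"message": "ssh login ok for admin", "source": "mail.example.org"},
    {"message": "reset user password for bob", "source": "web01.example.com"},
    {"message": "link ethernet3 down", "source": "core-sw.local"},
]
# One query token: optional field: prefix, then a "quoted phrase", a /regex/, or a bare term
_TOKEN = re.compile(r'(?:[\w.-]+:)?(?:"[^"]*"|/[^/]*/|\S+)')
def _atom(token):
    """Predicate for one term. With no field: prefix every field is searched (Graylog's default)."""
    field, value = re.match(r"^(?:([\w.-]+):)?(.+)$", token).groups()
    if len(value) > 1 and value[0] == value[-1] == '"':      # "phrase": the words together, in order
        phrase = value[1:-1].lower()
        test = lambda text: phrase in text.lower()
    else:                                                     # single term: must match a whole word
        if len(value) > 1 and value[0] == value[-1] == "/":   # /regex/ term
            rx = re.compile(value[1:-1])
        else:                                                 # wildcards: ? = one char, * = zero or more
            rx = re.compile("".join("." if c == "?" else ".*" if c == "*" else re.escape(c) for c in value), re.I)
        test = lambda text: any(rx.fullmatch(w) for w in text.split())
    return lambda msg: any(test(str(v)) for k, v in msg.items() if not field or k == field)

def compile_query(query):
    """Recursive descent: NOT binds tightest, then AND, then OR; bare juxtaposition means OR."""
    toks = _TOKEN.findall(query)   # operators are case sensitive, so 'and' is just another term
    def parse_not():
        if toks[:1] == ["NOT"]:
            toks.pop(0)
            return (lambda inner: lambda msg: not inner(msg))(parse_not())
        return _atom(toks.pop(0))
    def parse_and():
        left = parse_not()
        while toks[:1] == ["AND"]:
            toks.pop(0)
            left = (lambda a, b: lambda msg: a(msg) and b(msg))(left, parse_not())
        return left
    def parse_or():
        left = parse_and()
        while toks:
            if toks[0] == "OR": toks.pop(0)    # an explicit OR is optional
            left = (lambda a, b: lambda msg: a(msg) or b(msg))(left, parse_and())
        return left
    return parse_or() if toks else (lambda msg: True)   # empty query matches everything

def search(query, messages=MESSAGES):
    pred = compile_query(query)    # parse once, then test every message
    return [msg["message"] for msg in messages if pred(msg)]
```

Running search("password and ethernet3") against search("password AND ethernet3") shows why the operators must be upper-case: the lowercase form is just a third search term and the default OR applies.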

You can also use the Save button to save a search configuration and the Load button to reuse it later. There is also an option to export search results.

Graylog streams are a mechanism to route messages into categories in real time while they are being processed. You define rules that tell Graylog which messages to route into which streams.

Alerts are always based on streams. You can define conditions that trigger alerts and receive notifications by email.

Using dashboards allows you to build pre-defined views on your data to always have everything important just one click away.

On the Sources page you can see a list of all sources that have sent messages to the Graylog server.

Graylog Enterprise, built on top of the Graylog open source platform, offers additional features that enable users to deploy Graylog at enterprise scale and apply Graylog to processes and workflows across the whole organization.

Graylog Enterprise is free for up to 5 GB/day. To use it, find your Cluster ID (located under System / Overview) and complete the form on graylog.org. You will then receive an email with your Enterprise license for under 5 GB/day. Enter that license in the Enterprise / Archives -> Licenses menu. These licenses need to check their validity on a regular basis: Graylog Enterprise periodically sends the following information to ‘api.graylog.com’ via HTTPS on TCP port 443 for each installed license:

  • A nonce to avoid modified reports
  • The ID of the license
  • The ID of the Graylog cluster
  • A flag indicating if the license is violated
  • A flag indicating if the license has expired
  • A flag indicating if Graylog detected that the traffic measuring mechanisms have been modified
  • A list of how much traffic was received and written by Graylog in the recent days, in bytes

Graylog archiving enables you to configure a retention period to automatically delete older messages – this is to help you control the costs of storage in Elasticsearch.

Audit Log keeps track of changes made by users to a Graylog system.

The Reporting feature enables you to create and customize your own reports by using dashboard widgets, schedule reports to be automatically delivered to the people who require them, and manually send or download reports as PDF files at any time.

The System menu contains many important settings that need to be configured, such as inputs, outputs, Graylog nodes, sidecars, etc., which we will look at later.

That's all. I hope this article was helpful for you. You can look at other articles about Graylog here: Graylog log management
