Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Decouple Outputs from Streams #6695

Open ChristopherKB opened 4 years ago

ChristopherKB commented 4 years ago

Can we provide a method of sending to an output that does not depend on membership in a stream, or allows for Stream membership without index routing?

Expected Behavior

A pipeline rule that allows messages to be sent via an Output directly, based on the when conditions. Or a stream definition that allows you to bypass index routing when the original index was not the Default.

Current Behavior

Currently, if you have two streams (A & B), both going into their own indices, you cannot then use a single stream to forward a subset of events from each to an output without ingesting them twice. You cannot remove them from the All Messages stream, since that has been done already. Currently, you have to define a third index and ingest that subset of messages twice.

Possible Solution

Pipeline rule that sends directly to an output.

Context

Customer needs to send/output a subset of events to a SIEM. They want to define one stream to do this. Currently, they have to create an "output" stream for each stream they wish to draw from.

Your Environment
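The third-stream workaround described under Current Behavior, written out as a Graylog pipeline rule (an added illustration, not code from the issue or the project; the stream name `siem-export`, the `level` field and the `ERROR` value are assumed):

```graylog
// Connect this pipeline to streams A and B. Matching messages are added to a
// third stream ("siem-export", assumed name) that carries the SIEM output.
// Because siem-export has its own index set, the subset is indexed a second
// time, which is exactly the duplication this issue asks to avoid.
rule "forward error events to SIEM export stream"
when
    has_field("level") && to_string($message.level) == "ERROR"
then
    // remove_from_default: false leaves the existing routing untouched; the
    // message stays in A or B and is additionally placed in siem-export.
    route_to_stream(name: "siem-export", remove_from_default: false);
end
```

The Output (for example a GELF or syslog forwarder to the SIEM) is then attached to `siem-export` only, so the subset is exported once even though it is stored twice.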

jalogisch commented 4 years ago

You could try to solve that with alerting. Create an event of "error" messages and notify/forward them to the SIEM.