Closed jprusch closed 6 years ago
Graylog differs in the stored data and selectable feature set quite a bit, think of stream IDs and so on. I wouldn't change/break something here just to have a specific Graylog profile, rather work on a dedicated module for it.
Well, the integration by using the plain Elasticsearch module is now working like a charm.
We also use filebeat / logstash to send data to Graylog, which does some additional stuff (filtering, streams,...). But for just displaying the plain elasticsearch results generated by a host it would be an easy fix. A Graylog module would be even better to get the most out of it... ;-)
Instead, create a new field for the time values and prefill it with @timestamp.
Why? We use Graylog with various add-ons for logging, which uses ElasticSearch. In our case just 'timestamp' is used by the ElasticSearch indexes instead of '@timestamp'. I fixed the hardcoded @timestamp by replacing it with timestamp, and it works like a charm. The suggestion will make the Elasticsearch module much more flexible.
As an example, our Graylog eventtype:

```ini
[Graylog]
instance = "graylogsrv1"
index = "graylog*"
filter = "source={display_name}"
fields = "input_type, source, message"
```
Hint: The host macros are not resolved when using the host.* notation. {host.display_name} is NOT resolved. Just display_name works.
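To make the two points of this thread concrete (a per-eventtype time field that defaults to `@timestamp`, and macro resolution in the `filter` string), here is an added example in Python. It is not code from the module discussed in the issue; it assumes a hypothetical `time_field` key in the eventtype INI, a hypothetical `load_eventtypes`/`build_query` API, and a constructed sample configuration. It goes slightly beyond the issue in two ways: it resolves both `{display_name}` and `{host.display_name}`, and it escapes Lucene-reserved characters in substituted values so a host name containing `:` or `*` cannot change the meaning of the `query_string` filter.

```python
"""Build an Elasticsearch query body for a Graylog-style eventtype.

Added example, not the module's own code. Assumes a hypothetical INI layout
with an optional `time_field` key (default "@timestamp") and a constructed
sample configuration embedded below.
"""
import configparser
import re

DEFAULT_TIME_FIELD = "@timestamp"

# Constructed sample: the eventtype quoted in the issue, plus a hypothetical
# time_field key so Graylog's plain "timestamp" field can be selected, and a
# second eventtype that keeps the @timestamp default.
SAMPLE_INI = """
[Graylog]
instance = graylogsrv1
index = graylog*
filter = source:{host.display_name}
fields = input_type, source, message
time_field = timestamp

[Filebeat]
instance = es1
index = filebeat-*
filter = host.name:{display_name}
fields = message
"""

MACRO_RE = re.compile(r"\{([A-Za-z0-9_.]+)\}")
# Characters reserved by the Lucene query_string syntax (except < and >,
# which cannot be escaped and are simply not allowed in host names here).
LUCENE_RESERVED_RE = re.compile(r'([+\-=&|!(){}\[\]^"~*?:\\/])')


def load_eventtypes(text):
    """Parse eventtype sections; time_field falls back to @timestamp."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    result = {}
    for name in cp.sections():
        sec = cp[name]
        result[name] = {
            "instance": sec.get("instance"),
            "index": sec.get("index"),
            "filter": sec.get("filter", ""),
            "fields": [f.strip() for f in sec.get("fields", "").split(",") if f.strip()],
            "time_field": sec.get("time_field", DEFAULT_TIME_FIELD),
        }
    return result


def escape_lucene(value):
    """Backslash-escape query_string metacharacters in a substituted value."""
    return LUCENE_RESERVED_RE.sub(r"\\\1", str(value))


def resolve_macros(template, host):
    """Replace {name} and {host.name} with escaped values from the host dict.

    Unknown macros raise instead of being passed through to Elasticsearch.
    """
    def repl(match):
        key = match.group(1)
        if key.startswith("host."):
            key = key[len("host."):]
        if key not in host:
            raise KeyError(f"unknown macro {{{match.group(1)}}}")
        return escape_lucene(host[key])
    return MACRO_RE.sub(repl, template)


def build_query(eventtype, host, since=None, size=100):
    """Return an Elasticsearch search body sorted on the eventtype's time field."""
    time_field = eventtype["time_field"]
    must = [{"query_string": {"query": resolve_macros(eventtype["filter"], host)}}]
    if since is not None:
        must.append({"range": {time_field: {"gte": since}}})
    return {
        "size": size,
        "_source": eventtype["fields"],
        "sort": [{time_field: {"order": "desc"}}],
        "query": {"bool": {"must": must}},
    }


if __name__ == "__main__":
    import json
    types = load_eventtypes(SAMPLE_INI)
    body = build_query(types["Graylog"], {"display_name": "web01"}, since="now-1h")
    print(json.dumps(body, indent=2))
```

The query body is only built here, not sent; pointing it at an instance is a matter of posting it to `<instance>/<index>/_search`. The escaping step is the part worth keeping even if the rest is replaced: anything that ends up inside a `query_string` should be treated as data, not as query syntax.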