11. Graylog 3.0 Streams and Indices

If you have watched the last two videos from the Graylog playlist, you have seen how to delete inputs, how to send data to your Graylog system from different devices using different log formats, and how to look at the received messages. In this video I am going to talk about indices and streams, and how to make different messages go into particular streams and particular index sets.

If you go to Streams, you will see that the default stream is called "All messages", and every message is coming into it. For example, here we have some logs from our Cisco ASA firewall. Let's see what's next: most of them are from the Cisco device, but let's filter by source. This one is from the Cisco ASA firewall, this one is from the graylog1 server, and so on. The problem is that if you are interested only in your Linux syslog messages, you have to select the source, as you saw before under Sources, and do several other things to find your messages. On top of that, the default "All messages" stream sends everything into the default index set.

So if you go to System, then Indices, you will see the default index set: how many documents it has, its size, the shards, the replicas, and so on. What I recommend is that you create an index set for each kind of data. Let's name this one "cisco asa", with a description like "ASA syslog". The index prefix we can name "cisco". The analyzer we keep at standard. For shards I wouldn't advise going above four, which is the default. The number of replicas matters when you have a cluster, like we have in this environment.

You can set the replicas to one. That means you have a backup in case your first copy suffers some damage: you have a second copy of the data, which may still hold the healthy information, so you can recover your cluster or your data much more easily. Depending on your environment you can go for 0, 1, 2 or 3 replicas; it depends on what you want to achieve. For this demo I'm going to keep it at the default, which is 0. For the index rotation I usually rotate by size.

I wouldn't recommend going above roughly 30 GB of data per index.

Considering that this is a demo, we can keep it at something like 70 MB.

Then we have the index retention. You can close the index, do nothing, or delete the index, for example. I will choose "delete index", and for the maximum number of indices I will set it to 2. Into this index set I would like to send all my ASA syslog.

For that I'm going to go to Streams, All messages, and under Sources look at the quick values for the source field. This is our ASA syslog device. Let's hit Search, take this source value, and then go to Streams.

I will create another stream. I will call it "cisco asa stream", describe what kind of messages are routed into it (ASA syslog), and choose the index set: if you want the messages to go to a different index set, you select it here, so I'm going to select "cisco asa". I'm also going to tick "Remove matches from the All messages stream": it doesn't make any sense to duplicate your data. Now the stream is created. Let's create a rule for it: I'm going to select the input, which is the ASA firewall logs, and click "A message must match at least one of the following rules". Now we add the stream rule: field source, type "match exactly", and this is the value the field must have. Click Save, go back to Streams and start the stream. Let's see if we are receiving messages here, and we do: our ASA syslog messages are no longer going to the default stream, and they are no longer going to the default index.

They are going to this index set. Let's check the indices, and as you can see it has 20 documents and 76.2 KB. Let's do the same for the Graylog server. I'm going to call this stream "graylog1 stream", with the description "Linux syslog"; the index set right now is set to the default. Let's create another index set for graylog1: call it "graylog1 index", description "Linux syslog", set the index prefix, and then do the same thing as before: index size around 70 MB, delete index, maximum number of indices 2, and click Save. Let's go back to Streams, edit the graylog1 stream, set it to the "graylog1 index" index set and tick "Remove matches from All messages". Then go back to the All messages stream, select the quick values for the source field, copy the value from the source field, go to Streams, graylog1 stream, Manage rules, select the Linux syslog input and click the radio button "A message must match at least one of the following rules".

Add a stream rule: field source, match exactly, and this is our value. Hit Save, we are done, and start the stream. Let's create another index set for the Windows server. I'm going to call it "windows event index", description "Windows events", set the index prefix for the Windows logs, index size again around 70 MB, delete index for retention, maximum number of indices 2. Back to Streams: let's create a stream called "windows event stream", description "Windows events", route all the messages to this index set and remove the matches from the All messages stream. After this, none of our messages will go to All messages any more. Now let's go to Inputs and select Windows events.

Copy the value from the source field, go back to Streams, Manage rules, select this input again, "A message must match at least one of the following rules", field source, and this is our value. Click Save, and now we are done: start the stream. Let's check the Windows event messages, and we can see them coming in here, so they are arriving correctly. Let's check our graylog1 stream: you can see them here. And our Cisco ASA stream as well. Right now there should be nothing in the All messages stream, and there you go.

You have seen how to create an index set, how to create a stream, how to route your messages into a particular stream using rules, and from that stream how to send them to an index set. In that index set you have also seen what you can adjust based on the storage space you have on your server, and whether or not you want replicas as a backup. Thanks for watching, and don't forget to subscribe.
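The same index set, stream and stream rule the video creates by clicking through the web UI can be created through the Graylog REST API, which is how you would script it for many devices. The block below is an added example and is not code from the video or from the Graylog project. It builds the request bodies for the three steps (size-rotated index set, stream writing to it, "source match exactly" rule), evaluates stream rules locally so the routing can be checked without a server, and adds one caveat the video does not cover: the source field is whatever the sending device puts in the syslog header, so a host that can reach the same input can forge it. Pinning the stream to the receiving input as well (Graylog's own gl2_source_input field, combined with "must match all rules") closes that. The API paths, field names and strategy class names are the Graylog 3.x ones as I know them and are assumptions; the host names, input IDs, index set IDs and the token are placeholders; the sample messages are constructed.

```python
"""Added example, not the video's code: builds what the video creates by hand
in the Graylog 3.x UI (index set, stream, 'source match exactly' rule) as REST
payloads, evaluates rules locally, and covers a forged 'source' field.
Assumptions: paths, field names and strategy class names follow the Graylog
3.x REST API as I know it; hosts, input IDs, token and messages are made up."""
import base64
import json
import urllib.request
from datetime import datetime, timezone

RULE_MATCH_EXACTLY = 1  # stream rule 'type' code used by the API (assumption)

def index_set_payload(title, description, prefix, max_size_bytes,
                      max_indices, shards=4, replicas=0):
    """POST /api/system/indices/index_sets body: size rotation, delete retention."""
    pkg = "org.graylog2.indexer"
    return {
        "title": title, "description": description, "index_prefix": prefix,
        "index_analyzer": "standard", "shards": shards, "replicas": replicas,
        "rotation_strategy_class": pkg + ".rotation.strategies.SizeBasedRotationStrategy",
        "rotation_strategy": {
            "type": pkg + ".rotation.strategies.SizeBasedRotationStrategyConfig",
            "max_size": max_size_bytes},
        "retention_strategy_class": pkg + ".retention.strategies.DeletionRetentionStrategy",
        "retention_strategy": {
            "type": pkg + ".retention.strategies.DeletionRetentionStrategyConfig",
            "max_number_of_indices": max_indices},
        "index_optimization_max_num_segments": 1,
        "index_optimization_disabled": False, "writable": True,
        "creation_date": datetime.now(timezone.utc).isoformat(),
    }

def rule(field, value, rtype=RULE_MATCH_EXACTLY, inverted=False):
    return {"field": field, "value": value, "type": rtype, "inverted": inverted}

def stream_payload(title, index_set_id, rules, matching_type="OR"):
    """POST /api/streams body. remove_matches_from_default_stream is the 'Remove
    matches from All messages' box; 'OR' = at least one rule, 'AND' = all rules."""
    return {"title": title, "description": title, "index_set_id": index_set_id,
            "remove_matches_from_default_stream": True,
            "matching_type": matching_type, "rules": rules}

def loose_rules(source_host):
    """The single rule the video adds: 'source' must match exactly."""
    return [rule("source", source_host)]

def strict_rules(source_host, input_id):
    """'source' is chosen by the sender and can be forged; gl2_source_input is
    set by Graylog, so also pin the stream to the receiving input (use 'AND')."""
    return [rule("source", source_host), rule("gl2_source_input", input_id)]

def rule_matches(r, message):
    """Evaluate one rule locally with the semantics the UI describes."""
    value = message.get(r["field"])
    if value is None:
        hit = False
    elif r["type"] == RULE_MATCH_EXACTLY:
        hit = str(value) == r["value"]
    else:
        raise ValueError("unsupported rule type %r" % r["type"])
    return hit != r["inverted"]

def stream_accepts(stream, message):
    """Would Graylog route this message into the stream?"""
    combine = any if stream["matching_type"] == "OR" else all
    return combine(rule_matches(r, message) for r in stream["rules"])

def api_post(base_url, token, path, body):
    """POST JSON using an access token; Graylog requires X-Requested-By."""
    auth = base64.b64encode((token + ":token").encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Basic " + auth, "Content-Type": "application/json",
                 "X-Requested-By": "streams-example"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode() or "{}")

def create_route(base_url, token, title, prefix, source_host, input_id):
    """Index set -> stream with strict rules -> start it; returns the stream id."""
    idx = api_post(base_url, token, "/api/system/indices/index_sets",
                   index_set_payload(title, title, prefix, 70 * 1024 * 1024, 2))
    strm = api_post(base_url, token, "/api/streams", stream_payload(
        title, idx["id"], strict_rules(source_host, input_id), "AND"))
    api_post(base_url, token, "/api/streams/%s/resume" % strm["stream_id"], {})
    return strm["stream_id"]

# Constructed messages: firewall, Linux, and a Linux-input line forging the firewall.
SAMPLE = [
    {"source": "asa-fw", "gl2_source_input": "inp-asa", "message": "fw line"},
    {"source": "graylog1", "gl2_source_input": "inp-linux", "message": "ssh line"},
    {"source": "asa-fw", "gl2_source_input": "inp-linux", "message": "forged"},
]
LOOSE = stream_payload("cisco asa stream", "idx-asa", loose_rules("asa-fw"))
STRICT = stream_payload("cisco asa stream", "idx-asa",
                        strict_rules("asa-fw", "inp-asa"), "AND")
```

To actually apply it, call `create_route("https://graylog.example:9000", "<access token>", "cisco asa", "cisco", "asa-fw", "<input id>")` with your own values; the input ID is shown on the System, Inputs page. Locally, `stream_accepts(LOOSE, SAMPLE[2])` is True, which is the forgery problem with a source-only rule, while `stream_accepts(STRICT, SAMPLE[2])` is False because the message did not arrive on the ASA input.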