I've been doing a trial run through this with an aim to supplement a Zabbix monitoring environment with better log file handling and alerts.

I have it running, pulling data from a variety of sources, have managed to hook up streams and simple extractors, and have a general feel for the basics. There are two things I feel I am missing, or maybe two and a half...

The first is data retention policies. By that I mean being able to keep some types of data longer than others. It just doesn't seem to be part of the product, or am I missing it? I see archiving in Enterprise (but didn't see that even that was metadata-driven).

The second is easy integration to generalized actions on alerts. There seem to be lots of places such hooks may be placed, and lots of 3rd-party tools, just nothing that quite seems to be simple. What I want is, at some point in the process (an alert callback? Or in a (not yet well documented) pipeline condition?), to say "I want this message passed out to another system". Ideally I'd like the context of a message, maybe the ability to do a search even, and to be able to get that context arbitrarily into another system. I really do not need another alerting system with email; I want alerts to become triggers in Zabbix, and have Graylog be a place for people to then do a deep dive for log review (whether routinely or in response to such a specific alert).

It looks like people have written such tools for specific systems (like Jira). There are two for shell access: one no longer has the package posted (it appears to call Java), and one calls bash. The latter is a good bet, but it seems to simply and only execute a bash command -- I see no sign of any parameters or context so one can act on a specific message from that callback. Does one have to program all the complexity of (for example) that Jira plugin in order to make this happen? Is there no more generalized, but simpler, action hook? Or am I looking in the wrong place?

The "half" question is how and if pipelines will change this -- is that really where such hooks should go as the product evolves?

Thanks in advance for any insight.
Or, if this is just the wrong tool, for alternatives (I'm reading through the ELK documentation now).

Linwood
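The Zabbix side of what the post asks for, as an added example that is not part of the original post and not Graylog's or Zabbix's own code: a small Python bridge that takes the JSON body an HTTP alert callback would POST, turns each matching message into a Zabbix trapper item carrying the message context (stream, timestamp, source, message text, fields), and frames those items in the wire format zabbix_sender uses. The callback field names (check_result, matching_messages, stream) are an assumption modelled on what Graylog's HTTP alarm callback posts and should be checked against your version; the item key graylog.alert, the host-name mapping and the default host are likewise assumed, and the alert body is constructed, not captured. The point relative to the bash callback discussed above is that the log text travels as a JSON string inside a structured item and is never interpolated into a command line, so a message containing shell metacharacters stays data.

```python
import json
import socket
import struct

# Added example, not Graylog's or Zabbix's own code. Field names below follow
# the JSON Graylog's HTTP alarm callback posts (an assumption; check your version).
ZBX_HEADER = b"ZBXD\x01"     # Zabbix protocol magic plus version byte
DEFAULT_HOST = "graylog"     # Zabbix host used when a message has no source (assumed)
ITEM_KEY = "graylog.alert"   # trapper item key of type text (assumed name)

# Constructed sample POST body, not captured from a real system. The second
# message carries shell metacharacters on purpose: they must travel as data.
SAMPLE_CALLBACK = json.dumps({
    "check_result": {
        "result_description": "Stream had 2 messages in the last 1 minutes "
                              "with trigger condition more than 0 messages.",
        "triggered_at": "2016-03-10T14:12:00.000Z",
        "triggered": True,
        "matching_messages": [
            {"source": "web01", "timestamp": "2016-03-10T14:11:41.000Z",
             "message": "sshd[2207]: Failed password for root from 10.0.0.5",
             "fields": {"facility": "auth"}},
            {"source": "web02", "timestamp": "2016-03-10T14:11:52.000Z",
             "message": "sshd[911]: Failed password for admin from 10.0.0.5 $(reboot)",
             "fields": {"facility": "auth"}},
        ],
    },
    "stream": {"id": "stream01", "title": "SSH failures", "description": ""},
}).encode()

def alert_to_items(callback_body):
    """One Zabbix sender item per matching message. The value is a JSON
    document holding the message context, so Zabbix stores it verbatim and a
    trigger, or a later deep dive back in Graylog by stream_id and timestamp,
    can act on that specific message."""
    alert = json.loads(callback_body)
    result, stream = alert["check_result"], alert.get("stream", {})
    common = {"stream": stream.get("title"), "stream_id": stream.get("id"),
              "triggered_at": result.get("triggered_at"),
              "description": result.get("result_description")}
    items = []
    for msg in result.get("matching_messages", []):
        context = dict(common, timestamp=msg.get("timestamp"),
                       source=msg.get("source"), message=msg.get("message"),
                       fields=msg.get("fields", {}))
        items.append({"host": msg.get("source") or DEFAULT_HOST, "key": ITEM_KEY,
                      "value": json.dumps(context, sort_keys=True)})
    if not items:  # condition fired without sample messages: still raise one item
        items.append({"host": DEFAULT_HOST, "key": ITEM_KEY,
                      "value": json.dumps(common, sort_keys=True)})
    return items

def encode_sender_packet(items):
    """Frame items as a 'sender data' request in the zabbix_sender wire format:
    5-byte magic, 8-byte little-endian length, JSON body. Zabbix 4+ reads the
    length as 4 bytes plus 4 reserved bytes; below 4 GiB the bytes are equal."""
    body = json.dumps({"request": "sender data", "data": items}).encode()
    return ZBX_HEADER + struct.pack("<Q", len(body)) + body

def decode_packet(packet):
    """Parse a Zabbix-framed packet (the server's reply uses the same framing)."""
    if packet[:5] != ZBX_HEADER:
        raise ValueError("bad Zabbix header")
    (length,) = struct.unpack("<Q", packet[5:13])
    body = packet[13:13 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return json.loads(body.decode())

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed by Zabbix")
        buf += chunk
    return buf

def send_to_zabbix(packet, server="127.0.0.1", port=10051, timeout=5.0):
    """Deliver one packet to the server/proxy trapper port and return its reply."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(packet)
        head = _recv_exact(sock, 13)
        (length,) = struct.unpack("<Q", head[5:13])
        return decode_packet(head + _recv_exact(sock, length))

def handle_callback(post_body):
    """What the HTTP handler calls: raw POST body in, Zabbix packet out."""
    return encode_sender_packet(alert_to_items(post_body))

if __name__ == "__main__":
    print(json.dumps(decode_packet(handle_callback(SAMPLE_CALLBACK)), indent=2))
```

Run stand-alone it only builds and decodes the packet from the constructed body; wired into whatever small HTTP server receives the callback, the handler calls handle_callback on the POST body and send_to_zabbix on the result, and the reply's "info" string reports how many items Zabbix accepted. Each host named in an item must exist in Zabbix with a trapper item of type text under that key, and a trigger on that item turns the Graylog alert into a Zabbix event while the JSON value keeps the stream id and timestamp needed to go back to Graylog for the deep dive.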
