Hi,
Which is better, for example for logs (they will come from Linux, Windows, network devices, UPS, cameras, etc.):
- keep the message in one field and depend on full-text search, or
- grok them into multiple known fields such as program, ID, SSH user, failed login, etc.?
Also, should each separate type go in a different index (e.g. /var/log/secure in one, /var/log/messages in another, network devices in another), or should I make an index per day and put all syslog together?
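As an added illustration (not part of the original post), here is a small Python script that does what a grok filter would do on ingest: it splits a few constructed /var/log/secure-style and /var/log/messages-style lines into fields (program, pid, SSH user, source IP, outcome), keeps the raw line alongside the fields, and then answers the kind of question a single full-text field cannot answer cheaply: how many failed SSH logins per source address and user. It also encodes the two index-naming strategies asked about as a routing function. Hostnames, users, addresses, the assumed year and the index names are all made up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in RFC 3164 syslog style (hosts, users, addresses are invented).
# The last line has no syslog header, standing in for an odd device (UPS, camera) format.
SAMPLE_LINES = [
    "Jan 15 10:01:02 web01 sshd[2112]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Jan 15 10:01:05 web01 sshd[2112]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2",
    "Jan 15 10:01:09 web01 sshd[2118]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2",
    "Jan 15 10:02:00 web01 CRON[2200]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 15 10:02:31 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Jan 15 10:03:14 web01 sshd[2130]: Failed password for root from 203.0.113.7 port 51300 ssh2",
    "UPS01 battery on low charge",
]

# Header pattern: timestamp, host, program, optional [pid], then the free-text message.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# Second-stage pattern applied only to sshd messages, like a program-specific grok block.
SSHD_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"
)

# Programs whose lines would normally land in /var/log/secure rather than /var/log/messages.
SECURE_PROGRAMS = {"sshd", "sudo", "su", "login"}


def parse_syslog(line):
    """Return a dict of fields for one line; unparseable lines keep the raw text and a flag."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"raw": line, "message": line, "parse_failure": True}
    ev = m.groupdict()
    ev["raw"] = line              # always keep the original for full-text search and forensics
    ev["parse_failure"] = False
    if ev["program"] == "sshd":
        s = SSHD_RE.match(ev["message"])
        if s:
            fields = s.groupdict()
            fields["invalid_user"] = fields.pop("invalid") is not None
            fields["src_port"] = int(fields["src_port"])   # typed field, not a substring
            ev.update(fields)
    return ev


def parse_all(lines):
    return [parse_syslog(line) for line in lines]


def failed_logins_by_source(events):
    """Aggregation that needs parsed fields: failed SSH logins counted per (src_ip, user)."""
    counts = Counter()
    for ev in events:
        if ev.get("program") == "sshd" and ev.get("outcome") == "Failed":
            counts[(ev["src_ip"], ev["user"])] += 1
    return counts


def full_text_hits(lines, needle):
    """What the single-field approach gives you: substring matches, no grouping or typing."""
    return [line for line in lines if needle in line]


def index_name(ev, strategy="per-source", year=2024):
    """Route an event to an index. RFC 3164 timestamps carry no year, so one is assumed."""
    if ev["parse_failure"]:
        return "syslog-unparsed"   # catch-all so broken lines are not silently dropped
    ts = datetime.strptime(f"{year} {ev['timestamp']}", "%Y %b %d %H:%M:%S")
    day = ts.strftime("%Y.%m.%d")
    if strategy == "per-day":
        return f"syslog-{day}"
    source = "secure" if ev["program"] in SECURE_PROGRAMS else "messages"
    return f"syslog-{source}-{day}"


if __name__ == "__main__":
    events = parse_all(SAMPLE_LINES)
    for (ip, user), n in failed_logins_by_source(events).items():
        print(f"{n} failed logins for {user} from {ip}")
    print(len(full_text_hits(SAMPLE_LINES, "Failed password")), "raw hits for 'Failed password'")
    for ev in events:
        print(index_name(ev), "|", index_name(ev, "per-day"), "|", ev["raw"][:40])
```

The point the script makes: full-text search finds the three "Failed password" lines, but only the parsed fields let you count them per source address, filter on a numeric port, or alert on `invalid_user`. Keeping the raw line in its own field costs little and covers the devices whose format you have not written a pattern for yet.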