Collections
A collection is a shareable container (or "bucket") that holds multiple related entities. Rather than sharing each entity individually, you can group them into a collection and share everything in a single action.
Collections support configurable access levels, just like individual entity sharing. You can also assign default collections to teams so that new entities created by team members are automatically included.
This topic explains how collections work in Graylog and highlights key considerations for using this feature to simplify permissions management.
Prerequisites
Before proceeding, ensure that the following prerequisites are met:
- You must be a Graylog administrator to manage collections.
- Ensure you understand the Graylog permission model, specifically roles and sharing.
Highlights
The following highlights provide a summary of the key takeaways from this article:
- Collections are the preferred method of sharing entities compared to sharing each entity individually.
- You can share the same collection with different users at different access levels.
- You can add most shareable entities to collections, such as dashboards, event definitions, reports, and streams, so that you can gather all entities for specific tasks into collections for easy sharing.
- You can set default collections for teams so that all entities created by team members are added automatically to the default collections.
Collection Essentials
Collections are ideal for organizing entities around specific purposes such as investigations, alerts, or reporting. Entities in Graylog are the various resources and components you create and manage, such as dashboards, streams, and event definitions. With Graylog's permissions model, entities must be shared with collaborators to grant access to view or interact with them, and collections allow you to share related groups of entities easily.
Each collection is like a bucket that contains all the entities users need to perform the actions for specific use cases. Just like sharing entities individually, sharing via collections allows you to set an access level:
- Viewer: Can view the entity but not make any changes to it.
- Manager: Can edit any aspect of the entity. For some entities, this access level allows the user to delete the entity.
- Owner: Has the same permissions as Manager but adds the ability to share the entity with other users.
When you share entities via a collection, the access level you set applies to all the entities in the collection. You can also share a collection with different users at different access levels. For example, one set of users could receive a collection as Viewer so that they can see the entities but not change them. The same collection could be shared with a team lead as Manager so that the team lead can edit the entities as needed.
Collections vs. Collection Content
When you create a collection, you can think of it as a container to hold entities you want to share together. The entities you add to the collection are the collection content. When you share the collection content, users can interact with those entities at the access level you set.
The collection itself is also a shareable entity. When you share the collection itself (that is, the container), you either allow users to see the collection on the Collections page, or you give access to view or edit the details of the collection, depending on the access level at which you share it. Sharing the collection does not share the collection content!
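To make the container/content distinction concrete for an access review, the following added example (not Graylog code, and not Graylog's API or data format) models shares as constructed tuples and lists which entities each grantee reaches through collection content and which of those they can edit. All collection, entity, and grantee names are hypothetical; where an entity sits in two collections, every share is listed rather than resolved, because this page does not state how overlapping access levels combine.

```python
from collections import defaultdict

# Constructed sample data; names and layout are hypothetical, not Graylog's schema.
COLLECTIONS = {
    "ir-case-42": {"dashboard:auth-failures", "stream:vpn-logs"},
    "weekly-reporting": {"report:weekly-auth", "dashboard:auth-failures"},
}
# (grantee, collection, target, level); target is "content" or "container".
GRANTS = [
    ("team:soc-analysts", "ir-case-42", "content", "Viewer"),
    ("user:team-lead", "ir-case-42", "content", "Manager"),
    ("user:team-lead", "weekly-reporting", "content", "Owner"),
    ("user:auditor", "ir-case-42", "container", "Viewer"),
]
EDIT_LEVELS = {"Manager", "Owner"}  # levels the page describes as able to edit


def content_access(grants, collections):
    """Map grantee -> entity -> set of (collection, level) from content shares.

    Container shares are skipped: they expose the collection itself,
    not the entities inside it.
    """
    access = defaultdict(lambda: defaultdict(set))
    for grantee, coll, target, level in grants:
        if target != "content":
            continue
        for entity in collections[coll]:
            access[grantee][entity].add((coll, level))
    return access


def edit_capable(access):
    """Return sorted (grantee, entity) pairs where any share allows editing."""
    return sorted(
        (grantee, entity)
        for grantee, entities in access.items()
        for entity, shares in entities.items()
        if any(level in EDIT_LEVELS for _, level in shares)
    )


if __name__ == "__main__":
    acc = content_access(GRANTS, COLLECTIONS)
    for pair in edit_capable(acc):
        print(pair)
```

The auditor, who holds only a container share, ends up with no entity access at all, while the team lead reaches the shared dashboard through two collections at two different levels.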
Graylog Entities for Collections
In Graylog, an entity refers to any distinct resource or component within the system that you can manage and interact with. The specific entities you can add to a collection are:
- Event procedures (requires a Security license)
- Sigma rules (requires a Security license)
Entities can be added to one or more collections either during creation or afterward. See the specific documentation for each entity type for more details.
Default Collections for Teams
For organizations that use the Teams feature, you can set a default collection or collections for each team. When members of the team create new entities, they are added automatically to the default collection.
You can also share collections directly with teams. For example, you could share a team’s default collection with that team so that all team members automatically have access to what everyone is working on. This ability simplifies collaboration and ensures consistent access.
Further Reading
Explore the following additional resources and recommended readings to expand your knowledge on related topics:
