Hi, I'm looking to use Graylog 1.3 to find and display potential error states across our Windows server estate.
The technique I had hoped to use is "throw out all logs that are evidence of normal behaviour; everything that remains must be interesting". Initial attempts at this suggest it will be very effective - I've already learned of a number of error conditions that it simply would never have occurred to me to search for.

The problem is, I don't see how to make this work long-term because it requires a rather longer search than Graylog allows for. Let me elaborate: I have put together a search that eliminates normal behaviour thus:

1. source:(SERVER NAME)
2. AND ( NOT ( EventID:[4768 TO 4770] AND _exists_:SourceBlock))
3. AND ( NOT ( EventID:4672 AND _exists_:SourceBlock))
4. AND NOT (EventID:4933 AND EventType:AUDIT_SUCCESS)
5. AND NOT (EventID:14544 AND SMBShare:Shares AND Severity:INFO)
6. AND NOT (EventID:5312 AND Severity:INFO)

This is a highly cut-down version of the search - the real thing is about ten times as long!

AFAICT, I can't express syntax like this in a stream or an extractor (because neither can work on compound expressions based on two or more fields). So I've got to do it as a search. The problem is, the search is sent as an HTTP GET request, and starts to fall over once it exceeds a certain length. I run out of space some time before I run out of routine things that I want to exclude from my results!

The most elegant solution I can think of is to write a set of Drools rules that encompass all these constraints, then set a field for every message that meets this set of rules. This would allow me to make the search as simple as "source:(SERVER NAME) AND NOT _exists_:RoutineMessage".

Have I missed something, or is this my best option?

James
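The "tag the routine, search for what is left" approach from the post, modelled as an added example in plain Python (not the poster's code, and not Graylog's Drools syntax) so that a growing exclusion rule set can be checked against sample events before it is turned into rules; field names come from the query above, the sample events are constructed.

```python
# Added example, not from the original post: the post's exclusion search,
# expressed as data-driven rules that tag a message RoutineMessage so the
# remaining search can be "source:X AND NOT _exists_:RoutineMessage".
# Field names (EventID, SourceBlock, ...) come from the post; sample events
# at the bottom are constructed, not real Windows event logs.

# A message is routine when ALL conditions of ANY rule hold (the AND-of-NOTs
# structure of the search). Shapes: ("eq", f, v) / ("range", f, lo, hi) / ("exists", f)
ROUTINE_RULES = [
    [("range", "EventID", 4768, 4770), ("exists", "SourceBlock")],
    [("eq", "EventID", 4672), ("exists", "SourceBlock")],
    [("eq", "EventID", 4933), ("eq", "EventType", "AUDIT_SUCCESS")],
    [("eq", "EventID", 14544), ("eq", "SMBShare", "Shares"), ("eq", "Severity", "INFO")],
    [("eq", "EventID", 5312), ("eq", "Severity", "INFO")],
]

def _holds(cond, msg):
    kind, field = cond[0], cond[1]
    if kind == "exists":
        return field in msg
    if field not in msg:            # a missing field never satisfies eq/range
        return False
    if kind == "eq":                # compare as strings: extracted fields are often strings
        return str(msg[field]) == str(cond[2])
    if kind == "range":
        try:
            return cond[2] <= int(msg[field]) <= cond[3]
        except (TypeError, ValueError):
            return False            # non-numeric EventID is never "in range"
    raise ValueError("unknown condition kind: %s" % kind)

def is_routine(msg, rules=ROUTINE_RULES):
    return any(all(_holds(c, msg) for c in rule) for rule in rules)

def tag_routine(messages, rules=ROUTINE_RULES):
    """Set RoutineMessage on every matching message (what a rule's 'then' part would do)."""
    for msg in messages:
        if is_routine(msg, rules):
            msg["RoutineMessage"] = True
    return messages

def interesting(messages, source):
    """Equivalent of: source:<source> AND NOT _exists_:RoutineMessage"""
    return [m for m in messages if m.get("source") == source and "RoutineMessage" not in m]

SAMPLE_EVENTS = [  # constructed sample input
    {"source": "DC01", "EventID": 4769, "SourceBlock": "10.0.0.5"},     # routine
    {"source": "DC01", "EventID": 4769},                                # no SourceBlock: kept
    {"source": "DC01", "EventID": "4672", "SourceBlock": "10.0.0.9"},   # routine (string id)
    {"source": "DC01", "EventID": 4933, "EventType": "AUDIT_FAILURE"},  # kept
    {"source": "DC01", "EventID": 14544, "SMBShare": "Shares", "Severity": "INFO"},  # routine
]
```

Running `interesting(tag_routine(SAMPLE_EVENTS), "DC01")` leaves only the two events that fail every exclusion rule, which is the set the post wants to look at.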
