Hi,

The first error is being caused by an invalid Lucene query. The colon 
character (":") is a reserved character which must be escaped properly (see 
https://www.elastic.co/guide/en/elasticsearch/reference/1.7/query-dsl-query-string-query.html#_reserved_characters).
 
Since the error is caused by the AlertScannerThread, there seems to be some 
alert condition with insufficiently escaped content ("PowerManager:  
%PWRMGMT-4-INPUT_POWER_OK: PowerSupply2 has regained input power.").

The second message is simply a request by a client without proper 
authorization, e.g. because the session has timed out or the user logged 
out of Graylog. The only way to get rid of this message is closing the 
logged out client.

Cheers,
Jochen

On Friday, 18 March 2016 14:58:34 UTC+1, fanirama wrote:
>
> Hi, 
> I'm running graylog2 v1.3.2 and I'm unable to determine what is causing 
> these 2 alerts as follows. Any help is much appreciated -
>
> 1. in server.log - 
>
>     seeing - 
>     
> 2016-03-17T23:03:09.164-04:00 ERROR [AlertScannerThread] Skipping alert 
> check that threw an exception.
> org.elasticsearch.action.search.SearchPhaseExecutionException: Failed to 
> execute phase [query], all shards failed; shardFailures 
> {[8yQnL_LOSwCNrm8-R7rz1A][graylog2_0][0]: 
> RemoteTransportException[[graylog-es][inet[/10.30.20.52:9300]][indices:data/read/search[phase/query]]];
>  
> nested: 
> NotSerializableTransportException[[org.elasticsearch.search.SearchParseException]
>  
> [graylog2_0][0]: from[0],size[1]: Parse Failure [Failed to parse source 
> [{"from":0,"size":1,"query":{"filtered":{"query":{"query_string":{"query":"message:\"\"PowerManager:
>   
> %PWRMGMT-4-INPUT_POWER_OK: PowerSupply2 has regained input power. 
> \"\"","allow_leading_wildcard":false}},"filter":{"bool":{"must":[{"range":{"timestamp":{"from":"2016-03-18
>  
> 03:02:09.160","to":"2016-03-18 
> 03:03:09.160","include_lower":true,"include_upper":true}}},{"query":{"query_string":{"query":"streams:56dd5fefe4b0a612b3e8f460"}}}]}}}},"sort":[{"timestamp":{"order":"desc"}}]}]];
>  
> [graylog2_0] Failed to parse query [message:""PowerManager:  
> %PWRMGMT-4-INPUT_POWER_OK: PowerSupply2 has regained input power. ""]; 
> Cannot parse 'message:""PowerManager:  %PWRMGMT-4-INPUT_POWER_OK: 
> PowerSupply2 has regained input power. ""': Encountered " ":" ": "" at line 
> 1, column 50.
> Was expecting one of:
>     <EOF>
>     <AND> ...
>     <OR> ...
>     <NOT> ...
>     "+" ...
>     "-" ...
>     <BAREOPER> ...
>     "(" ...
>     "*" ...
>     "^" ...
>     <QUOTED> ...
>     <TERM> ...
>     <FUZZY_SLOP> ...
>     <PREFIXTERM> ...
>     <WILDTERM> ...
>     <REGEXPTERM> ...
>     "[" ...
>     "{" ...
>     <NUMBER> ...
>     ; Encountered " ":" ": "" at line 1, column 50.
>
> The switch is sending that syslog message as seen so I'm not sure what is 
> the proper resolution on this. Col 50 is the colon right after the 
> INPUT_POWER_OK in the message. Why would it complain about this colon? 
>
>  
> 2. in application.log seeing - 
>
>     2016-03-18T09:51:49.902-04:00 - [ERROR] - from 
> org.graylog2.restclient.models.UserService in 
> play-akka.actor.default-dispatcher-4 
> Unauthorized to load user XXXXXX
> org.graylog2.restclient.lib.APIException: API call failed GET 
> http://@graylog-web:12900/users/XXXXX returned 401 Unauthorized body: 
>
>     at 
> org.graylog2.restclient.lib.ApiClientImpl$ApiRequestBuilder.handleResponse(ApiClientImpl.java:511)
>  
> ~[org.graylog2.graylog2-rest-client--1.3.2-1.3.2.jar:na]
>     at 
> org.graylog2.restclient.lib.ApiClientImpl$ApiRequestBuilder.execute(ApiClientImpl.java:441)
>  
> ~[org.graylog2.graylog2-rest-client--1.3.2-1.3.2.jar:na]
>     at 
> org.graylog2.restclient.models.UserService.retrieveUserWithSessionId(UserService.java:162)
>  
> ~[org.graylog2.graylog2-rest-client--1.3.2-1.3.2.jar:na]
>     at 
> lib.security.RedirectAuthenticator.authenticateSessionUser(RedirectAuthenticator.java:122)
>  
> [graylog-web-interface.graylog-web-interface-1.3.2.jar:1.3.2]
>     at 
> lib.security.RedirectAuthenticator.getUsername(RedirectAuthenticator.java:55) 
> [graylog-web-interface.graylog-web-interface-1.3.2.jar:1.3.2]
>     at play.mvc.Security$AuthenticatedAction.call(Security.java:37) 
> [com.typesafe.play.play_2.10-2.3.10.jar:2.3.10]
>     at play.core.j.JavaAction$$anonfun$11.apply(JavaAction.scala:82) 
> [com.typesafe.play.play_2.10-2.3.10.jar:2.3.10]
>     at play.core.j.JavaAction$$anonfun$11.apply(JavaAction.scala:82) 
> [com.typesafe.play.play_2.10-2.3.10.jar:2.3.10]
>     at 
> scala.concurrent.impl.Future$PromiseCompletingRunnable.liftedTree1$1(Future.scala:24)
>  
> [org.scala-lang.scala-library-2.10.4.jar:na]
>     at 
> scala.concurrent.impl.Future$PromiseCompletingRunnable.run(Future.scala:24) 
> [org.scala-lang.scala-library-2.10.4.jar:na]
>     at 
> play.core.j.HttpExecutionContext$$anon$2.run(HttpExecutionContext.scala:40) 
> [com.typesafe.play.play_2.10-2.3.10.jar:2.3.10]
>     at 
> play.api.libs.iteratee.Execution$trampoline$.execute(Execution.scala:46) 
> [com.typesafe.play.play-iteratees_2.10-2.3.10.jar:2.3.10]
>     at 
> play.core.j.HttpExecutionContext.execute(HttpExecutionContext.scala:32) 
> [com.typesafe.play.play_2.10-2.3.10.jar:2.3.10]
>     at scala.concurrent.impl.Future$.apply(Future.scala:31) 
> [org.scala-lang.scala-library-2.10.4.jar:na]
>     at scala.concurrent.Future$.apply(Future.scala:485) 
> [org.scala-lang.scala-library-2.10.4.jar:na]
>     at play.core.j.JavaAction$class.apply(JavaAction.scala:82) 
> [com.typesafe.play.play_2.10-2.3.10.jar:2.3.10]
>     at 
> play.core.Router$HandlerInvokerFactory$JavaActionInvokerFactory$$anon$15$$anon$1.apply(Router.scala:252)
>  
> [com.typesafe.play.play_2.10-2.3.10.jar:2.3.10]
>     at 
> play.api.mvc.Action$$anonfun$apply$1$$anonfun$apply$4$$anonfun$apply$5.apply(Action.scala:130)
>  
> [com.typesafe.play.play_2.10-2.3.10.jar:2.3.10]
>     at 
> play.api.mvc.Action$$anonfun$apply$1$$anonfun$apply$4$$anonfun$apply$5.apply(Action.scala:130)
>  
> [com.typesafe.play.play_2.10-2.3.10.jar:2.3.10]
>     at play.utils.Threads$.withContextClassLoader(Threads.scala:21) 
> [com.typesafe.play.play_2.10-2.3.10.jar:2.3.10]
>     at 
> play.api.mvc.Action$$anonfun$apply$1$$anonfun$apply$4.apply(Action.scala:129) 
> [com.typesafe.play.play_2.10-2.3.10.jar:2.3.10]
>     at 
> play.api.mvc.Action$$anonfun$apply$1$$anonfun$apply$4.apply(Action.scala:128) 
> [com.typesafe.play.play_2.10-2.3.10.jar:2.3.10]
>     at scala.Option.map(Option.scala:145) 
> [org.scala-lang.scala-library-2.10.4.jar:na]
>     at play.api.mvc.Action$$anonfun$apply$1.apply(Action.scala:128) 
> [com.typesafe.play.play_2.10-2.3.10.jar:2.3.10]
>     at play.api.mvc.Action$$anonfun$apply$1.apply(Action.scala:121) 
> [com.typesafe.play.play_2.10-2.3.10.jar:2.3.10]
>     at 
> play.api.libs.iteratee.Iteratee$$anonfun$mapM$1.apply(Iteratee.scala:483) 
> [com.typesafe.play.play-iteratees_2.10-2.3.10.jar:2.3.10]
>     at 
> play.api.libs.iteratee.Iteratee$$anonfun$mapM$1.apply(Iteratee.scala:483) 
> [com.typesafe.play.play-iteratees_2.10-2.3.10.jar:2.3.10]
>     at 
> play.api.libs.iteratee.Iteratee$$anonfun$flatMapM$1.apply(Iteratee.scala:519) 
> [com.typesafe.play.play-iteratees_2.10-2.3.10.jar:2.3.10]
>     at 
> play.api.libs.iteratee.Iteratee$$anonfun$flatMapM$1.apply(Iteratee.scala:519) 
> [com.typesafe.play.play-iteratees_2.10-2.3.10.jar:2.3.10]
>     at 
> play.api.libs.iteratee.Iteratee$$anonfun$flatMap$1$$anonfun$apply$14.apply(Iteratee.scala:496)
>  
> [com.typesafe.play.play-iteratees_2.10-2.3.10.jar:2.3.10]
>     at 
> play.api.libs.iteratee.Iteratee$$anonfun$flatMap$1$$anonfun$apply$14.apply(Iteratee.scala:496)
>  
> [com.typesafe.play.play-iteratees_2.10-2.3.10.jar:2.3.10]
>     at 
> scala.concurrent.impl.Future$PromiseCompletingRunnable.liftedTree1$1(Future.scala:24)
>  
> [org.scala-lang.scala-library-2.10.4.jar:na]
>     at 
> scala.concurrent.impl.Future$PromiseCompletingRunnable.run(Future.scala:24) 
> [org.scala-lang.scala-library-2.10.4.jar:na]
>     at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:41) 
> [com.typesafe.akka.akka-actor_2.10-2.3.5.jar:na]
>     at 
> akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(AbstractDispatcher.scala:393)
>  
> [com.typesafe.akka.akka-actor_2.10-2.3.5.jar:na]
>     at 
> scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260) 
> [org.scala-lang.scala-library-2.10.4.jar:na]
>     at 
> scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
>  
> [org.scala-lang.scala-library-2.10.4.jar:na]
>     at 
> scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979) 
> [org.scala-lang.scala-library-2.10.4.jar:na]
>     at 
> scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
>  
> [org.scala-lang.scala-library-2.10.4.jar:na]
>
>  Is this because a user's session has timed out but the browser javascript 
> is still running and attempting to contact graylog2 server with an expired 
> session key now? How do I resolve this? It is writing to the log every few 
> seconds. Is the only solution to close the user's browser/stop javascript on 
> client side?
>
> Thanks, 
>
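
The escaping discussed in the reply, as an added example that is not part of the original thread and is not Graylog's own code: it backslash-escapes reserved Lucene characters in a literal value before the value is placed in a `query_string` query, and reports which characters in the alert value from the log were left unescaped. The function names are hypothetical, and the character set is assumed to be the one escaped by Lucene's `QueryParserBase.escape()`.

```python
import json

# Characters escaped by Lucene's QueryParserBase.escape(). "&" and "|" are
# escaped one at a time, which also neutralises the "&&" and "||" operators.
LUCENE_RESERVED = set('\\+-!():^[]"{}~*?|&/')


def escape_lucene(value):
    """Backslash-escape every reserved character so the value is read as literal text."""
    return "".join("\\" + ch if ch in LUCENE_RESERVED else ch for ch in value)


def unescaped_reserved(value):
    """Return (index, char) for each reserved character not already escaped."""
    hits, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            i += 2  # skip an escaped pair such as "\:"
            continue
        if value[i] in LUCENE_RESERVED:
            hits.append((i, value[i]))
        i += 1
    return hits


def field_query(field, value):
    """Build a query_string clause that matches `value` as a phrase in `field`."""
    return {
        "query_string": {
            "query": '%s:"%s"' % (field, escape_lucene(value)),
            "allow_leading_wildcard": False,
        }
    }


# Alert condition value as it appears in the server.log excerpt of the thread.
ALERT_VALUE = ("PowerManager:  %PWRMGMT-4-INPUT_POWER_OK: "
               "PowerSupply2 has regained input power.")

if __name__ == "__main__":
    print(unescaped_reserved(ALERT_VALUE))  # reserved characters needing escapes
    print(json.dumps(field_query("message", ALERT_VALUE)))
```
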
