Re: [graylog2] Syslog input: Add source IP field to messages from devices with poor syslog formatting?

2016-09-07 Thread Jan Doberstein
Hej Michael, I can use rsyslog to modify the messages or something, but can we get this as an option for the Syslog input? If you use one input per access point, you can add the source per input. If you are able to identify the device by something else, a pipeline can help you add this field. /jd --

[graylog2] Re: Looking for a configuration example of filebeat + graylog collector use

2016-09-07 Thread Aykisn
Oh I just saw that the documentation for the collector was updated. Sorry for the inconvenience. -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+uns

[graylog2] Looking for a configuration example of filebeat + graylog collector use

2016-09-07 Thread Aykisn
Hello, I want to use Filebeat to collect logs from files on Windows clients and forward these logs to Graylog. However, I saw that in the output part of Filebeat (in the yml file), the only options were elasticsearch, logstash, console or file. And in the collector, we can only choose the hosts

[graylog2] Re: Cisco syslog message source field includes date info and more

2016-09-07 Thread Thomas
OK, so I figured this out myself. On my Cisco devices, I had the following logging option enabled: "logging timestamp". This adds an additional timestamp to every syslog message, and that caused issues with the extractor I was using. Once I removed this from the Cisco config, the source field in Gr

[graylog2] Re: How to configure multiple output

2016-09-07 Thread Michael Anthon
I ran into this issue last night as well. It seems to me (from looking at the beats doco) that beats doesn't handle multiple outputs. I'm not sure how graylog is deciding which output to use but it seems that we can't use this type of setup for beats (regardless of the fact that the interface

[graylog2] Re: "Best practice" for multiple source/input configurations

2016-09-07 Thread Michael Anthon
That's the way I've ended up going as well; it definitely makes managing extractors simpler, since the extractors on an input all apply to the same types of messages. The only gotcha I've run into is with testing Filebeat: the collector allows you to set up and attempt to use multiple outputs, ho

[graylog2] Failed to start Grizzly HTTP server: permission denied - after 2.1 upgrade

2016-09-07 Thread Steve A
After upgrading my functioning 2.03 environment (1 Graylog server with 2 ElasticSearch nodes all CentOS 7), Graylog won't start up properly. It loops through startup/shutdown as shown below (full log is attached). It seems like a problem binding linux ports below 1024, but I could be wrong.

[graylog2] Re: Seeking Information

2016-09-07 Thread 8bits1beard
This may be of use to you in regards to Graylog and Splunk. https://www.graylog.org/blog/19-graylog-splunk-integration-is-now-here On Wednesday, September 7, 2016 at 10:34:36 AM UTC-6, peterse...@gmail.com wrote: > > Seeking Information about GreyLog, I am Currently an Administrator of > Splun

[graylog2] Rest API on 9000 doesn't work.

2016-09-07 Thread 8bits1beard
According to http://docs.graylog.org/en/2.1/pages/upgrade/graylog-2.1.html I can now use port 9000 for the web interface and REST API. However, after editing /etc/graylog/server/server.conf and changing the rest_listen_uri = to LANIP:9000/, neither the web interface nor the REST API works. No firewal

[graylog2] Collectors show Unknown or Failing status after upgrading to 2.1 from 2.0.3

2016-09-07 Thread 8bits1beard
I'm still receiving messages but under System > Collectors, all show either Failing or Unknown. I can make changes to my configurations and they update my nxlog.conf files so I know communication is happening both ways. I've restarted the collector and no change. All collectors are version 0

[graylog2] Re: Updating to Graylog 2.1.0 from 2.0.3

2016-09-07 Thread 8bits1beard
$ wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb $ sudo dpkg -i graylog-2.1-repository_latest.deb $ sudo apt-get update $ sudo apt-get install graylog-server Worked for me. On Tu

[graylog2] Re: Bigger production setup

2016-09-07 Thread T.J. Yang
Thanks Aykisn for passing on this useful blog. On Wednesday, September 7, 2016 at 6:28:48 AM UTC-5, Aykisn wrote: > > I recommend this guide : > http://severalnines.com/blog/high-availability-log-processing-graylog-mongodb-and-elasticsearch > > You just have to adapt the guide to match the archite

[graylog2] Re: "Best practice" for multiple source/input configurations

2016-09-07 Thread 8bits1beard
I use a different input for each type of log, platform, eventlog, iis, etc.. My thinking was mainly I want to see everything from something specific without noise from another and without the need for a stream. - On Wednesday, September 7, 2016 at 4:01:08 AM UTC-6, Michael Anthon wrote: > > Wh

[graylog2] Is it possible to setup a stream to alert if number of messages from a single source exceeds a count?

2016-09-07 Thread ironmanmk42
Graylog 1.3.2 (for now, and looking to implement Graylog 2.1) = Is it possible to set up a stream to alert if the number of messages from a single source exceeds a count? I have some misbehaving apps on hosts which suddenly send over a million syslogs in, say, an hour or two because of a faulty ap
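A worked version of the per-source burst check asked about above, as an added example that is not part of the thread or of Graylog itself: it keeps a sliding window of timestamps per source over constructed syslog lines, raises one alert when a source exceeds the threshold inside the window, and then stays quiet for that source during a grace period so a million-line burst produces one alert rather than a million. The line layout, the host names, the threshold and the window sizes are all assumptions chosen for the demonstration.

```python
"""Per-source burst detection over syslog lines with a sliding window and a grace period.
Added example; the line format, hosts and thresholds below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# BSD-style header: <PRI>Mmm dd HH:MM:SS HOST MSG (assumed layout, not taken from the thread).
_LINE = re.compile(
    r"^<\d{1,3}>(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def parse_ts(ts, year=2016):
    """BSD syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime("%d %s" % (year, ts.replace("  ", " ")), "%Y %b %d %H:%M:%S")


class SourceRateDetector:
    """Alert when one source emits more than `threshold` messages within `window_seconds`,
    then suppress further alerts for that source for `grace_seconds`."""

    def __init__(self, threshold, window_seconds, grace_seconds):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.grace = timedelta(seconds=grace_seconds)
        self._events = defaultdict(deque)   # source -> timestamps still inside the window
        self._last_alert = {}               # source -> time of the last alert

    def observe(self, source, when):
        """Record one message; return an alert dict if this message crosses the threshold.
        Messages for one source are expected in time order; sources are independent."""
        q = self._events[source]
        q.append(when)
        cutoff = when - self.window
        while q and q[0] < cutoff:          # evict timestamps that fell out of the window
            q.popleft()
        if len(q) <= self.threshold:
            return None
        last = self._last_alert.get(source)
        if last is not None and when - last < self.grace:
            return None                     # still inside the grace period: no repeat alert
        self._last_alert[source] = when
        return {"source": source, "count": len(q), "window_end": when}


def scan(lines, detector, year=2016):
    """Run the detector over an iterable of raw syslog lines; returns the alerts raised."""
    alerts = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue                        # unparseable line: skip rather than crash
        alert = detector.observe(m.group("host"), parse_ts(m.group("ts"), year))
        if alert:
            alerts.append(alert)
    return alerts


def build_sample():
    """Constructed input: app-7 logs 12 lines in 22 seconds, web-1 logs two lines."""
    lines = ["<14>Sep  7 10:22:%02d app-7 crashloop[4242]: restart attempt %d" % (i * 2, i)
             for i in range(12)]
    lines.append("<14>Sep  7 10:22:05 web-1 sshd[110]: Accepted publickey for ops")
    lines.append("<14>Sep  7 10:22:40 web-1 sshd[110]: session closed for ops")
    return lines


if __name__ == "__main__":
    det = SourceRateDetector(threshold=10, window_seconds=60, grace_seconds=300)
    for a in scan(build_sample(), det):
        print("%s sent %d messages in 60s ending %s" % (a["source"], a["count"], a["window_end"]))
```

The grace period is what keeps the alert volume sane: without it every message after the eleventh would re-fire. Tune `threshold` per stream rather than globally, since a busy firewall's normal rate is another host's burst.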

[graylog2] Seeking Information

2016-09-07 Thread petersendana62
Seeking information about Graylog. I am currently an administrator of Splunk; I am hoping I can reach out to someone in this group to help me with using Graylog in conjunction with Splunk and how it can benefit us on license usage with Splunk. Thanks

[graylog2] Graylog V2 web interface stuck on loading after login

2016-09-07 Thread Thangaraj Arunachalam
Hi Nathan, We are also facing a similar issue in our setup. Could you please share more details about the fix? Thanks in advance. Tharun.

[graylog2] Re: Graylog V2 web interface stuck on loading after login

2016-09-07 Thread Thangaraj Arunachalam
Hi, we are also seeing a similar issue in my setup; could you please elaborate on the fix?

Re: [graylog2] Web interface flashes logon page in every reload

2016-09-07 Thread Phil Sumner
Thank you! On Wednesday, 7 September 2016 16:27:24 UTC+1, Edmundo Alvarez wrote: > > Hi, > > This is a known presentation issue, please check this Github issue for > more information: https://github.com/Graylog2/graylog2-server/issues/2770 > > Regards, > Edmundo > >

Re: [graylog2] Web interface flashes logon page in every reload

2016-09-07 Thread Edmundo Alvarez
Hi, This is a known presentation issue, please check this Github issue for more information: https://github.com/Graylog2/graylog2-server/issues/2770 Regards, Edmundo > On 07 Sep 2016, at 17:25, Karjic Ioannis wrote: > > Hi all, > having the same problem > > Regards > > On Wednesday, Septemb

[graylog2] Re: Web interface flashes logon page in every reload

2016-09-07 Thread Karjic Ioannis
Hi all, having the same problem Regards On Wednesday, September 7, 2016 at 4:37:50 PM UTC+3, Phil Sumner wrote: > > Since upgrading to 2.1.0 from 2.0.3, the web interface has started showing > (briefly) the logon page whenever the reload action happens. > > Not sure what information I can provid

[graylog2] Web interface flashes logon page in every reload

2016-09-07 Thread Phil Sumner
Since upgrading to 2.1.0 from 2.0.3, the web interface has started showing (briefly) the logon page whenever the reload action happens. Not sure what information I can provide to be useful here. Anyone got any idea how to stop it? Thanks, Phil

[graylog2] Re: Bigger production setup

2016-09-07 Thread Aykisn
I recommend this guide : http://severalnines.com/blog/high-availability-log-processing-graylog-mongodb-and-elasticsearch You just have to adapt the guide to match the architecture you want.

[graylog2] Number of records per second on the histogram

2016-09-07 Thread Валерий Казанцев
Hello! The smallest unit of time for the histogram is minute. I want to display the number of records per second. How can I do? Kibana can display the number of records per second. While I can see that Graylog is losing to Kibana.

Re: [graylog2] Issue with winlogbeat and TLS connections

2016-09-07 Thread Marius Sturm
Hi, could you please open an issue for this here: https://github.com/Graylog2/collector-sidecar Should be easy to fix. Cheers, Marius On 7 September 2016 at 11:48, Michael Anthon wrote: > Hi All, > I have just attempted to set up filebeat and winlogbeat to see how they > perform but ran into a

Re: [graylog2] Sidecar permission denied error

2016-09-07 Thread Marius Sturm
We plan some performance improvements for the next release, so if you see too much load on the server side at the moment, this will be improved in 2.2. Maybe not relevant for 50 nodes but for 500. On 7 September 2016 at 11:36, Werner van der Merwe wrote: > Thanks Marius, that worked like a charm

[graylog2] Re: Change "dynamic_templates" and "store_generic"

2016-09-07 Thread SancheZZS
I did a retry with all manipulation mapping, fixed index name and recreate index. It works perfectly, but I have a little issue. Any new field have "index" : "not_analyzed" yet. curl -X GET 'http://localhost:9200/_template?pretty' http://pastebin.com/5hyFHkzJ My "graylog-custom-mapping" contains "in

[graylog2] "Best practice" for multiple source/input configurations

2016-09-07 Thread Michael Anthon
While our system currently isn't that large I'm trying to determine the best way to configure Graylog to make future updates and extensions simple to manage. Where I'm struggling with this is with the impact in terms of performance of configuring things certain ways. So, for example, we have d

[graylog2] Issue with winlogbeat and TLS connections

2016-09-07 Thread Michael Anthon
Hi All, I have just attempted to set up filebeat and winlogbeat to see how they perform but ran into a bit of an issue with using winlogbeat and TLS connections. The config file generated look (in part) like this for an output defined in collectors with "Enable TLS support" and "Insecure TLS co

Re: [graylog2] Sidecar permission denied error

2016-09-07 Thread Werner van der Merwe
Thanks Marius, that worked like a charm! Now, if the trial works and I get my approval, we can roll that out to most of the Windows and RedHat farms as well. The Windows guys are hesitant to open that up as they are committed Splunk guys, but I think sidecar will bring a lot of weight to move over - th

Re: [graylog2] Sidecar permission denied error

2016-09-07 Thread Marius Sturm
Awesome, happy to see it working in your environment! On 7 September 2016 at 11:12, Werner van der Merwe wrote: > Hi Marius, > > Currently we have it running on 27 Ubuntu servers and about 25 CentOS > boxes as trial. > We're in the prosess of installing onto a Windows trial of 22-25 servers. > >

[graylog2] Re: Convert log level from number to a more understandable

2016-09-07 Thread Jochen Schalanda
Hi Pedro, you could use the message decorators introduced in Graylog 2.1.0 to convert those levels to a human-readable format: http://docs.graylog.org/en/2.1/pages/queries.html#syslog-severity-mapper Cheers, Jochen On Wednesday, 7 September 2016 11:29:07 UTC+2, pedro rijo wrote: > > We have be

[graylog2] Convert log level from number to a more understandable

2016-09-07 Thread pedro rijo
We have been using elk but we are migrating to graylog since it seems way more powerful, but some of us have been complaining about a minor detail: - In elk log levels were values like 'ERROR', 'WARN', 'INFO', 'DEBUG' - In graylog levels are represented as numbers from 0 to 7 Couldn't find anyth
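Added example, not from the thread and not Graylog's own code: the PRI-to-name mapping that the severity mapper decorator mentioned above performs, written out as a small syslog parser that also handles the double-timestamp case from the Cisco thread earlier on this page, where a device-added timestamp lands in the hostname slot and a naive extractor stores the date as the source. The line layouts, the `rtr-core-1` host name and the message texts are constructed; the assumed shape of the extra device stamp is given in the comments.

```python
"""Parse BSD-style syslog lines, decode PRI into facility/severity names, and tolerate a
device-added second timestamp sitting where the hostname belongs. Added example; the
line layouts and sample messages are constructed."""
import re

# RFC 5424 section 6.2.1 keywords; PRI = facility * 8 + severity.
SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
FACILITY_NAMES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
                  "solaris-cron", "local0", "local1", "local2", "local3", "local4",
                  "local5", "local6", "local7")

# <PRI> followed by the RFC 3164 header timestamp "Mmm dd HH:MM:SS", then the rest.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) (?P<rest>.*)$")
# Assumed shape of a device-added stamp: optional '*', optional year, optional fraction,
# optional zone, optional trailing colon, e.g. "Sep  7 2016 10:22:33:" or "*Sep 7 10:22:33.123 UTC:".
_EXTRA_TS = re.compile(
    r"^\*?[A-Z][a-z]{2} {1,2}\d{1,2}(?: \d{4})? \d\d:\d\d:\d\d(?:\.\d+)?(?: [A-Z]{2,4})?:? ")
_HOSTNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")


def severity_name(level):
    """Map a 0..7 syslog severity (Graylog's numeric 'level' field) to its keyword."""
    if not 0 <= level <= 7:
        raise ValueError("syslog severity must be 0..7, got %r" % (level,))
    return SEVERITY_NAMES[level]


def decode_pri(pri):
    """Split PRI into (facility, severity); 191 is the largest valid PRI (local7.debug)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %r" % (pri,))
    return pri >> 3, pri & 7


def naive_source(line):
    """What a 'first token after the header timestamp' extractor does: wrong on double stamps."""
    m = _HEADER.match(line)
    return m.group("rest").split(" ", 1)[0] if m else None


def parse_syslog(line):
    """Return a dict of fields, or None if the header does not match. Raises ValueError
    instead of storing something that is not a hostname in 'source'."""
    m = _HEADER.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    rest = m.group("rest")
    extra = _EXTRA_TS.match(rest)
    device_ts = None
    if extra:                                   # skip the device's own stamp, keep it as a field
        device_ts = extra.group(0).rstrip(": ")
        rest = rest[extra.end():]
    source, _, message = rest.partition(" ")
    if not _HOSTNAME.match(source):
        raise ValueError("hostname slot holds %r, not a hostname" % (source,))
    return {
        "timestamp": m.group("ts"),
        "device_timestamp": device_ts,
        "facility": facility,
        "facility_name": FACILITY_NAMES[facility],
        "level": severity,
        "level_name": SEVERITY_NAMES[severity],
        "source": source,
        "message": message,
    }


# Constructed sample lines (not from the thread). PRI 189 = local7 (23) * 8 + notice (5).
SAMPLE_CLEAN = ("<189>Sep  7 10:22:33 rtr-core-1 123: %SYS-5-CONFIG_I: "
                "Configured from console by admin on vty0 (10.1.1.5)")
SAMPLE_DOUBLE = ("<189>Sep  7 10:22:33 Sep  7 2016 10:22:33: rtr-core-1 123: %SYS-5-CONFIG_I: "
                 "Configured from console by admin on vty0 (10.1.1.5)")

if __name__ == "__main__":
    for line in (SAMPLE_CLEAN, SAMPLE_DOUBLE):
        f = parse_syslog(line)
        print("naive source=%r  parsed source=%r  %s.%s" % (
            naive_source(line), f["source"], f["facility_name"], f["level_name"]))
```

The hostname check is the part worth keeping even if you leave the parsing to Graylog: a source field that fails a hostname or IP pattern should be rejected or flagged, not indexed, because anything built on top of `source` (per-host dashboards, per-host alerting) silently breaks when a date ends up there.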

Re: [graylog2] Re: Graylog not connecting to elasticsearch

2016-09-07 Thread Jochen Schalanda
Hi Karan, try removing (or commenting out) the elasticsearch_discovery_zen_ping_unicast_hosts setting from your Graylog configuration file. Cheers, Jochen

Re: [graylog2] Sidecar permission denied error

2016-09-07 Thread Werner van der Merwe
Hi Marius, Currently we have it running on 27 Ubuntu servers and about 25 CentOS boxes as a trial. We're in the process of installing onto a Windows trial of 22-25 servers. Have a CentOS puppet manifest (crudely) managing the CentOS servers; Ubuntu and Windows mostly manual initially. I'll make th

[graylog2] Re: Change "dynamic_templates" and "store_generic"

2016-09-07 Thread Jochen Schalanda
Hi, did you create the index "graylog2_0" after you've added your custom index mapping and the custom index template? Only newly created indices will receive the new index mapping. The index name also doesn't match the pattern you're using (which is "graylog_*" and not "graylog2_*"). Also se

Re: [graylog2] Re: Sidecar permission denied error

2016-09-07 Thread Marius Sturm
Hi Werner, right, the nxlog user needs access to the files you want to read; usually that's the 'adm' group on Ubuntu and the 'root' group on CentOS/RedHat machines. Out of curiosity, how many sidecars are you running in parallel? Cheers, Marius On 7 September 2016 at 06:08, Werner van der Merwe
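Added example (not from the thread and not part of the sidecar project) for checking the permission side of this before rolling the collector out to a farm: it evaluates each log file's mode bits for a given service account the way the kernel does, without running as that account or as root, and reports which group membership (adm, root, or whatever owns the file) would grant read access. It deliberately ignores POSIX ACLs and capabilities, so a "readable" verdict is necessary but not sufficient; the `nxlog` account name and the `/var/log` paths in the main block are placeholders.

```python
"""Evaluate whether a service account can read given log files from the owner/group/other
mode bits, and name the group that would grant access. Added example; the account name
and paths at the bottom are placeholders."""
import grp
import os
import pwd
import stat
import tempfile


def user_identity(username):
    """(uid, set of gids) for a local account: primary group plus supplementary groups."""
    pw = pwd.getpwnam(username)             # KeyError if the account does not exist
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def can_read(path, uid, gids):
    """Mode-bit check only: ACLs and CAP_DAC_READ_SEARCH are ignored, and search permission
    on the parent directories is assumed. uid 0 always passes, as in the kernel."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:                    # owner class is used even if group/other allow more
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def audit_paths(uid, gids, paths):
    """Map each path to None when readable, 'missing' when absent, otherwise to the group
    whose membership would grant read access, or 'owner-only' when no group bit is set."""
    report = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            report[p] = "missing"
            continue
        if can_read(p, uid, gids):
            report[p] = None
        elif st.st_mode & stat.S_IRGRP:
            try:
                report[p] = grp.getgrgid(st.st_gid).gr_name
            except KeyError:                # gid with no /etc/group entry
                report[p] = str(st.st_gid)
        else:
            report[p] = "owner-only"
    return report


def audit(username, paths):
    uid, gids = user_identity(username)
    return audit_paths(uid, gids, paths)


def self_check():
    """Constructed fixture: a 0640 file in a temp dir, judged for the owner, for a non-owner
    in the file's group, and for a stranger; also the audit verdict for the stranger."""
    stranger = os.getuid() + 100000         # neither root nor the owner
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "auth.log")
        with open(p, "w") as fh:
            fh.write("constructed sample line\n")
        os.chmod(p, 0o640)
        gid = os.stat(p).st_gid
        return (can_read(p, os.getuid(), {gid}),
                can_read(p, stranger, {gid}),
                can_read(p, stranger, set()),
                audit_paths(stranger, set(), [p])[p])


if __name__ == "__main__":
    # Placeholders: the sidecar backend's account and the files it is configured to tail.
    try:
        report = audit("nxlog", ["/var/log/syslog", "/var/log/auth.log", "/var/log/messages"])
    except KeyError:
        raise SystemExit("no such local account: nxlog")
    for path, verdict in report.items():
        print(path, "readable" if verdict is None else "needs " + verdict)
```

Adding the collector account to `adm` (Debian/Ubuntu) or to the file-owning group is the least-privilege fix; running the collector as root to get past a permission denied gives a log shipper, which talks to the network, far more than it needs.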

[graylog2] Re: Graylog email alert frequency

2016-09-07 Thread Jochen Schalanda
Hi Ajay, On Wednesday, 7 September 2016 05:20:15 UTC+2, Ajay Kumar wrote: > > Just out of curiosity, is it a limitation by design or intentionally > feature is kept like that? It's a current design limitation. Alerts are being generated by periodically running Elasticsearch queries (default: 6

[graylog2] Re: Install

2016-09-07 Thread Jochen Schalanda
Hi Chad, Graylog currently doesn't support running Elasticsearch plugins in its embedded instance at all (also see https://github.com/Graylog2/graylog2-server/issues/2789). You have to rely on the standard Elasticsearch configuration settings which Graylog provides: https://github.com/Graylo

Re: [graylog2] Re: Graylog not connecting to elasticsearch

2016-09-07 Thread Karan Chandok
Hi Jochen, Please find the attached updated configuration files. On Tue, Sep 6, 2016 at 2:09 PM, Jochen Schalanda wrote: > Hi Karan, > > please post the current Graylog and Elasticsearch configuration files > you're using (after the changes you've made). > > Cheers, > Jochen > > On Tuesday, 6 S