Re: [graylog2] journal broken

2015-02-26 Thread Ed Totman
Thanks for the reply.  How do I clear the journal of old messages before I 
restart it?

On Wednesday, February 25, 2015 at 10:54:42 PM UTC-8, Bernd Ahlers wrote:

 Ed, 

 as Tristan already said, if you are constantly sending in more messages 
 than Graylog or Elasticsearch can process, you will always fill up 
 your journal. 
 Disabling the journal does not really fix the problem, because you 
 will now lose messages. 

 Please check the node details page (System - Nodes - click on the 
 node name) and check the disk journal stats. If you are writing more into 
 the journal than reading from it, you have a problem with processing 
 throughput. 

 Regards, 
 Bernd 

 On 26 February 2015 at 00:50, Tristan Rhodes tristan...@gmail.com wrote:
  Ed,
  
  I had this same problem.  However, increasing the journal size will only
  help if your rate of messages periodically decreases below what your system
  can process.  (For example, you will grow the journal during peak hours of
  the day, and drain the journal when fewer logs are being sent to Graylog).
  
  If you are always sending more messages than your Elasticsearch can ingest,
  the journal will not help.  I increased my Elasticsearch ingesting
  performance by changing this setting in elasticsearch.yml:
  
  index.refresh_interval: 30s 
  
  You can read more about this setting here:
  
  http://blog.sematext.com/2013/07/08/elasticsearch-refresh-interval-vs-indexing-performance/
  
  http://www.elasticsearch.org/blog/performance-considerations-elasticsearch-indexing/
  
  Disclaimer: I am new to graylog+elasticsearch and barely know what I am
  doing.  :)
  
  Cheers! 
  
  Tristan 
  
  On Mon, Feb 23, 2015 at 10:41 AM, Ed Totman eto...@gmail.com wrote:
  
  I deployed the latest appliance from the ova file.  Graylog2 worked fine
  for several days, but then the journal files grew to 5GB which is the
  default limit and search returns no current results.  On the System page
  this error appeared:
  
  Journal utilization is too high a few seconds ago
  Journal utilization is too high and may go over the limit soon. Please
  verify that your Elasticsearch cluster is healthy and fast enough. You may
  also want to review your Graylog journal settings and set a higher limit.
  (Node: 43a9cc82-dc5a-4492-936b-418e1bc98f5e, journal utilization: 96.0%)
  
  I increased the journal limit to 10GB but this did not fix the problem.  I
  restarted all services and checked the logs, but could not find any obvious
  problem.  The VM is running on very fast storage with lots of CPU and
  memory.  I set message_journal_enabled = false which seems to have
  temporarily resolved the problem.
  
  How do I troubleshoot the journal?  All of the other components are
  working fine.
  
  --
  You received this message because you are subscribed to the Google Groups
  graylog2 group.
  To unsubscribe from this group and stop receiving emails from it, send an
  email to graylog2+u...@googlegroups.com.
  For more options, visit https://groups.google.com/d/optout.
  
  
  
  
  -- 
  Tristan Rhodes 
  



 -- 
 Developer 

 Tel.: +49 (0)40 609 452 077 
 Fax.: +49 (0)40 609 452 078 

 TORCH GmbH - A Graylog company 
 Steckelhörn 11 
 20457 Hamburg 
 Germany 

 Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175 
 Geschäftsführer: Lennart Koopmann (CEO) 




[graylog2] Re: Stream URL doesn't show any message

2015-02-26 Thread Jochen Schalanda
Hi Roberto,

I hope you're using at least Graylog2 0.92.x and even then I'd recommend 
upgrading to Graylog 1.0.0 (it's really easy!).

If the stream URL opens a stream at all and not an error page, it's 
supposed to be the correct stream. Maybe the events only happened in a 
specific timeframe which doesn't happen to be in the selected default 
time-range. Are there any messages in the stream?


Cheers,
Jochen


On Tuesday, 24 February 2015 14:50:17 UTC+1, roberto...@gmail.com wrote:

 Dear, I'm working with Graylog2 version 0.9.

 I've created a stream and after that an email alert that comes to my email 
 account perfectly.

 This alert tells me there are N events matching the stream, and it shows a 
 STREAM URL. When I click this URL, the result is 0 event/message.

 Is it possible that the URL is badly composed? Or what is the cause the 
 stream URL doesn't show any event?

 Thanks a lot,

 Roberto




[graylog2] Source field with bad format

2015-02-26 Thread robertocarna36
Dear, I have Graylog 0.20.6.

I receive logs from Linux and Windows servers very well, but my problem is 
with Cisco ASA logs, in the source field I receive something like this and 
not IP or hostname:

Source: %ASA-6-100881

Source: %link-up-1

etc.


What can I do in order to convert these sources into the corresponding IPs 
or hostnames?

Thanks a lot,

Roberto



Re: [graylog2] Source field with bad format

2015-02-26 Thread Henrik Johansen
One problem usually is that the ASA boxes aren’t transmitting their hostname by 
default.
Running 'logging device-id hostname' on the boxes in question should do the 
trick.

 On 26 Feb 2015, at 21:18, robertocarn...@gmail.com wrote:
 
 Dear, I have Graylog 0.20.6.
 
 I receive logs from Linux and Windows servers very well, but my problem is 
 with Cisco ASA logs, in the source field I receive something like this and 
 not IP or hostname:
 
 Source: %ASA-6-100881
 
 Source: %link-up-1
 
 etc.
 
 
 What can I do in order to convert these sources into the corresponding IPs or 
 hostnames?
 
 Thanks a lot,
 
 Roberto
 
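Added example (not part of the original thread, and not Graylog's own parser): a lenient RFC 3164-style parse showing why a Cisco ASA message sent without a device ID ends up with its %ASA tag in the source field, with a fallback to the sender address so firewall events stay attributable. The sample lines, the name asa-fw01 and the address 192.0.2.10 are constructed, and the "hostname : %ASA-..." layout assumed for a device with logging device-id hostname set is an assumption.

```python
import re

# Lenient RFC 3164-style header: <PRI>, optional "Mmm dd [yyyy] hh:mm:ss[:]",
# then the remainder, whose first token a simple parser treats as the hostname.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?\s+\d{2}:\d{2}:\d{2}):?\s+)?"
    r"(?P<rest>.*)$"
)

# Constructed sample lines (not captured from a real device).
NO_DEVICE_ID = "<166>Feb 26 2015 21:18:04: %ASA-6-302013: Built outbound TCP connection"
WITH_DEVICE_ID = "<166>Feb 26 2015 21:18:04 asa-fw01 : %ASA-6-302013: Built outbound TCP connection"


def naive_source(line):
    """First token after the timestamp, as a lenient syslog parser would pick it."""
    m = HEADER.match(line)
    if not m or not m.group("rest").strip():
        return None
    return m.group("rest").split(None, 1)[0].rstrip(":")


def resolve_source(line, sender_ip):
    """Return (source, from_header).

    A token starting with '%' is a Cisco message tag, not a hostname, so the
    address the datagram came from is used instead and from_header is False.
    """
    src = naive_source(line)
    if not src or src.startswith("%"):
        return sender_ip, False
    return src, True


if __name__ == "__main__":
    for sample in (NO_DEVICE_ID, WITH_DEVICE_ID):
        print(naive_source(sample), resolve_source(sample, "192.0.2.10"))
```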


[graylog2] Difference between GELF 1.0 and 1.1

2015-02-26 Thread Moocar
Hi there,

Logback-gelf author here. Congrats on the 1.0 launch! I've been under a 
rock for a while and just noticed that GELF has a 1.1 spec. Is there a list 
of the changes from GELF 1.0?

Thanks
