[graylog2] Variable Length Key=Value pairs
In the uri-query field of my IIS logs I have a website that generates values for this field that are key=value pairs delimited by . Sometimes this field might have one or two key=value pairs, and sometimes it has as many as six or seven. I would like to extract those key=value pairs and bring them into graylog as separate fields, but haven't had much luck.

Is there a good way to extract these fields?

--
You received this message because you are subscribed to the Google Groups graylog2 group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
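An added example, not from the original post, of the extraction logic the question asks for: it splits a uri-query value into however many key=value pairs it carries and turns each into a separately named field. Two things are assumed because the post does not show them: the pairs are separated by `&`, and keys and values may be URL-encoded. The function also does what a defender wants before such fields reach the index: a query string is client-controlled, and every distinct key becomes a new field in Elasticsearch, so keys are validated, capped and optionally whitelisted instead of being indexed blindly.

```python
# Added example, not from the original post: pull a variable number of
# key=value pairs out of an IIS uri-query value and turn them into separate,
# safely named fields. Assumptions: pairs are separated by '&' (the post does
# not show the delimiter) and keys/values may be URL-encoded.
import re
from urllib.parse import unquote_plus

FIELD_PREFIX = "uq_"      # keeps extracted names clear of Graylog's own fields
MAX_PAIRS = 16            # hard cap: a query string is client-controlled input
MAX_KEY_LEN = 64
SAFE_KEY = re.compile(r"^[A-Za-z0-9_]{1,%d}$" % MAX_KEY_LEN)

# Constructed sample uri-query values, from one pair up to seven.
SAMPLES = [
    "user=alice&action=login",
    "user=bob&action=view&page=3&sort=desc&lang=en&ref=home&v=2",
    "token=abc%20def&empty=&noval",
    "id=1&id=2&user=carol",
    "x" * 300 + "=y",
]


def extract_kv(uri_query, allowed_keys=None):
    """Return (fields, dropped): fields maps prefixed key -> value, dropped counts
    pairs rejected for an unsafe key, an unlisted key, or exceeding MAX_PAIRS.

    Every distinct key becomes a new Elasticsearch field once Graylog indexes
    it, so keys are validated and optionally whitelisted here rather than
    indexed blindly; repeated keys are kept as one comma-joined value.
    """
    fields = {}
    dropped = 0
    for i, pair in enumerate(uri_query.split("&")):
        if not pair:
            continue
        if i >= MAX_PAIRS:
            dropped += 1
            continue
        raw_key, has_value, raw_value = pair.partition("=")
        key = unquote_plus(raw_key).lower()
        if not SAFE_KEY.match(key) or (allowed_keys is not None and key not in allowed_keys):
            dropped += 1
            continue
        value = unquote_plus(raw_value) if has_value else ""
        name = FIELD_PREFIX + key
        fields[name] = fields[name] + "," + value if name in fields else value
    return fields, dropped


if __name__ == "__main__":
    for sample in SAMPLES:
        print(extract_kv(sample))
```

Each Graylog extractor writes one target field, which is why a fixed regex or split position struggles with a pair count that varies per request; logic like the above can run in the shipper before the event is sent, or serve as the reference for checking what a set of extractors produces. Passing `allowed_keys` is the safer default: unknown keys are dropped and counted rather than creating fields.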
Re: [graylog2] Re: hyper-v virtual appliance
Thanks guys for the tips. I have submitted a request to the ideas portal.

On Friday, June 19, 2015 at 11:34:59 AM UTC+2, Marius Sturm wrote:
> You can follow these instructions in order to perform an update on the appliance: https://github.com/Graylog2/graylog2-images/tree/master/ova#upgrade-graylog
>
> Hyper-V images produce some costs on our side because we don't have Windows build servers at the moment. You can add that request to the ideas portal; if there is a significant amount of people voting for it we can provide it natively: https://www.graylog.org/product-ideas/
>
> On 17 June 2015 at 15:55, David Gerdeman dave.g...@gmail.com wrote:
>> I've been running the virtual appliance in Hyper-V for a while now. Use some extraction program to open the OVA file. Take the vmdk file out and use VirtualBox or some other application to convert it to a VHD. You can either use that VHD directly with Hyper-V or you can use Hyper-V to convert it again to a VHDX file and use that. Either way works great.
>>
>> I don't know about your other question. I would like to know how to upgrade the virtual appliances as well.
>>
>> On Tuesday, June 16, 2015 at 5:51:50 PM UTC-5, Gabor.Technology wrote:
>>> Hi guys,
>>> Few questions please:
>>> 1. With version 1.1.2 out, what is the recommended way to run Graylog in production under Hyper-V? Convert Workstation image to vhdx? Chef / Puppet / Ansible?
>>> 2. What is the best way to upgrade from 1.0 to 1.1.2 or is it just better to create new VMs by using converted virtual appliances? Can data from existing elastic cluster be imported?
>>> Cheers,
>>> Gabor
>
> --
> Developer
> Tel.: +49 (0)40 609 452 077
> Fax.: +49 (0)40 609 452 078
> TORCH GmbH - A Graylog Company
> Steckelhörn 11
> 20457 Hamburg
> Germany
> https://www.graylog.com
> https://www.torch.sh/
> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
> Geschäftsführer: Lennart Koopmann (CEO)
[graylog2] Re: Graylog 0.20.2 field search trouble
Hi there Sean,

Not sure what logstash is, but when you search (i.e. for a field) can't you just append/prepend with a wild card? E.g. frequently I search:

    source:123.456.*

I think appending wildcards is enabled by default and you'd have to enable prepending in graylog-server.conf:

    allow_leading_wildcard_searches = true

Have you tried: tags:nserv* ?

Cheers,

On Tuesday, May 27, 2014 at 6:02:28 PM UTC-5, Sean Talts wrote:
> Hey all,
> Just set up Graylog2 for the first time and all of my logs are coming from logstash :) They have tag field entries like this: nserv, log, (for some reason). I'm trying to search for all logs with the nserv tag like so: `tag:nserv` because the documentation suggests that this will find any logs with tag fields containing the string nserv. However, no results come back! The only results that come back from tag searches are exact strings: `tags:nserv, log,`. Any ideas?
> Thanks,
> Sean
[graylog2] Newbie Question (Web Interface)
Hello All,
Just started using Graylog. Love it. Read the docs, but still having this problem:
1) Using the web interface I made a TEST input, and set up some extractors.
2) From System|Inputs I select Messages from this input for TEST. Great.
Here's the problem:
1) SOMETIMES, the fields don't show up on the right (even when I select 'all').
2) SOMETIMES, the Regex will work fine in the Extractor menu, but won't work when viewing the messages.
Probably an easy fix, but I can't figure this out. So if anyone has any idea or suggestions, I'm all ears! :p
Thanks in advance!
[graylog2] Re: [ANNOUNCE] Graylog v1.1.3 has been released
Upgrading from 1.1.2 to 1.1.3, were there any changes in config files? Can you blindly copy the config files from 1.1.2 to 1.1.3?

On Friday, June 19, 2015 at 9:41:02 AM UTC-7, lennart wrote:
> Hey everybody,
> I am happy to announce that we just released Graylog v1.1.3. This release is addressing several bugs and brings numerous improvements:
> * https://www.graylog.org/graylog-v1-1-3-is-now-available/
> Thanks,
> Lennart
Re: [graylog2] Graylog plugin - elastic field types
Hi Jesse!

On 23 Jun 2015, at 00:11, Jesse Skrivseth voodood...@gmail.com wrote:
> The Message class has several field types that can be explicitly declared when adding fields to messages. It seems to support: Double, Long, String.
> If I want to attach a field as a custom elastic type such as geo_point, how can I declare this custom type? Without a custom type, my current format would always be inserted as a string. I'd love to be able to:
>
>     msg.addCustomField(String type, String key, Object message)
>
> so
>
>     msg.addCustomField("geo_point", "source_geopoint", "12.023,-57.012");

Unfortunately this does not work the way you expect it to. The mapping itself is being applied when creating the index, and Graylog currently relies on ES auto-detecting the dynamic mapping types. Double, Long and String are actually separate data types, thus ES will create the correct mapping for them, but geo_point is actually just a String and there's no way to set a mapping type per document during indexing, so even if we offered an addCustomField method this would not work as intended.

In the future we want to provide more control over the mapping, but right now what you can do is to look at index templates. If your geo_point fields end with *_geopoint this should be relatively straightforward to implement. Please have a look at https://www.elastic.co/guide/en/elasticsearch/reference/1.6/indices-templates.html

Best,
Kay
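An added example, not code from the thread or from Graylog, of the index-template approach Kay points to: a dynamic template that maps every field ending in `_geopoint` to `geo_point`, together with the check a plugin should run on a "lat,lon" value before adding such a field. Two assumptions are made and should be checked against your own server: Graylog's indices match `graylog_*`, and they use the mapping type `message`; the `order` value is likewise a guess at what is needed to take precedence over Graylog's own template.

```python
# Added example, not from the thread: an Elasticsearch 1.x index template that
# maps every field ending in "_geopoint" to geo_point, plus the input check a
# plugin should run before it adds such a field. Assumptions: Graylog indices
# match "graylog_*" and use the mapping type "message"; confirm both against
# your own server's index prefix before installing the template.
import json


def geopoint_template(index_pattern="graylog_*", suffix="_geopoint", doc_type="message"):
    """Template body for PUT /_template/<name>; it applies to indices created later."""
    return {
        "template": index_pattern,
        "order": 1,   # assumption: higher than Graylog's own template so this one wins
        "mappings": {
            doc_type: {
                "dynamic_templates": [
                    {
                        "geopoints": {
                            "match": "*" + suffix,
                            "match_mapping_type": "string",   # "lat,lon" arrives as a string
                            "mapping": {"type": "geo_point"},
                        }
                    }
                ]
            }
        },
    }


def template_json(**kwargs):
    return json.dumps(geopoint_template(**kwargs), indent=2)


def parse_latlon(value):
    """Return (lat, lon) from a "lat,lon" string, or None if malformed or out of range."""
    try:
        lat_s, lon_s = value.split(",")
        lat, lon = float(lat_s), float(lon_s)
    except (ValueError, AttributeError):
        return None
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return lat, lon


def add_geopoint_field(message, key, value, suffix="_geopoint"):
    """Stand-in for a plugin adding the field: the key must carry the suffix the
    template matches on, and the value must parse, or the whole document would
    be rejected by Elasticsearch once the mapping is geo_point."""
    if not key.endswith(suffix):
        raise ValueError("field %r would be mapped as a plain string" % key)
    latlon = parse_latlon(value)
    if latlon is None:
        raise ValueError("not a valid lat,lon value: %r" % (value,))
    message[key] = "%s,%s" % latlon
    return message


if __name__ == "__main__":
    print(template_json())
    print(add_geopoint_field({}, "source_geopoint", "12.023,-57.012"))
```

Install the template with `curl -XPUT http://localhost:9200/_template/graylog-geopoint -d @template.json` (the template name is arbitrary). It only takes effect on indices created after it is installed, so the current index keeps its string mapping until the next index rotation; that is also why the value check matters, because once the mapping is `geo_point` a malformed value fails the whole message rather than just the field.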
[graylog2] Upload logs to analyze in GrayLog
Hi!
Is there any option where I can upload logs to analyze in GrayLog? I need to import logs from a Cisco ASA device that is not connected to the network, so I need to include this manually.
Thanks and regards,
By the way, sorry for my bad English,
Re: [graylog2] Upload logs to analyze in GrayLog
Hi Allan,

You can only upload logs to Graylog by sending them through a network interface, but you can do that from a different computer than the one generating the logs. I would place the log file you want to analyse in a computer that can access Graylog, then create a raw TCP input in Graylog (you can also use an existing input or create another type, depending on what you want to do). Once the input is started, you can send the log file through the network by using nc from your command line, for example:

    nc -w0 graylog-host <port> < ./logfile.log

As far as I know that only works on OS X and Linux, but I guess there will be a way of doing something similar on Windows :)

Hope that helps.

Regards,
Edmundo

On 23 Jun 2015, at 03:46, Allan Vargas allanvarga...@gmail.com wrote:
> Hi!
> Is there any option where I can upload logs to analyze in GrayLog? I need to import logs from a Cisco ASA device that is not connected to the network, so I need to include this manually.
> Thanks and regards,
> By the way, sorry for my bad English,
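An added example, not from the thread, of the exchange Edmundo describes: one side reads a log file and sends it line by line over a single TCP connection, exactly as `nc < logfile` does, and a small receiver stands in for the raw TCP input so the round trip can be checked offline. It is written in Python so it also answers the Windows question. The only assumption is that the input expects newline-delimited messages, one log line each; the ASA-style lines are constructed with documentation address ranges, not real logs.

```python
# Added example, not from the thread: the same exchange as "nc < logfile" against
# a raw TCP input, written in Python so it also runs on Windows, with a small
# receiver standing in for the input so the round trip can be checked offline.
# Assumption: the input expects newline-delimited messages, one log line each.
import io
import socket
import threading

# Constructed ASA-style lines (documentation address ranges), not real logs.
CONSTRUCTED_LOG = (
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.5/443 "
    "(203.0.113.5/443) to inside:10.0.0.23/51022 (198.51.100.2/51022)\n"
    "%ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.5/443 to "
    "inside:10.0.0.23/51022 duration 0:00:02 bytes 1536 TCP FINs\n"
    "\n"
    "%ASA-4-106023: Deny tcp src outside:198.51.100.77/40000 dst inside:10.0.0.5/22 "
    "by access-group \"outside_in\"\n"
)


def ship_lines(host, port, lines, timeout=5.0):
    """Send each non-empty line, newline-terminated, over one TCP connection.
    Returns the number of messages sent."""
    sent = 0
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for line in lines:
            line = line.rstrip("\r\n")
            if not line:          # a blank line would become an empty message
                continue
            sock.sendall((line + "\n").encode("utf-8"))
            sent += 1
    return sent


class LineReceiver:
    """Minimal stand-in for a raw TCP input: one connection, split on newlines."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))          # ephemeral port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.messages = []
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        buf = b""
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    self.messages.append(line.decode("utf-8", "replace"))
        if buf:                            # unterminated last line
            self.messages.append(buf.decode("utf-8", "replace"))

    def wait(self, timeout=5.0):
        self.thread.join(timeout)
        self.sock.close()
        return self.messages


def roundtrip(text):
    """Run both sides against an in-memory log; returns (sent, received)."""
    receiver = LineReceiver()
    sent = ship_lines("127.0.0.1", receiver.port, io.StringIO(text))
    return sent, receiver.wait()


if __name__ == "__main__":
    print(roundtrip(CONSTRUCTED_LOG))
```

Against a real server, call `ship_lines("graylog-host", port, open("logfile.log", encoding="utf-8", errors="replace"))` with the port of the raw TCP input. Like `nc`, this carries the lines in plaintext with no authentication, so the input should only be reachable from the host doing the upload, and a TLS-capable input is preferable where the Graylog version offers one.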
[graylog2] Confused by message field truncation
Hi all,

I'm sending my VMware vCenter server logs and Windows event logs into Graylog using nxlog-ce to send to GELF UDP inputs. I'm getting confused as to why the message field is truncated compared with the full_message. At this point I have not tried defining any fields in nxlog for these, nor have I defined any extractors on the inputs. What can cause these messages to be truncated? I'm assuming Graylog is trying to process these into various fields which is leading to the truncated message, but I'm not sure how I can overcome this.

Here's an example:

    full_message: vpxd2015-06-24T10:36:18.302+10:00 info vpxd[10384] [Originator@6876 sub=vpxLro opID=opId-f89b4b1a-bd95-48fa-8193-d7f494ae37b2-3d-5a] [VpxLRO] -- FINISH task-internal-2506
    message: vpxd2015-06-24T10:36:18.302+10:00 info vpxd[10384] [Originator@6

I am seeing the same behaviour for the Windows events and here's an example:

    full_message: The system call to get account information completed. CN=VMM01,CN=Computers,DC=lab,DC=melbourneit,DC=com The call completed in 0 milliseconds.
    message: The system call to get account information completed. CN=VMM01

Here are the two relevant inputs used in nxlog.conf:

    <Input InEvents>
        Module im_msvistalog
        Exec if $ObjectName =~ /\\Nimsoft\\probes\\/ drop();
    </Input>

    <Input VPXD>
        Module im_file
        File "C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-[0-9]*.log"
        SavePos TRUE
        ReadFromLast TRUE
        Exec $Message = 'vpxd' + $raw_event;
    </Input>

I'm guessing it's probably going to be something as simple as defining fields in nxlog, but I'm not really sure on that and am hoping someone else has come across this and has a solution or at least some pointers in the right direction.

Any help with this would be greatly appreciated!

Cheers,
Pete
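An added example, not from the thread, that builds and decodes a GELF 1.1 UDP payload so each part of a log line can be traced to the Graylog field it ends up in: GELF's `short_message` is what Graylog stores as `message`, and the optional `full_message` is stored under that name. The point it demonstrates is that the split is decided by the shipper, not by Graylog. One assumption is built in and labelled: when no `short_message` is supplied, the shipper sends the first 64 characters of the line. That length reproduces the first truncated sample in the post (the `vpxd` line is the post's own data) but is not verified nxlog behaviour, and the second sample in the post is two characters shorter, so treat it as a hypothesis to check rather than a diagnosis.

```python
# Added example, not from the thread: build and decode a GELF 1.1 UDP payload so
# each part of a log line can be traced to the Graylog field it lands in.
# short_message is what Graylog stores as "message"; full_message is optional
# and stored as "full_message". Assumption: when the shipper is not given a
# short_message explicitly it sends the first 64 characters of the line; that
# length reproduces the first truncated sample in the post but is not verified
# nxlog behaviour.
import json
import time
import zlib

SHORT_PREFIX_LEN = 64   # assumed shipper default, see above

# The vpxd line from the post.
SAMPLE_LINE = (
    "vpxd2015-06-24T10:36:18.302+10:00 info vpxd[10384] "
    "[Originator@6876 sub=vpxLro opID=opId-f89b4b1a-bd95-48fa-8193-d7f494ae37b2-3d-5a] "
    "[VpxLRO] -- FINISH task-internal-2506"
)


def build_gelf(line, host, short_message=None, extra=None, now=None):
    """Return a zlib-compressed GELF payload as a GELF UDP input accepts it."""
    payload = {
        "version": "1.1",
        "host": host,
        "short_message": line[:SHORT_PREFIX_LEN] if short_message is None else short_message,
        "full_message": line,
        "timestamp": time.time() if now is None else now,
        "level": 6,            # syslog informational
    }
    for key, value in (extra or {}).items():
        if key == "id":        # "_id" is reserved by the GELF spec
            continue
        payload["_" + key] = value
    return zlib.compress(json.dumps(payload).encode("utf-8"))


def decode_gelf(packet):
    """Inverse of build_gelf: decompress and parse the JSON document."""
    return json.loads(zlib.decompress(packet).decode("utf-8"))


def to_graylog_fields(gelf):
    """Map GELF keys to the field names Graylog shows for the message."""
    fields = {"message": gelf["short_message"], "source": gelf["host"]}
    if "full_message" in gelf:
        fields["full_message"] = gelf["full_message"]
    for key, value in gelf.items():
        if key.startswith("_"):           # additional fields lose the "_" prefix
            fields[key[1:]] = value
    return fields


if __name__ == "__main__":
    truncated = decode_gelf(build_gelf(SAMPLE_LINE, "vcenter01"))
    print(to_graylog_fields(truncated)["message"])   # 64-char prefix, as in the post
    whole = decode_gelf(build_gelf(SAMPLE_LINE, "vcenter01", short_message=SAMPLE_LINE))
    print(to_graylog_fields(whole)["message"])       # the complete line
```

The practical check this suggests is on the nxlog side: nxlog's GELF extension, as I read its documentation, fills `short_message` from a `$ShortMessage` field when one is set, so adding `Exec $ShortMessage = $Message;` next to the existing `Exec` line and comparing the resulting `message` field would confirm or rule out the shipper as the source of the truncation. Decoding a captured packet with `decode_gelf` shows the same thing without touching Graylog at all.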
[graylog2] Upgrade steps for deb based system 1.0.2 -- 1.1.3
Hello.
I've got a Graylog system running (Ubuntu 14.04) 1.0.2. I'm going to be upgrading, and have been unable to find any specific instructions. Do I need to do anything other than install the updated deb packages?
Thanks.
-Pete