[graylog2] Re: Dashboards problems
Hi Alex,

did you upgrade both, the Graylog server and the web interface, to version 1.1.5?

What kind of queries are you using in your dashboard widgets? Do those queries complete fast and at all if you enter them in the search bar? You can also click on the icon on the dashboard widgets to run those queries.

Cheers,
Jochen

On Wednesday, 29 July 2015 17:13:18 UTC+2, Alex B. wrote:
Problem remains after upgrading to 1.1.5

--
You received this message because you are subscribed to the Google Groups graylog2 group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[graylog2] Re: Drools rule example in graylog documentation does not work
I'm experiencing the same issue. I'm using the rules located here: http://www.virtualizetheworld.com/2014/04/graylog2-extractors-for-fortigate.html

What version are you running on?

root@graylog:/root# tail -f /var/log/graylog/server/current | grep rules
2015-07-29_18:12:11.32634 WARN [DroolsEngine] Unable to add rules due to compilation errors.
2015-07-29_18:12:11.32640 org.graylog2.rules.RulesCompilationException: Message [id=1, level=ERROR, path=r1.drl, line=5, column=0
2015-07-29_18:12:11.32647 at org.graylog2.rules.DroolsEngine.createKJar(DroolsEngine.java:221)
2015-07-29_18:12:11.32648 at org.graylog2.rules.DroolsEngine.createAndDeployJar(DroolsEngine.java:190)
2015-07-29_18:12:11.32648 at org.graylog2.rules.DroolsEngine.deployRules(DroolsEngine.java:165)
2015-07-29_18:12:11.32648 at org.graylog2.rules.DroolsEngine.commitRules(DroolsEngine.java:143)
2015-07-29_18:12:11.32649 at org.graylog2.rules.DroolsEngine.addRule(DroolsEngine.java:85)
2015-07-29_18:12:11.32649 at org.graylog2.rules.DroolsEngine.addRulesFromFile(DroolsEngine.java:98)
2015-07-29_18:12:11.32838 INFO [RulesEngineProvider] Unable to load rules due to load error: /etc/graylog2.drl
^C

[graylog2] Re: Drools rule example in graylog documentation does not work
I meant to reply here earlier. For some reason drools didn't like the syntax of the REGEX string I was using. I spun up a test environment so I could rapidly stop/start graylog and test the rules.

[graylog2] Check Graylog Node Status via API
This is possibly a little obscure but also possibly useful...

I've written a Nagios plugin (in Perl) to check the health of all my Graylog nodes but the one thing I can't seem to find how to check is the status of a Graylog node in relation to being able to connect to the MongoDB. I can check pretty much everything else I want to (eg. journal utilisation, messages in vs. out, etc.).

Essentially we have some funky network issues on occasion that will stop one or more nodes from talking to the MongoDB servers and they don't always recover, meaning one or more nodes will constantly report "Did not find meta info of this node. Re-registering." in the server.log. I can certainly run another stream in Graylog and alert on this but I'd much prefer to be able to get it from the API if this is possible.

Is there a function in the API already for this that I'm missing or should this be a feature request?

I realise the key here is fixing the funky network issues and I'm working on that in parallel :)

Cheers,
Pete

Re: [graylog2] TCP Syslog input channel restarting all the time?
Jason,

thank you for the report. We have a similar issue open: https://github.com/Graylog2/graylog2-server/issues/1105

We haven't been able to reproduce this. I will try again with your setup. Can you send us the syslog-ng configuration snippet for Graylog? That would be helpful.

Thanks,
Bernd

Jason Haar [Tue, Jul 28, 2015 at 07:37:54PM -0700] wrote:
Hi there

I'm using syslog-ng to feed in data via a syslog/TCP channel and it's continually (every 10 seconds) dropping the TCP channel - forcing syslog-ng to restart it

2015-07-29T02:26:31+00:00 syslog.server syslog notice syslog-ng[30512]: Syslog connection broken; fd='408', server='AF_INET(192.168.6.3:1514)', time_reopen='10'
2015-07-29T02:26:41+00:00 syslog.server syslog notice syslog-ng[30512]: Syslog connection established; fd='465', server='AF_INET(192.168.6.3:1514)', local='AF_INET(0.0.0.0:0)'
2015-07-29T02:26:41+00:00 syslog.server syslog notice syslog-ng[30512]: Syslog connection broken; fd='465', server='AF_INET(192.168.6.3:1514)', time_reopen='10'
2015-07-29T02:26:51+00:00 syslog.server syslog notice syslog-ng[30512]: Syslog connection established; fd='379', server='AF_INET(192.168.6.3:1514)', local='AF_INET(0.0.0.0:0)'
2015-07-29T02:26:51+00:00 syslog.server syslog notice syslog-ng[30512]: Syslog connection broken; fd='379', server='AF_INET(192.168.6.3:1514)', time_reopen='10'
2015-07-29T02:27:01+00:00 syslog.server syslog notice syslog-ng[30512]: Syslog connection established; fd='476', server='AF_INET(192.168.6.3:1514)', local='AF_INET(0.0.0.0:0)'
2015-07-29T02:27:02+00:00 syslog.server syslog notice syslog-ng[30512]: Syslog connection broken; fd='476', server='AF_INET(192.168.6.3:1514)', time_reopen='10'

tcpdump shows normal data flow followed by two TCP resets coming back from the graylog-1.1.5 server - so it's definitely graylog that's borking.

BTW, this system *is working*: I'm seeing these syslogs flowing in - can do searches/etc - but I assume I'm losing some records due to this issue.

I even created a xinetd.d based tcp service on the graylog server that just logged what it received to a file, configured the syslog server to send to both tcp channels - and it's running fine with no restarts (ie tcpdump of both ports only shows TCP resets on the graylog port not the xinetd port). So I think that implies it isn't the OS (CentOS-7)

Whatever the root cause is should be logged somewhere - can someone point out to me how to debug this?

Thanks
Jason

--
Developer

Tel.: +49 (0)40 609 452 077
Fax.: +49 (0)40 609 452 078

TORCH GmbH - A Graylog company
Steckelhörn 11
20457 Hamburg
Germany

Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Managing Director: Lennart Koopmann (CEO)

[graylog2] Re: how to use sessionid with rest api
Hi Jochen,

Many thanks for the prompt reply. It works exactly as you described it.

Best Regards,
Emde

On Tuesday, July 28, 2015 at 5:48:47 PM UTC+3, Jochen Schalanda wrote:
Hi,

the session handling of Graylog is kind of special (i. e. using a very custom mechanism). You'll have to use the session ID as user name and the special password "session" as credentials and send those as standard Authorization header (Basic Auth) to the Graylog server.

In the end your requests will look like http://${ SESSION_ID}:sess...@graylog.example.net:12900/foo/bar.

Cheers,
Jochen

On Tuesday, 28 July 2015 16:21:56 UTC+2, Emde wrote:
Hello,

I am accessing the REST API of Graylog from java. I want to use a sessionId to make the calls to the REST api without username and password. I haven't found any documentation reading how this should be set in order for graylog to accept it. I have tried the following and all of them return 401 Unauthorized:

URLConnection graylogConnection = graylogUrl.openConnection();
graylogConnection.setRequestProperty("sessionid", sessionId);
graylogConnection.setRequestProperty("session-id", sessionId);
graylogConnection.setRequestProperty("session_id", sessionId);
graylogConnection.setRequestProperty("id", sessionId);
graylogConnection.setRequestProperty("authorization", "Bearer " + sessionId);
graylogConnection.setRequestProperty("JSESSIONID", sessionId);
graylogConnection.setRequestProperty("Cookie", "JSESSIONID=" + sessionId);

I got the sessionId value from the system/sessions resource and it has a valid expiry date (it is not expired). I also tried all of the above with sessionId Base64 encoded.

Could anyone suggest how I should set the sessionId in order for graylog to accept it?

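The Basic Auth scheme described in this thread (session ID as user name, the fixed password "session"), written out for the Java client from the question. This is an added example, not code from the thread or from Graylog; the class name, the sample session ID and the timeouts are assumptions.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class GraylogSessionAuth {

    // Builds the Authorization header: user name = session ID,
    // password = the fixed string "session", joined and Base64-encoded.
    static String sessionAuthHeader(String sessionId) {
        if (sessionId == null || sessionId.isEmpty() || sessionId.indexOf(':') >= 0) {
            // A ':' in the user name would shift the user/password split.
            throw new IllegalArgumentException("invalid session ID");
        }
        byte[] pair = (sessionId + ":session").getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    // Sends a GET with the header set explicitly, so the session ID stays
    // out of the request URL and out of any log that records URLs.
    static int get(URL url, String sessionId) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Authorization", sessionAuthHeader(sessionId));
        conn.setRequestProperty("Accept", "application/json");
        conn.setConnectTimeout(5000); // assumed timeouts, in milliseconds
        conn.setReadTimeout(5000);
        try {
            return conn.getResponseCode(); // 401 = credentials not accepted
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample value, not a real session ID.
        String sessionId = "00000000-0000-0000-0000-000000000000";
        System.out.println(sessionAuthHeader(sessionId));
        if (args.length == 1) { // pass a full REST API URL to send a request
            System.out.println(get(URI.create(args[0]).toURL(), sessionId));
        }
    }
}
```

The session ID works as a bearer credential for as long as the session is valid, so treat the header value like a password when logging or storing requests.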
Re: [graylog2] Re: Index rotation problems
It looks like an index size issue, because new indexes are created faster than the retention process tries to remove old indexes. So, even with index size about 1M all looks good.

--
WBR,
Eugene Prokopiev

[graylog2] juniper ssg 140
I have set up my Juniper to send data in via syslog to my graylog server 1.1.5. I am seeing the data arrive via tcpdump on the destination server, but it is not ingested into graylog. I am using that same port to ingest other syslog data with no issues.

Where should I look next for troubleshooting this?

Cheers,
Leon