Re: [graylog2] is there a GELF over HTTPS option?

2015-09-01 Thread Kay Röpke
Hi Jason,

please check out the 1.2 RC we published earlier today:

https://www.graylog.org/announcing-graylog-1-2-rc/ 


It includes TLS support for HTTP as well as TCP keepalive. Each POST is still 
limited to a single GELF message, though.

Best,
Kay

> On 01 Sep 2015, at 02:33, Jason Haar  wrote:
> 
> Hi there
> 
> I just brought up a GELF HTTP Input channel and was surprised to see no
> HTTPS support (graylog-server 1.1.6). Is there some way of doing that?
> 
> Secondly, is this HTTP channel limited to one JSON record per request?
> ie can it be used to "stream" GELF - like the TCP and UDP channel can
> (eg using HTTP Keepalive) - or is it really designed for once-in-a-while
> web application transactions
> 
> Thanks
> 
> -- 
> Cheers
> 
> Jason Haar
> Corporate Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Graylog Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to graylog2+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/graylog2/55E4F256.50607%40trimble.com.
> For more options, visit https://groups.google.com/d/optout.

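Kay's answer means a client cannot stream GELF over one HTTPS connection the way the TCP input allows: every message is its own POST. The following is an added example (not Graylog's or Kay's code) of a minimal client that builds GELF 1.1 payloads, sends one per request and verifies the input's TLS certificate; the URL https://graylog.example.com:12201/gelf and the CA bundle path ca.pem are placeholders.

```python
"""Minimal GELF-over-HTTPS client (added example, not Graylog's own code).

Assumptions: a Graylog 1.2 GELF HTTP input with TLS enabled is reachable at
GELF_URL (placeholder) and its certificate chains to CA_FILE (placeholder).
"""
import json
import ssl
import time
import urllib.request

GELF_VERSION = "1.1"
GELF_URL = "https://graylog.example.com:12201/gelf"  # placeholder
CA_FILE = "ca.pem"                                    # placeholder


def build_gelf_message(host, short_message, level=6, full_message=None, **extra):
    """Return one GELF 1.1 payload as UTF-8 JSON bytes.

    GELF requires version, host and short_message; additional fields are
    prefixed with an underscore, and "_id" is reserved and rejected here.
    """
    msg = {
        "version": GELF_VERSION,
        "host": host,
        "short_message": short_message,
        "timestamp": time.time(),  # seconds since epoch, fractional allowed
        "level": level,            # syslog severity, 6 = informational
    }
    if full_message is not None:
        msg["full_message"] = full_message
    for key, value in extra.items():
        field = key if key.startswith("_") else "_" + key
        if field == "_id":
            raise ValueError('"_id" is reserved in GELF; rename the field')
        msg[field] = value
    return json.dumps(msg).encode("utf-8")


def decode_gelf(payload):
    """Parse a payload back into a dict (used to inspect what was built)."""
    return json.loads(payload.decode("utf-8"))


def batch_to_requests(host, messages):
    """The HTTP input takes one GELF message per POST, so N log lines become
    N request bodies; there is no newline-delimited framing as with GELF TCP."""
    return [build_gelf_message(host, m) for m in messages]


def post_gelf(payload, url=GELF_URL, cafile=CA_FILE):
    """POST one GELF message over TLS, verifying chain and hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        url, data=payload, method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
        return resp.status  # the GELF HTTP input answers 202 Accepted


if __name__ == "__main__":
    for body in batch_to_requests("web1", ["login failed for bob", "disk 91% full"]):
        print(post_gelf(body))
```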


[graylog2] Re: Autologin for Graylog Dashboard?

2015-09-01 Thread Drew Miranda
Hi Niklas,
You can configure the session timeout per user (e.g. never timeout) via 
System -> Users -> Timeout if that is of use to you.

Otherwise I think you would have to write a piece of code or script that 
could send the username/password as post data, but I'm not certain and 
haven't tested this.

If you think functionality should be added to address this, you can submit an 
idea on the idea portal here: https://www.graylog.org/product-ideas/

Hope that helps.

--Drew

On Tuesday, September 1, 2015 at 8:53:28 AM UTC-5, Niklas'ThYpHoOn' Grebe 
wrote:
>
> Hi,
>
> I was wondering if it would be possible to get rid of re-entering the 
> username/password credentials on our Graylog Dashboard after the session 
> got invalidated. Is there a way to put the username/password in the url to 
> automate this process? I don’t want to install a whole password manager just 
> for this.
>
>
>
> Greetings
>
> --
>
> *Niklas Grebe*
> *Backend Developer*
>
> *InnoGames GmbH*
>
> Friesenstraße 13 - 20097 Hamburg - Germany
> Tel +49 40 7889335-0
> Fax +49 40 7889335-200
>
> Managing Directors: Hendrik Klindworth, Eike Klindworth, Michael Zillmer
> VAT-ID: DE264068907 Amtsgericht Hamburg, HRB 108973
>
> *http://www.innogames.com *
>
>



[graylog2] Re: Graylog dashboard showing no messages for last 5 mins

2015-09-01 Thread Drew Miranda
Do your indices roll over due to retention policies where older 
indices are deleted? Also, does running "Recalculate Index Ranges" (System 
-> Indices -> Maintenance) help?


On Tuesday, September 1, 2015 at 8:32:43 AM UTC-5, Sriranga Kulkarni wrote:
>
> Need help: the graylog dashboard is not showing any messages for the last 5 mins, 
> whereas I am able to see messages for the last 15 mins. I used to get messages for 5 
> mins before but don't know what happened. 
>



[graylog2] Re: Huge gaps between the time stamp on Graylog server and actual logged items

2015-09-01 Thread Kevin Johnson
Hi Jochen,

I did not create an extractor to parse the access logs. I have set up 
extractors on other inputs.  How do I use the recognized date as the 
message timestamp?

On Tuesday, September 1, 2015 at 4:21:55 AM UTC-4, Jochen Schalanda wrote:
>
> Hi Kevin,
>
> did you create an extractor (e. g. a grok or a regex extractor) to parse 
> those access logs and use the recognized date as the message timestamp? If 
> so, what do those extractors look like?
>
>
> Cheers,
> Jochen
>
> On Tuesday, 1 September 2015 02:50:57 UTC+2, Kevin Johnson wrote:
>>
>> Hi Jochen,
>>
>> Below is a screen shot of some of the messages:
>>
>>
>>
>> I'm running the following script to send the log to the Graylog server.
>>
>> #!/bin/bash
>>
>> tail -F -q /u02/logs/php_error.log | 
>>
>> while read -r line ; 
>>
>> do echo 192.1681.1 $line |
>>
>> nc -w 1 -u 192.168.1.12 12409; 
>>
>> done;
>>
>>
>> On Monday, August 31, 2015 at 5:17:47 AM UTC-4, Jochen Schalanda wrote:
>>>
>>> Hi Kevin,
>>>
>>> could you please post some of the messages you send to Graylog and how 
>>> they are being parsed?
>>>
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Saturday, 29 August 2015 04:20:34 UTC+2, Kevin Johnson wrote:
>>>>
>>>> I set the root_timezone to EST, which all my servers are set to. 
>>>> Restarted Graylog.  Once again there is a huge gap in time between the 
>>>> Graylog time stamp and the actual time of the logs.  The time between them 
>>>> is well over 24 hrs.  When creating alerts, I receive them well after the 
>>>> fact. Is there anything I can tweak on the Graylog server to alleviate the 
>>>> huge gap in time?
>>>
>>>



[graylog2] Re: Define full_message extractor only when source=X

2015-09-01 Thread Drew Miranda
Looks like this is an idea submitted here:
https://graylog.ideas.aha.io/ideas/GL2E-I-436


On Thursday, August 13, 2015 at 12:16:27 PM UTC-5, Jesse Skrivseth wrote:
>
> Perhaps I'll need drools rules for this, but I want to run a key=value 
> tokenizer extractor on messages from a source matching a regex. Is this 
> possible? It seems in the UI the only option is extracting when the field 
> you are extracting from matches something. 
>



[graylog2] Re: Selecting range via histogram returns zero results (More Timezone woes?)

2015-09-01 Thread Werner van der Merwe
It did indeed!
Thanks very much

On Wednesday, September 2, 2015 at 1:31:19 PM UTC+12, Drew Miranda wrote:
>
> Does running "Recalculate Index Ranges" (System -> Indices -> Maintenance) 
> help?
>
> On Sunday, August 30, 2015 at 6:43:00 PM UTC-5, Werner van der Merwe wrote:
>>
>> Further Updates:
>> A relative search works 100%
>> Doing the same absolute search via Kibana, 2015-08-31 00:00:00 to 
>> 2015-08-31 10:00:00, gets 2.4M hits
>>
>> Doing an absolute search from 2015-08-29 21:05:54.000 +12:00 to 
>> 2015-08-31 11:07:00.000 +12:00 returns values with timestamps between 
>> 2015-08-29 21:05:57.000 and 2015-08-31 11:07:00.000, as expected.
>> Changing that down to 2015-08-30 21:05:54.000 +12:00 to 2015-08-31 
>> 11:07:00.000 +12:00 returns zero values.  (?!?!?)
>>
>>
>>>



[graylog2] Re: Huge gaps between the time stamp on Graylog server and actual logged items

2015-09-01 Thread Jochen Schalanda
Hi Kevin,

you can extract the date from the log messages with a regex extractor and 
afterwards use a date or flexdate converter (see 
http://docs.graylog.org/en/1.1/pages/extractors.html#normalization) to 
convert it to an actual timestamp which you store in the timestamp field of 
your message. Otherwise the receive date of the raw text message will be 
used as message timestamp.

Cheers,
Jochen

On Tuesday, 1 September 2015 22:55:04 UTC+2, Kevin Johnson wrote:
>
> Hi Jochen,
>
> I did not create an extractor to parse the access logs. I have set up 
> extractors on other inputs.  How do I use the recognized date as the 
> message timestamp?
>
> On Tuesday, September 1, 2015 at 4:21:55 AM UTC-4, Jochen Schalanda wrote:
>>
>> Hi Kevin,
>>
>> did you create an extractor (e. g. a grok or a regex extractor) to parse 
>> those access logs and use the recognized date as the message timestamp? If 
>> so, what do those extractors look like?
>>
>>
>> Cheers,
>> Jochen
>>
>> On Tuesday, 1 September 2015 02:50:57 UTC+2, Kevin Johnson wrote:
>>>
>>> Hi Jochen,
>>>
>>> Below is a screen shot of some of the messages:
>>>
>>>
>>>
>>> I'm running the following script to send the log to the Graylog server.
>>>
>>> #!/bin/bash
>>>
>>> tail -F -q /u02/logs/php_error.log | 
>>>
>>> while read -r line ; 
>>>
>>> do echo 192.1681.1 $line |
>>>
>>> nc -w 1 -u 192.168.1.12 12409; 
>>>
>>> done;
>>>
>>>
>>> On Monday, August 31, 2015 at 5:17:47 AM UTC-4, Jochen Schalanda wrote:
>>>>
>>>> Hi Kevin,
>>>>
>>>> could you please post some of the messages you send to Graylog and how 
>>>> they are being parsed?
>>>>
>>>>
>>>> Cheers,
>>>> Jochen
>>>>
>>>> On Saturday, 29 August 2015 04:20:34 UTC+2, Kevin Johnson wrote:
>>>>>
>>>>> I set the root_timezone to EST, which all my servers are set to. 
>>>>> Restarted Graylog.  Once again there is a huge gap in time between the 
>>>>> Graylog time stamp and the actual time of the logs.  The time between them 
>>>>> is well over 24 hrs.  When creating alerts, I receive them well after the 
>>>>> fact. Is there anything I can tweak on the Graylog server to alleviate the 
>>>>> huge gap in time?



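To make Jochen's suggestion concrete, here is an added example (not Graylog's extractor code) that emulates a regex extractor plus date converter on constructed Apache-style access-log lines, shows the fallback to the receive time when nothing matches, and computes the resulting gap between event time and receive time; the regex and date pattern are assumptions for that log format, not values from the thread.

```python
"""Emulate a Graylog regex extractor + date converter (added example).

The log lines below are constructed samples. The regex and DATE_FORMAT are
assumptions for Apache-style "[30/Aug/2015:09:15:00 -0400]" timestamps;
Graylog's own converter uses a Joda-Time pattern rather than strptime.
"""
import re
from datetime import datetime, timezone

# Regex extractor: the single capture group is what the converter receives.
TIMESTAMP_RE = re.compile(
    r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
# Date converter pattern; %z keeps the log's own UTC offset, so no guessing
# of the server's root_timezone is needed for lines that carry an offset.
DATE_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample input: one parseable access-log line, one line without
# any timestamp (like a bare php_error line forwarded via nc).
SAMPLE_LINES = [
    '192.168.1.50 - - [30/Aug/2015:09:15:00 -0400] "GET /index.php HTTP/1.1" 200 512',
    "PHP Warning:  Undefined variable $x in /var/www/index.php on line 12",
]
# Constructed receive time (when Graylog saw the messages), in UTC.
DEFAULT_RECEIVED_AT = datetime(2015, 9, 1, 14, 0, tzinfo=timezone.utc)


def extract_timestamp(line):
    """Run the 'extractor': return an aware datetime, or None on no match."""
    m = TIMESTAMP_RE.search(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), DATE_FORMAT)


def build_message(line, received_at):
    """Mimic Graylog: store the extracted date in 'timestamp' when the
    extractor matched, otherwise fall back to the receive time."""
    extracted = extract_timestamp(line)
    return {
        "message": line,
        "timestamp": extracted if extracted else received_at,
        "timestamp_source": "log" if extracted else "receive",
    }


def gap_seconds(msg, received_at):
    """Seconds between the event and its arrival at Graylog; a large value
    is why alerts fire long after the fact when timestamps are not extracted."""
    return (received_at - msg["timestamp"]).total_seconds()


def demo(received_at=DEFAULT_RECEIVED_AT):
    """Process the sample lines and return the resulting messages."""
    return [build_message(line, received_at) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for msg in demo():
        print(msg["timestamp_source"], msg["timestamp"].isoformat(),
              gap_seconds(msg, DEFAULT_RECEIVED_AT))
```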


[graylog2] Re: Service graylog2-server shuts down after start of CentOS

2015-09-01 Thread Karl Schleifenbaum
Hi Drew, thanks for getting me started on searching the logs. Finally I managed to 
get the latest graylog running.
The problem turned out to be several things:
- etc/graylog/web/web.conf (missing password secret)
- etc/graylog/server/server.conf (missing password secret and 
root_password_sha2)
- Java 1.7 wasn't sufficient, as the web interface log itself mentioned that 
it has a serious bug which causes it to shut down. I installed Java 1.8:

cd /opt

wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u60-b27/jdk-8u60-linux-x64.rpm"

wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u60-b27/jre-8u60-linux-x64.rpm"

Then I could start a GELF HTTP input and happily send in messages :)

Now with Java 1.8 when hitting "service graylog-server start" Java 
complains with:
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option PermSize=128m; 
support was removed in 8.0
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option 
MaxPermSize=256m; support was removed in 8.0
Maybe that's important for your development.

Thanks for this great tool :)



[graylog2] Re: Huge gaps between the time stamp on Graylog server and actual logged items

2015-09-01 Thread Jochen Schalanda
Hi Kevin,

did you create an extractor (e. g. a grok or a regex extractor) to parse 
those access logs and use the recognized date as the message timestamp? If 
so, what do those extractors look like?


Cheers,
Jochen

On Tuesday, 1 September 2015 02:50:57 UTC+2, Kevin Johnson wrote:
>
> Hi Jochen,
>
> Below is a screen shot of some of the messages:
>
>
>
> I'm running the following script to send the log to the Graylog server.
>
> #!/bin/bash
>
> tail -F -q /u02/logs/php_error.log | 
>
> while read -r line ; 
>
> do echo 192.1681.1 $line |
>
> nc -w 1 -u 192.168.1.12 12409; 
>
> done;
>
>
> On Monday, August 31, 2015 at 5:17:47 AM UTC-4, Jochen Schalanda wrote:
>>
>> Hi Kevin,
>>
>> could you please post some of the messages you send to Graylog and how 
>> they are being parsed?
>>
>>
>> Cheers,
>> Jochen
>>
>> On Saturday, 29 August 2015 04:20:34 UTC+2, Kevin Johnson wrote:
>>>
>>> I set the root_timezone to EST, which all my servers are set to. 
>>> Restarted Graylog.  Once again there is a huge gap in time between the 
>>> Graylog time stamp and the actual time of the logs.  The time between them 
>>> is well over 24 hrs.  When creating alerts, I receive them well after the 
>>> fact. Is there anything I can tweak on the Graylog server to alleviate the huge 
>>> gap in time?
>>
>>



[graylog2] Re: Syslog UDP Input

2015-09-01 Thread daniel . schindler73
HI Jason,

that was helpful, thank you very much.

Regards

Daniel

On Wednesday, 26 August 2015 15:04:37 UTC+2, 
daniel.sc...@googlemail.com wrote:
>
> Hello,
>
> The first step I tried on my new graylog server was to create a Syslog UDP 
> Input, in order to be able to receive 
> syslog messages on the graylog server.
>
> I went to System Menu->Inputs, chose Syslog UDP Input from the drop 
> down menu and clicked
> on Launch new input.
>
> I gave the following information:
>
> Title: syslog
> Port: 514
> Bind address: (IP from graylog server)
>
> Then I clicked Launch. After that I received a new notification that the 
> permission is denied.
>
> I don't know where to check. Does anyone have an idea how to fix this?
>
> Regards
>
> Daniel
>



[graylog2] /etc/issue is being overwritten

2015-09-01 Thread daniel . schindler73
Hi All,

I changed the contents of /etc/issue and customized it a little bit.

After a reboot the changes are lost.

How can I prevent this file from being overwritten so that my personal 
changes are kept?
Or is this the wrong file?

Regards

Daniel



[graylog2] Alerts never triggered

2015-09-01 Thread Jose Luis Gordo Romero


Hi,

I have a 1.1.6 updated install (from 1.1rc), and in some update (I can't 
remember which) alerts stopped working (never triggered).

I reviewed the mongo collections and server conf (compared with a fresh install), 
the server.log, ... (nothing different).

So having a stream with +- 20 msg/sec, I configured this alert:

   - Alert is triggered when there is more than 1 message in the last 
   minute. Grace period: 60 minutes. Including last message in alert 
   notification.
   - Send an email (Send test alert works)

And the result is that nothing happens: "This stream has never triggered an 
alert."

Also tested on different streams (old and newly created); I'm going a bit crazy 
(on a fresh 1.1.6 with the same Ubuntu version and Graylog version/repo it 
works). What can I do?

Best Regards



[graylog2] Re: /etc/issue is being overwritten

2015-09-01 Thread daniel . schindler73
Hi Jochen,

the OVA Image.

Regards

Daniel


On Tuesday, 1 September 2015 12:40:16 UTC+2, 
daniel.sc...@googlemail.com wrote:
>
> Hi All,
>
> I changed the contents of /etc/issue and customized it a little bit.
>
> After a reboot the changes are lost.
>
> How can I prevent this file from being overwritten so that my personal 
> changes are kept?
> Or is this the wrong file?
>
> Regards
>
> Daniel
>



[graylog2] Autologin for Graylog Dashboard?

2015-09-01 Thread Niklas Grebe
Hi,

I was wondering if it would be possible to get rid of re-entering the 
username/password credentials on our Graylog Dashboard after the session got 
invalidated. Is there a way to put the username/password in the url to automate 
this process? I don’t want to install a whole password manager just for this.



Greetings
--
Niklas Grebe
Backend Developer
InnoGames GmbH
Friesenstraße 13 - 20097 Hamburg - Germany
Tel +49 40 7889335-0
Fax +49 40 7889335-200
Managing Directors: Hendrik Klindworth, Eike Klindworth, Michael Zillmer
VAT-ID: DE264068907 Amtsgericht Hamburg, HRB 108973
http://www.innogames.com 



[graylog2] Graylog dashboard showing no messages for last 5 mins

2015-09-01 Thread Sriranga Kulkarni
Need help: the graylog dashboard is not showing any messages for the last 5 mins, 
whereas I am able to see messages for the last 15 mins. I used to get messages for 5 
mins before but don't know what happened. 
