[graylog2] How To Handle Messages With Incorrect Formats

2016-04-28 Thread Jacob
Hello,

I'm having a problem with the format of syslog messages sent from an Aruba 
Instant device. 
The following is a sample message:

Apr 28 21:43:59 *2016* 192.168.110.240 stm[1789]: <304055>  
<###> |ap| Unexpected stm (Station management) runtime error at 
wifi_mgmt_recv_frame, 7565, wifi_mgmt_recv_frame:7565: NULL src-mac, frame 
type=0, subtype=15

The problem has to do with the year, in this case 2016, that is in the 
message. This causes Graylog to incorrectly identify the various fields. 
For example, the source becomes the year, the application_name becomes the 
host/IP address, etc.

I cannot change the format of the message that the Aruba device sends. I 
need to strip the year from the message and that should fix this issue. Can 
I accomplish this using Graylog?

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/22fe13b6-ce97-46ea-8f7e-729e5887c778%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
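
The field shift described in this post, and the effect of removing the year before parsing, as an added example that is not part of the original post. It uses a simplified BSD-syslog (RFC 3164-style) header parser written for illustration, not Graylog's own parser; the function names are hypothetical, and the sample line is the one from the post with the list's `*` emphasis removed.

```python
import re

# Sample line from the post, re-joined onto one line, emphasis asterisks removed.
SAMPLE = (
    "Apr 28 21:43:59 2016 192.168.110.240 stm[1789]: <304055> <###> |ap| "
    "Unexpected stm (Station management) runtime error at "
    "wifi_mgmt_recv_frame, 7565, wifi_mgmt_recv_frame:7565: NULL src-mac, "
    "frame type=0, subtype=15"
)

# BSD-syslog timestamp: "Mmm dd hh:mm:ss" (day may be space-padded).
TIME = r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}"

# Simplified header layout: [<PRI>]TIMESTAMP HOSTNAME TAG[PID]: MESSAGE
HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>" + TIME + r") "
    r"(?P<source>\S+) "
    r"(?P<application_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<message>.*)$",
    re.DOTALL,
)

# A four-digit year sitting directly after the time. Anchored to the start of
# the line so numbers in the message body (e.g. "7565") are never touched.
# Caveat: a sender whose hostname is itself a year-like number would be
# mangled, so apply this only to the devices known to emit the extra year.
YEAR_AFTER_TIME = re.compile(
    r"^(?P<head>(?:<\d{1,3}>)?" + TIME + r") (?P<year>(?:19|20)\d{2}) (?=\S)"
)


def parse(line):
    """Split a line into header fields; None if it does not look like syslog."""
    m = HEADER.match(line)
    return m.groupdict() if m else None


def strip_year(line):
    """Return (line without the extra year, the year or None if absent)."""
    m = YEAR_AFTER_TIME.match(line)
    if not m:
        return line, None
    return m.group("head") + " " + line[m.end():], m.group("year")


def normalize(line):
    """Strip the year, parse, and keep the year as its own field."""
    fixed, year = strip_year(line)
    fields = parse(fixed)
    if fields is not None:
        fields["year"] = year  # the bare timestamp carries no year of its own
    return fields


if __name__ == "__main__":
    for label, fields in (("as sent", parse(SAMPLE)), ("normalized", normalize(SAMPLE))):
        print(label)
        for key in ("timestamp", "source", "application_name", "pid"):
            print("  {:<17} {}".format(key, fields[key]))
```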


[graylog2] Unable to start graylog-2.0.0-1.ova using oracle vm box in windows server 2008 R2 standard

2016-04-28 Thread nikhil shetty
Hi,

I am trying to start graylog-2.0.0-1.ova using Oracle 
VirtualBox-5.0.18-106667-Win on Windows Server 2008 R2 Standard.

When I hit the start button on the VM, Graylog is up with just a black 
blank screen. (PFA)

How do I start the virtual Graylog Ubuntu OS?



[graylog2] How to access field value in pipeline rules

2016-04-28 Thread Ross
Hi-

I'm trying to create a pipeline to send messages to another stream based on 
the application that generated it. In the message, that's represented in 
the tag field. All I need is a simple string comparison, but I can't figure 
out how to access the actual values of the fields. I've tried the following 
two rules to no avail:

rule "app_1_tomcat"
when
  contains(to_string(message.tag), "tomcat")
then
  route_to_stream("App 1 Tomcat");
end

rule "app_1_tomcat"
when
  message.tag == "tomcat"
then
  route_to_stream("App 1 Tomcat");
end

The stream that is attached to this pipeline only matches on App 1, the 
pipeline is only attached to that stream, and one of the above rules is the 
only rule attached to the pipeline. What am I missing?

Let me know if there's any information I can fill in.

-Ross



[graylog2] Re: GELF TCP option for collectors

2016-04-28 Thread Michael Taylor
Are you guys following Github or the product ideas page more closely now? 
Most of the posts on https://www.graylog.org/pages/product_ideas are months 
old.

On Wednesday, April 27, 2016 at 3:12:46 AM UTC-4, Jochen Schalanda wrote:
>
> Hi Michael,
>
> the collector sidecar in Graylog 2.0.0 is the very first release and it's 
> certainly missing some features.
>
> Please file a feature request at 
> https://github.com/Graylog2/graylog-plugin-collector/issues if you need 
> support for GELF via TCP in the nxlog support of the collector sidecar.
>
> Of course you can always configure nxlog manually to use GELF via TCP 
> instead of using the collector sidecar. But filing that feature request 
> surely won't hurt. ;-)
>
> Cheers,
> Jochen
>
> On Tuesday, 26 April 2016 22:00:28 UTC+2, Michael Taylor wrote:
>>
>> I try to use TCP with GELF on all my nxlog collectors on my Windows 
>> servers, so that if Graylog goes down the servers know the connection is 
>> gone and they hold their messages until they can connect to it again. Then 
>> they dump all their backlogged messages to Graylog and I don't lose any 
>> messages from the downtime.
>>
>> Is there a reason GELF uses UDP by default, and it's not an option at all 
>> for collector outputs in the sidecar configuration? Am I misunderstanding 
>> how GELF uses TCP? Can we get GELF TCP as an option for the sidecar 
>> collectors?
>>
>>
>>



[graylog2] Switching to whitespace analyzer

2016-04-28 Thread Dilip Muthukrishnan
I'm trying to change the analyzer from "standard" to "whitespace".  I've 
set the following property in my Graylog server configuration:

elasticsearch_analyzer = whitespace

It states that my change will be applied to new indices so I manually 
cycled the deflector so that it is now pointing to graylog2_1 (previously 
graylog2_0).  However, the new index still uses the "standard" analyzer 
based on the mapping in Elasticsearch:

"message" : {
  "type" : "string",
  "analyzer" : "standard"
},


How do I change the analyzer?



[graylog2] Re: graylog-server-2.0.0-5 installation guide for CentOS 7 ?

2016-04-28 Thread T.J. Yang


On Thursday, April 28, 2016 at 1:12:40 PM UTC-5, T.J. Yang wrote:
>
> Hi there
>
> Is there a similar graylog2 centos 6 guide 
> 
>  
> but for centos 7 ?
>
> After some google search, I found this one is pretty close except no need 
for graylog web interface part.

http://www.itzgeek.com/how-tos/linux/centos-how-tos/how-to-install-graylog2-on-centos-7-rhel-7.html
 



[graylog2] Re: Extraction Help

2016-04-28 Thread Peter Krammer
Hi Henrik,

Thank you very much, that looks perfect =)
I will try it out as soon as I can. 

best regards,
Peter



[graylog2] Re: Elasticsearch 2.0.0-5 Client announcing wrong URI

2016-04-28 Thread Bryan Vukich
Hello Jochen,

I have elasticsearch_network_host, elasticsearch_network_bind_host, 
and elasticsearch_network_publish_host all set.  Basically anywhere I could 
specify an IP I did so to try and get this working.  They didn't appear to 
have any impact.

Thank you,

Bryan



On Thursday, April 28, 2016 at 2:39:21 AM UTC-5, Jochen Schalanda wrote:
>
> Hi Bryan,
>
> you can manually set the IP address for the embedded Elasticsearch 
> instance in Graylog using the elasticsearch_network_host setting in the 
> configuration file (see 
> https://github.com/Graylog2/graylog2-server/blob/2.0.0/misc/graylog.conf#L187-L192)
>  
> if the automatically discovered IP address isn't correct.
>
> Regarding the web_listen_uri and rest_listen_uri settings, their default 
> value is http://127.0.0.1:9000/ and http://127.0.0.1:12900/ respectively, 
> to avoid accidentally listening on a public interface.
>
>
> Cheers,
> Jochen
>
> On Wednesday, 27 April 2016 22:55:58 UTC+2, Bryan Vukich wrote:
>>
>> Centos 7
>> graylog-server.noarch2.0.0-5
>> elasticsearch.noarch2.3.2-1
>> Both from yum repositories.
>>
>> Graylog-server and Elasticsearch are installed on two different servers. 
>>  When graylog tries to connect to es it appears to be telling es to connect 
>> back on the wrong IP.  I'm seeing the following log on the graylog server:
>>
>>
>> 2016-04-27T14:52:12.246-05:00 INFO  [zen] 
>> [graylog-71192b15-8a49-4f65-847f-cc62028fa176] failed to send join request 
>> to master 
>> [{Scarecrow}{PQaL_Ar1QW6ZLtuGHPWnZw}{10.100.10.222}{10.100.10.222:9300}], 
>> reason 
>> [RemoteTransportException[[Scarecrow][10.100.10.222:9300][internal:discovery/zen/join]];
>>  
>> nested: 
>> ConnectTransportException[[graylog-71192b15-8a49-4f65-847f-cc62028fa176][
>> 127.0.0.1:9350] connect_timeout[30s]]; nested: 
>> NotSerializableExceptionWrapper[connect_exception: Connection refused: /
>> 127.0.0.1:9350]; ]
>>
>>
>> There doesn't appear to be anywhere in the server.conf that sets a listen 
>> or announce IP for the es client, although there is one to override the 
>> default port of 9350.  
>>
>> [root@HRTV-GSW001 ~]# ss -ln | grep 9350
>> tcpLISTEN 0  50 :::127.0.0.1:9350 
>> :::*  
>> tcpLISTEN 0  50  ::1:9350 :::*
>>
>>
>> I should note the web interface and API bind addresses were also 
>> autodiscovered incorrectly (by default only listen on 127.0.0.1), and 
>> needed to be set manually.  They did not need to be set manually on 
>> graylog-server 1.3.4.  
>>
>> I was able to make it work by creating an SSH tunnel from the ES box to 
>> the graylog box.  
>>
>>
>> ssh -L 9350:localhost:9350 root@HRTV-GSW001
>>
>>
>> Any thoughts?
>>
>



[graylog2] Re: [Upgrade] 1.3.4 to 2.0

2016-04-28 Thread kaiser
Ok Thank you Jochen



[graylog2] Re: Unexpected Index rotation

2016-04-28 Thread Mike Daoust
Does Graylog have a recommended way of handling clusters with multiple 
graylog-server nodes and master elections?
I lost a pretty large chunk of data yesterday due to multiple masters 
creating multiple indexes per day and causing indexes to roll off.  Luckily 
this was not customer data so other than egg on my face it wasn't a big 
deal but I could see where this could accidentally cause some big problems.



[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-28 Thread Drew Miranda
It looks like v2 is now fully released. Any idea on how I can get this 
working? Is it a bug?

On Friday, April 15, 2016 at 7:43:32 AM UTC-5, Drew Miranda wrote:
>
> I tested removing the extra characters before BEGIN
>
> This STILL did not help. I'm at a loss.
>



[graylog2] Re: any scripts for deleting messages containing fields with dots?

2016-04-28 Thread Jochen Schalanda
Hi Daniel,

you could use the Elasticsearch Update API and the integrated scripting 
for this.

See 
https://stackoverflow.com/questions/29002215/remove-a-field-from-a-elasticsearch-document 
for a rough idea how to delete a field from one document. You would need to 
retrieve all document IDs and iterate over them, e.g. in a small script. 
Also make sure to "optimize" ("force merge" in Elasticsearch 2.x, see 
https://www.elastic.co/guide/en/elasticsearch/reference/1.7/indices-optimize.html) 
the updated indices after the modifications.

Cheers,
Jochen

On Thursday, 28 April 2016 10:31:35 UTC+2, Daniel Kamiński wrote:
>
> Hello
> I was playing with snmp some time ago, it created multiple *fields with 
> dots*. Now new ES doesn't support dots in field names so I cannot 
> upgrade to graylog 2.0. Messages with those fields contain *no valuable 
> data*, so I'd like to *delete* them from a few past indices (yes, I know, I 
> have to *unlock* them first). Is there any ES magic I can use to do this 
> semi-automatically or do I have to parse the mapping json for fields (this 
> is the `jq` query I came up with for now: 
> `.graylog_158.mappings.message.properties|keys|map(match(".*\\..*"))[].string`) 
> and delete every message containing the fields the parsing spits out? 
> (_exists_: doesn't seem to work with wildcards)
>
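
The first half of the "small script" mentioned in this reply, as an added example that is not part of the original thread: it finds the dotted field names in an index mapping (the same lookup as the `jq` query in the quoted question, across every index and type) and builds one Update API request body per document that removes them. The mapping below is constructed sample data, the function names are hypothetical, and the script text assumes the `ctx._source.remove(...)` form from the Elasticsearch Update API documentation with scripting enabled.

```python
import json

# Constructed sample, shaped like the mapping the jq path in the post walks:
# <index> -> mappings -> <type> -> properties -> <field name>
SAMPLE_MAPPING = {
    "graylog_158": {"mappings": {"message": {"properties": {
        "message": {"type": "string", "analyzer": "standard"},
        "source": {"type": "string"},
        "iso.org.dod.internet.1": {"type": "string"},
        "snmp.sysUpTime": {"type": "long"},
    }}}},
    "graylog_159": {"mappings": {"message": {"properties": {
        "message": {"type": "string", "analyzer": "standard"},
    }}}},
}


def dotted_fields(mapping):
    """Return {index: sorted dotted field names}; clean indices are omitted."""
    found = {}
    for index, body in mapping.items():
        names = set()
        for type_body in body.get("mappings", {}).values():
            names.update(n for n in type_body.get("properties", {}) if "." in n)
        if names:
            found[index] = sorted(names)
    return found


def removal_body(fields):
    """JSON body for an Update API call that drops each field from _source."""
    # json.dumps() quotes and escapes the field name as a string literal.
    statements = ["ctx._source.remove({})".format(json.dumps(f)) for f in fields]
    return json.dumps({"script": "; ".join(statements)})


if __name__ == "__main__":
    for index, fields in sorted(dotted_fields(SAMPLE_MAPPING).items()):
        print(index, fields)
        print(removal_body(fields))
```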



[graylog2] Re: Elasticsearch 2.0.0-5 Client announcing wrong URI

2016-04-28 Thread Jochen Schalanda
Hi Thomas,

On Thursday, 28 April 2016 11:20:45 UTC+2, Fachi Son wrote:
>
> Setting elasticsearch_network_host won't make any difference.
>

 What exactly does that mean? To which value did you set the 
elasticsearch_network_host configuration setting and what's the current 
error message regarding Elasticsearch?

The web interface and Graylog REST API stuff can be solved by properly 
setting rest_listen_uri and web_listen_uri, see 
http://docs.graylog.org/en/2.0/pages/configuring_webif.html.

Cheers,
Jochen



Re: [graylog2] Issue with new graylog 2.0 virtual appliance

2016-04-28 Thread Edmundo Alvarez
Sounds weird, but I'm glad that it's working now. Please write if it happens 
again, so we can look more into it.

Regards,
Edmundo

> On 28 Apr 2016, at 16:17, David Gerdeman  wrote:
> 
> I guess it was just some lag in the update process...When I went back to the 
> webpage to check for JS errors and the like, every input I created was in the 
> list, with most of them in the failed state because the port was taken by the 
> first instance to start.  Looks like it fixed itself.
> 
> Thanks
> 
> On Thursday, April 28, 2016 at 8:59:46 AM UTC-5, Edmundo Alvarez wrote:
> Hi David, 
> 
> The issue sounds quite odd. Were there errors in your Graylog server logs or 
> browser's JS console when creating the input? Also, did you try restarting 
> your Graylog server to see if the input appears in the list? 
> 
> Regards, 
> Edmundo 
> 
> > On 28 Apr 2016, at 15:42, David Gerdeman  wrote: 
> > 
> > I'm having an issue on a fresh virtual appliance of graylog v2.  When 
> > launching a new input (gelf udp on port 7), I get a message saying that 
> > adding the new input was successful, but the input never shows up on the 
> > inputs page of the web portal, or in the list of inputs returned in the API 
> > browser.  Only the default inputs exist at this point.  Oddly enough, it 
> > seems to be receiving messages sent to port 7 and processing them 
> > correctly.  Any thoughts on this issue and how it might be fixed? 
> > 
> > Thanks! 
> > 



Re: [graylog2] Issue with new graylog 2.0 virtual appliance

2016-04-28 Thread David Gerdeman
I guess it was just some lag in the update process...When I went back to 
the webpage to check for JS errors and the like, every input I created was 
in the list, with most of them in the failed state because the port was 
taken by the first instance to start.  Looks like it fixed itself.

Thanks

On Thursday, April 28, 2016 at 8:59:46 AM UTC-5, Edmundo Alvarez wrote:
>
> Hi David, 
>
> The issue sounds quite odd. Were there errors in your Graylog server logs 
> or browser's JS console when creating the input? Also, did you try 
> restarting your Graylog server to see if the input appears in the list? 
>
> Regards, 
> Edmundo 
>
> > On 28 Apr 2016, at 15:42, David Gerdeman  > wrote: 
> > 
> > I'm having an issue on a fresh virtual appliance of graylog v2.  When 
> launching a new input (gelf udp on port 7), I get a message saying that 
> adding the new input was successful, but the input never shows up on the 
> inputs page of the web portal, or in the list of inputs returned in the API 
> browser.  Only the default inputs exist at this point.  Oddly enough, it 
> seems to be receiving messages sent to port 7 and processing them 
> correctly.  Any thoughts on this issue and how it might be fixed? 
> > 
> > Thanks! 
> > 
>
>



Re: [graylog2] Issue with new graylog 2.0 virtual appliance

2016-04-28 Thread Edmundo Alvarez
Hi David,

The issue sounds quite odd. Were there errors in your Graylog server logs or 
browser's JS console when creating the input? Also, did you try restarting your 
Graylog server to see if the input appears in the list?

Regards,
Edmundo

> On 28 Apr 2016, at 15:42, David Gerdeman  wrote:
> 
> I'm having an issue on a fresh virtual appliance of graylog v2.  When 
> launching a new input (gelf udp on port 7), I get a message saying that 
> adding the new input was successful, but the input never shows up on the 
> inputs page of the web portal, or in the list of inputs returned in the API 
> browser.  Only the default inputs exist at this point.  Oddly enough, it 
> seems to be receiving messages sent to port 7 and processing them 
> correctly.  Any thoughts on this issue and how it might be fixed?
> 
> Thanks!
> 



[graylog2] Issue with new graylog 2.0 virtual appliance

2016-04-28 Thread David Gerdeman
I'm having an issue on a fresh virtual appliance of graylog v2.  When 
launching a new input (gelf udp on port 7), I get a message saying that 
adding the new input was successful, but the input never shows up on the 
inputs page of the web portal, or in the list of inputs returned in the API 
browser.  Only the default inputs exist at this point.  Oddly enough, it 
seems to be receiving messages sent to port 7 and processing them 
correctly.  Any thoughts on this issue and how it might be fixed?

Thanks!



[graylog2] Re: Elasticsearch 2.0.0-5 Client announcing wrong URI

2016-04-28 Thread Obie
The defaults in my setup use an IP of 0.0.0.0.

On Thursday, April 28, 2016 at 3:39:21 AM UTC-4, Jochen Schalanda wrote:
>
> Hi Bryan,
>
> you can manually set the IP address for the embedded Elasticsearch 
> instance in Graylog using the elasticsearch_network_host setting in the 
> configuration file (see 
> https://github.com/Graylog2/graylog2-server/blob/2.0.0/misc/graylog.conf#L187-L192)
>  
> if the automatically discovered IP address isn't correct.
>
> Regarding the web_listen_uri and rest_listen_uri settings, their default 
> value is http://127.0.0.1:9000/ and http://127.0.0.1:12900/ respectively, 
> to avoid accidentally listening on a public interface.
>
>
> Cheers,
> Jochen
>
> On Wednesday, 27 April 2016 22:55:58 UTC+2, Bryan Vukich wrote:
>>
>> Centos 7
>> graylog-server.noarch2.0.0-5
>> elasticsearch.noarch2.3.2-1
>> Both from yum repositories.
>>
>> Graylog-server and Elasticsearch are installed on two different servers. 
>>  When graylog tries to connect to es it appears to be telling es to connect 
>> back on the wrong IP.  I'm seeing the following log on the graylog server:
>>
>>
>> 2016-04-27T14:52:12.246-05:00 INFO  [zen] 
>> [graylog-71192b15-8a49-4f65-847f-cc62028fa176] failed to send join request 
>> to master 
>> [{Scarecrow}{PQaL_Ar1QW6ZLtuGHPWnZw}{10.100.10.222}{10.100.10.222:9300}], 
>> reason 
>> [RemoteTransportException[[Scarecrow][10.100.10.222:9300][internal:discovery/zen/join]];
>>  
>> nested: 
>> ConnectTransportException[[graylog-71192b15-8a49-4f65-847f-cc62028fa176][
>> 127.0.0.1:9350] connect_timeout[30s]]; nested: 
>> NotSerializableExceptionWrapper[connect_exception: Connection refused: /
>> 127.0.0.1:9350]; ]
>>
>>
>> There doesn't appear to be anywhere in the server.conf that sets a listen 
>> or announce IP for the es client, although there is one to override the 
>> default port of 9350.  
>>
>> [root@HRTV-GSW001 ~]# ss -ln | grep 9350
>> tcpLISTEN 0  50 :::127.0.0.1:9350 
>> :::*  
>> tcpLISTEN 0  50  ::1:9350 :::*
>>
>>
>> I should note the web interface and API bind addresses were also 
>> autodiscovered incorrectly (by default only listen on 127.0.0.1), and 
>> needed to be set manually.  They did not need to be set manually on 
>> graylog-server 1.3.4.  
>>
>> I was able to make it work by creating an SSH tunnel from the ES box to 
>> the graylog box.  
>>
>>
>> ssh -L 9350:localhost:9350 root@HRTV-GSW001
>>
>>
>> Any thoughts?
>>
>



[graylog2] Re: SSL setup making website unavailable

2016-04-28 Thread Obie
Sorry for the typo, the path is /opt/graylog/conf/nginx/nginx.conf.

On Thursday, April 28, 2016 at 9:22:43 AM UTC-4, Obie wrote:
>
> In the VMware OVA running ngnix, what would I need to add/change? Here's a 
> snippet of the config.
>
> /opt/graylog/conf/ngnix/ngnix.conf
>
>   location / {
>     proxy_pass http://localhost:9000/;
>     proxy_http_version 1.1;
>     proxy_set_header Host $host;
>     proxy_set_header X-Real-IP $remote_addr;
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     proxy_pass_request_headers on;
>     proxy_connect_timeout 150;
>     proxy_send_timeout 100;
>     proxy_read_timeout 100;
>     proxy_buffers 4 32k;
>     client_max_body_size 8m;
>     client_body_buffer_size 128k;
>   }
>
>
> On Thursday, April 28, 2016 at 4:07:55 AM UTC-4, Stefan Tiede wrote:
>>
>> I had to tweak my apache config, see here: 
>> http://docs.graylog.org/en/2.0/pages/configuring_webif.html#apache
>>
>> Proxy pass to api is needed now.
>>
>



[graylog2] Re: SSL setup making website unavailable

2016-04-28 Thread Obie
In the VMware OVA running ngnix, what would I need to add/change? Here's a 
snippet of the config.

/opt/graylog/conf/ngnix/ngnix.conf

  location / {
    proxy_pass http://localhost:9000/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_request_headers on;
    proxy_connect_timeout 150;
    proxy_send_timeout 100;
    proxy_read_timeout 100;
    proxy_buffers 4 32k;
    client_max_body_size 8m;
    client_body_buffer_size 128k;
  }


On Thursday, April 28, 2016 at 4:07:55 AM UTC-4, Stefan Tiede wrote:
>
> I had to tweak my apache config, see here: 
> http://docs.graylog.org/en/2.0/pages/configuring_webif.html#apache
>
> Proxy pass to api is needed now.
>



Re: [graylog2] Re: v2 and multiple interfaces, web not working

2016-04-28 Thread Obie
I'm running the VMware OVA.

I've tried every combination of http/https and eth0's IP and FQDN I can 
think of. Some changes "get a little further", like when I change 
rest_transport_uri to https with the IP or FQDN--this at least pulls up the 
login page, but ends up failing with the same error after login. All other 
combinations I've tried either show "graylog is restarting" or the original 
error I posted.

Thanks

On Thursday, April 28, 2016 at 4:04:00 AM UTC-4, Jochen Schalanda wrote:
>
> Hi,
>
> Try setting the public IP address of your EC2 instance in rest_listen_uri 
> and web_listen_uri.
>
> See 
> http://docs.graylog.org/en/2.0/pages/installation/graylog_ctl.html#advanced-settings
>  
> and 
> https://github.com/Graylog2/omnibus-graylog2/blob/2.0/files/graylog-cookbooks/graylog/attributes/default.rb#L62-L63
>  
> for information how to configure this.
>
> Also make sure that both, the web interface and the Graylog REST API, are 
> using HTTPS if you want to set this up. Otherwise your browser will most 
> likely issue a mixed content warning and deny loading data from the Graylog 
> REST API.
>
>
> Cheers,
> Jochen
>
> On Wednesday, 27 April 2016 22:57:31 UTC+2, Obie wrote:
>>
>> It looks like the issue has nothing to do with my second interface. 
>> Instead, I see the issue when I enforce ssl. 
>>
>> On Wednesday, April 27, 2016 at 2:50:56 PM UTC-4, Obie wrote:
>>>
>>> Fwiw, I didn't move the service--the NFS mount point is the same as the 
>>> original directory with the original contents moved into it. I stopped all 
>>> services before making the swap.
>>>
>>> /var/opt/graylog/data
>>>
>>>
>>> There is no web.conf on the system, but there is 
>>> /opt/graylog/conf/graylog.conf. This file contains the following 
>>> http-related variables by default:
>>>
>>> # REST API listen URI. Must be reachable by other graylog-server nodes if you run a cluster.
>>> rest_listen_uri = http://0.0.0.0:12900/
>>>
>>> # Web interface listen URI
>>> web_listen_uri = http://0.0.0.0:9000/
>>>
>>> # REST API transport address. Defaults to the value of rest_listen_uri. Exception: If rest_listen_uri
>>> # is set to a wildcard IP address (0.0.0.0) the first non-loopback IPv4 system address is used.
>>> # If set, this will be promoted in the cluster discovery APIs, so other nodes may try to connect on
>>> # this address and it is used to generate URLs addressing entities in the REST API. (see rest_listen_uri)
>>> # You will need to define this, if your Graylog server is running behind a HTTP proxy that is rewriting
>>> # the scheme, host name or URI.
>>> #rest_transport_uri = http://192.168.1.1:12900/
>>>
>>> Thanks
>>>
>>>
>>> On Wednesday, April 27, 2016 at 2:40:03 PM UTC-4, Joi Owen wrote:

>>>> Did you remember to make the same adjustments to the graylogweb config
>>>> file?  The web service that's sending you the error has its own
>>>> configuration that needs to know where it should find the graylog service.
>>>> It's a bit confusing because you have to provide nearly the same
>>>> information to server.conf to tell graylog what ports to listen on and how
>>>> to refer to itself in uris it provides.
>>>>
>>>> On our host the web service is configured in
>>>> /etc/graylog/web/web.conf.  We haven't upgraded to the latest release so
>>>> my info may be stale.
>>>>
>>>>
>>>> On Wed, Apr 27, 2016 at 12:37 PM, Obie wrote:
>>>>
>>>>> I installed the v2 GA OVA and have the same issue.
>>>>>
>>>>> Thanks
>>>>>
>>>>> On Wednesday, April 27, 2016 at 11:58:22 AM UTC-4, Obie wrote:
>>>>>>
>>>>>> lol, I see v2 just went GA! MY issue is with the beta version. I'll
>>>>>> likely punt and start up the GA release.
>>>>>>
>>>>>> On Wednesday, April 27, 2016 at 11:57:05 AM UTC-4, Obie wrote:
>>>>>>>
>>>>>>> I set up the v2 OVA appliance and added an interface (eth1) for
>>>>>>> mounting an NFS export for the data directory. That is working fine,
>>>>>>> services start, etc., but when I go to the web page I get:
>>>>>>>
>>>>>>>  Server currently unavailable
>>>>>>>
>>>>>>> We are experiencing problems connecting to the Graylog server
>>>>>>> running on *http://:12900/*. Please
>>>>>>> verify that the server is healthy and working correctly.
>>>>>>> I've set eth0's IP (the primary, web interface) in the following two
>>>>>>> lines in graylog.conf:
>>>>>>>
>>>>>>> rest_listen_uri = http://:12900/
>>>>>>> web_listen_uri = http://:9000/
>>>>>>>
>>>>>>> I've tried restarting services and that doesn't do it. Issuing sudo
>>>>>>> graylog-ctl reconfigure reverts the above settings to
>>>>>>> http://0.0.0.0...
>>>>>>>
>>>>>>> How do I set the web IP?
>>>>>>>
>>>>>>> Thanks
>>>>>>>

[graylog2] Re: [Upgrade] 1.3.4 to 2.0

2016-04-28 Thread kaiser
My system is centos 6

On Thursday, 28 April 2016 11:35:50 UTC+2, kaiser wrote:
>
> Hello,
>
> Is there a method to upgrade from 1.3.4 to 2.0 please?
>
> regards.
>
>



[graylog2] [Upgrade] 1.3.4 to 2.0

2016-04-28 Thread kaiser
Hello,

Is there a method to upgrade from 1.3.4 to 2.0 please?

regards.



[graylog2] Re: Elasticsearch 2.0.0-5 Client announcing wrong URI

2016-04-28 Thread Fachi Son
Got the same issue here.

Graylog-Server (2.0.0.-5) connecting to external Elasticsearch Server.

Elasticsearch Config Changes:
cluster.name: graylog
network.host: 0.0.0.0
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["publicipelasticsearchserver:9300"]

Graylog Server Config Changes regarding ES:
elasticsearch_shards = 1
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
elasticsearch_cluster_name = graylog
elasticsearch_node_name_prefix = graylog-
elasticsearch_discovery_zen_ping_unicast_hosts = publicelasticsearchserver:9300

Elasticsearch Health:
http://publicelasticsearchserver:9200/_cluster/health?pretty=true

{
  "cluster_name" : "graylog",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 0,
  "active_shards" : 0,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}


Getting following error:
2016-04-28T11:17:58.424+02:00 INFO  [zen] 
[graylog-ef071c7d-1e72-4cb2-ab00-502b397d12fd] failed to send join request 
to master [{Dan 
Ketch}{V4-j79OyTI62AQ-vir351g}{publicelasticsearchserver}{publicelasticsearchserver:9300}],
 
reason [RemoteTransportException[[Dan 
Ketch][publicelasticsearchserver:9300][internal:discovery/zen/join]]; 
nested: 
ConnectTransportException[[graylog-ef071c7d-1e72-4cb2-ab00-502b397d12fd][127.0.0.1:9350]
 
connect_timeout[30s]]; nested: 
NotSerializableExceptionWrapper[connect_exception: Connection refused: 
/127.0.0.1:9350]; ]

On webinterface:
Error message: Bad request
Original Request: GET http://127.0.0.1:12900/system/cluster/node
Status code: undefined
Full error message: Error: Request has been terminated Possible causes: the network is 
offline, Origin is not allowed by Access-Control-Allow-Origin, the page is 
being unloaded, etc.

Setting elasticsearch_network_host won't make any difference.

Best regards,
Thomas

On Thursday, 28 April 2016 09:39:21 UTC+2, Jochen Schalanda wrote:
>
> Hi Bryan,
>
> you can manually set the IP address for the embedded Elasticsearch 
> instance in Graylog using the elasticsearch_network_host setting in the 
> configuration file (see 
> https://github.com/Graylog2/graylog2-server/blob/2.0.0/misc/graylog.conf#L187-L192)
>  
> if the automatically discovered IP address isn't correct.
>
> Regarding the web_listen_uri and rest_listen_uri settings, their default 
> value is http://127.0.0.1:9000/ and http://127.0.0.1:12900/ respectively, 
> to avoid accidentally listening on a public interface.
>
>
> Cheers,
> Jochen
>
> On Wednesday, 27 April 2016 22:55:58 UTC+2, Bryan Vukich wrote:
>>
>> Centos 7
>> graylog-server.noarch    2.0.0-5
>> elasticsearch.noarch     2.3.2-1
>> Both from yum repositories.
>>
>> Graylog-server and Elasticsearch are installed on two different servers. 
>>  When graylog tries to connect to es it appears to be telling es to connect 
>> back on the wrong IP.  I'm seeing the following log on the graylog server:
>>
>>
>> 2016-04-27T14:52:12.246-05:00 INFO  [zen] 
>> [graylog-71192b15-8a49-4f65-847f-cc62028fa176] failed to send join request 
>> to master 
>> [{Scarecrow}{PQaL_Ar1QW6ZLtuGHPWnZw}{10.100.10.222}{10.100.10.222:9300}], 
>> reason 
>> [RemoteTransportException[[Scarecrow][10.100.10.222:9300][internal:discovery/zen/join]];
>>  
>> nested: 
>> ConnectTransportException[[graylog-71192b15-8a49-4f65-847f-cc62028fa176][
>> 127.0.0.1:9350] connect_timeout[30s]]; nested: 
>> NotSerializableExceptionWrapper[connect_exception: Connection refused: /
>> 127.0.0.1:9350]; ]
>>
>>
>> There doesn't appear to be anywhere in the server.conf that sets a listen 
>> or announce IP for the es client, although there is one to override the 
>> default port of 9350.  
>>
>> [root@HRTV-GSW001 ~]# ss -ln | grep 9350
>> tcp    LISTEN     0      50     :::127.0.0.1:9350     :::*
>> tcp    LISTEN     0      50     ::1:9350     :::*
>>
>>
>> I should note the web interface and API bind addresses were also 
>> autodiscovered incorrectly (by default only listen on 127.0.0.1), and 
>> needed to be set manually.  They did not need to be set manually on 
>> graylog-server 1.3.4.  
>>
>> I was able to make it work by creating an SSH tunnel from the ES box to 
>> the graylog box.  
>>
>>
>> ssh -L 9350:localhost:9350 root@HRTV-GSW001
>>
>>
>> Any thoughts?
>>
>


[graylog2] Re: howto Upgrade from OVA Image (1.3.3) to Graylog 2.0.0

2016-04-28 Thread Leittechnik SUN
ok, my graylog currently is running with 1.3.3. I will wait for your 
upgrade instructions
Hans-Wolfgang

On Thursday, 28 April 2016 09:44:50 UTC+2, Jochen Schalanda wrote:
>
> Hi,
>
> the Omnibus package currently doesn't support upgrading from Graylog 1.x 
> to Graylog 2.0.0 which is why the upgrade fails. You should re-install 
> Graylog 1.3.3 (or 1.3.4) to get back to a working state.
>
> We are currently working on some upgrade instructions for the Omnibus 
> package, so that you can at least manually upgrade to the latest version of 
> Graylog at some point.
>
> Cheers,
> Jochen
>
> On Thursday, 28 April 2016 08:26:29 UTC+2, Leittechnik SUN wrote:
>>
>> Hello,
>> i'm running Graylog since 03/2015. I installed graylog from OVA Image on 
>> my VMware Servers and took every update. Last update was Graylog 1.3.3. Is 
>> there some instructions how to Upgrade to Graylog 2.0.0?
>> i downloaded the new package from: 
>> https://packages.graylog2.org/releases/graylog2-omnibus/ubuntu/graylog_latest.deb,
>>  
>> transferred it by sftp to my Ubuntu "/tmp" directory, and tried to install 
>> via command "sudo dpkg -G -i graylog_latest.deb". now i get this message:
>>
>> (Reading database ... 96088 files and directories currently installed.)
>> Preparing to unpack graylog_latest.deb ...
>> This is not a drop-in replacement. Please consult the updating guide!
>> dpkg: error processing archive graylog_latest.deb (--install):
>>  subprocess new pre-installation script returned error exit status 1
>> Graylog has been uninstalled!
>>
>> What i have to do???
>>
>>



[graylog2] any scripts for deleting messages containing fields with dots?

2016-04-28 Thread Daniel Kamiński
Hello
I was playing with snmp some time ago, it created multiple fields with 
dots. Now new ES doesn't support dots in field names so I cannot upgrade 
to graylog 2.0. Messages with those fields contain no valuable data, so 
I'd like to delete them from few past indices (yes, I know, I have to unlock 
them first). Is there any ES magic I can use to do this semi-automatically 
or do I have to parse mapping json for fields (this is `jq` query I came up 
with for now: 
`.graylog_158.mappings.message.properties|keys|map(match(".*\\..*"))[].string`) 
and delete every message containing fields parsing spits out? (_exists_: 
doesn't seem to work with wildcards)



[graylog2] Re: graylog 2.0 GA - issues with nginx and reverse proxy - Error: Request has been terminated

2016-04-28 Thread ghstdev
Thanks for helping out, I got it working now. I'm not using SSL; this nginx 
configuration works for me:

server {
  listen 80;
  location / {
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    Host $http_host;
    proxy_set_header    X-Graylog-Server-URL http://my_graylog_server_ip_address/api;
    proxy_pass          http://localhost:9000/;
  }
  location /api/
  {
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    Host $http_host;
    proxy_pass          http://localhost:12900/;
  }
}





On Thursday, April 28, 2016 at 8:34:04 AM UTC+1, Jochen Schalanda wrote:
>
> Hi,
>
> starting with Graylog 2.0.0, the web interface has been merged into the 
> server component and is a single-page application directly communicating 
> with the Graylog REST API. Thus, your client (i. e. web browser) must be 
> able to communicate with the Graylog REST API, which isn't possible with 
> the listener being bound to the loopback interface on 
> http://127.0.0.1:12900/ in your case.
>
> Please refer to 
> http://docs.graylog.org/en/2.0/pages/configuring_webif.html for 
> information how to setup the web interface in Graylog 2.0.0 and for working 
> example configurations for nginx and Apache httpd as reverse proxies.
>
> Cheers,
> Jochen
>
> On Thursday, 28 April 2016 02:26:54 UTC+2, ghs...@gmail.com wrote:
>>
>> Hi I have issues with graylog 2.0 GA release, cant get reverse proxy 
>> working, i tried on ubuntu 14,04 rhel 6 and 7, always same error 
>>
>> my setup:
>> mongo 3.2
>> elasticsearch 2.3.2
>> graylog 2.0 GA
>> nginx 1.9.5
>>
>> When im trying to access remote machine (same network), im getting this 
>> error in browser
>> If I access localhost directly on graylog machine it is working
>>
>



[graylog2] Re: SSL setup making website unavailable

2016-04-28 Thread Stefan Tiede
I had to tweak my apache config, see here: 
http://docs.graylog.org/en/2.0/pages/configuring_webif.html#apache

Proxy pass to api is needed now.



[graylog2] Re: v2 and multiple interfaces, web not working

2016-04-28 Thread Stefan Tiede
I had to tweak my apache config... see here: 
http://docs.graylog.org/en/2.0/pages/configuring_webif.html#apache

Proxy pass to api is needed now.



[graylog2] Re: SSL setup making website unavailable

2016-04-28 Thread Jochen Schalanda
Cross-post: https://groups.google.com/d/msg/graylog2/kwd3nIt05DI/MrG-bn3bAwAJ

On Thursday, 28 April 2016 00:31:14 UTC+2, Obie wrote:
>
> No, I installed the VMware OVA. Thanks for the link.



Re: [graylog2] Re: v2 and multiple interfaces, web not working

2016-04-28 Thread Jochen Schalanda
Hi,

Try setting the public IP address of your EC2 instance in rest_listen_uri 
and web_listen_uri.

See 
http://docs.graylog.org/en/2.0/pages/installation/graylog_ctl.html#advanced-settings
 
and 
https://github.com/Graylog2/omnibus-graylog2/blob/2.0/files/graylog-cookbooks/graylog/attributes/default.rb#L62-L63
 
for information how to configure this.

Also make sure that both, the web interface and the Graylog REST API, are 
using HTTPS if you want to set this up. Otherwise your browser will most 
likely issue a mixed content warning and deny loading data from the Graylog 
REST API.


Cheers,
Jochen

On Wednesday, 27 April 2016 22:57:31 UTC+2, Obie wrote:
>
> It looks like the issue has nothing to do with my second interface. 
> Instead, I see the issue when I enforce ssl. 
>
> On Wednesday, April 27, 2016 at 2:50:56 PM UTC-4, Obie wrote:
>>
>> Fwiw, I didn't move the service--the NFS mount point is the same as the 
>> original directory with the original contents moved into it. I stopped all 
>> services before making the swap.
>>
>> /var/opt/graylog/data
>>
>>
>> There is no web.conf on the system, but there is 
>> /opt/graylog/conf/graylog.conf. This file contains the following 
>> http-related variables by default:
>>
>> # REST API listen URI. Must be reachable by other graylog-server nodes if you run a cluster.
>> rest_listen_uri = http://0.0.0.0:12900/
>>
>> # Web interface listen URI
>> web_listen_uri = http://0.0.0.0:9000/
>>
>> # REST API transport address. Defaults to the value of rest_listen_uri. Exception: If rest_listen_uri
>> # is set to a wildcard IP address (0.0.0.0) the first non-loopback IPv4 system address is used.
>> # If set, this will be promoted in the cluster discovery APIs, so other nodes may try to connect on
>> # this address and it is used to generate URLs addressing entities in the REST API. (see rest_listen_uri)
>> # You will need to define this, if your Graylog server is running behind a HTTP proxy that is rewriting
>> # the scheme, host name or URI.
>> #rest_transport_uri = http://192.168.1.1:12900/
>>
>> Thanks
>>
>>
>> On Wednesday, April 27, 2016 at 2:40:03 PM UTC-4, Joi Owen wrote:
>>>
>>> Did you remember to make the same adjustments to the graylogweb config 
>>> file?  The web service that's sending you the error has its own 
>>> configuration that needs to know where it should find the graylog service.  
>>> It's a bit confusing because you have to provide nearly the same 
>>> information to server.conf to tell graylog what ports to listen on and how 
>>> to refer to itself in uris it provides.
>>>
>>> On our host the web service is configured in /etc/graylog/web/web.conf.  
>>> We haven't upgraded to the latest release so my info may be stale.
>>>
>>>
>>> On Wed, Apr 27, 2016 at 12:37 PM, Obie  wrote:
>>>
>>>> I installed the v2 GA OVA and have the same issue.
>>>>
>>>> Thanks
>>>>
>>>> On Wednesday, April 27, 2016 at 11:58:22 AM UTC-4, Obie wrote:
>>>>>
>>>>> lol, I see v2 just went GA! MY issue is with the beta version. I'll
>>>>> likely punt and start up the GA release.
>>>>>
>>>>> On Wednesday, April 27, 2016 at 11:57:05 AM UTC-4, Obie wrote:
>>>>>>
>>>>>> I set up the v2 OVA appliance and added an interface (eth1) for
>>>>>> mounting an NFS export for the data directory. That is working fine,
>>>>>> services start, etc., but when I go to the web page I get:
>>>>>>
>>>>>>  Server currently unavailable
>>>>>>
>>>>>> We are experiencing problems connecting to the Graylog server running
>>>>>> on *http://:12900/*. Please verify
>>>>>> that the server is healthy and working correctly.
>>>>>> I've set eth0's IP (the primary, web interface) in the following two
>>>>>> lines in graylog.conf:
>>>>>>
>>>>>> rest_listen_uri = http://:12900/
>>>>>> web_listen_uri = http://:9000/
>>>>>>
>>>>>> I've tried restarting services and that doesn't do it. Issuing sudo
>>>>>> graylog-ctl reconfigure reverts the above settings to http://0.0.0.0...
>>>>>>
>>>>>> How do I set the web IP?
>>>>>>
>>>>>> Thanks
>>>>>>

>>>
>>>
>>>
>>> -- 
>>>
>>> No matter what we think of Linux versus FreeBSD, etc., the one thing I
>>> really like about Linux is that it has Microsoft worried. Anything
>>> that kicks a monopoly in the pants has got to be good for something.
>>> - Chris Johnson
>>>
>>>


[graylog2] Re: howto Upgrade from OVA Image (1.3.3) to Graylog 2.0.0

2016-04-28 Thread Jochen Schalanda
Hi,

the Omnibus package currently doesn't support upgrading from Graylog 1.x to 
Graylog 2.0.0 which is why the upgrade fails. You should re-install Graylog 
1.3.3 (or 1.3.4) to get back to a working state.

We are currently working on some upgrade instructions for the Omnibus 
package, so that you can at least manually upgrade to the latest version of 
Graylog at some point.

Cheers,
Jochen

On Thursday, 28 April 2016 08:26:29 UTC+2, Leittechnik SUN wrote:
>
> Hello,
> i'm running Graylog since 03/2015. I installed graylog from OVA Image on 
> my VMware Servers and took every update. Last update was Graylog 1.3.3. Is 
> there some instructions how to Upgrade to Graylog 2.0.0?
> i downloaded the new package from: 
> https://packages.graylog2.org/releases/graylog2-omnibus/ubuntu/graylog_latest.deb,
>  
> transferred it by sftp to my Ubuntu "/tmp" directory, and tried to install 
> via command "sudo dpkg -G -i graylog_latest.deb". now i get this message:
>
> (Reading database ... 96088 files and directories currently installed.)
> Preparing to unpack graylog_latest.deb ...
> This is not a drop-in replacement. Please consult the updating guide!
> dpkg: error processing archive graylog_latest.deb (--install):
>  subprocess new pre-installation script returned error exit status 1
> Graylog has been uninstalled!
>
> What i have to do???
>
>



[graylog2] Re: Upgrade to v2.0

2016-04-28 Thread Jochen Schalanda
Hi Haija,

the Omnibus package doesn't support a proper upgrade of Graylog 1.x to 
Graylog 2.0.0. The upgrade process with APT (or dpkg) most likely failed 
and left your system in kind of an undefined state.

If the web interface is showing the correct version in its footer, 
everything should be fine and you can simply close/delete the system 
notification about the update by clicking on the 'X' in the upper right 
corner of the notification.

Cheers,
Jochen

On Wednesday, 27 April 2016 21:20:28 UTC+2, Haija Andres wrote:
>
> Hi all
>
>  
>
> I have just upgrade to the just released version 2.0 this way:
>
>  
>
> wget https://packages.graylog2.org/releases/graylog-omnibus/ubuntu/graylog_latest.deb
>
> sudo graylog-ctl stop
>
> sudo dpkg -G -i graylog_latest.deb
>
> sudo graylog-ctl reconfigure
>
> The system run fine but i became the following message:
>
>  You are running an outdated Graylog version. (triggered 4 minutes ago)
>
> The most recent stable Graylog version is *2.0.0 (Rothaus) released at 
> 2016-04-27T00:00:00.000Z*. Get it from https://www.graylog.org/.
>
>  
>
> Then I run the upgrade procedure again. I see in the console:
>
>  
>
> Unpacking graylog (2.0.0-1) over (2.0.0-1) ...
>
>  
>
> So i guess that I have already the newest version. 
>
>  
>
> What make I wrong?
>
>  
>
> Any help would be appreciated.
>
>  
>
> Thank you.
>
>  
>
> Gido 
>
>
>
> System: Ubuntu 14.4 on XenServer
>
>



[graylog2] Re: Unexpected Index rotation

2016-04-28 Thread Jochen Schalanda
Hi Mike,

On Wednesday, 27 April 2016 21:30:28 UTC+2, Mike Daoust wrote:
>
> as of now Im thinking it was due to multiple graylog-server masters in the 
> cluster.  I ran a config update with chef and all 3 graylog nodes ended up 
> as masters.
>

Yes, that's most likely the reason. Graylog master nodes are the only nodes 
that run maintenance tasks (like index rotation and retention), so there 
should only be 1 Graylog master node in the cluster.

Cheers,
Jochen 



[graylog2] Re: Elasticsearch 2.0.0-5 Client announcing wrong URI

2016-04-28 Thread Jochen Schalanda
Hi Bryan,

you can manually set the IP address for the embedded Elasticsearch instance 
in Graylog using the elasticsearch_network_host setting in the 
configuration file (see 
https://github.com/Graylog2/graylog2-server/blob/2.0.0/misc/graylog.conf#L187-L192)
 
if the automatically discovered IP address isn't correct.

Regarding the web_listen_uri and rest_listen_uri settings, their default 
value is http://127.0.0.1:9000/ and http://127.0.0.1:12900/ respectively, 
to avoid accidentally listening on a public interface.


Cheers,
Jochen

On Wednesday, 27 April 2016 22:55:58 UTC+2, Bryan Vukich wrote:
>
> Centos 7
> graylog-server.noarch    2.0.0-5
> elasticsearch.noarch     2.3.2-1
> Both from yum repositories.
>
> Graylog-server and Elasticsearch are installed on two different servers. 
>  When graylog tries to connect to es it appears to be telling es to connect 
> back on the wrong IP.  I'm seeing the following log on the graylog server:
>
>
> 2016-04-27T14:52:12.246-05:00 INFO  [zen] 
> [graylog-71192b15-8a49-4f65-847f-cc62028fa176] failed to send join request 
> to master 
> [{Scarecrow}{PQaL_Ar1QW6ZLtuGHPWnZw}{10.100.10.222}{10.100.10.222:9300}], 
> reason 
> [RemoteTransportException[[Scarecrow][10.100.10.222:9300][internal:discovery/zen/join]];
>  
> nested: 
> ConnectTransportException[[graylog-71192b15-8a49-4f65-847f-cc62028fa176][
> 127.0.0.1:9350] connect_timeout[30s]]; nested: 
> NotSerializableExceptionWrapper[connect_exception: Connection refused: /
> 127.0.0.1:9350]; ]
>
>
> There doesn't appear to be anywhere in the server.conf that sets a listen 
> or announce IP for the es client, although there is one to override the 
> default port of 9350.  
>
> [root@HRTV-GSW001 ~]# ss -ln | grep 9350
> tcp    LISTEN     0      50     :::127.0.0.1:9350     :::*
> tcp    LISTEN     0      50     ::1:9350     :::*
>
>
> I should note the web interface and API bind addresses were also 
> autodiscovered incorrectly (by default only listen on 127.0.0.1), and 
> needed to be set manually.  They did not need to be set manually on 
> graylog-server 1.3.4.  
>
> I was able to make it work by creating an SSH tunnel from the ES box to 
> the graylog box.  
>
>
> ssh -L 9350:localhost:9350 root@HRTV-GSW001
>
>
> Any thoughts?
>

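Added example, not part of the thread and not code from the Graylog or Elasticsearch projects: a parser for the zen join-failure record quoted above that extracts the master's address and the address the master was given to connect back on, and flags the case where a remote master was handed a loopback address. The verdict names are made up for this example; the first sample is the record from the thread (still mail-wrapped), the second is constructed.

```python
import ipaddress
import re

# "failed to send join request to master [{name}{id}{host}{host:port}]"
MASTER = re.compile(
    r"failed to send join request to master "
    r"\[\{(?P<name>[^}]*)\}\{[^}]*\}\{[^}]*\}\{(?P<addr>[^}]+)\}\]"
)
# "ConnectTransportException[[client-node][host:port]": the connect-back target
CALLBACK = re.compile(
    r"ConnectTransportException\[\[(?P<node>[^\]]*)\]\s*\[(?P<addr>[^\]]+)\]"
)

# The record posted in the thread, wrapped the way the mail client wrapped it.
THREAD_RECORD = """2016-04-27T14:52:12.246-05:00 INFO  [zen]
[graylog-71192b15-8a49-4f65-847f-cc62028fa176] failed to send join request
to master
[{Scarecrow}{PQaL_Ar1QW6ZLtuGHPWnZw}{10.100.10.222}{10.100.10.222:9300}],
reason
[RemoteTransportException[[Scarecrow][10.100.10.222:9300][internal:discovery/zen/join]];
nested:
ConnectTransportException[[graylog-71192b15-8a49-4f65-847f-cc62028fa176][
127.0.0.1:9350] connect_timeout[30s]]; nested:
NotSerializableExceptionWrapper[connect_exception: Connection refused: /
127.0.0.1:9350]; ]"""

# Constructed record: same shape, but the client announced a routable address.
CONSTRUCTED_RECORD = (
    "2016-04-28T10:00:00.000+02:00 INFO  [zen] [graylog-node-a] failed to send "
    "join request to master [{es-1}{constructedNodeId}{192.0.2.20}"
    "{192.0.2.20:9300}], reason [RemoteTransportException[[es-1]"
    "[192.0.2.20:9300][internal:discovery/zen/join]]; nested: "
    "ConnectTransportException[[graylog-node-a][192.0.2.15:9350] "
    "connect_timeout[30s]]; ]"
)


def _host(addr):
    """Return the host part of 'host:port', without IPv6 brackets."""
    return addr.strip().rpartition(":")[0].strip("[]")


def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name is treated as non-loopback


def diagnose(record):
    """Classify one join-failure record; return None for unrelated records."""
    text = re.sub(r"\s+", " ", record)  # undo line wrapping
    master = MASTER.search(text)
    if master is None:
        return None
    result = {
        "master": master.group("addr").strip(),
        "node": None,
        "announced": None,
        "verdict": "JOIN_FAILED_OTHER",
    }
    callback = CALLBACK.search(text)
    if callback is None:
        return result
    result["node"] = callback.group("node")
    result["announced"] = callback.group("addr").strip()
    master_is_remote = not _is_loopback(_host(result["master"]))
    if master_is_remote and _is_loopback(_host(result["announced"])):
        # A master on another host cannot reach the client's loopback address.
        result["verdict"] = "LOOPBACK_ANNOUNCED"
    else:
        # Address is plausible; look at firewalling or routing instead.
        result["verdict"] = "CALLBACK_UNREACHABLE"
    return result


if __name__ == "__main__":
    for sample in (THREAD_RECORD, CONSTRUCTED_RECORD):
        print(diagnose(sample))
```

LOOPBACK_ANNOUNCED points at the client's bind/publish address (the elasticsearch_network_host setting named in the reply above); CALLBACK_UNREACHABLE points at the network path between the two hosts.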


[graylog2] Re: graylog 2.0 GA - issues with nginx and reverse proxy - Error: Request has been terminated

2016-04-28 Thread Jochen Schalanda
Hi,

starting with Graylog 2.0.0, the web interface has been merged into the 
server component and is a single-page application directly communicating 
with the Graylog REST API. Thus, your client (i. e. web browser) must be 
able to communicate with the Graylog REST API, which isn't possible with 
the listener being bound to the loopback interface on 
http://127.0.0.1:12900/ in your case.

Please refer to http://docs.graylog.org/en/2.0/pages/configuring_webif.html 
for information how to setup the web interface in Graylog 2.0.0 and for 
working example configurations for nginx and Apache httpd as reverse 
proxies.

Cheers,
Jochen

On Thursday, 28 April 2016 02:26:54 UTC+2, ghs...@gmail.com wrote:
>
> Hi I have issues with graylog 2.0 GA release, cant get reverse proxy 
> working, i tried on ubuntu 14,04 rhel 6 and 7, always same error 
>
> my setup:
> mongo 3.2
> elasticsearch 2.3.2
> graylog 2.0 GA
> nginx 1.9.5
>
> When im trying to access remote machine (same network), im getting this 
> error in browser
> If I access localhost directly on graylog machine it is working
>

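Added example, not part of the thread and not Graylog project code: a linter for the three listener settings discussed in these messages (rest_listen_uri, web_listen_uri, rest_transport_uri) that flags the loopback-only defaults, the wildcard auto-detection on multi-homed hosts, and the HTTPS/HTTP mismatch behind the mixed content warning. The finding codes, sample files and addresses are constructed, and it assumes the URI schemes in the file match how each listener is actually served.

```python
import ipaddress
from urllib.parse import urlsplit

# Graylog 2.0.0 defaults as stated in this thread.
DEFAULTS = {
    "rest_listen_uri": "http://127.0.0.1:12900/",
    "web_listen_uri": "http://127.0.0.1:9000/",
}

MESSAGES = {
    "EMPTY_HOST": "a listener URI has no host part",
    "API_LOOPBACK_ONLY": "REST API is reachable on loopback only; remote "
                         "browsers cannot load data from it directly",
    "WEB_LOOPBACK_ONLY": "web interface is reachable on loopback only",
    "TRANSPORT_AUTODETECTED": "rest_listen_uri is a wildcard and "
                              "rest_transport_uri is unset, so the first "
                              "non-loopback IPv4 address is advertised",
    "TRANSPORT_WILDCARD": "rest_transport_uri is a wildcard address that "
                          "clients cannot connect to",
    "MIXED_CONTENT": "web interface is HTTPS but the REST API is not; "
                     "browsers will refuse the API requests",
}

# Constructed sample files (documentation-range addresses and names).
OVA_STYLE = """
# REST API listen URI.
rest_listen_uri = http://0.0.0.0:12900/
web_listen_uri = http://0.0.0.0:9000/
#rest_transport_uri = http://192.168.1.1:12900/
"""
HTTPS_WEB_ONLY = """
rest_listen_uri = http://0.0.0.0:12900/
rest_transport_uri = http://203.0.113.10:12900/
web_listen_uri = https://203.0.113.10:9000/
"""
ALL_HTTPS = """
rest_listen_uri = https://0.0.0.0:12900/
rest_transport_uri = https://graylog.example.org:12900/
web_listen_uri = https://0.0.0.0:9000/
"""


def parse_conf(text):
    """Return the uncommented 'key = value' settings of a graylog.conf."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def host_kind(uri):
    """Classify a URI's host: missing, wildcard, loopback or routable."""
    host = urlsplit(uri).hostname
    if host is None:
        return "missing"
    if host == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "routable"  # DNS name; assumed to resolve for clients
    if addr.is_unspecified:
        return "wildcard"
    return "loopback" if addr.is_loopback else "routable"


def lint(text):
    """Return the sorted finding codes for the listener settings in text."""
    conf = {**DEFAULTS, **parse_conf(text)}
    web, listen = conf["web_listen_uri"], conf["rest_listen_uri"]
    transport = conf.get("rest_transport_uri")
    findings = set()
    for uri in (web, listen, transport):
        if uri and host_kind(uri) == "missing":
            findings.add("EMPTY_HOST")
    # Address that browsers and other nodes are told to use for the REST API.
    api = transport if transport else listen
    kind = host_kind(api)
    if kind == "loopback":
        findings.add("API_LOOPBACK_ONLY")
    elif kind == "wildcard":
        findings.add("TRANSPORT_WILDCARD" if transport else "TRANSPORT_AUTODETECTED")
    if host_kind(web) == "loopback":
        findings.add("WEB_LOOPBACK_ONLY")
    if urlsplit(web).scheme == "https" and urlsplit(api).scheme != "https":
        findings.add("MIXED_CONTENT")
    return sorted(findings)


if __name__ == "__main__":
    for name, sample in (("defaults", ""), ("ova", OVA_STYLE),
                         ("https web only", HTTPS_WEB_ONLY), ("all https", ALL_HTTPS)):
        print(name, [f"{code}: {MESSAGES[code]}" for code in lint(sample)])
```

API_LOOPBACK_ONLY and WEB_LOOPBACK_ONLY are the expected state when a reverse proxy on the same host fronts both listeners, as in the nginx configuration posted in this thread; TRANSPORT_AUTODETECTED matters on hosts with more than one interface.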


[graylog2] howto Upgrade from OVA Image (1.3.3) to Graylog 2.0.0

2016-04-28 Thread Leittechnik SUN
Hello,
i'm running Graylog since 03/2015. I installed graylog from OVA Image on my 
VMware Servers and took every update. Last update was Graylog 1.3.3. Is 
there some instructions how to Upgrade to Graylog 2.0.0?
i downloaded the new package from: 
https://packages.graylog2.org/releases/graylog2-omnibus/ubuntu/graylog_latest.deb,
 
transferred it by sftp to my Ubuntu "/tmp" directory, and tried to install 
via command "sudo dpkg -G -i graylog_latest.deb". now i get this message:

(Reading database ... 96088 files and directories currently installed.)
Preparing to unpack graylog_latest.deb ...
This is not a drop-in replacement. Please consult the updating guide!
dpkg: error processing archive graylog_latest.deb (--install):
 subprocess new pre-installation script returned error exit status 1
Graylog has been uninstalled!

What i have to do???
