[graylog2] Re: first pipeline attempt not working

2016-07-04 Thread Kay Roepke
Hey!

The static fields are not added by the input, even though the UI makes you 
believe they are. In fact they are added during the filter chain execution, 
which, from your description, runs after the pipeline in your system.

The reason for adding the field later is that at the input level the 
message is not actually decoded yet, that happens much later after it has 
been journaled.

cheers,
Kay

On Tuesday, 5 July 2016 01:07:53 UTC+2, Jason Haar wrote:
>
> Hi there
>
> I'm trying to get my first pipeline working - without any luck
>
> I have checked and "pipeline processor" is #1 in "Message Processors 
> Configuration", and consists of one pipeline, with one stage which contains 
> one rule. The rule is
>
> rule "My little pony"
> when
> has_field("dont_like_cricket") 
> then
> drop_message();
> end
> 
>
> I can see on the "Pipeline overview" page that it's processing the entire 
> incoming feed.
>
> What I have is a Syslog Input channel where I have the Input adding the 
> field "dont_like_cricket" to every incoming record (i.e. tagging it as 
> different from other Inputs). If I search Graylog, I can see the records 
> contain the field "dont_like_cricket". But this pipeline never triggers - I 
> still see the records that should have been dropped.
>
> My end-game is obviously a little more complicated, but even this doesn't 
> work - so 'baby steps' :-)
>
> Any ideas? Also, I really only want this pipeline on one Input channel - 
> do they have to be "universal"? 
>
> Thanks!
>
> -- 
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/f5985a5e-a9e3-448d-828a-3189ea4c4bd9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [graylog2] Re: Graylog2 Regex extractor help

2016-07-04 Thread Zoizo
Okay I found the solution.

For some reason, the space after "Nom du compte" is a non-breaking space. So 
I used Alt+0160 to put a non-breaking space there. It works now.

Thanks a lot anyway Kaiser, greatly appreciated ^^

On Tuesday, July 5, 2016 at 8:28:21 AM UTC+4, Zoizo wrote:
>
> Hello,
>
> Even with the (?mi) addition, it's not working. I wonder if some 
> characters are wrong in the log, like maybe some spaces are not spaces in 
> reality (though it would be weird that they are spaces when c/ced).
>
> Because, for example (Nom du compte) returns Nom du compte, but (Nom du 
> compte ) doesn't work.
> Kinda lost here :/
>
> On Monday, July 4, 2016 at 7:10:49 PM UTC+4, Zoizo wrote:
>>
>> I'm on 2.0.x, not sure about the full version, I will check tomorrow, but 
>> it should be the latest since I did everything (install, architecture etc.) 
>> last week, with the latest rpm.
>>
>> Input is syslog tcp.
>>
>> I will try again tomorrow, thanks again.
>>
>>
>> On Mon, Jul 4, 2016 at 7:03 PM, kaiser  wrote:
>>
>>> My test was done on my graylog test server.
>>>
>>> Which Graylog version do you have?
>>>
>>> Which kind of input did you use? GELF (in that case maybe the (?mi) 
>>> could solve the issue)?
>>>
>>> I have made the test with Graylog 2.0.3
>>>
>>> If it still doesn't work you should try the grok pattern
>>>

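The resolution above (an invisible non-breaking space defeating an otherwise correct regex), worked through as an added example in Python. This is not code from the thread or from Graylog: the log line is a constructed sample modelled on the event 4724 message quoted in the thread, with U+00A0 before each colon as French Windows event text carries it, and the two account names are placeholders chosen to differ so the two extractions can be told apart. It shows the thread's original pattern failing, a pattern that tolerates either kind of space succeeding for both the subject account and the "Compte cible" (target) account, and the check that finds the culprit directly: list every whitespace character in the raw message that is not an ASCII space. One caveat the example encodes: Graylog extractors run Java regex, where \s does not match U+00A0 unless the (?U) flag is set, so the whitespace class is written out explicitly instead of relying on \s.

```python
"""Added example, not code from the thread or from Graylog: why a regex that
passes in an online tester fails as a Graylog extractor on French Windows
Security events, and how to find the offending character."""
import re
import unicodedata

# Constructed sample modelled on the event 4724 line in the thread.  French
# Windows messages put a NO-BREAK SPACE (U+00A0) before each colon, so
# "Nom du compte :" is really "Nom du compte\u00a0:".  The two account names
# are placeholders made distinct so the two extractions can be told apart.
SAMPLE = (
    "domain.name.com MSWinEventLog 1 Security 665240 Thu Jun 30 14:35:38 2016 "
    "4724 Microsoft-Windows-Security-Auditing N/A N/A Success Audit "
    "domain.name.com Gestion des comptes d\u2019utilisateur Une tentative de "
    "r\u00e9initialisation de mot de passe d\u2019un compte a \u00e9t\u00e9 effectu\u00e9e. "
    "Sujet\u00a0: ID de s\u00e9curit\u00e9\u00a0: S-1-5-21-151410-1935793592-2975913076-1170 "
    "Nom du compte\u00a0:  subject.user Domaine du compte\u00a0: DOMAIN123 "
    "ID d\u2019ouverture de session\u00a0: 0x21CACB1 "
    "Compte cible\u00a0: ID de s\u00e9curit\u00e9\u00a0: S-1-5-21-151410-1935793592-2975913076-1650 "
    "Nom du compte\u00a0:  target.user Domaine du compte\u00a0: DOMAIN123 256107419"
)

# The pattern from the thread: a plain ASCII space before the colon.
ORIGINAL_PATTERN = r"Nom du compte :  ([a-zA-Z0-9.-]{1,50})"

# Tolerate any mix of ASCII and no-break spaces around the colon.  The class
# is spelled out rather than using \s because Graylog extractors run Java
# regex, where \s does NOT match U+00A0 unless the (?U) flag is set; the
# explicit class behaves the same in Java and Python.
ACCOUNT_PATTERN = r"Nom du compte[ \u00a0]*:[ \u00a0]*([a-zA-Z0-9.-]{1,50})"

# Second field: anchor on "Compte cible" first, then take the next account
# name (non-greedy so we stop at the first "Nom du compte" after it).
TARGET_PATTERN = (r"Compte cible[ \u00a0]*:.*?"
                  r"Nom du compte[ \u00a0]*:[ \u00a0]*([a-zA-Z0-9.-]{1,50})")


def extract_account(line, pattern=ACCOUNT_PATTERN):
    """Return the first captured account name, or None if the regex fails."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


def extract_target_account(line):
    """Return the account name in the 'Compte cible' (target) section."""
    return extract_account(line, TARGET_PATTERN)


def find_odd_whitespace(line):
    """List every whitespace character that is not a plain ASCII space.

    This is the check to run on a raw message when 'regular expression did
    not match' makes no sense: it reveals characters that copy/paste hides.
    Each entry is (offset, code point, Unicode name).
    """
    return [(i, "U+%04X" % ord(c), unicodedata.name(c))
            for i, c in enumerate(line)
            if c.isspace() and c != " "]


if __name__ == "__main__":
    print("original pattern:", extract_account(SAMPLE, ORIGINAL_PATTERN))
    print("tolerant pattern:", extract_account(SAMPLE))
    print("target account:  ", extract_target_account(SAMPLE))
    for idx, cp, name in find_odd_whitespace(SAMPLE):
        print(f"  offset {idx}: {cp} {name}")
```

Run as-is it reports None for the original pattern, the two account names for the tolerant patterns, and nine NO-BREAK SPACE offsets. Against a real event, copy the raw message text into SAMPLE; if find_odd_whitespace reports anything, widen the character class in the extractor to cover exactly those code points rather than guessing.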


Re: [graylog2] Re: Graylog2 Regex extractor help

2016-07-04 Thread Zoizo
Hello,

Even with the (?mi) addition, it's not working. I wonder if some characters 
are wrong in the log, like maybe some spaces are not spaces in reality 
(though it would be weird that they are spaces when c/ced).

Because, for example (Nom du compte) returns Nom du compte, but (Nom du 
compte ) doesn't work.
Kinda lost here :/

On Monday, July 4, 2016 at 7:10:49 PM UTC+4, Zoizo wrote:
>
> I'm on 2.0.x, not sure about the full version, I will check tomorrow, but 
> it should be the latest since I did everything (install, architecture etc.) 
> last week, with the latest rpm.
>
> Input is syslog tcp.
>
> I will try again tomorrow, thanks again.
>
>
> On Mon, Jul 4, 2016 at 7:03 PM, kaiser  wrote:
>
>> My test was done on my graylog test server.
>>
>> Which Graylog version do you have?
>>
>> Which kind of input did you use? GELF (in that case maybe the (?mi) could 
>> solve the issue)?
>>
>> I have made the test with Graylog 2.0.3
>>
>> If it still doesn't work you should try the grok pattern
>>



[graylog2] first pipeline attempt not working

2016-07-04 Thread Jason Haar
Hi there

I'm trying to get my first pipeline working - without any luck

I have checked and "pipeline processor" is #1 in "Message Processors
Configuration", and consists of one pipeline, with one stage which contains
one rule. The rule is

rule "My little pony"
when
has_field("dont_like_cricket")
then
drop_message();
end


I can see on the "Pipeline overview" page that it's processing the entire
incoming feed.

What I have is a Syslog Input channel where I have the Input adding the
field "dont_like_cricket" to every incoming record (i.e. tagging it as
different from other Inputs). If I search Graylog, I can see the records
contain the field "dont_like_cricket". But this pipeline never triggers - I
still see the records that should have been dropped.

My end-game is obviously a little more complicated, but even this doesn't
work - so 'baby steps' :-)

Any ideas? Also, I really only want this pipeline on one Input channel - do
they have to be "universal"?

Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



[graylog2] nxlog issue after some time sending logs properly

2016-07-04 Thread Steve Kuntz
Hello All,

I'm running the following on CentOS and am having issues with nxlog.

collector-sidecar-0.0.8-1.x86_64 (Centos 6.5)
nxlog-ce-2.9.1504-1.x86_64 (Centos 6.5)
graylog-server-2.0.3-1.noarch (CentOS 7.2)

When it starts up it seems to work fine, then I get the error below. After 
this it doesn't work until I restart the collector-sidecar (which restarts 
nxlog). I'm not sure if it is time-based or triggered by a log entry. I 
have other servers connecting to this Graylog server so I don't think there 
are any connection issues. Any help would be appreciated.

ERROR ### ASSERTION FAILED at line 52 in xm_gelf.c/xm_gelf_writer_udp(): 
"deflate(, Z_FINISH) == Z_STREAM_END" ###



Re: [graylog2] Nessus vulnerability scanner and Graylog

2016-07-04 Thread cypherbit
Thank you Marius, I implemented the suggestions listed under 
http://docs.graylog.org/en/2.0/pages/configuration/graylog_ctl.html#production-readiness 
apart from: "Separate the box network-wise from the outside, otherwise 
Elasticsearch can be reached by anyone".

I'd like to limit access to our Graylog server from one VLAN (users) to 
another (servers; where Graylog is) so that only SSH is available (that is 
easy), but we also need to view the web page. Which ports must be 
accessible (HTTPS, anything else)?


On Wednesday, 29 June 2016 21:14:17 UTC+2, Marius Sturm wrote:

> Hi,
> the OVAs in general are made for ease of setup and a quick getting-started 
> experience with Graylog. The trade-off of this is that some services need to 
> be less restricted than in a setup that is optimized for security. 
> Elasticsearch and MongoDB should always be placed in a separate network as 
> documented here: 
> http://docs.graylog.org/en/2.0/pages/configuration/graylog_ctl.html#production-readiness
>
> If you have higher security needs please consider a manual setup of 
> Graylog and make sure that all services are as secured as possible 
> http://docs.graylog.org/en/2.0/pages/installation/manual_setup.html
>
> Cheers,
> Marius
>
> On 29 June 2016 at 19:57,  wrote:
>
>> We're using the latest version of the Graylog OVA and have recently had a 
>> vulnerability assessment. I'm attaching the findings from the Nessus scanner. 
>> Can someone please shed some light on these results, focusing on the Medium 
>> severity and esp. MongoDB Service Without Authentication Detection and Web 
>> Server Generic Cookie Injection.
>>
>> Many thanks in advance.
>>
>
> -- 
> Developer
>
> Tel.: +49 (0)40 609 452 077
> Fax.: +49 (0)40 609 452 078
>
> TORCH GmbH - A Graylog Company
> Poolstraße 21
> 20335 Hamburg
> Germany
>
> https://www.graylog.com 
>
> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
> Geschäftsführer: Lennart Koopmann (CEO)
>



Re: [graylog2] Re: Graylog Does not work on AWS

2016-07-04 Thread 123Dev
Hi Jan,

First and foremost, that statement was not meant as a knock on the Graylog 
documentation; in fact I'm impressed how fast and frequently the docs are 
updated and kept current.
Given all the configuration / distribution varieties, it is 
understandably impossible to have flawless documentation.
Seriously, you guys have been amazing with the development and documentation 
of Graylog.

Having said that, we ourselves still struggle getting the REST API part of 
the setup working correctly, even after experimenting with lots of configuration 
options and reading many forum / issue tickets.

Some examples.
https://groups.google.com/forum/#!topic/graylog2/2FmvMohU45Q

As you can see from our comments in that ticket, REST API calls are over HTTP 
and not HTTPS even though they are configured to be over HTTPS (nginx). 
Furthermore the Graylog TLS settings are not applicable for the AWS image, as 
stated by Jochen.

We are also hit by this issue
https://github.com/Graylog2/graylog2-server/issues/2179
https://github.com/Graylog2/graylog2-server/issues/2288
which, if you google them, return many, many hits.
Our logs are flooded by this:
org.graylog2.shared.rest.resources.ProxiedResource - Unable to call 
http://10.20.1.229:12900/system/metrics/multiple 
on node <5ac...>, caught exception: timeout (class 
java.net.SocketTimeoutException)

Considering that, against our wishes, API calls are over HTTP, the PKI cert 
being the issue is not applicable.

Thanks



On Friday, July 1, 2016 at 5:40:11 AM UTC-4, Jan Doberstein wrote:
>
> Hej 
>
>
> On 30 June 2016 at 16:09:28, 123Dev (hr...@123loadboard.com) wrote: 
> > REST API access part is a bit flaky and I agree it can benefit from 
> better 
> > documentation / code, but Graylog folks have always been proactive and I 
> > constantly see doc and code updates. 
>
> could you please give us a hint what part of the documentation could be 
> better? 
>
> Only if we see the caveats can we work on them. 
>
> Thank you 
> Jan 
>



Re: [graylog2] Re: Graylog2 Regex extractor help

2016-07-04 Thread Houss Decouette
I'm on 2.0.x, not sure about the full version, I will check tomorrow, but
it should be the latest since I did everything (install, architecture etc.)
last week, with the latest rpm.

Input is syslog tcp.

I will try again tomorrow, thanks again.


On Mon, Jul 4, 2016 at 7:03 PM, kaiser  wrote:

> My test was done on my graylog test server.
>
> Which Graylog version do you have?
>
> Which kind of input did you use? GELF (in that case maybe the (?mi) could
> solve the issue)?
>
> I have made the test with Graylog 2.0.3
>
> If it still doesn't work you should try the grok pattern



[graylog2] Re: Graylog2 Regex extractor help

2016-07-04 Thread kaiser
My test was done on my graylog test server.

Which Graylog version do you have?

Which kind of input did you use? GELF (in that case maybe the (?mi) could 
solve the issue)?

I have made the test with Graylog 2.0.3

If it still doesn't work you should try the grok pattern







[graylog2] Re: Graylog2 Regex extractor help

2016-07-04 Thread Zoizo
Thank you for your time mate. 

Hmm well it might have worked in a tester (if that's where you tested it) 
but in the Graylog interface it didn't for me. 

Nevertheless, I will try again with your version tomorrow at work and keep 
the thread updated.
Thanks.

On Monday, July 4, 2016 at 6:33:01 PM UTC+4, kaiser wrote:
>
> Your regex is ok.
>
> Worked for me.
>
> You can otherwise try:
>
> (?mi)Nom du compte :  ([a-zA-Z0-9.-]{1,50})
>
> And for the second one you just need to capture Compte cible :D:
>
> (?mi)Compte cible : .*Nom du compte :  ([a-zA-Z0-9.-]{1,50})
>
> @peluche
>
>
>
> On Monday, 4 July 2016 11:52:03 UTC+2, Zoizo wrote:
>>
>> Hello,
>>
>> I have been looking for a solution to my problem for several hours, in vain, so 
>> I'm posting here in the hope you could help me.
>>
>> I have some logs that follow this scheme (it's in French):
>>
>>
>>
>> domain.name.com MSWinEventLog 1 Security 665240 Thu Jun 30 14:35:38 2016 
>> 4724 Microsoft-Windows-Security-Auditing N/A N/A Success Audit 
>> domain.name.com Gestion des comptes d’utilisateur Une tentative de 
>> réinitialisation de mot de passe d’un compte a été effectuée. Sujet : ID de 
>> sécurité : S-1-5-21-151410-1935793592-2975913076-1170 Nom du compte : 
>> firstname.lastname Domaine du compte : DOMAIN123 ID d’ouverture de 
>> session : 0x21CACB1 Compte cible : ID de sécurité : 
>> S-1-5-21-151410-1935793592-2975913076-1650 Nom du compte : 
>> firstname.lastname Domaine du compte : DOMAIN123 256107419
>>
>> I want to make a regex extractor that will return the value of 
>> "firstname.lastname" after "Nom du compte :  ". Since there are two "Nom du 
>> compte :  ", I will use a regex for each of them (and create two fields).
>>
>> I tried to extract the first one with this regex but it's not working 
>> (regular expression did not match) :
>>
>> Nom du compte :  ([a-zA-Z0-9.-]{1,50})
>>
>> This regex works in a regex tester so I'm kinda lost here... Could anyone 
>> provide an answer to this please ?
>>
>> Also, my second question is : if I want to extract the second 
>> "firstname.lastname", how would I change my regex to do so ?
>>
>> Would really appreciate some help.
>>
>> Thanks!
>>
>



[graylog2] Re: Graylog2 Regex extractor help

2016-07-04 Thread kaiser
Your regex is ok.

Worked for me.

You can otherwise try:

(?mi)Nom du compte :  ([a-zA-Z0-9.-]{1,50})

And for the second one you just need to capture Compte cible :D:

(?mi)Compte cible : .*Nom du compte :  ([a-zA-Z0-9.-]{1,50})

@peluche



On Monday, 4 July 2016 11:52:03 UTC+2, Zoizo wrote:
>
> Hello,
>
> I have been looking for a solution to my problem for several hours, in vain, so 
> I'm posting here in the hope you could help me.
>
> I have some logs that follow this scheme (it's in French):
>
>
>
> domain.name.com MSWinEventLog 1 Security 665240 Thu Jun 30 14:35:38 2016 
> 4724 Microsoft-Windows-Security-Auditing N/A N/A Success Audit 
> domain.name.com Gestion des comptes d’utilisateur Une tentative de 
> réinitialisation de mot de passe d’un compte a été effectuée. Sujet : ID de 
> sécurité : S-1-5-21-151410-1935793592-2975913076-1170 Nom du compte : 
> firstname.lastname Domaine du compte : DOMAIN123 ID d’ouverture de 
> session : 0x21CACB1 Compte cible : ID de sécurité : 
> S-1-5-21-151410-1935793592-2975913076-1650 Nom du compte : 
> firstname.lastname Domaine du compte : DOMAIN123 256107419
>
> I want to make a regex extractor that will return the value of 
> "firstname.lastname" after "Nom du compte :  ". Since there are two "Nom du 
> compte :  ", I will use a regex for each of them (and create two fields).
>
> I tried to extract the first one with this regex but it's not working 
> (regular expression did not match) :
>
> Nom du compte :  ([a-zA-Z0-9.-]{1,50})
>
> This regex works in a regex tester so I'm kinda lost here... Could anyone 
> provide an answer to this please ?
>
> Also, my second question is : if I want to extract the second 
> "firstname.lastname", how would I change my regex to do so ?
>
> Would really appreciate some help.
>
> Thanks!
>



Re: [graylog2] How to configure elsaticsearch cluster for graylog

2016-07-04 Thread sangh
Hi, 

Thanks.
I was looking for something like that along with the Graylog server part, 
but I couldn't find any.

On Monday, 4 July 2016 11:41:32 UTC+2, Jan Doberstein wrote:
>
> Hej, 
>
>
> On 4 July 2016 at 11:27:29, sangh (sanheg...@gmail.com) wrote: 
> > I have 2 Graylog servers and I want to deploy a cluster of three 
> > Elasticsearch nodes so the 2 servers can use it. Most articles explain how to 
> > set up a Graylog server along with Elasticsearch on the same machine. Like 
> > this one 
> http://severalnines.com/blog/high-availability-log-processing-graylog-mongodb-and-elasticsearch
>  
>
> Are you looking for a description like this of how to set up an Elasticsearch cluster? 
>
> https://www.digitalocean.com/community/tutorials/how-to-set-up-a-production-elasticsearch-cluster-on-ubuntu-14-04
>  
>
> regards 
> Jan 
>



[graylog2] Graylog2 Regex extractor help

2016-07-04 Thread Zoizo
Hello,

I have been looking for a solution to my problem for several hours, in vain, so 
I'm posting here in the hope you could help me.

I have some logs that follow this scheme (it's in French):



domain.name.com MSWinEventLog 1 Security 665240 Thu Jun 30 14:35:38 2016 
4724 Microsoft-Windows-Security-Auditing N/A N/A Success Audit 
domain.name.com Gestion des comptes d’utilisateur Une tentative de 
réinitialisation de mot de passe d’un compte a été effectuée. Sujet : ID de 
sécurité : S-1-5-21-151410-1935793592-2975913076-1170 Nom du compte : 
firstname.lastname Domaine du compte : DOMAIN123 ID d’ouverture de 
session : 0x21CACB1 Compte cible : ID de sécurité : 
S-1-5-21-151410-1935793592-2975913076-1650 Nom du compte : 
firstname.lastname Domaine du compte : DOMAIN123 256107419

I want to make a regex extractor that will return the value of 
"firstname.lastname" after "Nom du compte :  ". Since there are two "Nom du 
compte :  ", I will use a regex for each of them (and create two fields).

I tried to extract the first one with this regex but it's not working 
(regular expression did not match) :

Nom du compte :  ([a-zA-Z0-9.-]{1,50})

This regex works in a regex tester so I'm kinda lost here... Could anyone 
provide an answer to this please ?

Also, my second question is : if I want to extract the second 
"firstname.lastname", how would I change my regex to do so ?

Would really appreciate some help.

Thanks!



Re: [graylog2] How to configure elsaticsearch cluster for graylog

2016-07-04 Thread Jan Doberstein
Hej,


On 4 July 2016 at 11:27:29, sangh (sanhegi.ma...@gmail.com) wrote:
> I have 2 Graylog servers and I want to deploy a cluster of three
> Elasticsearch nodes so the 2 servers can use it. Most articles explain how to set
> up a Graylog server along with Elasticsearch on the same machine. Like
> this one
> http://severalnines.com/blog/high-availability-log-processing-graylog-mongodb-and-elasticsearch

Are you looking for a description like this of how to set up an Elasticsearch cluster?
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-production-elasticsearch-cluster-on-ubuntu-14-04

regards
Jan



Re: [graylog2] How to configure elsaticsearch cluster for graylog

2016-07-04 Thread sangh
Hi,

I have 2 Graylog servers and I want to deploy a cluster of three 
Elasticsearch nodes so the 2 servers can use it. Most articles explain how to set 
up a Graylog server along with Elasticsearch on the same machine. Like 
this one: 
 
http://severalnines.com/blog/high-availability-log-processing-graylog-mongodb-and-elasticsearch
 

On Monday, 4 July 2016 10:45:21 UTC+2, Jan Doberstein wrote:
>
> Hej 
>
> On 4 July 2016 at 09:31:03, sangh (sanheg...@gmail.com) wrote: 
> > For those who deployed a bigger production setup with several Graylog nodes: 
> > can they show how they installed the Elasticsearch cluster? 
>
> What is your question exactly? That most people use the distribution 
> package is not what you want to hear, or? 
>
> regards 
> Jan 
>



Re: [graylog2] How to configure elsaticsearch cluster for graylog

2016-07-04 Thread sangh
Hi,

I have 2 Graylog servers and I w

On Monday, 4 July 2016 10:45:21 UTC+2, Jan Doberstein wrote:
>
> Hej 
>
> On 4 July 2016 at 09:31:03, sangh (sanheg...@gmail.com) wrote: 
> > For those who deployed a bigger production setup with several Graylog nodes: 
> > can they show how they installed the Elasticsearch cluster? 
>
> What is your question exactly? That most people use the distribution 
> package is not what you want to hear, or? 
>
> regards 
> Jan 
>



[graylog2] Re: Expand Hard Drive in OVA

2016-07-04 Thread Dietmar Schurr
Hello Jaime,

I just followed this tutorial 
http://docs.graylog.org/en/2.0/pages/configuration/graylog_ctl.html#extend-disk-space 
and it worked fine (a cluster with two OVA images).
So now I have 100G of separate disk space for /var/opt/graylog/data

Regards,

Dietmar

On Friday, July 1, 2016 at 9:38:43 PM UTC+2, Jamie P wrote:
>
> Hello,
>
> I have been researching how to expand the hard drive in the OVA.  I 
> need to extend it to 100G from the 20G minimum, and I keep running into 
> brick walls trying to do this.  Some of the links that I keep clicking on 
> go to articles that are no longer on the web.  Any direction to a document 
> or website on how to do this would be much appreciated. 
>
> Jamie
>



Re: [graylog2] How to configure elsaticsearch cluster for graylog

2016-07-04 Thread Jan Doberstein
Hej

On 4 July 2016 at 09:31:03, sangh (sanhegi.ma...@gmail.com) wrote:
> For those who deployed a bigger production setup with several Graylog nodes:
> can they show how they installed the Elasticsearch cluster?

What is your question exactly? That most people use the distribution
package is not what you want to hear, or?

regards
Jan



Re: [graylog2] Expand Hard Drive in OVA

2016-07-04 Thread Jan Doberstein
Hej Jamie,


On 1 July 2016 at 21:38:45, Jamie P (jamiecpar...@gmail.com) wrote:
> I have been researching how to expand the hard drive in the OVA. I
> need to extend it to 100G from the 20G minimum, and I keep running into
> brick walls trying to do this. Some of the links that I keep clicking on
> go to articles that are no longer on the web. Any direction to a document
> or website on how to do this would be much appreciated.

something like this document from the graylog documentation?

http://docs.graylog.org/en/2.0/pages/configuration/graylog_ctl.html?highlight=extend#extend-disk-space

regards
Jan



[graylog2] How to configure elsaticsearch cluster for graylog

2016-07-04 Thread sangh
Hi, 
For those who deployed a bigger production setup with several Graylog nodes: 
can they show how they installed the Elasticsearch cluster? 
Thanks 
