[graylog2] Increase OUTPUT speed

2016-07-26 Thread robertocarna36
Dear, my OUTPUT is too slow so the journal of my Graylog is increasing time 
after time.

How can I speed up the OUTPUT in order to make it faster than the INPUT 
always??

Thanks a lot,

Roberto

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/a500adc6-ed17-467b-82f1-272e15346a49%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Incoming logs incorrectly formatted

2016-07-26 Thread Joshua Walderbach
I have a Log directory at C:\Logs and in that directory are say 5 different 
logs, per day, by application.  ex. app1-07262016.log, app2-07262016.log, 
etc...  I want to watch these logs and send them over to Graylog.

I have nxlog installed on the Windows server along with sidecar.  I've 
setup a Syslog/UDP input and it's collecting info from these logs.  However 
the formatting isn't allowing for accurate searching.  For example, 
everything is in the message:


In this example I'm unable to search for instances where the "level" = 
something.  This one shows Debug but I'd want to eventually setup alerts 
for "level=Fatal".  I assume that this is a result of how I've setup the 
nxlog.conf or created the input.  The raw logs, as they are now, are pumped 
into Splunk and I can easily search for host=something level=Fatal and 
create an alert on that query.


nxlog.conf which I cobbled together from various online sources:

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# The Input and Output block names follow the Route's Path line; the
# Extension and Route names are assumed.
<Extension syslog>
 Module xm_syslog
</Extension>

<Input ivx>
 Module im_file
 File 'c:\\Logs\\*.log'
 SavePos TRUE
 ReadFromLast TRUE
 Recursive TRUE
 PollInterval 1
</Input>

<Output out>
 Module om_udp
 Host XXX.XXX.XXX.XXX
 Port 
 Exec to_syslog_bsd();
</Output>

<Route 1>
 Path ivx => out
</Route>

Any tips or ideas?

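The post above ends with the question of how to make `level` searchable. The config it shows wraps every line with `to_syslog_bsd()`, so Graylog receives one opaque message string and `level=Fatal` is only a substring of it. The Python below is an added example, not nxlog's or Graylog's code and not from the original post: it parses key=value application lines (the line layout is an assumption, since the post shows no raw line) into a GELF 1.1 record in which every application field becomes a `_`-prefixed custom field that Graylog indexes on its own. The severity-name mapping, host name and file name are constructed for the demo.

```python
"""Key=value application lines -> GELF 1.1 records with searchable fields.

Added example; not from the original post, nxlog or Graylog. The line
layout "<timestamp> key=value ... msg=\"...\"" is an assumption.
"""
import json
import re
import time
from datetime import datetime, timezone

# Constructed sample lines in the assumed "timestamp key=value ..." layout.
SAMPLE_LINES = [
    '2016-07-26 10:01:02 level=Debug app=app1 user=svc-batch msg="cache warmed in 120ms"',
    '2016-07-26 10:01:05 level=Info app=app1 msg="request served" status=200',
    '2016-07-26 10:02:17 level=Fatal app=app2 msg="database pool exhausted" retries=5',
    '2016-07-26 10:02:18 unstructured line without any pairs',
]

# key=value or key="value with spaces"
KV_RE = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?:"(?P<quoted>[^"]*)"|(?P<plain>\S+))')
TS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})')

# Application level names -> syslog severity numbers used by GELF's "level".
# The names are an assumption about the application; the numbers are syslog's.
SEVERITY = {"fatal": 2, "error": 3, "warn": 4, "warning": 4, "info": 6, "debug": 7}


def parse_kv(line):
    """Return ({key: value}, remainder); remainder is the text left over
    after every key=value token has been removed."""
    fields = {}
    for m in KV_RE.finditer(line):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("plain")
        fields[m.group("key")] = value
    remainder = " ".join(KV_RE.sub("", line).split())
    return fields, remainder


def parse_timestamp(line):
    """Epoch seconds from the leading timestamp (assumed UTC); None if absent."""
    m = TS_RE.match(line)
    if not m:
        return None
    dt = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.timestamp()


def to_gelf(line, host="winapp01", source_file="app1-07262016.log"):
    """Build a GELF 1.1 record. Each application field becomes a custom
    "_<key>" field, which Graylog stores as its own searchable field.
    GELF's own "level" is the numeric syslog severity, so the textual name
    is kept separately in "_level_name" for a level_name:Fatal search."""
    fields, remainder = parse_kv(line)
    level_name = fields.get("level", "")
    record = {
        "version": "1.1",
        "host": host,
        "short_message": fields.get("msg") or remainder or line,
        "full_message": line,
        "timestamp": parse_timestamp(line) or time.time(),
        "level": SEVERITY.get(level_name.lower(), 6),  # unknown/missing -> informational
        "_source_file": source_file,
    }
    for key, value in fields.items():
        if key == "level":
            record["_level_name"] = value
        else:
            record["_" + key] = value
    return record


def find_level(records, level_name):
    """Records whose textual level matches, case-insensitively: the query the
    post wants to alert on once the field exists."""
    wanted = level_name.lower()
    return [r for r in records if r.get("_level_name", "").lower() == wanted]


def ship_all(lines):
    return [to_gelf(line) for line in lines]


if __name__ == "__main__":
    records = ship_all(SAMPLE_LINES)
    for rec in find_level(records, "Fatal"):
        print(json.dumps(rec, indent=2, sort_keys=True))
```

The same field split is what an nxlog `xm_gelf` extension with `Exec to_gelf();` on the output (or a Graylog extractor on the Syslog input) produces; the script only makes visible what the resulting record looks like and why `level` then becomes a filterable field instead of a substring of `message`.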


Re: [graylog2] Re: Backup of indices in Graylog 1.3

2016-07-26 Thread Roberto Carna
Hi Jochen, thanks for your help.

It's good news what you told me... but my question is this again:
can I back up a CLOSED Elasticsearch index and an OPEN one??? After I
back them up to a VTL, can I restore them and put them to work???

Thanks a lot!!!



2016-06-29 6:11 GMT-03:00 Jochen Schalanda:
> Hi Roberto,
>
> you can simply follow the standard Elasticsearch backup/restore procedures,
> see
> https://www.elastic.co/guide/en/elasticsearch/reference/1.7/modules-snapshots.html
> and
> https://www.elastic.co/guide/en/elasticsearch/guide/1.x/backing-up-your-cluster.html.
>
> If you upgraded to Graylog 2.x, you could also make use of the new archiving
> feature: https://www.graylog.org/enterprise/feature/archiving
>
> Cheers,
> Jochen
>
> On Monday, 27 June 2016 18:01:01 UTC+2, roberto...@gmail.com wrote:
>>
>> Hi people, I have Graylog 1.3 as my syslog server. I have set up the
>> following strategy:
>>
>> 10 indices
>> 3 days per index
>> delete and not close
>> total: 30 days of data
>>
>> I want to back up the indices to a Networker EMC server, but all the
>> indices I have in the Graylog web interface are not closed.
>>
>> Can I back up a non-closed index??? Or when I have to restore
>> it after a long time, will I be unable to do that because the index was not
>> closed???
>>
>> Thanks a lot, regards.
>>
>> Roberto



[graylog2] Re: When to scale resources for Graylog???

2016-07-26 Thread HockeyFan0000


On Monday, July 25, 2016 at 1:45:16 PM UTC-4, roberto...@gmail.com wrote:
>
> People, I have a Graylog 1.3 server in just one Linux box (Debian 8), so I 
> mean I have one Elasticsearch node.
>
> Nowadays I'm receiving about 4000/6000 logs/second. I had to increase the 
> memory heap size of the JVM, and used CPU x 10 and RAM x 40GB, and after that 
> everything seems OK, because I have near 200/800 unprocessed messages as 
> a maximum every time.
>
> When do you recommend scaling to more Elasticsearch nodes or having 
> different MongoDBs or something like that???
>
> Is there a logs/sec threshold meaning I have to scale to a distributed 
> architecture???
>
> Thanks a lot!!!
>
> Roberto 
>


I can tell you from experience it's unlikely any one server will handle 
that amount of logs per second.  I had Graylog installed on a physical server 
with the same specs as my VMware hosts, except with less memory, and it 
couldn't stand the load.  Your best bet is going to be to do an 
Elasticsearch cluster of two servers and have your Graylog server be a 
third node of that cluster.  You'll want your Graylog server to be the 
Elasticsearch master and not store any data or do any indexing.  That will 
push off much of the load and give you some resiliency.  You don't have 
much to worry about with MongoDB.  It mostly stores configuration settings, 
although I think it does store logs that can't be indexed to Elasticsearch 
(don't hold me to that statement, but I'm pretty sure that's what I've 
read).

You could also load-balance several Graylog servers by running them behind 
HAProxy, or maybe even PFSense.  I don't think you'll get the performance 
you want without doing so.  I'm certainly no Graylog expert, but it would 
have to be one monster server to do everything with that much load. 
Another option is to simply limit what you log.  If you're logging 
Windows, you'll get tons of junk log entries.  You can have more granular 
control with the 'auditpol' command.




[graylog2] Settings for Journal when utilization is too high

2016-07-26 Thread robertocarna36
Dear, I'm using Graylog 1.3 with CPU x 10, RAM x 40GB and HD x 1.5 TB.

The input is about 4500 logs/second.

Today I have received this warning:

Journal utilization is too high
Journal utilization is too high and may go over the limit soon. Please 
verify that your Elasticsearch cluster is healthy and fast enough. You may 
also want to review your Graylog journal settings and set a higher limit. 
(Node: *ea2b7f43-cce0-4288-b344-a4e748e3c372*, journal utilization: 96.0%)

and now the journal has 12 million logs (on disk).

I've increased the heap size to 16 GB:

/etc/default/elasticsearch:

ES_HEAP_SIZE=16g

and I've done this:

/etc/default/graylog-server:

GRAYLOG_SERVER_JAVA_OPTS="-Xms16g -Xmx20g -XX:NewRatio=1 -XX:PermSize=256m 
-XX:MaxPermSize=512m -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC 
-XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC 
-XX:-OmitStackTraceInFastThrow"

How can I solve this journal problem please???

Thanks a lot,


Roberto



[graylog2] Elasticsearch 5?

2016-07-26 Thread Michael Taylor
The docs say Elasticsearch 2.1 or greater is required. Does that mean 
Elasticsearch 5 is supported now?



[graylog2] [ANNOUNCE] Graylog v2.1-beta.1 has been released

2016-07-26 Thread Lennart Koopmann
Hi everyone,

we just released the first beta of Graylog v2.1. It comes with many
smaller fixes/improvements and also two new features:

  * https://www.graylog.org/blog/60-announcing-graylog-v2-1-0-beta-1

Please try it out and let us know about any issues you encounter.

Thanks,
Lennart



[graylog2] Graylog breaking for unknown reason

2016-07-26 Thread HockeyFan0000
A couple of weeks ago, I installed Graylog.  It was working fine but there 
were a lot of loose ends to take care of.  While I was tightening down 
iptables so the server could only talk to our LAN, I created a rule and 
broke the Graylog connection.  Even when I disabled the rule, Graylog still 
wouldn't start again because MongoDB was refusing the connection.  I 
thought that I would probably spend less time re-installing everything from 
scratch than to troubleshoot the issue.  So, I nuked and paved.

The new server has been running great for a week and has collected about 
65GB of logs.  Today, once again, I was tightening IPtables and now Graylog 
won't start because MongoDB is refusing the connection, even though it's 
listening for connections.  I reverted my IPtables config and even disabled 
rules that were working before.  So, the server is wide open now.  The 
MongoDB log shows no errors or warnings from the time it starts until it 
says it's up and waiting for connections.  Performing a netstat seems to 
confirm MongoDB is listening.

Neither time I was creating iptables rules should the rules have stopped 
anything from happening.  One of the times the Graylog server stopped 
working, I created a rule to allow the localhost, restarted the server, and 
I was up and running again.  I have a two-server Elasticsearch cluster with 
a third Graylog server acting as the Elasticsearch master.  The 
Elasticsearch cluster is green.

So, my questions are:

   1. Is it necessary to allow the localhost through IPtables or am I 
   missing something else?
   2. Has anyone else run into this?
   3. Why would it still be broken?
   4. How can I fix it?

Any help you can give is greatly appreciated.

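Questions 1 and 3 in the post above hinge on one mechanism. With an INPUT policy of DROP (or a catch-all DROP/REJECT rule), packets arriving on the loopback interface are filtered like any other, so a local client connecting to 127.0.0.1:27017 times out (DROP) or is refused (REJECT) while `netstat` still shows mongod listening; a rule such as `-A INPUT -i lo -j ACCEPT` placed before the drop restores it. The Python below is an added example (not from the post, not part of Graylog or MongoDB) that walks a saved ruleset in the order the kernel would and reports the verdict a new local TCP connection gets. Both rulesets are constructed for the demo.

```python
"""Does an iptables ruleset let a local client reach 127.0.0.1:<port>?

Added example; not from the original post and not part of Graylog or
MongoDB. The rulesets below are constructed.
"""
import ipaddress
import shlex

LOOPBACK = ipaddress.ip_address("127.0.0.1")

# Constructed: host locked down to the LAN, loopback forgotten.
BROKEN_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 9000 -j ACCEPT
COMMIT
"""
# Constructed: the same ruleset with a loopback accept ahead of everything else.
FIXED_RULES = BROKEN_RULES.replace(
    "-A INPUT -m conntrack", "-A INPUT -i lo -j ACCEPT\n-A INPUT -m conntrack", 1)


def parse_iptables_save(dump):
    """Return (chain policies, ordered '-A' rules as token lists) of the filter table."""
    policies, rules, in_filter = {}, [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter:
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(shlex.split(line))
    return policies, rules


def _opt(tokens, *names):
    """Value that follows the first of the given option names, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def matches_local_new_tcp(tokens, port):
    """Conservatively decide whether a rule matches a new TCP connection from
    127.0.0.1 to 127.0.0.1:port arriving on the loopback interface.
    Negated matches ('!') are treated as non-matching rather than guessed."""
    if "!" in tokens:
        return False
    if _opt(tokens, "-i", "--in-interface") not in (None, "lo"):
        return False
    for names in (("-s", "--source"), ("-d", "--destination")):
        net = _opt(tokens, *names)
        if net and LOOPBACK not in ipaddress.ip_network(net, strict=False):
            return False
    if _opt(tokens, "-p", "--protocol") not in (None, "tcp"):
        return False
    dport = _opt(tokens, "--dport", "--destination-port")
    if dport and dport != str(port):
        return False
    state = _opt(tokens, "--ctstate", "--state")
    if state and "NEW" not in state.split(","):
        return False          # ESTABLISHED/RELATED-only rules never see the SYN
    return True


def local_tcp_verdict(dump, port=27017):
    """Walk INPUT in order, as the kernel does, and return the verdict for a new
    local connection: ACCEPT, DROP, REJECT, the chain policy, or UNKNOWN when
    a user-defined chain would decide."""
    policies, rules = parse_iptables_save(dump)
    for tokens in rules:
        if tokens[1] != "INPUT" or not matches_local_new_tcp(tokens, port):
            continue
        target = _opt(tokens, "-j", "--jump")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break                       # built-in chain: the policy applies
        if target in ("LOG", None):
            continue                    # non-terminating, keep walking
        return "UNKNOWN"
    return policies.get("INPUT", "ACCEPT")


if __name__ == "__main__":
    for name, dump in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(f"{name}: mongod on 127.0.0.1:27017 -> {local_tcp_verdict(dump)}")
```

Feed it the output of `iptables-save` on the Graylog host (as text) to check the ruleset before applying it; the same walk explains the earlier observation that adding a localhost rule and restarting the server made Graylog come back.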


[graylog2] Re: Cannot Configure Collector Inputs

2016-07-26 Thread Tony
Hi Marius,
sorry to resume this post, but I have a problem with a Graylog 2.0 server. I 
installed it on Debian 8 from the repository, following this 
procedure: 
http://docs.graylog.org/en/2.0/pages/installation/operating_system_packages.html

Unfortunately I want to collect logs from a remote Apache server using 
graylog-collector-sidecar, but in the Graylog server I don't find the 
Collector choice in the System menu. Any idea to help me please?

Thanks

Tony



[graylog2] Dashboard permissions, users and roles

2016-07-26 Thread Marcus Franke
Hello,

am I wrong in the observation that a user has to have the admin role to
access the search panel and perform searches?

Background: I created a role for a group of non-admin users to work with some
dashboards, but these users cannot access the "Replay Search" button. I
granted the "allow editing" permission to the role. Now these users are
able to delete widgets and reorder the dashboard.

How should my users change the underlying search for a widget or even
create new ones, when they have the editing rights for a dashboard?

Am I missing something? Are there more permissions I missed to find?


kind regards,
Marcus



[graylog2] Re: Help graylog2 can not start!!!

2016-07-26 Thread nile black
faint!
When I changed OpenJDK to Oracle JDK, it works!!  
openjdk openjdk openjdk!


On Tuesday, 26 July 2016 at 6:37:06 PM UTC+8, nile black wrote:

[graylog2] Re: Help graylog2 can not start!!!

2016-07-26 Thread Jochen Schalanda
Hi Nile,

please make sure that the "data" directory is readable for the Graylog user.

You could also set elasticsearch_path_home and elasticsearch_path_data in 
your Graylog configuration file to any readable directory.

As a side note, you can't use the ~ character for path settings in the 
configuration file (e.g. node_id_file). That's a UNIX shell speciality 
(and would expand to the current user's home directory).

Cheers,
Jochen

On Tuesday, 26 July 2016 12:37:06 UTC+2, nile black wrote:
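Both points in the reply above (a data directory the Graylog user can read, and `~` not being expanded by the config parser) can be checked before the server is started. The script below is an added example, not Graylog's own code: it parses the `key = value` settings of a graylog.conf, resolves relative paths against the directory the server is started from, and reports values that begin with `~`, directories that are missing, and directories the calling account cannot read or write. The sample configuration is a constructed subset of the one posted in this thread; the list of path-valued settings is an assumption drawn from the settings named there.

```python
"""Lint the path settings of a graylog.conf before starting the server.

Added example, not Graylog's own code. PATH_SETTINGS is an assumption
drawn from the settings named in this thread; SAMPLE_CONF is a constructed
subset of the configuration posted there.
"""
import os
import tempfile

# Settings whose values are filesystem paths. Keys ending in _file are files
# the server creates itself, so their parent directory is what gets checked.
PATH_SETTINGS = ("node_id_file", "plugin_dir", "message_journal_dir",
                 "elasticsearch_path_home", "elasticsearch_path_data")
# Of those, the ones the server must also be able to write to.
WRITABLE = {"node_id_file", "message_journal_dir", "elasticsearch_path_data"}

SAMPLE_CONF = """\
is_master = true
node_id_file = ~/node-id
plugin_dir = plugin
message_journal_enabled = true
message_journal_dir = data/journal
"""


def parse_conf(text):
    """Parse 'key = value' lines; blank lines and # comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def lint_paths(conf, base_dir):
    """Return [(setting, problem)] for the path settings present in conf.
    Relative paths resolve against base_dir, the directory the server is
    started from. os.access answers for the account running this script, so
    run it as the service account to get the answer that matters."""
    problems = []
    for key in PATH_SETTINGS:
        value = conf.get(key)
        if value is None:
            continue
        if value.startswith("~"):
            problems.append((key, "starts with '~': the shell expands that, the config parser does not"))
            continue
        path = value if os.path.isabs(value) else os.path.join(base_dir, value)
        target = os.path.dirname(path) if key.endswith("_file") else path
        if not os.path.isdir(target):
            problems.append((key, f"{target} does not exist or is not a directory"))
        elif not os.access(target, os.R_OK | os.X_OK):
            problems.append((key, f"{target} is not readable by uid {os.getuid()}"))
        elif key in WRITABLE and not os.access(target, os.W_OK):
            problems.append((key, f"{target} is not writable by uid {os.getuid()}"))
    return problems


def demo(base_dir=None):
    """Lint SAMPLE_CONF from a scratch directory that contains data/journal
    but no plugin directory; returns the problem list."""
    base = base_dir or tempfile.mkdtemp(prefix="graylog-lint-")
    os.makedirs(os.path.join(base, "data", "journal"), exist_ok=True)
    return lint_paths(parse_conf(SAMPLE_CONF), base)


if __name__ == "__main__":
    for setting, problem in demo():
        print(f"{setting}: {problem}")
```

Run it as the service account (for a package install, `sudo -u graylog`) from the directory the service starts in; a `~` finding is reported without touching the filesystem, since that value is wrong regardless of permissions.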

[graylog2] Help graylog2 can not start!!!

2016-07-26 Thread nile black


graylog.conf

is_master = true
node_id_file = ~/node-id
password_secret = 
0GfeFiddzix4IdYzTjT8PGSaYnTm5vYzaBk9QXyN12RhwSlIHHY1ewv3cIM4Cj5mgxRN9ImWeCqojc9hjvKDoS2ztrzY7igt
root_password_sha2 = 
8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
root_timezone = Asia/Shanghai
plugin_dir = plugin
rest_listen_uri = http://192.168.99.100:12900/
web_listen_uri = http://192.168.99.100:9000/
rotation_strategy = count
elasticsearch_max_docs_per_index = 2000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_cluster_name = elasticsearch
elasticsearch_discovery_zen_ping_unicast_hosts = 192.168.99.100:9300
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = data/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
content_packs_auto_load = grok-patterns.json

elasticsearch.yml

network.host: 192.168.99.100
discovery.zen.ping.unicast.hosts: ["192.168.99.100"]


> java  -Djava.net.preferIPv4Stack=true -jar graylog.jar server -f graylog.conf 
> ~/graylog-2.0.3@sam-VirtualBox
2016-07-26 18:15:43,351 INFO : org.graylog2.bootstrap.CmdLineTool - Loaded 
plugin: Collector 1.0.3 [org.graylog.plugins.collector.CollectorPlugin]
2016-07-26 18:15:43,352 INFO : org.graylog2.bootstrap.CmdLineTool - Loaded 
plugin: Enterprise Integration Plugin 1.0.3 
[org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin]
2016-07-26 18:15:43,352 INFO : org.graylog2.bootstrap.CmdLineTool - Loaded 
plugin: MapWidgetPlugin 1.0.3 [org.graylog.plugins.map.MapWidgetPlugin]
2016-07-26 18:15:43,352 INFO : org.graylog2.bootstrap.CmdLineTool - Loaded 
plugin: Pipeline Processor Plugin 1.0.0-beta.5 
[org.graylog.plugins.pipelineprocessor.ProcessorPlugin]
2016-07-26 18:15:43,352 INFO : org.graylog2.bootstrap.CmdLineTool - Loaded 
plugin: Anonymous Usage Statistics 2.0.3 
[org.graylog.plugins.usagestatistics.UsageStatsPlugin]
2016-07-26 18:15:43,438 INFO : org.graylog2.bootstrap.CmdLineTool - Running 
with JVM arguments: -Djava.net.preferIPv4Stack=true
2016-07-26 18:15:43,824 INFO : org.graylog2.shared.system.stats.SigarService - 
Failed to load SIGAR. Falling back to JMX implementations.
2016-07-26 18:15:44,963 INFO : org.graylog2.shared.buffers.InputBufferImpl - 
Message journal is enabled.
2016-07-26 18:15:45,128 INFO : kafka.log.LogManager - Loading logs.
2016-07-26 18:15:45,205 INFO : kafka.log.LogManager - Logs loading complete.
2016-07-26 18:15:45,206 INFO : org.graylog2.shared.journal.KafkaJournal - 
Initialized Kafka based journal at data/journal
2016-07-26 18:15:45,221 INFO : org.graylog2.shared.buffers.InputBufferImpl - 
Initialized InputBufferImpl with ring size <65536> and wait strategy 
, running 2 parallel message handlers.
2016-07-26 18:15:45,270 INFO : org.mongodb.driver.cluster - Cluster created 
with settings {hosts=[localhost:27017], mode=SINGLE, 
requiredClusterType=UNKNOWN, serverSelectionTimeout='3 ms', 
maxWaitQueueSize=5000}
2016-07-26 18:15:45,309 INFO : org.mongodb.driver.cluster - No server chosen by 
ReadPreferenceServerSelector{readPreference=primary} from cluster description 
ClusterDescription{type=UNKNOWN, connectionMode=SINGLE, 
all=[ServerDescription{address=localhost:27017, type=UNKNOWN, 
state=CONNECTING}]}. Waiting for 3 ms before timing out
2016-07-26 18:15:45,343 INFO : org.mongodb.driver.connection - Opened 
connection [connectionId{localValue:1, serverValue:26}] to localhost:27017
2016-07-26 18:15:45,344 INFO : org.mongodb.driver.cluster - Monitor thread 
successfully connected to server with description 
ServerDescription{address=localhost:27017, type=STANDALONE, state=CONNECTED, 
ok=true, version=ServerVersion{versionList=[2, 6, 10]}, minWireVersion=0, 
maxWireVersion=2, maxDocumentSize=16777216, roundTripTimeNanos=427079}
2016-07-26 18:15:45,348 INFO : org.mongodb.driver.connection - Opened 
connection [connectionId{localValue:2, serverValue:27}] to localhost:27017
2016-07-26 18:15:45,628 INFO : org.graylog2.plugin.system.NodeId - Node ID: 
c5c29db3-bf0e-4888-8cf4-fbe5ddba0f68
2016-07-26 18:15:45,735 INFO : org.elasticsearch.node - 
[graylog-c5c29db3-bf0e-4888-8cf4-fbe5ddba0f68] version[2.3.2], pid[7136], 
build[b9e4a6a/2016-04-21T16:03:47Z]
2016-07-26 18:15:45,735 INFO : org.elasticsearch.node - 
[graylog-c5c29db3-bf0e-4888-8cf4-fbe5ddba0f68] initializing ...
2016-07-26 18:15:45,740 INFO : org.elasticsearch.plugins - 

[graylog2] Re: Web UI Output Indicator Bug (perhaps?)

2016-07-26 Thread Jochen Schalanda
Hi Ryan,

there is always a default output into Elasticsearch (otherwise you couldn't 
search for messages), so that's what's being shown in the throughput 
indicator in the Graylog web interface.

Cheers,
Jochen

On Monday, 25 July 2016 20:07:46 UTC+2, Ryan Gelston wrote:
>
> Hello Graylog Users,
>
> I recently set up an instance of Graylog on an EC2 instance. I've modified 
> the conf file to set up admin accounts, port bindings for the web UI and 
> REST API, mongodb, elasticsearch, and email alerts. 
>
> I notice that when I send Graylog a GELF log over UDP, it shows in the UI 
> that it's receiving a message as input and sending one as output, or rather 
> the traffic indicator in the top right of the Graylog UI reads 'In 1 / Out 
> 1 msg/s'. No outputs have been created, so I see no reason why it displays 
> that it's outputting a message.
>
> Any suggestions as to why it's doing this or what I could do to help 
> diagnose it? 
>
> Thank you,
> Ryan Gelston
>
