[graylog2] Full list of Permissions?

2016-08-03 Thread Pete GS
Hi all,

Just wondering where I could find a full list of available permissions I 
can assign to roles via the API?

I've got a few people here I would like to give extra privileges to without 
granting full Admin rights.

Things like creating/deleting dashboards and streams and viewing the status 
of Collectors are currently only available to Admins.

I've created a "PowerUser" role which does some of this but not all:

{
  "name": "PowerUser",
  "description": "Create streams, dashboards, etc. but no admin tasks",
  "permissions": [
    "clusterconfigentry:read",
    "indexercluster:read",
    "messagecount:read",
    "journal:read",
    "inputs:read",
    "metrics:read",
    "savedsearches:edit",
    "fieldnames:read",
    "buffers:read",
    "system:read",
    "savedsearches:create",
    "jvmstats:read",
    "throughput:read",
    "savedsearches:read",
    "messages:read",
    "streams:create",
    "streams:edit:*",
    "streams:read:*",
    "dashboards:create",
    "dashboards:edit:*",
    "dashboards:read:*"
  ],
  "read_only": false
}

Any info would be greatly appreciated.

Cheers, Pete

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/4d869098-b2c8-45f4-a116-639b9934a87c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
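
A way to review a role definition like the one above for grants that apply to every instance of a resource type, as an added example (not code from the post or from the Graylog project). The set of action names treated as mutating, and the stream ids used to narrow a grant, are assumptions.

```python
"""Audit a Graylog role definition for over-broad grants.

Added example, not code from the post or the Graylog project.  Graylog
permissions are Apache Shiro wildcard strings: "resource:action" or
"resource:action:instance", where "*" in a position matches everything
and an omitted trailing part behaves like "*".
"""
import json

# The PowerUser role from the post, embedded as the sample input.
POWER_USER_JSON = """
{
  "name": "PowerUser",
  "description": "Create streams, dashboards, etc. but no admin tasks",
  "permissions": [
    "clusterconfigentry:read", "indexercluster:read", "messagecount:read",
    "journal:read", "inputs:read", "metrics:read", "savedsearches:edit",
    "fieldnames:read", "buffers:read", "system:read", "savedsearches:create",
    "jvmstats:read", "throughput:read", "savedsearches:read", "messages:read",
    "streams:create", "streams:edit:*", "streams:read:*",
    "dashboards:create", "dashboards:edit:*", "dashboards:read:*"
  ],
  "read_only": false
}
"""
POWER_USER = json.loads(POWER_USER_JSON)

# Assumption: these actions modify an existing object, so a grant with a
# "*" instance lets the role change every object of that type, including
# ones created later by other people.
MUTATING_ACTIONS = {"edit", "delete", "update"}


def parse_permission(perm):
    """Split 'resource[:action[:instance]]' into a 3-tuple, filling '*'."""
    parts = perm.split(":")
    if not 1 <= len(parts) <= 3 or any(p == "" for p in parts):
        raise ValueError(f"malformed permission: {perm!r}")
    parts += ["*"] * (3 - len(parts))
    return tuple(parts)


def audit_role(role):
    """Return the grants in a role that deserve a second look."""
    findings = {
        "admin": False,            # a bare "*" resource grants everything
        "wildcard_writes": [],     # mutating action on every instance
        "scoped_writes": [],       # mutating action on named instances only
        "malformed": [],           # would be rejected or misread
    }
    for perm in role.get("permissions", []):
        try:
            resource, action, instance = parse_permission(perm)
        except ValueError:
            findings["malformed"].append(perm)
            continue
        if resource == "*":
            findings["admin"] = True
        elif action == "*" or action in MUTATING_ACTIONS:
            bucket = "wildcard_writes" if instance == "*" else "scoped_writes"
            findings[bucket].append(perm)
    return findings


def scope_to_instances(perm, instance_ids):
    """Rewrite 'resource:action:*' into one grant per named instance.

    This narrows a wildcard edit grant to the streams or dashboards the
    role actually needs; a grant that is already scoped is returned as is.
    """
    resource, action, instance = parse_permission(perm)
    if instance != "*":
        return [perm]
    return [f"{resource}:{action}:{i}" for i in instance_ids]


if __name__ == "__main__":
    report = audit_role(POWER_USER)
    for perm in report["wildcard_writes"]:
        print(f"{perm}: applies to every {perm.split(':')[0]} object")
    # Constructed stream ids, not real ones.
    print(scope_to_instances("streams:edit:*", ["stream-id-a", "stream-id-b"]))
```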


[graylog2] Re: graylog-web for 2.0

2016-08-03 Thread walderbachjoshua
You must edit your server.conf and:

1. Ensure the web_listen_uri is an IP that is reachable by outside servers, 
unless you only want to access it locally.
2. Same for rest_listen_uri.
3. Ensure the web_listen variable is True.
4. Ensure a password_secret is set.
5. Ensure root_password_sha2 is set.
6. Access the WebUI at http://IPAddress:9000

On Wednesday, August 3, 2016 at 5:47:00 PM UTC-6, sam wrote:
>
> Hi All,
>
> I installed Graylog 2.0 on my box. I don't see any graylog-web for this 
> version. Do we have a graylog-web for this version? If not, can any of you 
> tell me how to access the web interface.
>
> Thank you 
> sam
>

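
One way to check a server.conf against the list in the reply above before starting the server, as an added example (not code from the reply or from the Graylog project). It assumes the Graylog 2.x key names password_secret, root_password_sha2, rest_listen_uri, web_listen_uri and web_enable, and a 16-character minimum for password_secret.

```python
"""Check a Graylog 2.x server.conf for the settings the reply lists.

Added example, not from the reply or the Graylog project.  Assumptions:
the Graylog 2.x key names used below, and that password_secret must be
at least 16 characters.
"""
import re
from urllib.parse import urlsplit

# Constructed server.conf fragment showing the usual mistakes.
SAMPLE_CONF = """\
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = tooshort
# root_password_sha2 left commented out, so the admin login cannot work
#root_password_sha2 =
rest_listen_uri = http://0.0.0.0:12900/
web_enable = true
web_listen_uri = http://127.0.0.1:9000/
"""


def parse_conf(text):
    """Parse 'key = value' lines; comment and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def check_conf(conf):
    """Return (errors, warnings) for the settings the reply asks about."""
    errors, warnings = [], []

    secret = conf.get("password_secret", "")
    if not secret:
        errors.append("password_secret is not set")
    elif len(secret) < 16:
        errors.append("password_secret is shorter than 16 characters")

    digest = conf.get("root_password_sha2", "")
    if not re.fullmatch(r"[0-9a-fA-F]{64}", digest):
        errors.append("root_password_sha2 is missing or not a SHA-256 hex digest")

    if conf.get("web_enable", "true").lower() != "true":
        errors.append("web_enable is not true, the web interface is disabled")

    for key in ("rest_listen_uri", "web_listen_uri"):
        uri = conf.get(key)
        if not uri:
            errors.append(f"{key} is not set")
            continue
        host = urlsplit(uri).hostname
        if host in ("127.0.0.1", "localhost", "::1"):
            warnings.append(f"{key} binds to loopback; only reachable on this host")
        elif host == "0.0.0.0":
            warnings.append(f"{key} binds to all interfaces; restrict with a firewall")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_conf(parse_conf(SAMPLE_CONF))
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```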


[graylog2] Re: graylog-web for 2.0

2016-08-03 Thread walderbachjoshua
You must edit your server.conf and:

1. Ensure the web_listen_uri is an IP that is reachable by outside servers, 
unless you only want to access it locally.
2. Same for rest_listen_uri.
3. Ensure the web_listen variable is True.
4. Access the WebUI at http://IPAddress:9000

On Wednesday, August 3, 2016 at 5:47:00 PM UTC-6, sam wrote:
>
> Hi All,
>
> I installed Graylog 2.0 on my box. I don't see any graylog-web for this 
> version. Do we have a graylog-web for this version? If not, can any of you 
> tell me how to access the web interface.
>
> Thank you 
> sam
>



[graylog2] graylog-web for 2.0

2016-08-03 Thread sam
Hi All,

I installed Graylog 2.0 on my box. I don't see any graylog-web for this 
version. Do we have a graylog-web for this version? If not, can any of you 
tell me how to access the web interface.

Thank you 
sam



Re: [graylog2] Graylog Sidecar reports "unable to map property tags"

2016-08-03 Thread Pete GS
Ok, looks like there were some surplus lines in the default 
collector_sidecar.yml file that I hadn't defined.

Now that they've been removed it seems to be working.

Cheers, Pete

On Thursday, 4 August 2016 07:38:20 UTC+10, Pete GS wrote:
>
> Thanks for the reply Marius.
>
> I'm pretty sure I verified the config is pointing to the correct locations 
> but I will revisit and double check everything before going any further.
>
> Cheers, Pete
>
> On Wednesday, 3 August 2016 16:06:34 UTC+10, Marius Sturm wrote:
>>
>> Hi,
>> please create a new issue with all versions (Sidecar and Graylog server) 
>> and some more log lines. This issue should already be fixed but I can take 
>> another look.
>> Did you notice that the installation path on Windows systems changed? It 
>> was installed in \Program Files(x86) even though it's a 64bit binary. Maybe 
>> you still execute the old binary? Try the one in \Program Files to verify.
>>
>> Cheers,
>> Marius
>>
>>
>> On 3 August 2016 at 00:19, Pete GS  wrote:
>>
>>> I seem to be encountering this same issue with 0.0.9-beta-1.
>>>
>>> time="2016-08-03T08:13:26+10:00" level=error msg="[UpdateRegistration] Failed to report collector status to server: PUT http://graylog.lab.melbourneit.com:12900/plugins/org.graylog.plugins.collector/collectors/628a678c-77eb-4aef-96f1-0bde9319cd96: 400 Unable to map property tags.\nKnown properties include: operating_system"
>>>
>>> I'm pretty sure everything is configured correctly and my Graylog 
>>> environment is a fresh one installed two days ago with 2.0.3.
>>>
>>> Do you need me to open a new issue or update the existing issue opened 
>>> by Jeremy?
>>>
>>> Cheers, Pete
>>>
>>> On Monday, 18 July 2016 23:15:31 UTC+10, Jeremy Farr wrote:

>>>> Done.  https://github.com/Graylog2/collector-sidecar/issues/39
>>>>
>>>> On Monday, July 18, 2016 at 3:35:36 AM UTC-5, Marius Sturm wrote:
>>>>>
>>>>> Hi,
>>>>> could you please create an issue for that over here: 
>>>>> https://github.com/Graylog2/collector-sidecar/issues
>>>>> Please add your collector_sidecar.yml file to the ticket.
>>>>>
>>>>> Thanks,
>>>>> Marius
>>>>>
>>>>>
>>>>> On 15 July 2016 at 20:25, Jeremy Farr  wrote:
>>>>>
>>>>>> So I'm using nxlog and I've installed the graylog sidecar.  I'm 
>>>>>> manually starting it with my configuration file so I can monitor it.  
>>>>>> Just after reporting that nxlog is starting it gives a 400 error related to 
>>>>>> the property tags.  I've attached the screen shot. I've changed the tag and 
>>>>>> ensured it's the same as what I've got in the config on the graylog 
>>>>>> side. I am using the alpha release of the collector just FYI.
>>>>>>
>>>>>>
>>>>>> 
>>>>>>
>>>>>
>>>>> -- 
>>>>> Developer
>>>>>
>>>>> Tel.: +49 (0)40 609 452 077
>>>>> Fax.: +49 (0)40 609 452 078
>>>>>
>>>>> TORCH GmbH - A Graylog Company
>>>>> Poolstraße 21
>>>>> 20335 Hamburg
>>>>> Germany
>>>>>
>>>>> https://www.graylog.com 
>>>>>
>>>>> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
>>>>> Geschäftsführer: Lennart Koopmann (CEO)
>>>>>
>


[graylog2] Overall plan for use - comments?

2016-08-03 Thread Linwood Ferguson
I'm struggling a bit to avoid the "just throw logs in and figure out later 
what to do with them" inclination, and trying to plan how the different 
pieces might best be used.

I'd appreciate any comments as to whether this is a good approach.  I even 
have a picture.

My thinking goes like this: 

1) Bring data in and use extractors (mostly grok) to normalize to some set 
of standardized fields, somewhat based on what I can get free from Gelf.  I 
expect this kind of normalization will be a work in progress forever.  Grok 
especially but extractors in general seem easier to use than pipelines for 
normalization.

2) Let everything just stay in the default stream at that point, and feed 
into a set of pipeline rules.

3) Pipelines decide how to map the log messages from the physical origins 
into logical groupings, for example actual device (e.g. hardware or 
similar) events, infrastructure logins to network gear, VPN and similar 
access, web logs (probably of different types), etc.

3A) Garbage messages no one really cares about get dropped here.

3B) Some messages might end up in two places, e.g. we might have certain 
data access streams which are also web or FTP logs.

4) Streams control the alarms.

All wet, or going in the right direction? 


Re: [graylog2] Graylog Sidecar reports "unable to map property tags"

2016-08-03 Thread Pete GS
Thanks for the reply Marius.

I'm pretty sure I verified the config is pointing to the correct locations 
but I will revisit and double check everything before going any further.

Cheers, Pete

On Wednesday, 3 August 2016 16:06:34 UTC+10, Marius Sturm wrote:
>
> Hi,
> please create a new issue with all versions (Sidecar and Graylog server) 
> and some more log lines. This issue should already be fixed but I can take 
> another look.
> Did you notice that the installation path on Windows systems changed? It 
> was installed in \Program Files(x86) even though it's a 64bit binary. Maybe 
> you still execute the old binary? Try the one in \Program Files to verify.
>
> Cheers,
> Marius
>
>
> On 3 August 2016 at 00:19, Pete GS  
> wrote:
>
>> I seem to be encountering this same issue with 0.0.9-beta-1.
>>
>> time="2016-08-03T08:13:26+10:00" level=error msg="[UpdateRegistration] Failed to report collector status to server: PUT http://graylog.lab.melbourneit.com:12900/plugins/org.graylog.plugins.collector/collectors/628a678c-77eb-4aef-96f1-0bde9319cd96: 400 Unable to map property tags.\nKnown properties include: operating_system"
>>
>> I'm pretty sure everything is configured correctly and my Graylog 
>> environment is a fresh one installed two days ago with 2.0.3.
>>
>> Do you need me to open a new issue or update the existing issue opened by 
>> Jeremy?
>>
>> Cheers, Pete
>>
>> On Monday, 18 July 2016 23:15:31 UTC+10, Jeremy Farr wrote:
>>>
>>> Done.  https://github.com/Graylog2/collector-sidecar/issues/39
>>>
>>> On Monday, July 18, 2016 at 3:35:36 AM UTC-5, Marius Sturm wrote:

>>>> Hi,
>>>> could you please create an issue for that over here: 
>>>> https://github.com/Graylog2/collector-sidecar/issues
>>>> Please add your collector_sidecar.yml file to the ticket.
>>>>
>>>> Thanks,
>>>> Marius
>>>>
>>>>
>>>> On 15 July 2016 at 20:25, Jeremy Farr  wrote:
>>>>
>>>>> So I'm using nxlog and I've installed the graylog sidecar.  I'm 
>>>>> manually starting it with my configuration file so I can monitor it.  
>>>>> Just after reporting that nxlog is starting it gives a 400 error related to 
>>>>> the property tags.  I've attached the screen shot. I've changed the tag and 
>>>>> ensured it's the same as what I've got in the config on the graylog side. 
>>>>> I am using the alpha release of the collector just FYI.
>>>>>
>>>>>
>>>>> 
>>>>>


[graylog2] Parsing incoming log messages

2016-08-03 Thread walderbachjoshua
An example log entry is: 

{"datetime":"2016-08-03T18:47:45.2747784Z","level":"Debug","name":"Platform.Data.InstanceProvider","message":"InstanceProvider(ce553f62-f207-41db-aa3d-6d3f74b18df4) returned the cached instance.", "requesterIp":"","threadid":"32"}

And the entire thing is put under the message field.  I want fields for 
Date, Level, Name, Message, RequesterIp, and Threadid.  I see that I cannot 
cut from the message so I've tried GROK parsing with copy.

%{YEAR}[-]%{MONTHNUM2}[-]%{MONTHDAY}[T]%{HOUR}[:]%{MINUTE}[:]%{SECOND}

but I cannot get beyond that.  I've tried continuing with 
[,]%{WORD:name}[,]%{WORD:message}

but it fails.  Any suggestions on how I can continue on for the remaining 
fields?  Or is GROK not the optimal way to parse?

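
Since the entry in the post is itself a JSON document, decoding it as JSON yields every requested field at once, which is where a grok pattern like the one above struggles. The following is an added example (not code from the post or from the Graylog project); the syslog-style prefix and the field names chosen for the output are assumptions.

```python
"""Pull the JSON document out of a Graylog message field.

Added example, not from the post or the Graylog project.  The log entry
in the post is a JSON object, so decoding it as JSON gives every field
at once; a grok pattern has to fight the quoting and the dots in values
such as "Platform.Data.InstanceProvider".
"""
import json
import re
from datetime import datetime, timezone

# The entry from the post, rejoined onto one line (constructed sample).
SAMPLE = ('{"datetime":"2016-08-03T18:47:45.2747784Z","level":"Debug","name":'
          '"Platform.Data.InstanceProvider","message":"InstanceProvider('
          'ce553f62-f207-41db-aa3d-6d3f74b18df4) returned the cached instance.",'
          ' "requesterIp":"","threadid":"32"}')

# The same entry behind a syslog-style prefix, as it would arrive when the
# application writes its JSON lines to syslog (constructed, assumed format).
SAMPLE_WITH_PREFIX = "Aug  3 18:47:45 app01 platform[4242]: " + SAMPLE

# strict=False tolerates raw newlines inside strings, which mail clients
# and some shippers insert when wrapping long messages.
_DECODER = json.JSONDecoder(strict=False)


def extract_json(message):
    """Return the first JSON object embedded in message, or None."""
    start = message.find("{")
    while start != -1:
        try:
            obj, _end = _DECODER.raw_decode(message, start)
            if isinstance(obj, dict):
                return obj
        except json.JSONDecodeError:
            pass
        start = message.find("{", start + 1)
    return None


def parse_timestamp(value):
    """Parse a UTC timestamp whose fraction may have 7 digits (.NET style)."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unexpected timestamp: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def parse_entry(message):
    """Map the embedded JSON onto the fields the post asks for."""
    obj = extract_json(message)
    if obj is None:
        raise ValueError("no JSON object in message")
    return {
        "date": parse_timestamp(obj["datetime"]),
        "level": obj.get("level"),
        "name": obj.get("name"),
        "message": obj.get("message"),
        # An empty requesterIp should not become an empty-string field.
        "requester_ip": obj.get("requesterIp") or None,
        "threadid": int(obj["threadid"]) if obj.get("threadid") else None,
    }


def grok_word(text):
    """What grok's %{WORD} (\\b\\w+\\b) would capture from text."""
    m = re.search(r"\b\w+\b", text)
    return m.group(0) if m else None


if __name__ == "__main__":
    print(parse_entry(SAMPLE_WITH_PREFIX))
    # %{WORD:name} stops at the first dot, so it never captures the full name.
    print(grok_word('"Platform.Data.InstanceProvider"'))
```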


[graylog2] Re: Source name is IP instead of DNS

2016-08-03 Thread walderbachjoshua
My apologies, I misread your question.  I assume you are not using NXLog to 
send logs over but rather using a syslog conf.  I haven't figured that out 
yet.

On Wednesday, August 3, 2016 at 12:47:04 PM UTC-6, Marvin Popyk wrote:
>
> Thanks for the recommendation but where is the location of that file in 
> Ubuntu?
>
> On Tuesday, August 2, 2016 at 11:47:34 PM UTC-4, walderba...@gmail.com 
> wrote:
>>
>> Hello,
>>
>> I added 
>>
>> $Hostname = 'hostnamehere';
>>
>> inside the  ...  within my nxlog.conf file.  
>>
>>
>> On Tuesday, August 2, 2016 at 9:31:41 AM UTC-6, Marvin Popyk wrote:
>>>
>>> Hello,
>>>
>>> We just installed Graylog and are getting logs from a bunch of Linux 
>>> Ubuntu 14.04 machines.  However, under source, it is giving the IP address 
>>> instead of the DNS or hostname.  I've installed the DNS resolver plugin but 
>>> I can't seem to get that working either.  
>>>
>>> Any idea how I can get graylog to post the hostname instead of IP 
>>> address? 
>>>
>>> Thanks
>>>
>>



Re: [graylog2] UDP Debugging

2016-08-03 Thread David Arnold
I'm inclined to think that haproxy 1.5 just cannot do UDP:
http://stackoverflow.com/questions/31255780/udp-traffic-with-iperf-for-haproxy

Also interesting: https://news.ycombinator.com/item?id=9409034

On Wednesday, August 3, 2016 at 11:23:19 AM UTC-5, David Arnold wrote:
>
> docker exec -ti 18f6134ac0f9 bash # Graylog Server Instance
> apt-get update && apt-get install -y netcat
> echo -n '{"version": "1.1", "host": "example.org", "short_message": "A 
> short message that helps you identify what is going on", "full_message": 
> "Backtrace here\n\nmore stuff", "timestamp": 1385053862.3072, "level": 1, 
> "_user_id": 9001, "_some_info": "foo", "_some_env_var": "bar"}' | nc -u -q1 
> localhost 12201
>
> Ok, now, with this call I get at least visible throughput in graylog.
> Things which still generate no throughput:
> On the load balancer instance:
> docker exec -ti f396598155a6 bash # Rancher Network Agent (= Haproxy Load 
> Balancer instance)
> apt-get update && apt-get install -y netcat
>
> echo -n '...' | nc -u -q1 192.168.0.9 12201 # Local Machine IP, goes 
> through docker-for-windows port exposure mechanisms
>
> echo -n '...' | nc -u -q1 172.17.0.2 12201 # Docker Host IP, bypassing 
> host machine, only using internal docker network
>
> echo -n '...' | nc -u -q1 192.168.0.9 12201 # Local Machine IP, goes 
> through docker-for-windows port exposure mechanisms
>
> echo -n '...' | nc -u -q1 10.42.248.237 12201 # IP of Loadbalancer in 
> Rancher's Internal Network (Overlay)
>
> Hooray, got the culprit!
> This works:
> echo -n '...' | nc -u -q1 10.42.218.111 12201 # IP of Graylog Server 
> within Rancher's Internal Network
>
> On Wednesday, August 3, 2016 at 10:58:30 AM UTC-5, David Arnold wrote:
>>
>> Hi Marius,
>>
>> thanks a lot. I should be more knowledgeable on this. I changed it, yet 
>> still there is silence. Actually, what happened is that I started with the 
>> correct setting and as things showed not to be working I tried random 
>> changes to put some entropy in the case.
>>
>> Isn't there a way I can verify that graylog would receive a UDP 
>> message from localhost (within the container) to systematically isolate the 
>> failure? 
>>
>> Best, David
>>
>> On Wednesday, August 3, 2016 at 2:17:52 AM UTC-5, Marius Sturm wrote:
>>>
>>> Hi,
>>> your 'gelf-address' looks odd. To get the Docker logging driver working 
>>> start a UDP GELF input on the server side and use an address like udp://
>>> 192.168.0.9:12201 on the container. Something like /gelf only exists in 
>>> an HTTP context, which is not used in this case.
>>>
>>> Cheers,
>>> Marius
>>>  
>>>
>>> On 3 August 2016 at 08:46, David Arnold  wrote:
>>>
>>>> Hi 
>>>> I have the following docker-compose file, on top of docker-for-windows 
>>>> 0.12 and rancher:
>>>> elasticsearch:
>>>>   command: elasticsearch -Des.cluster.name='graylog'
>>>>   image: elasticsearch:2
>>>>   volumes: ['graylog-elst:/usr/share/elasticsearch/data']
>>>> graylog:
>>>>   environment: {GRAYLOG_PASSWORD_SECRET: '${graylog_secret}', 
>>>> GRAYLOG_REST_TRANSPORT_URI: 'http://${graylog_fqdn}:12900',
>>>> GRAYLOG_ROOT_PASSWORD_SHA2: '${graylog_password}'}
>>>>   image: graylog2/server:2.1.0-beta.2-1
>>>>   labels: {io.rancher.container.hostname_override: container_name}
>>>>   links: ['mongodb:mongo', 'elasticsearch:elasticsearch']
>>>>   restart: always
>>>>   expose: ['12201/udp']
>>>>   volumes: ['graylog-data:/usr/share/graylog/data']
>>>> lb:
>>>>   image: rancher/load-balancer-service
>>>>   labels: {io.rancher.scheduler.global: 'true'}
>>>>   links: ['graylog:graylog']
>>>>   ports: ['9000:9000', '12900:12900', '12201:12201/udp', '12202:12202']
>>>>   restart: always
>>>> mongodb:
>>>>   image: mongo:3
>>>>   labels: {io.rancher.container.hostname_override: container_name}
>>>>   volumes: ['graylog-mngo:/data/db']
>>>>
>>>>
>>>> lb is rancher's haproxy 1.5 loadbalancer. From my machine I can happily 
>>>> do:
>>>>
>>>> curl -XPOST http://192.168.0.9:12202/gelf -p0 -d 
>>>> '{"short_message":"Hello there 2", "host":"example.org", 
>>>> "facility":"test", "_foo":"bar"}'
>>>>
>>>> and hooray, everything as expected.
>>>>
>>>> Now I start another container with 
>>>>
>>>> gelf-address=udp://192.168.0.9:12201/gelf
>>>>
>>>> Yet, there is an unbearable silence all over the place.
>>>>
>>>> I really don't know quite well how to debug and see if graylog is 
>>>> accepting as expected.
>>>> So here is the question:
>>>>
>>>> What can I do to enter the graylog docker and test the UDP Input?
>>>>
>>>> I can't enter the moby linux VM (docker-for-windows has blocked the 
>>>> access), but I can do those kind of stuff on localhost or from within a 
>>>> peer container as well.
>>>>
>>>> Thanks for any help. I hit the point where I don't advance by myself 
>>>> anymore.
>>>>

[graylog2] Re: Source name is IP instead of DNS

2016-08-03 Thread Marvin Popyk
Thanks for the recommendation but where is the location of that file in 
Ubuntu?

On Tuesday, August 2, 2016 at 11:47:34 PM UTC-4, walderba...@gmail.com 
wrote:
>
> Hello,
>
> I added 
>
> $Hostname = 'hostnamehere';
>
> inside the  ...  within my nxlog.conf file.  
>
>
> On Tuesday, August 2, 2016 at 9:31:41 AM UTC-6, Marvin Popyk wrote:
>>
>> Hello,
>>
>> We just installed Graylog and are getting logs from a bunch of Linux 
>> Ubuntu 14.04 machines.  However, under source, it is giving the IP address 
>> instead of the DNS or hostname.  I've installed the DNS resolver plugin but 
>> I can't seem to get that working either.  
>>
>> Any idea how I can get graylog to post the hostname instead of IP 
>> address? 
>>
>> Thanks
>>
>



Re: [graylog2] UDP Debugging

2016-08-03 Thread David Arnold
docker exec -ti 18f6134ac0f9 bash # Graylog Server Instance
apt-get update && apt-get install -y netcat
echo -n '{"version": "1.1", "host": "example.org", "short_message": "A 
short message that helps you identify what is going on", "full_message": 
"Backtrace here\n\nmore stuff", "timestamp": 1385053862.3072, "level": 1, 
"_user_id": 9001, "_some_info": "foo", "_some_env_var": "bar"}' | nc -u -q1 
localhost 12201

Ok, now, with this call I get at least visible throughput in graylog.
Things which still generate no throughput:
On the load balancer instance:
docker exec -ti f396598155a6 bash # Rancher Network Agent (= Haproxy Load 
Balancer instance)
apt-get update && apt-get install -y netcat

echo -n '...' | nc -u -q1 192.168.0.9 12201 # Local Machine IP, goes 
through docker-for-windows port exposure mechanisms

echo -n '...' | nc -u -q1 172.17.0.2 12201 # Docker Host IP, bypassing host 
machine, only using internal docker network

echo -n '...' | nc -u -q1 192.168.0.9 12201 # Local Machine IP, goes 
through docker-for-windows port exposure mechanisms

echo -n '...' | nc -u -q1 10.42.248.237 12201 # IP of Loadbalancer in 
Rancher's Internal Network (Overlay)

Hooray, got the culprit!
This works:
echo -n '...' | nc -u -q1 10.42.218.111 12201 # IP of Graylog Server within 
Rancher's Internal Network

On Wednesday, August 3, 2016 at 10:58:30 AM UTC-5, David Arnold wrote:
>
> Hi Marius,
>
> thanks a lot. I should be more knowledgeable on this. I changed it, yet 
> still there is silence. Actually, what happened is that I started with the 
> correct setting and as things showed not to be working I tried random 
> changes to put some entropy in the case.
>
> Isn't there a way I can verify that graylog would receive a UDP 
> message from localhost (within the container) to systematically isolate the 
> failure? 
>
> Best, David
>
> On Wednesday, August 3, 2016 at 2:17:52 AM UTC-5, Marius Sturm wrote:
>>
>> Hi,
>> your 'gelf-address' looks odd. To get the Docker logging driver working 
>> start a UDP GELF input on the server side and use an address like udp://
>> 192.168.0.9:12201 on the container. Something like /gelf only exists in 
>> an HTTP context, which is not used in this case.
>>
>> Cheers,
>> Marius
>>  
>>
>> On 3 August 2016 at 08:46, David Arnold  wrote:
>>
>>> Hi 
>>> I have the following docker-compose file, on top of docker-for-windows 
>>> 0.12 and rancher:
>>> elasticsearch:
>>>   command: elasticsearch -Des.cluster.name='graylog'
>>>   image: elasticsearch:2
>>>   volumes: ['graylog-elst:/usr/share/elasticsearch/data']
>>> graylog:
>>>   environment: {GRAYLOG_PASSWORD_SECRET: '${graylog_secret}', 
>>> GRAYLOG_REST_TRANSPORT_URI: 'http://${graylog_fqdn}:12900',
>>> GRAYLOG_ROOT_PASSWORD_SHA2: '${graylog_password}'}
>>>   image: graylog2/server:2.1.0-beta.2-1
>>>   labels: {io.rancher.container.hostname_override: container_name}
>>>   links: ['mongodb:mongo', 'elasticsearch:elasticsearch']
>>>   restart: always
>>>   expose: ['12201/udp']
>>>   volumes: ['graylog-data:/usr/share/graylog/data']
>>> lb:
>>>   image: rancher/load-balancer-service
>>>   labels: {io.rancher.scheduler.global: 'true'}
>>>   links: ['graylog:graylog']
>>>   ports: ['9000:9000', '12900:12900', '12201:12201/udp', '12202:12202']
>>>   restart: always
>>> mongodb:
>>>   image: mongo:3
>>>   labels: {io.rancher.container.hostname_override: container_name}
>>>   volumes: ['graylog-mngo:/data/db']
>>>
>>>
>>> lb is rancher's haproxy 1.5 loadbalancer. From my machine I can happily 
>>> do:
>>>
>>> curl -XPOST http://192.168.0.9:12202/gelf -p0 -d 
>>> '{"short_message":"Hello there 2", "host":"example.org", 
>>> "facility":"test", "_foo":"bar"}'
>>>
>>> and hooray, everything as expected.
>>>
>>> Now I start another container with 
>>>
>>> gelf-address=udp://192.168.0.9:12201/gelf
>>>
>>> Yet, there is an unbearable silence all over the place.
>>>
>>> I really don't know quite well how to debug and see if graylog is 
>>> accepting as expected.
>>> So here is the question:
>>>
>>> What can I do to enter the graylog docker and test the UDP Input?
>>>
>>> I can't enter the moby linux VM (docker-for-windows has blocked the access), 
>>> but I can do those kind of stuff on localhost or from within a peer 
>>> container as well.
>>>
>>> Thanks for any help. I hit the point where I don't advance by myself 
>>> anymore.
>>>
>>>
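
To verify that a GELF datagram reaches a UDP port without going through Graylog at all, here is an added example (not code from the thread or from the Graylog project): it decodes the datagram encodings a GELF UDP input accepts, checks the fields the GELF 1.1 payload requires, and sends the message quoted above to a local UDP socket. The loopback address and port 12201 are assumptions.

```python
"""Decode and check GELF datagrams, and send one to yourself to verify.

Added example, not from the thread or the Graylog project.  It handles the
datagram encodings a GELF UDP input accepts (plain JSON, gzip, zlib) and
recognises the chunked-GELF magic bytes, which need reassembly first.
"""
import gzip
import json
import socket
import zlib

# The message from the thread, as a dict (constructed copy).
SAMPLE_MSG = {
    "version": "1.1", "host": "example.org",
    "short_message": "A short message that helps you identify what is going on",
    "full_message": "Backtrace here\n\nmore stuff",
    "timestamp": 1385053862.3072, "level": 1,
    "_user_id": 9001, "_some_info": "foo", "_some_env_var": "bar",
}

GZIP_MAGIC = b"\x1f\x8b"
CHUNK_MAGIC = b"\x1e\x0f"
STANDARD_FIELDS = {"version", "host", "short_message", "full_message",
                   "timestamp", "level", "facility", "line", "file"}


def encode_gelf(msg, compression=None):
    """Serialise msg as a sender would; compression in (None, 'gzip', 'zlib')."""
    raw = json.dumps(msg).encode("utf-8")
    if compression == "gzip":
        return gzip.compress(raw)
    if compression == "zlib":
        return zlib.compress(raw)
    return raw


def decode_gelf(datagram):
    """Return the JSON object carried by one datagram, whatever its encoding."""
    if datagram[:2] == CHUNK_MAGIC:
        raise ValueError("chunked GELF datagram: reassemble chunks before decoding")
    if datagram[:2] == GZIP_MAGIC:
        datagram = gzip.decompress(datagram)
    elif datagram[:1] == b"\x78":          # zlib stream header; JSON starts with '{'
        datagram = zlib.decompress(datagram)
    return json.loads(datagram.decode("utf-8"))


def validate_gelf(msg):
    """List the ways msg departs from the GELF 1.1 payload rules."""
    problems = []
    if msg.get("version") != "1.1":
        problems.append("version must be '1.1'")
    for key in ("host", "short_message"):
        if not isinstance(msg.get(key), str) or not msg[key]:
            problems.append(f"{key} is required")
    for key in msg:
        if key not in STANDARD_FIELDS and not key.startswith("_"):
            problems.append(f"additional field {key!r} must start with '_'")
        if key == "_id":
            problems.append("_id is reserved and will be dropped")
    return problems


def loopback_probe(port=12201, msg=SAMPLE_MSG, compression=None):
    """Bind a UDP socket on 127.0.0.1, send msg to it, and decode what arrives.

    Run with the Graylog input stopped (the port must be free).  If this
    works but Graylog sees nothing, the problem is between sender and port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", port))
        rx.settimeout(2)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(encode_gelf(msg, compression), ("127.0.0.1", port))
        received, _addr = rx.recvfrom(65535)
    return decode_gelf(received)


if __name__ == "__main__":
    got = loopback_probe()
    print("received:", got["short_message"], "| problems:", validate_gelf(got))
```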

Re: [graylog2] Re: Graylog _Encryption

2016-08-03 Thread Siju Tharakan
Thank you Jochen.

On Aug 3, 2016 8:57 PM, "Jochen Schalanda"  wrote:

> Hi,
>
> the received log messages are being indexed into Elasticsearch which
> doesn't encrypt them by default. The best you can do is to use an encrypted
> storage device for Elasticsearch indices.
>
> Cheers,
> Jochen
>
> On Wednesday, 3 August 2016 17:10:28 UTC+2, Siju Tharakan wrote:
>>
>> Syslog received from PC or devices.
>
>



Re: [graylog2] Re: stuck to install graylog to our VPS Linux CentOS 6

2016-08-03 Thread Lam Do
Jochen,

It sounds good to me. I will start to work on it tomorrow. Thanks a lot for
your help, I really appreciate it.

Best Regards,
Lam Do

Sent from mobile device.

On Aug 3, 2016 10:25 PM, "Jochen Schalanda"  wrote:

> Hi Luke,
>
> I'd recommend following the official documentation, which is always
> up-to-date, instead of some 3rd party blog posts:
> http://docs.graylog.org/en/2.0/pages/installation/os/centos.html
>
> The steps to install Graylog on CentOS 6 are fairly similar. You'll have
> to use SysV init scripts instead of systemd but except for that, it should
> be the same.
>
> Cheers,
> Jochen
>
> On Wednesday, 3 August 2016 16:23:49 UTC+2, Lam Do wrote:
>>
>> Hi Jochen,
>>
>> Now it makes sense to me because I installed the latest repository,
>> Graylog 2.0. And the documentation explains the steps for CentOS 7 while my
>> VPS is CentOS 6, so I googled some other articles and those mention
>> graylog-web but probably for Graylog 1.x. Others are for Graylog 2 with
>> CentOS 6 and mention graylog-web too, for example
>> http://www.richardyau.com/?p=377
>> 
>> Is it a good article to follow?
>>
>> Based on your suggestions,  it sounds to me to follow again the steps
>> from Graylog 2.0 documentation. Does Centos6 have the same steps with
>> Centos7?
>>
>> Thanks for your help,
>>
>> Best Regards,
>> Lam Do
>>
>



Re: [graylog2] UDP Debugging

2016-08-03 Thread Marius Sturm
Hi,
you could use tcpdump or wireshark to look into the network stream and
check if there are packets arriving on the Graylog server.
Something like this should do it: sudo tcpdump -vv -i eth0 -n udp dst port 12201

On 3 August 2016 at 17:58, David Arnold  wrote:

> Hi Marius,
>
> thanks a lot. I should have been more knowledgeable on this. I changed it, yet
> still there is silence. Actually, what happened is, that I started with the
> correct setting and as things showed not to be working I tried random
> changes to put some entropy in the case.
>
> Isn't there a way I can verify that graylog would receive a UDP
> message from localhost (within the container) to systematically isolate the
> failure?
>
> Best, David
>
> On Wednesday, August 3, 2016 at 2:17:52 AM UTC-5, Marius Sturm wrote:
>>
>> Hi,
>> your 'gelf-address' looks odd. To get the Docker logging driver working
>> start a UDP GELF input on the server side and use an address like
>> udp://192.168.0.9:12201 on the container. Something like /gelf only exists in
>> an HTTP context, which is not used in this case.
>>
>> Cheers,
>> Marius
>>
>>
>> On 3 August 2016 at 08:46, David Arnold  wrote:
>>
>>> Hi
>>> I have the following docker-compose file, on top of docker-for-windows
>>> 0.12 and rancher:
>>> elasticsearch:
>>>   command: elasticsearch -Des.cluster.name='graylog'
>>>   image: elasticsearch:2
>>>   volumes: ['graylog-elst:/usr/share/elasticsearch/data']
>>> graylog:
>>>   environment: {GRAYLOG_PASSWORD_SECRET: '${graylog_secret}',
>>> GRAYLOG_REST_TRANSPORT_URI: 'http://${graylog_fqdn}:12900',
>>> GRAYLOG_ROOT_PASSWORD_SHA2: '${graylog_password}'}
>>>   image: graylog2/server:2.1.0-beta.2-1
>>>   labels: {io.rancher.container.hostname_override: container_name}
>>>   links: ['mongodb:mongo', 'elasticsearch:elasticsearch']
>>>   restart: always
>>>   expose: ['12201/udp']
>>>   volumes: ['graylog-data:/usr/share/graylog/data']
>>> lb:
>>>   image: rancher/load-balancer-service
>>>   labels: {io.rancher.scheduler.global: 'true'}
>>>   links: ['graylog:graylog']
>>>   ports: ['9000:9000', '12900:12900', '12201:12201/udp', '12202:12202']
>>>   restart: always
>>> mongodb:
>>>   image: mongo:3
>>>   labels: {io.rancher.container.hostname_override: container_name}
>>>   volumes: ['graylog-mngo:/data/db']
>>>
>>>
>>> lb is rancher's haproxy 1.5 loadbalancer. From my machine I can happily
>>> do:
>>>
>>> curl -XPOST http://192.168.0.9:12202/gelf -p0 -d
>>> '{"short_message":"Hello there 2", "host":"example.org",
>>> "facility":"test", "_foo":"bar"}'
>>>
>>> and hooray, everything as expected.
>>>
>>> Now I start another container with
>>>
>>> gelf-address=udp://192.168.0.9:12201/gelf
>>>
>>> Yet, there is an unbearable silence all over the place.
>>>
>>> I really don't know quite well how to debug and see if graylog is
>>> accepting as expected.
>>> So here is the question:
>>>
>>> What can I do to enter the graylog docker and test the UDP Input?
>>>
>>> I can't enter moby linux VM (docker-for-windows has blocked the access),
>>> but I can do those kind of stuff on localhost or from within a peer
>>> container as well.
>>>
>>> Thanks for any help. I hit the point where I don't advance by myself
>>> anymore.
>>>
>>
>>
>>
>> --
>> Developer
>>
>> Tel.: +49 (0)40 609 452 077
>> Fax.: +49 (0)40 609 452 078
>>
>> TORCH GmbH - A Graylog Company
>> Poolstraße 21
>> 20335 Hamburg
>> Germany
>>
>> https://www.graylog.com 
>>
>> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
>> Geschäftsführer: Lennart Koopmann (CEO)
>>




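A concrete way to do the systematic check David asks for, added here as an example and not code from the thread or from the Graylog project: the script builds a GELF 1.1 message the way the Docker gelf driver does (JSON, gzip, chunked once it exceeds one datagram), sends it to the input over UDP, and decodes datagrams captured with the tcpdump command above, so a silent drop can be narrowed down to either the network path or the message format. Run it from the Graylog host or a peer container against the graylog container's own address: the compose file quoted above publishes 12201/udp only on the Rancher load balancer, and HAProxy 1.5 proxies TCP, not UDP, so datagrams sent to the lb address never reach the input even though the HTTP test on 12202 succeeds. The address 192.168.0.9:12201 and the field names are assumptions taken from the thread.

```python
"""Build, send and decode GELF UDP datagrams to test a Graylog GELF UDP input.
Added example for this thread, not Graylog project code. The target address in
main() is an assumption taken from the thread; point it at your own input."""
import gzip
import json
import os
import socket
import struct
import time
import zlib

GELF_CHUNK_MAGIC = b"\x1e\x0f"  # first two bytes of every chunk datagram
GZIP_MAGIC = b"\x1f\x8b"
ZLIB_FIRST_BYTE = b"\x78"
CHUNK_HEADER_LEN = 12           # magic(2) + message id(8) + seq no(1) + seq count(1)
MAX_CHUNKS = 128                # GELF hard limit; Graylog drops anything larger
DEFAULT_CHUNK_DATA = 1420       # data bytes per chunk, keeps the datagram under a 1500-byte MTU


def build_gelf_message(short_message, host, timestamp=None, level=6, **extra):
    """Return a GELF 1.1 document as UTF-8 JSON; extra fields get the required '_' prefix."""
    doc = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": time.time() if timestamp is None else timestamp, "level": level}
    for key, value in extra.items():
        name = "_" + key.lstrip("_")
        if name == "_id":
            raise ValueError("_id is reserved by the GELF spec")
        doc[name] = value
    return json.dumps(doc).encode("utf-8")


def chunk_payload(payload, chunk_data=DEFAULT_CHUNK_DATA, message_id=None):
    """Split a payload into GELF chunk datagrams; a payload that fits is returned as [payload].

    Every chunk carries the same 8-byte message id, its sequence number and the
    total count; that is all Graylog has to reassemble the message."""
    if len(payload) <= chunk_data:
        return [payload]
    pieces = [payload[i:i + chunk_data] for i in range(0, len(payload), chunk_data)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError("needs %d chunks, GELF allows at most %d" % (len(pieces), MAX_CHUNKS))
    if message_id is None:
        message_id = os.urandom(8)
    return [GELF_CHUNK_MAGIC + message_id + struct.pack("BB", seq, len(pieces)) + piece
            for seq, piece in enumerate(pieces)]


def build_datagrams(short_message, host, compress=True, chunk_data=DEFAULT_CHUNK_DATA,
                    message_id=None, **extra):
    """JSON, then optional gzip, then chunking: the order the Docker gelf driver uses."""
    payload = build_gelf_message(short_message, host, **extra)
    if compress:
        payload = gzip.compress(payload)
    return chunk_payload(payload, chunk_data, message_id)


def parse_chunk(datagram):
    """Decode one datagram's framing the way the Graylog input does."""
    if datagram[:2] == GELF_CHUNK_MAGIC:
        seq, count = struct.unpack("BB", datagram[10:12])
        return {"chunked": True, "message_id": datagram[2:10], "seq": seq,
                "count": count, "data": datagram[CHUNK_HEADER_LEN:]}
    return {"chunked": False, "data": datagram}


def decompress(payload):
    """Graylog sniffs gzip/zlib/plain from the leading bytes; do the same."""
    if payload[:2] == GZIP_MAGIC:
        return gzip.decompress(payload)
    if payload[:1] == ZLIB_FIRST_BYTE:
        return zlib.decompress(payload)
    return payload


def reassemble(datagrams):
    """Rebuild one GELF document from its datagrams, in any order.

    Raises ValueError on a mixed or incomplete chunk set, which is what a captured
    but silently dropped message usually turns out to be."""
    parsed = [parse_chunk(d) for d in datagrams]
    if not parsed[0]["chunked"]:
        if len(parsed) != 1:
            raise ValueError("an unchunked message is exactly one datagram")
        return json.loads(decompress(parsed[0]["data"]).decode("utf-8"))
    ids = {p["message_id"] for p in parsed}
    seqs = sorted(p["seq"] for p in parsed)
    if len(ids) != 1 or {p["count"] for p in parsed} != {len(parsed)} or seqs != list(range(len(parsed))):
        raise ValueError("mixed or incomplete chunk set")
    body = b"".join(p["data"] for p in sorted(parsed, key=lambda p: p["seq"]))
    return json.loads(decompress(body).decode("utf-8"))


def send_gelf(host, port, short_message, source, compress=True, **extra):
    """Send one message over UDP; returns the number of datagrams sent."""
    datagrams = build_datagrams(short_message, source, compress, **extra)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for datagram in datagrams:
            sock.sendto(datagram, (host, port))
    return len(datagrams)


if __name__ == "__main__":
    # Assumed target: the graylog container's address, not the lb service.
    n = send_gelf("192.168.0.9", 12201, "GELF UDP test", "example.org",
                  facility="test", foo="bar")
    print("sent %d datagram(s)" % n)
```

If the tcpdump above shows the datagrams arriving on the host but the message never shows up in Graylog, feed the captured payload bytes to reassemble(): a ValueError there means chunks are missing or mixed, a JSON error means the body was not what the input expects, and a clean document means the packets are simply not being delivered to the container that owns the input.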
Re: [graylog2] UDP Debugging

2016-08-03 Thread David Arnold
Hi Marius,

thanks a lot. I should have been more knowledgeable on this. I changed it, yet 
still there is silence. Actually, what happened is, that I started with the 
correct setting and as things showed not to be working I tried random 
changes to put some entropy in the case.

Isn't there a way I can verify that graylog would receive a UDP 
message from localhost (within the container) to systematically isolate the 
failure? 

Best, David

On Wednesday, August 3, 2016 at 2:17:52 AM UTC-5, Marius Sturm wrote:
>
> Hi,
> your 'gelf-address' looks odd. To get the Docker logging driver working 
> start a UDP GELF input on the server side and use an address like 
> udp://192.168.0.9:12201 on the container. Something like /gelf only exists in 
> an HTTP context, which is not used in this case.
>
> Cheers,
> Marius
>  
>
> On 3 August 2016 at 08:46, David Arnold  
> wrote:
>
>> Hi 
>> I have the following docker-compose file, on top of docker-for-windows 
>> 0.12 and rancher:
>> elasticsearch:
>>   command: elasticsearch -Des.cluster.name='graylog'
>>   image: elasticsearch:2
>>   volumes: ['graylog-elst:/usr/share/elasticsearch/data']
>> graylog:
>>   environment: {GRAYLOG_PASSWORD_SECRET: '${graylog_secret}', 
>> GRAYLOG_REST_TRANSPORT_URI: 'http://${graylog_fqdn}:12900',
>> GRAYLOG_ROOT_PASSWORD_SHA2: '${graylog_password}'}
>>   image: graylog2/server:2.1.0-beta.2-1
>>   labels: {io.rancher.container.hostname_override: container_name}
>>   links: ['mongodb:mongo', 'elasticsearch:elasticsearch']
>>   restart: always
>>   expose: ['12201/udp']
>>   volumes: ['graylog-data:/usr/share/graylog/data']
>> lb:
>>   image: rancher/load-balancer-service
>>   labels: {io.rancher.scheduler.global: 'true'}
>>   links: ['graylog:graylog']
>>   ports: ['9000:9000', '12900:12900', '12201:12201/udp', '12202:12202']
>>   restart: always
>> mongodb:
>>   image: mongo:3
>>   labels: {io.rancher.container.hostname_override: container_name}
>>   volumes: ['graylog-mngo:/data/db']
>>
>>
>> lb is rancher's haproxy 1.5 loadbalancer. From my machine I can happily 
>> do:
>>
>> curl -XPOST http://192.168.0.9:12202/gelf -p0 -d 
>> '{"short_message":"Hello there 2", "host":"example.org", 
>> "facility":"test", "_foo":"bar"}'
>>
>> and hooray, everything as expected.
>>
>> Now I start another container with 
>>
>> gelf-address=udp://192.168.0.9:12201/gelf
>>
>> Yet, there is an unbearable silence all over the place.
>>
>> I really don't know quite well how to debug and see if graylog is 
>> accepting as expected.
>> So here is the question:
>>
>> What can I do to enter the graylog docker and test the UDP Input?
>>
>> I can't enter moby linux VM (docker-for-windows has blocked the access), 
>> but I can do those kind of stuff on localhost or from within a peer 
>> container as well.
>>
>> Thanks for any help. I hit the point where I don't advance by myself 
>> anymore.
>>



[graylog2] Re: Add Elastic Search Nodes?

2016-08-03 Thread Nathan Mace
I'm going to try it with a fresh install.  Thanks for your help anyway.

Nathan

On Wednesday, August 3, 2016 at 11:29:40 AM UTC-4, Jochen Schalanda wrote:
>
> Hi Nathan,
>
> I'm not going to debug your Elasticsearch setup. Maybe starting over in a 
> fresh VM makes sense.
>
> Usually, the default config file location is 
> /etc/elasticsearch/elasticsearch.yml (see 
> https://www.elastic.co/guide/en/elasticsearch/reference/2.3/setup-dir-layout.html#_deb_and_rpm)
> and this reproducibly works for me.
>
> Cheers,
> Jochen
>
> On Wednesday, 3 August 2016 16:50:40 UTC+2, Nathan Mace wrote:
>>
>> I previously removed the leading whitespaces, it didn't make any 
>> difference.
>>
>> I installed ES from the steps listed in the Graylog documentation for 
>> CentOS.  It was installed via RPM.
>>
>> Per the init script, it's pulling the /etc/elasticsearch/ folder for the 
>> configuration location.  Which is where the elasticsearch.yml file I'm 
>> editing is located.  That is also the only elasticsearch.yml on the system, 
>> and other settings I've edited there previously did take effect.
>>
>> At this point, it's tempting to just blow away the VM and rebuild it from 
>> scratch.  But it's really frustrating.  If I run into weird problems like 
>> this, is it something I want to deal with in a production setting?
>>
>> Nathan
>>
>> On Wednesday, August 3, 2016 at 10:18:15 AM UTC-4, Jochen Schalanda wrote:
>>>
>>> Hi Nathan,
>>>
>>> On Wednesday, 3 August 2016 16:10:55 UTC+2, Nathan Mace wrote:

 I'm editing /etc/elasticsearch/elasticsearch.yml.  That has to be the 
 correct file, right?  I mean, node 2 doesn't have anything installed 
 besides ElasticSearch, so what other config file would there be to edit?

>>>
>>> This totally depends on how you've installed Elasticsearch and how 
>>> you're starting it. The command line used to start ES might give some hints 
>>> (check `ps -ef | grep java` for the Elasticsearch processes).
>>>
>>> If you haven't removed the leading whitespace in your Elasticsearch 
>>> configuration files yet, this would be a good chance. Just to make sure…
>>>
>>> Cheers,
>>> Jochen
>>>
>>



[graylog2] Re: Add Elastic Search Nodes?

2016-08-03 Thread Jochen Schalanda
Hi Nathan,

I'm not going to debug your Elasticsearch setup. Maybe starting over in a 
fresh VM makes sense.

Usually, the default config file location is 
/etc/elasticsearch/elasticsearch.yml (see 
https://www.elastic.co/guide/en/elasticsearch/reference/2.3/setup-dir-layout.html#_deb_and_rpm)
and this reproducibly works for me.

Cheers,
Jochen

On Wednesday, 3 August 2016 16:50:40 UTC+2, Nathan Mace wrote:
>
> I previously removed the leading whitespaces, it didn't make any 
> difference.
>
> I installed ES from the steps listed in the Graylog documentation for 
> CentOS.  It was installed via RPM.
>
> Per the init script, it's pulling the /etc/elasticsearch/ folder for the 
> configuration location.  Which is where the elasticsearch.yml file I'm 
> editing is located.  That is also the only elasticsearch.yml on the system, 
> and other settings I've edited there previously did take effect.
>
> At this point, it's tempting to just blow away the VM and rebuild it from 
> scratch.  But it's really frustrating.  If I run into weird problems like 
> this, is it something I want to deal with in a production setting?
>
> Nathan
>
> On Wednesday, August 3, 2016 at 10:18:15 AM UTC-4, Jochen Schalanda wrote:
>>
>> Hi Nathan,
>>
>> On Wednesday, 3 August 2016 16:10:55 UTC+2, Nathan Mace wrote:
>>>
>>> I'm editing /etc/elasticsearch/elasticsearch.yml.  That has to be the 
>>> correct file, right?  I mean, node 2 doesn't have anything installed 
>>> besides ElasticSearch, so what other config file would there be to edit?
>>>
>>
>> This totally depends on how you've installed Elasticsearch and how you're 
>> starting it. The command line used to start ES might give some hints (check 
>> `ps -ef | grep java` for the Elasticsearch processes).
>>
>> If you haven't removed the leading whitespace in your Elasticsearch 
>> configuration files yet, this would be a good chance. Just to make sure…
>>
>> Cheers,
>> Jochen
>>
>



[graylog2] Re: Graylog _Encryption

2016-08-03 Thread Jochen Schalanda
Hi,

the received log messages are being indexed into Elasticsearch which 
doesn't encrypt them by default. The best you can do is to use an encrypted 
storage device for Elasticsearch indices.

Cheers,
Jochen

On Wednesday, 3 August 2016 17:10:28 UTC+2, Siju Tharakan wrote:
>
> Syslog received from PC or devices.



Re: [graylog2] Re: stuck to install graylog to our VPS Linux CentOS 6

2016-08-03 Thread Jochen Schalanda
Hi Luke,

I'd recommend following the official documentation, which is always 
up-to-date, instead of some 3rd party blog 
posts: http://docs.graylog.org/en/2.0/pages/installation/os/centos.html

The steps to install Graylog on CentOS 6 are fairly similar. You'll have to 
use SysV init scripts instead of systemd but except for that, it should be 
the same.

Cheers,
Jochen

On Wednesday, 3 August 2016 16:23:49 UTC+2, Lam Do wrote:
>
> Hi Jochen,
>
> Now it makes sense to me because I installed the latest repository Graylog 
> 2.0. And the documentation explains the steps for Centos7 while my VPS is 
> Centos6 so I googled some other articles and those mention 
> graylog-web but probably for Graylog 1.x. Others are for Graylog2 with 
> Centos6 and mention graylog-web too, for example
> http://www.richardyau.com/?p=377
> Is it a good article to follow?
>
> Based on your suggestions, it sounds to me like I should follow again the steps from 
> the Graylog 2.0 documentation. Does Centos6 have the same steps as Centos7?
>
> Thanks for your help,
>
> Best Regards,
> Lam Do
>



[graylog2] Re: Graylog _Encryption

2016-08-03 Thread Siju Tharakan
Syslog received from PC or devices.



[graylog2] Re: Add Elastic Search Nodes?

2016-08-03 Thread Nathan Mace
I previously removed the leading whitespaces, it didn't make any difference.

I installed ES from the steps listed in the Graylog documentation for 
CentOS.  It was installed via RPM.

Per the init script, it's pulling the /etc/elasticsearch/ folder for the 
configuration location.  Which is where the elasticsearch.yml file I'm 
editing is located.  That is also the only elasticsearch.yml on the system, 
and other settings I've edited there previously did take effect.

At this point, it's tempting to just blow away the VM and rebuild it from 
scratch.  But it's really frustrating.  If I run into weird problems like 
this, is it something I want to deal with in a production setting?

Nathan

On Wednesday, August 3, 2016 at 10:18:15 AM UTC-4, Jochen Schalanda wrote:
>
> Hi Nathan,
>
> On Wednesday, 3 August 2016 16:10:55 UTC+2, Nathan Mace wrote:
>>
>> I'm editing /etc/elasticsearch/elasticsearch.yml.  That has to be the 
>> correct file, right?  I mean, node 2 doesn't have anything installed 
>> besides ElasticSearch, so what other config file would there be to edit?
>>
>
> This totally depends on how you've installed Elasticsearch and how you're 
> starting it. The command line used to start ES might give some hints (check 
> `ps -ef | grep java` for the Elasticsearch processes).
>
> If you haven't removed the leading whitespace in your Elasticsearch 
> configuration files yet, this would be a good chance. Just to make sure…
>
> Cheers,
> Jochen
>



[graylog2] Re: Add Elastic Search Nodes?

2016-08-03 Thread Jochen Schalanda
Hi Nathan,

On Wednesday, 3 August 2016 16:10:55 UTC+2, Nathan Mace wrote:
>
> I'm editing /etc/elasticsearch/elasticsearch.yml.  That has to be the 
> correct file, right?  I mean, node 2 doesn't have anything installed 
> besides ElasticSearch, so what other config file would there be to edit?
>

This totally depends on how you've installed Elasticsearch and how you're 
starting it. The command line used to start ES might give some hints (check 
`ps -ef | grep java` for the Elasticsearch processes).

If you haven't removed the leading whitespace in your Elasticsearch 
configuration files yet, this would be a good chance. Just to make sure…

Cheers,
Jochen



Re: [graylog2] Re: stuck to install graylog to our VPS Linux CentOS 6

2016-08-03 Thread Lam Do
Hi Jochen,

Now it makes sense to me because I installed the latest repository Graylog
2.0. And the documentation explains the steps for Centos7 while my VPS is
Centos6 so I googled some other articles and those mention
graylog-web but probably for Graylog 1.x. Others are for Graylog2 with
Centos6 and mention graylog-web too, for example
http://www.richardyau.com/?p=377 Is it a good article to follow?

Based on your suggestions, it sounds to me like I should follow again the steps from
the Graylog 2.0 documentation. Does Centos6 have the same steps as Centos7?

Thanks for your help,

Best Regards,
Lam Do

Sent from mobile device.

On Aug 3, 2016 8:09 PM, "Jochen Schalanda"  wrote:

> Hi Luke,
>
> graylog-web is the package for the old Graylog web interface (before
> version 2.0.0). Make sure that you have cleaned the YUM cache and that you
> have only one Graylog repository installed on your system and that it
> points to the latest stable repository (
> https://packages.graylog2.org/repo/packages/graylog-2.0-repository_latest.rpm
> ).
>
> As far as I know, the documentation for Graylog 2.0.x doesn't mention
> graylog-web anywhere. Where exactly did you read about that package?
>
> Cheers,
> Jochen
>
> On Wednesday, 3 August 2016 12:28:04 UTC+2, Lam Do wrote:
>>
>> Jochen,
>>
>> I was able to disable the 'scl' repository then update all repositories by
>> running yum update as you suggested.
>> Then I ran the command to install graylog-web again but it returns
>> another error. (SSH screenshot below)
>> I'm not sure my way is correct or not now :(. Do we need to install
>> graylog-web anyway? Based on the instruction from graylog website, it
>> doesn't mention anything about graylog-web during the installation steps.
>> http://docs.graylog.org/en/2.0/pages/installation/operating_system_packages.html#rpm-yum-dnf
>>
>> Thanks for your help,
>> Luke
>>
>> root@*** [~]# yum install graylog-web
>> Loaded plugins: fastestmirror, security
>> Setting up Install Process
>> Loading mirror speeds from cached hostfile
>>  * rpmforge: mirror.chpc.utah.edu
>> No package graylog-web available.
>> Error: Nothing to do
>>
>>
>>
>>
>>
>>
>> On Thursday, July 28, 2016 at 3:08:55 PM UTC+7, Jochen Schalanda wrote:
>>>
>>> Hi Luke,
>>>
>>> there's some broken YUM/RPM repository on your system. Remove or disable
>>> the "scl" repository (see
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sec-Managing_Yum_Repositories.html
>>> for details) and run yum update.
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Thursday, 28 July 2016 06:40:19 UTC+2, Lam Do wrote:

 Dear all,

 Please help me with this issue. I'm working on setting up Graylog 2
 on our VPS Linux Server CentOS 6. I already installed Java, MongoDB,
 ElasticSearch and Graylog server successfully based on this guidance document
 http://docs.graylog.org/en/2.0/pages/installation/os/centos.html . But
 it looks like some other articles also instruct to install Graylog web
 to run the web-based dashboard, and I got stuck at this step. Below is my
 SSH...

 root@xxx [~]# sudo rpm -Uvh
 https://packages.graylog2.org/repo/packages/graylog-2.0-repository_latest.rpm
 Retrieving
 https://packages.graylog2.org/repo/packages/graylog-2.0-repository_la
 test.rpm
 Preparing...###
 [100%]
 package graylog-2.0-repository-1-1.noarch is already installed
 root@xxx [~]# yum install graylog-web
 Loaded plugins: fastestmirror, security
 Setting up Install Process
 Loading mirror speeds from cached hostfile
  * rpmforge: mirror.chpc.utah.edu
 http://mirror.centos.org/centos/6/SCL/x86_64/repodata/repomd.xml:
 [Errno 14] PYC
 Trying other mirror.
 To address this issue please refer to the below knowledge base article

 https://access.redhat.com/articles/1320623

 If above article doesn't help to resolve this issue please open a
 ticket with Re

 Error: Cannot retrieve repository metadata (repomd.xml) for repository:
 scl. Ple

 Thanks for your help,
 Luke


[graylog2] Re: Graylog _Encryption

2016-08-03 Thread Jochen Schalanda
Hi,

On Wednesday, 3 August 2016 16:09:22 UTC+2, Siju Tharakan wrote:
>
> Is the client log saved in encrypted format on the Graylog Server? If so, what 
> type of encryption is supported?
>

Which client logs are you referring to, specifically?

Cheers,
Jochen 



[graylog2] Graylog _Encryption

2016-08-03 Thread Siju Tharakan
Is the client log saved in encrypted format on the Graylog Server? If so, what 
type of encryption is supported?



[graylog2] Re: stuck to install graylog to our VPS Linux CentOS 6

2016-08-03 Thread Jochen Schalanda
Hi Luke,

graylog-web is the package for the old Graylog web interface (before 
version 2.0.0). Make sure that you have cleaned the YUM cache and that you 
have only one Graylog repository installed on your system and that it 
points to the latest stable repository (
https://packages.graylog2.org/repo/packages/graylog-2.0-repository_latest.rpm
).

As far as I know, the documentation for Graylog 2.0.x doesn't mention 
graylog-web anywhere. Where exactly did you read about that package?

Cheers,
Jochen

On Wednesday, 3 August 2016 12:28:04 UTC+2, Lam Do wrote:
>
> Jochen, 
>
> I was able to disable the 'scl' repository then update all repositories by 
> running yum update as you suggested. 
> Then I ran the command to install graylog-web again but it returns another 
> error. (SSH screenshot below)
> I'm not sure my way is correct or not now :(. Do we need to install 
> graylog-web anyway? Based on the instruction from graylog website, it 
> doesn't mention anything about graylog-web during the installation steps.  
> http://docs.graylog.org/en/2.0/pages/installation/operating_system_packages.html#rpm-yum-dnf
>
> Thanks for your help, 
> Luke  
>
> root@*** [~]# yum install graylog-web
> Loaded plugins: fastestmirror, security
> Setting up Install Process
> Loading mirror speeds from cached hostfile
>  * rpmforge: mirror.chpc.utah.edu
> No package graylog-web available.
> Error: Nothing to do
>
>
>
>
>
>
> On Thursday, July 28, 2016 at 3:08:55 PM UTC+7, Jochen Schalanda wrote:
>>
>> Hi Luke,
>>
>> there's some broken YUM/RPM repository on your system. Remove or disable 
>> the "scl" repository (see 
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sec-Managing_Yum_Repositories.html
>> for details) and run yum update.
>>
>> Cheers,
>> Jochen
>>
>> On Thursday, 28 July 2016 06:40:19 UTC+2, Lam Do wrote:
>>>
>>> Dear all, 
>>>
>>> Please help me with this issue. I'm working on setting up Graylog 2 
>>> on our VPS Linux Server CentOS 6. I already installed Java, MongoDB, 
>>> ElasticSearch and Graylog server successfully based on this guidance document 
>>> http://docs.graylog.org/en/2.0/pages/installation/os/centos.html . But 
>>> it looks like some other articles also instruct to install Graylog web 
>>> to run the web-based dashboard, and I got stuck at this step. Below is my 
>>> SSH... 
>>>
>>> root@xxx [~]# sudo rpm -Uvh 
>>> https://packages.graylog2.org/repo/packages/graylog-2.0-repository_latest.rpm
>>> Retrieving 
>>> https://packages.graylog2.org/repo/packages/graylog-2.0-repository_la 
>>> test.rpm
>>> Preparing...### 
>>> [100%]
>>> package graylog-2.0-repository-1-1.noarch is already installed
>>> root@xxx [~]# yum install graylog-web
>>> Loaded plugins: fastestmirror, security
>>> Setting up Install Process
>>> Loading mirror speeds from cached hostfile
>>>  * rpmforge: mirror.chpc.utah.edu
>>> http://mirror.centos.org/centos/6/SCL/x86_64/repodata/repomd.xml: 
>>> [Errno 14] PYC
>>> Trying other mirror.
>>> To address this issue please refer to the below knowledge base article
>>>
>>> https://access.redhat.com/articles/1320623
>>>
>>> If above article doesn't help to resolve this issue please open a ticket 
>>> with Re
>>>
>>> Error: Cannot retrieve repository metadata (repomd.xml) for repository: 
>>> scl. Ple
>>>
>>> Thanks for your help, 
>>> Luke 
>>>
>>>



[graylog2] Re: Extractor not running on inputs that should match

2016-08-03 Thread Phil Sumner
I ended up deleting the input and recreating it, importing the extractors, 
and everything works as expected on the re-created input.

No idea what was going on...



[graylog2] Re: stuck to install graylog to our VPS Linux CentOS 6

2016-08-03 Thread Lam Do
Jochen, 

I was able to disable the 'scl' repository then update all repositories by 
running yum update as you suggested. 
Then I ran the command to install graylog-web again but it returns another 
error. (SSH screenshot below)
I'm not sure my way is correct or not now :(. Do we need to install 
graylog-web anyway? Based on the instruction from graylog website, it 
doesn't mention anything about graylog-web during the installation steps. 
 
http://docs.graylog.org/en/2.0/pages/installation/operating_system_packages.html#rpm-yum-dnf

Thanks for your help, 
Luke  

root@*** [~]# yum install graylog-web
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * rpmforge: mirror.chpc.utah.edu
No package graylog-web available.
Error: Nothing to do






On Thursday, July 28, 2016 at 3:08:55 PM UTC+7, Jochen Schalanda wrote:
>
> Hi Luke,
>
> there's some broken YUM/RPM repository on your system. Remove or disable 
> the "scl" repository (see 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sec-Managing_Yum_Repositories.html
>  
> for details) and run yum update.
>
> Cheers,
> Jochen
>
> On Thursday, 28 July 2016 06:40:19 UTC+2, Lam Do wrote:
>>
>> Dear all, 
>>
>> Please help me with this issue. I'm working on setting up Graylog 2 
>> on our VPS Linux server (CentOS 6). I have already successfully installed Java, 
>> MongoDB, Elasticsearch and Graylog server based on this guidance document 
>> http://docs.graylog.org/en/2.0/pages/installation/os/centos.html . But 
>> it looks like this and some other articles also instruct to install Graylog web 
>> to run the web-based dashboard, and I am stuck at this step. Below is my 
>> SSH... 
>>
>> root@xxx [~]# sudo rpm -Uvh 
>> https://packages.graylog2.org/repo/packages/graylog-2.0-repository_latest.rpm
>> Retrieving https://packages.graylog2.org/repo/packages/graylog-2.0-repository_latest.rpm
>> Preparing...### [100%]
>> package graylog-2.0-repository-1-1.noarch is already installed
>> root@xxx [~]# yum install graylog-web
>> Loaded plugins: fastestmirror, security
>> Setting up Install Process
>> Loading mirror speeds from cached hostfile
>>  * rpmforge: mirror.chpc.utah.edu
>> http://mirror.centos.org/centos/6/SCL/x86_64/repodata/repomd.xml: [Errno 
>> 14] PYC
>> Trying other mirror.
>> To address this issue please refer to the below knowledge base article
>>
>> https://access.redhat.com/articles/1320623
>>
>> If above article doesn't help to resolve this issue please open a ticket 
>> with Re
>>
>> Error: Cannot retrieve repository metadata (repomd.xml) for repository: 
>> scl. Ple
>>
>> Thanks for your help, 
>> Luke 
>>
>>



[graylog2] Re: stuck to install graylog to our VPS Linux CentOS 6

2016-08-03 Thread Lam Do
Hi Jochen, 

Sorry for my late feedback. I had some other priority tasks to work on 
last week, so now I'm coming back to this issue. In your opinion, if we 
disable the "scl" repository, might anything be affected? And is it possible 
to enable it again after installing the graylog web? 

Thanks for your help,
Luke   

On Thursday, July 28, 2016 at 3:08:55 PM UTC+7, Jochen Schalanda wrote:
>
> Hi Luke,
>
> there's some broken YUM/RPM repository on your system. Remove or disable 
> the "scl" repository (see 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sec-Managing_Yum_Repositories.html
>  
> for details) and run yum update.
>
> Cheers,
> Jochen
>
> On Thursday, 28 July 2016 06:40:19 UTC+2, Lam Do wrote:
>>
>> Dear all, 
>>
>> Please help me with this issue. I'm working on setting up Graylog 2 
>> on our VPS Linux server (CentOS 6). I have already successfully installed Java, 
>> MongoDB, Elasticsearch and Graylog server based on this guidance document 
>> http://docs.graylog.org/en/2.0/pages/installation/os/centos.html . But 
>> it looks like this and some other articles also instruct to install Graylog web 
>> to run the web-based dashboard, and I am stuck at this step. Below is my 
>> SSH... 
>>
>> root@xxx [~]# sudo rpm -Uvh 
>> https://packages.graylog2.org/repo/packages/graylog-2.0-repository_latest.rpm
>> Retrieving https://packages.graylog2.org/repo/packages/graylog-2.0-repository_latest.rpm
>> Preparing...### [100%]
>> package graylog-2.0-repository-1-1.noarch is already installed
>> root@xxx [~]# yum install graylog-web
>> Loaded plugins: fastestmirror, security
>> Setting up Install Process
>> Loading mirror speeds from cached hostfile
>>  * rpmforge: mirror.chpc.utah.edu
>> http://mirror.centos.org/centos/6/SCL/x86_64/repodata/repomd.xml: [Errno 
>> 14] PYC
>> Trying other mirror.
>> To address this issue please refer to the below knowledge base article
>>
>> https://access.redhat.com/articles/1320623
>>
>> If above article doesn't help to resolve this issue please open a ticket 
>> with Re
>>
>> Error: Cannot retrieve repository metadata (repomd.xml) for repository: 
>> scl. Ple
>>
>> Thanks for your help, 
>> Luke 
>>
>>



Re: [graylog2] Extractor not running on inputs that should match

2016-08-03 Thread Phil Sumner
I've changed the grok pattern to include the end of the message and it 
doesn't appear to have made any difference.
  %{HOSTNAME:source_unit} diskmonitor\:%{GREEDYDATA:UNWANTED}partition %{WORD:partition} has only %{POSINT:percent_free}\% free

I've since discovered that there are other extractors on the same input 
which aren't extracting:

message: ip-10-244-56-13 tmm6[11383]: Rule /Common/iRules-WebServices-Sandbox-Production-WhiteList : 166.84.7.123 is not permitted to WebServices Sandbox
grok: %{HOSTNAME:source_unit} tmm%{GREEDYDATA:UNWANTED}: Rule %{UNIXPATH:irule} : %{IP:source_address} is not permitted to %{GREEDYDATA:service}

Using the "Try" button on the extractor edit page, it all works as 
expected, but new incoming messages do not show any of the additional 
fields.

I've restarted the service using graylog-ctl, deleted the extractors and 
recreated them, but no change.  Any ideas what else could be going on?

Thanks,
Phil

On Wednesday, 3 August 2016 09:55:10 UTC+1, Jan Doberstein wrote:
>
> Hi Phil,
>
>
> the Grok pattern needs to match the whole line and in your case it does not.
>
> An example Grok pattern:
> %{HOSTNAME:source_unit} diskmonitor\:%{GREEDYDATA:UNWANTED}partition %{WORD:partition} has only %{POSINT:percent_free}
>
> And an example input message:
> ip-10-244-63-14 diskmonitor: 011d0004:3: Disk partition var has only 12% 
> free
>
>
> regards
> Jan
>



Re: [graylog2] Extractor not running on inputs that should match

2016-08-03 Thread Jan Doberstein
Hi Phil,


the Grok pattern needs to match the whole line and in your case it does not.

An example Grok pattern:
%{HOSTNAME:source_unit} diskmonitor\:%{GREEDYDATA:UNWANTED}partition 
%{WORD:partition} has only %{POSINT:percent_free}

And an example input message:

ip-10-244-63-14 diskmonitor: 011d0004:3: Disk partition var has only 12% free


regards
Jan

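To check offline whether a Grok pattern covers the whole line, as Jan describes, here is an added Python checker (example code, not part of the thread and not Graylog's own Grok engine); its pattern definitions are simplified stand-ins for the standard Grok library, and it runs the messages and patterns Phil posted above in both whole-line and partial mode.

```python
import re

# Simplified stand-ins for the standard Grok definitions (constructed for this
# example; the library's real patterns are longer but cover the same lines).
GROK_PATTERNS = {
    "HOSTNAME": r"[0-9A-Za-z][0-9A-Za-z.-]*",
    "WORD": r"\b\w+\b",
    "POSINT": r"\b[1-9][0-9]*\b",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "UNIXPATH": r"(?:/[\w%!$@:.,+~-]+)+",
    "GREEDYDATA": r".*",
}

# %{NAME:field} or %{NAME}
_TOKEN = re.compile(r"%\{(?P<name>[A-Z0-9_]+)(?::(?P<field>[A-Za-z_][A-Za-z0-9_]*))?\}")


def grok_to_regex(pattern):
    """Expand every %{NAME:field} token into a named regex group."""
    def expand(m):
        base = GROK_PATTERNS[m.group("name")]  # KeyError for an unknown pattern name
        field = m.group("field")
        return f"(?P<{field}>{base})" if field else f"(?:{base})"
    return _TOKEN.sub(expand, pattern)


def grok_match(pattern, message, whole_line=True):
    """Return the extracted fields, or None when the pattern does not apply.

    whole_line=True mirrors the behaviour described in the thread: the pattern
    must cover the entire message, not just a prefix of it. whole_line=False
    shows what a plain substring search would have accepted.
    """
    regex = re.compile(grok_to_regex(pattern))
    m = regex.fullmatch(message) if whole_line else regex.search(message)
    return m.groupdict() if m else None


# Messages and patterns quoted in the thread.
DISK_MESSAGE = "ip-10-244-63-14 diskmonitor: 011d0004:3: Disk partition var has only 12% free"
DISK_PATTERN_SHORT = (r"%{HOSTNAME:source_unit} diskmonitor\:%{GREEDYDATA:UNWANTED}"
                      r"partition %{WORD:partition} has only %{POSINT:percent_free}")
DISK_PATTERN_FULL = DISK_PATTERN_SHORT + r"\% free"

IRULE_MESSAGE = ("ip-10-244-56-13 tmm6[11383]: Rule /Common/iRules-WebServices-"
                 "Sandbox-Production-WhiteList : 166.84.7.123 is not permitted to "
                 "WebServices Sandbox")
IRULE_PATTERN = (r"%{HOSTNAME:source_unit} tmm%{GREEDYDATA:UNWANTED}: Rule "
                 r"%{UNIXPATH:irule} : %{IP:source_address} is not permitted to "
                 r"%{GREEDYDATA:service}")


def demo():
    """Run the four cases that matter for the thread and return them by name."""
    return {
        # stops before "% free", so it only matches as a substring
        "disk_short_whole": grok_match(DISK_PATTERN_SHORT, DISK_MESSAGE),
        "disk_short_partial": grok_match(DISK_PATTERN_SHORT, DISK_MESSAGE, whole_line=False),
        # extended to the end of the line, so it matches as a whole
        "disk_full_whole": grok_match(DISK_PATTERN_FULL, DISK_MESSAGE),
        "irule_whole": grok_match(IRULE_PATTERN, IRULE_MESSAGE),
    }


if __name__ == "__main__":
    for name, fields in demo().items():
        print(f"{name}: {fields}")
```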


[graylog2] Re: New to graylog Issue to login after server.conf change

2016-08-03 Thread Guillaume Migaszewski
dear Jochen, 

Thank you, it is working now ;). 

Guillaume.

On Tuesday, August 2, 2016 at 4:41:18 PM UTC+2, Jochen Schalanda wrote:
>
> Hi Guillaume,
>
> that's the wrong port. The POST request must be directed to the Graylog 
> REST API.
>
> Make sure to remove or comment out the web_endpoint_uri setting in your 
> Graylog configuration file.
>
> Cheers,
> Jochen
>
> On Tuesday, 2 August 2016 16:28:43 UTC+2, Guillaume Migaszewski wrote:
>>
>> Dear Jochen , 
>>
>> Attached my server.conf. 
>>
>>
>> Also some additional  curl output 
>>
>>  curl -v -XPOST 10.1.0.215:9000/system/sessions
>> * About to connect() to 10.1.0.215 port 9000 (#0)
>> *   Trying 10.1.0.215... connected
>> * Connected to 10.1.0.215 (10.1.0.215) port 9000 (#0)
>> > POST /system/sessions HTTP/1.1
>> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/
>> 3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
>> > Host: 10.1.0.215:9000
>> > Accept: */*
>> >
>> < HTTP/1.1 405 Method Not Allowed
>> < Allow: GET,OPTIONS
>> < X-Graylog-Node-ID: 5416caad-4269-4f9b-ad0f-1beb73770838
>> < Vary: Accept-Encoding
>> < Content-Type: application/json
>> < Date: Tue, 02 Aug 2016 14:27:43 GMT
>> < Content-Length: 59
>> <
>> * Connection #0 to host 10.1.0.215 left intact
>> * Closing connection #0
>> {"type":"ApiError","message":"HTTP 405 Method Not Allowed"}[
>>
>>
>>
>> Guillaume.
>>
>>
>> On Tuesday, August 2, 2016 at 2:57:13 PM UTC+2, Jochen Schalanda wrote:
>>>
>>> Hi Guillaume,
>>>
>>> please post your complete Graylog configuration file or be more explicit 
>>> about how the relevant settings (rest_* and web_*) are configured right 
>>> now.
>>>
>>> Also check the Developer Console of your web browser for error messages 
>>> and post them here.
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Tuesday, 2 August 2016 14:30:29 UTC+2, Guillaume Migaszewski wrote:

 Dear Graylog users, 

 I have done an rpm install of Graylog. At first I was not able to 
 log in from any machine other than localhost. As a result, with your 
 assistance, I have changed the following settings in server.conf 

 rest_listen_uri = http://127.0.0.1:12900/
 rest_listen_uri = http://10.1.0.215:12900/(10.1.0.215 my server ip)

 web_listen_uri = http://127.0.0.1:9000/
 web_listen_uri = http://10.1.0.215:9000/


 As a result I can reach the login screen from any workstation. But after 
 sending my credentials I get the following error message: 

 Error - the server returned: 405 - cannot POST /system/sessions (405)


 All resources I have found are speaking about reverse proxy or SSL use, 
 but I have none of it. 

 It has been a while since I had such a hard time installing an 
 application on Linux. ;) But I will not give up.

 Thanks for your help.

 Guillaume.

>>>



Re: [graylog2] UDP Debugging

2016-08-03 Thread Marius Sturm
Hi,
your 'gelf-address' looks odd. To get the Docker logging driver working,
start a UDP GELF input on the server side and use an address like
udp://192.168.0.9:12201 on the container. Something like /gelf only exists in
an HTTP context, which is not used in this case.

Cheers,
Marius


On 3 August 2016 at 08:46, David Arnold  wrote:

> Hi
> I have the following docker-compose file, on top of docker-for-windows
> 0.12 and rancher:
> elasticsearch:
>   command: elasticsearch -Des.cluster.name='graylog'
>   image: elasticsearch:2
>   volumes: ['graylog-elst:/usr/share/elasticsearch/data']
> graylog:
>   environment: {GRAYLOG_PASSWORD_SECRET: '${graylog_secret}',
> GRAYLOG_REST_TRANSPORT_URI: 'http://${graylog_fqdn}:12900',
> GRAYLOG_ROOT_PASSWORD_SHA2: '${graylog_password}'}
>   image: graylog2/server:2.1.0-beta.2-1
>   labels: {io.rancher.container.hostname_override: container_name}
>   links: ['mongodb:mongo', 'elasticsearch:elasticsearch']
>   restart: always
>   expose: ['12201/udp']
>   volumes: ['graylog-data:/usr/share/graylog/data']
> lb:
>   image: rancher/load-balancer-service
>   labels: {io.rancher.scheduler.global: 'true'}
>   links: ['graylog:graylog']
>   ports: ['9000:9000', '12900:12900', '12201:12201/udp', '12202:12202']
>   restart: always
> mongodb:
>   image: mongo:3
>   labels: {io.rancher.container.hostname_override: container_name}
>   volumes: ['graylog-mngo:/data/db']
>
>
> lb is rancher's haproxy 1.5 loadbalancer. From my machine I can happily do:
>
> curl -XPOST http://192.168.0.9:12202/gelf -p0 -d '{"short_message":"Hello there 2", "host":"example.org", "facility":"test", "_foo":"bar"}'
>
> and hooray, everything as expected.
>
> Now I start another container with
>
> gelf-address=udp://192.168.0.9:12201/gelf
>
> Yet, there is an unbearable silence all over the place.
>
> I really don't know quite well how to debug and see if graylog is
> accepting as expected.
> So here is the question:
>
> What can I do to enter the graylog docker and test the UDP Input?
>
> I can't enter moby linux VM (docker-for-windows has blocked the access),
> but I can do those kind of stuff on localhost or from within a peer
> container as well.
>
> Thanks for any help. I hit the point where I don't advance by myself
> anymore.
>
>



-- 
Developer

Tel.: +49 (0)40 609 452 077
Fax.: +49 (0)40 609 452 078

TORCH GmbH - A Graylog Company
Poolstraße 21
20335 Hamburg
Germany

https://www.graylog.com 

Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Geschäftsführer: Lennart Koopmann (CEO)



[graylog2] UDP Debugging

2016-08-03 Thread David Arnold
Hi 
I have the following docker-compose file, on top of docker-for-windows 0.12 
and rancher:
elasticsearch:
  command: elasticsearch -Des.cluster.name='graylog'
  image: elasticsearch:2
  volumes: ['graylog-elst:/usr/share/elasticsearch/data']
graylog:
  environment:
    GRAYLOG_PASSWORD_SECRET: '${graylog_secret}'
    GRAYLOG_REST_TRANSPORT_URI: 'http://${graylog_fqdn}:12900'
    GRAYLOG_ROOT_PASSWORD_SHA2: '${graylog_password}'
  image: graylog2/server:2.1.0-beta.2-1
  labels: {io.rancher.container.hostname_override: container_name}
  links: ['mongodb:mongo', 'elasticsearch:elasticsearch']
  restart: always
  expose: ['12201/udp']
  volumes: ['graylog-data:/usr/share/graylog/data']
lb:
  image: rancher/load-balancer-service
  labels: {io.rancher.scheduler.global: 'true'}
  links: ['graylog:graylog']
  ports: ['9000:9000', '12900:12900', '12201:12201/udp', '12202:12202']
  restart: always
mongodb:
  image: mongo:3
  labels: {io.rancher.container.hostname_override: container_name}
  volumes: ['graylog-mngo:/data/db']


lb is rancher's haproxy 1.5 loadbalancer. From my machine I can happily do:

curl -XPOST http://192.168.0.9:12202/gelf -p0 -d '{"short_message":"Hello there 2", "host":"example.org", "facility":"test", "_foo":"bar"}'

and hooray, everything as expected.

Now I start another container with 

gelf-address=udp://192.168.0.9:12201/gelf

Yet, there is an unbearable silence all over the place.

I really don't know quite well how to debug and see if graylog is accepting 
as expected.
So here is the question:

What can I do to enter the graylog docker and test the UDP Input?

I can't enter moby linux VM (docker-for-windows has blocked the access), 
but I can do those kind of stuff on localhost or from within a peer 
container as well.

Thanks for any help. I hit the point where I don't advance by myself 
anymore.

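As an added example (not from the thread, Docker or Graylog) of how to exercise a UDP GELF input from a peer container or the host, this Python sender builds a gzip-compressed GELF 1.1 datagram and refuses a udp:// address that carries a path such as /gelf, which, as Marius notes, only means something to the HTTP input. The 8192-byte single-datagram limit is the conventional GELF chunk size and is assumed here; the loopback self-test stands in for a real input so the code can be run anywhere.

```python
import gzip
import json
import socket
import time
from urllib.parse import urlsplit

# GELF UDP datagrams larger than this must be split into chunks; this example
# keeps to single datagrams and refuses larger payloads instead of chunking.
MAX_DATAGRAM = 8192


def parse_gelf_address(url):
    """Validate a GELF UDP target such as udp://192.168.0.9:12201.

    A path component (e.g. /gelf) is only meaningful for the HTTP input, so it
    is rejected here rather than silently ignored.
    """
    parts = urlsplit(url)
    if parts.scheme != "udp":
        raise ValueError(f"expected a udp:// address, got {parts.scheme!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"a UDP GELF address takes no path: {url!r}")
    if parts.hostname is None or parts.port is None:
        raise ValueError(f"host and port are both required: {url!r}")
    return parts.hostname, parts.port


def build_gelf(short_message, host, **extra):
    """Build a gzip-compressed GELF 1.1 payload; extra field names must start with '_'."""
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": round(time.time(), 3), "level": 6}
    for key, value in extra.items():
        # GELF reserves "_id"; every other additional field is "_"-prefixed.
        if not key.startswith("_") or key == "_id":
            raise ValueError(f"additional field name not allowed: {key!r}")
        msg[key] = value
    payload = gzip.compress(json.dumps(msg).encode("utf-8"))
    if len(payload) > MAX_DATAGRAM:
        raise ValueError("payload would need GELF chunking, which this example omits")
    return payload


def decode_gelf(payload):
    """Inverse of build_gelf, to inspect what would arrive at the input."""
    return json.loads(gzip.decompress(payload).decode("utf-8"))


def send_gelf_udp(address, payload):
    """Send one datagram (IPv4 only) and return the number of bytes sent."""
    host, port = parse_gelf_address(address)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


def loopback_selftest():
    """Send to a throwaway local UDP socket and decode what arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sink:
        sink.bind(("127.0.0.1", 0))
        sink.settimeout(2)
        port = sink.getsockname()[1]
        payload = build_gelf("Hello there 2", "example.org", _foo="bar")
        send_gelf_udp(f"udp://127.0.0.1:{port}", payload)
        data, _ = sink.recvfrom(65535)
    return decode_gelf(data)


if __name__ == "__main__":
    print(loopback_selftest())
```

Pointing send_gelf_udp at the real input address (udp://192.168.0.9:12201 in the setup above) and watching the input's message count is the test the original question asks for.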


[graylog2] Re: Add Elastic Search Nodes?

2016-08-03 Thread Jochen Schalanda
Hi Nathan,

make sure that you're editing the correct configuration file for 
Elasticsearch. Since both ES nodes do not pick up any settings from the 
configuration file (neither cluster name, nor node name, nor network 
settings), I'm suspecting that you're simply writing to the wrong file(s).

Cheers,
Jochen 

On Tuesday, 2 August 2016 19:59:28 UTC+2, Nathan Mace wrote:
>
> Jochen,
>
> I've looked over the config files and this thread (and then double 
> checked).  I've cleaned up the two config files for ES (removed all the 
> comments and posted here just the uncommented lines). I also added options 
> that seemed like they might help.  But the log files still show it trying 
> to bind port 9300 on 127.0.0.1.  I've done everything I know to do to make 
> it NOT use the loopback interface.  The config's as they exist now are:
>
> cluster.name: graylog
> node.name: node2
> node.master: false
> network.host: x.x.x.149
> network.publish_host: x.x.x.149
> transport.tcp.port: 9300
> http.port: 9200
> discovery.zen.ping.unicast.hosts: ["x.x.x.146", "x.x.x.149"]
> discovery.zen.minimum_master_nodes: 1
>
>
> cluster.name: graylog
> node.name: node1
> node.master: true
> network.host: x.x.x.146
> network.publish_host: x.x.x.146
> transport.tcp.port: 9300
> http.port: 9200
> discovery.zen.ping.unicast.hosts: ["x.x.x.149", "x.x.x.146"]
> discovery.zen.minimum_master_nodes: 1
>
> I am completely out of ideas.
>
>
> Nathan
>
>
>
> On Tuesday, August 2, 2016 at 12:48:39 PM UTC-4, Jochen Schalanda wrote:
>>
>> Hi Nathan,
>>
>> it seems your Elasticsearch config is still wrong. Both nodes only bind 
>> to localhost:
>>
>> ES node 1:
>>> [2016-08-02 09:19:16,184][INFO ][transport ] [Betty Ross Banner] publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}
>>>
>>  
>>
>> ES node 2:
>>> [2016-08-02 09:19:16,064][INFO ][transport ] [Invisible Woman] publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}
>>
>>
>> I suggest you double check the configuration files and do the changes I 
>> suggested in the numerous mails before.
>>
>> Cheers,
>> Jochen
>>
>>
>> On Tuesday, 2 August 2016 18:43:16 UTC+2, Nathan Mace wrote:
>>>
>>> Please see attached files.  I got the elasticsearch.log file from 
>>> /var/log/elasticsearch on both nodes.  Additionally I got graylog.log from 
>>> the same location on both nodes.  Even though node 2 doesn't have graylog 
>>> installed it had a log file for it.  Not sure why that is.
>>>
>>> Thanks!
>>>
>>> Nathan
>>>
>>> On Tuesday, August 2, 2016 at 11:10:49 AM UTC-4, Jochen Schalanda wrote:

 Hi Nathan,

 please post the *complete* log files of your Elasticsearch and Graylog 
 nodes.

 Cheers,
 Jochen

 On Tuesday, 2 August 2016 16:56:58 UTC+2, Nathan Mace wrote:
>
> Removing the leading whitespaces didn't help.
>
> However in looking through the logs I found this in the primary node's 
> graylog.log file:
>
> ConnectTransportException[[ansted-search-01][x.x.x.149:9300] connect_timeout[30s]]; nested: ConnectException[Connection refused: /x.x.x.149:9300];
> at org.elasticsearch.transport.netty.NettyTransport.connectToChannels(NettyTransport.java:987)
> at org.elasticsearch.transport.netty.NettyTransport.connectToNode(NettyTransport.java:920)
> at org.elasticsearch.transport.netty.NettyTransport.connectToNode(NettyTransport.java:893)
> at org.elasticsearch.transport.TransportService.connectToNode(TransportService.java:260)
> at org.elasticsearch.discovery.zen.ZenDiscovery.joinElectedMaster(ZenDiscovery.java:434)
> at org.elasticsearch.discovery.zen.ZenDiscovery.innerJoinCluster(ZenDiscovery.java:386)
> at org.elasticsearch.discovery.zen.ZenDiscovery.access$4800(ZenDiscovery.java:91)
> at org.elasticsearch.discovery.zen.ZenDiscovery$JoinThreadControl$1.run(ZenDiscovery.java:1237)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
> It was repeated several times.  That is it trying to connect to the 
> second node on port 9300 and not being able to.  I see in the documentation 
> that 9300 is the default port and I have nothing in either of the ES YML 
> files referencing that port number, so it seems to be all default.  If I do 
> a netstat on both hosts they are both listening on port 9200 and 9300.  It 
> would seem that it is listening, but only allowing connections to 9300 from 
> localhost?  What would I need to change to allow a connect from the other 
> node?
>
> Nathan
>
> On Tuesday, August 2, 2016 at 10:22:44 AM UTC-4, Jochen Schalanda 
> wrote:
>>
>> Hi Nathan,
>>
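Jochen's diagnosis above rests on comparing what elasticsearch.yml asks for with what the node's [transport] start-up line says it actually did. As an added example (not from the thread or from Elasticsearch), this Python checker parses both, using the config and the log lines quoted in the thread plus one constructed "healthy" line, and reports every contradiction, which is the signal that the edited file is not the one the node loaded.

```python
import ipaddress
import re

# The [transport] start-up line Elasticsearch logs once it has bound its
# transport port, in the format of the two lines Jochen quoted.
TRANSPORT_LINE = re.compile(
    r"\[transport\s*\] \[(?P<node>[^\]]+)\] publish_address \{(?P<publish>[^}]+)\}, "
    r"bound_addresses (?P<bound>.+)$"
)


def parse_transport_line(line):
    """Return node name, publish address and bound addresses, or None."""
    m = TRANSPORT_LINE.search(line)
    if not m:
        return None
    bound = re.findall(r"\{([^}]+)\}", m.group("bound"))
    return {"node": m.group("node"), "publish": m.group("publish"), "bound": bound}


def is_loopback(hostport):
    """True for addresses like 127.0.0.1:9300 or [::1]:9300."""
    host = hostport.rsplit(":", 1)[0].strip("[]")
    return ipaddress.ip_address(host).is_loopback


def parse_es_yml(text):
    """Minimal reader for the flat 'key: value' elasticsearch.yml shown above
    (constructed for this example; not a general YAML parser)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings


def check_node(config_text, log_line):
    """List the ways the running node contradicts the config it should have read.

    An empty list means log and file agree; otherwise the file was most likely
    not the one the node loaded, or the node was not restarted after editing.
    """
    cfg = parse_es_yml(config_text)
    seen = parse_transport_line(log_line)
    if seen is None:
        return ["no [transport] start-up line found in the log excerpt"]
    findings = []
    wanted_name = cfg.get("node.name")
    if wanted_name and wanted_name != seen["node"]:
        findings.append(f"node.name={wanted_name} configured, but the node calls "
                        f"itself '{seen['node']}'")
    wanted_host = cfg.get("network.host")
    if wanted_host and all(is_loopback(addr) for addr in seen["bound"]):
        findings.append(f"network.host={wanted_host} configured, but the node bound "
                        f"only loopback addresses {seen['bound']}")
    return findings


# Node 2 config from the thread (x.x.x.149 is the poster's masked address)
# and the log line Jochen quoted for ES node 2.
NODE2_YML = """\
cluster.name: graylog
node.name: node2
node.master: false
network.host: x.x.x.149
network.publish_host: x.x.x.149
transport.tcp.port: 9300
http.port: 9200
discovery.zen.ping.unicast.hosts: ["x.x.x.146", "x.x.x.149"]
discovery.zen.minimum_master_nodes: 1
"""
NODE2_LOG = ("[2016-08-02 09:19:16,064][INFO ][transport ] [Invisible Woman] "
             "publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}")
# Constructed line showing what a node that did read the file would log.
NODE2_LOG_OK = ("[2016-08-02 09:30:00,000][INFO ][transport ] [node2] "
                "publish_address {10.0.0.149:9300}, bound_addresses {10.0.0.149:9300}")

if __name__ == "__main__":
    for line in (NODE2_LOG, NODE2_LOG_OK):
        print(check_node(NODE2_YML, line) or ["config and log agree"])
```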

Re: [graylog2] Graylog Sidecar reports "unable to map property tags"

2016-08-03 Thread Marius Sturm
Hi,
please create a new issue with all versions (Sidecar and Graylog server)
and some more log lines. This issue should already be fixed but I can take
another look.
Did you notice that the installation path on Windows systems changed? It
was installed in \Program Files(x86) even though it's a 64bit binary. Maybe
you still execute the old binary? Try the one in \Program Files to verify.

Cheers,
Marius


On 3 August 2016 at 00:19, Pete GS  wrote:

> I seem to be encountering this same issue with 0.0.9-beta-1.
>
> time="2016-08-03T08:13:26+10:00" level=error msg="[UpdateRegistration] Failed to report collector status to server: PUT http://graylog.lab.melbourneit.com:12900/plugins/org.graylog.plugins.collector/collectors/628a678c-77eb-4aef-96f1-0bde9319cd96: 400 Unable to map property tags.\nKnown properties include: operating_system"
>
> I'm pretty sure everything is configured correctly and my Graylog
> environment is a fresh one installed two days ago with 2.0.3.
>
> Do you need me to open a new issue or update the existing issue opened by
> Jeremy?
>
> Cheers, Pete
>
> On Monday, 18 July 2016 23:15:31 UTC+10, Jeremy Farr wrote:
>>
>> Done.  https://github.com/Graylog2/collector-sidecar/issues/39
>>
>> On Monday, July 18, 2016 at 3:35:36 AM UTC-5, Marius Sturm wrote:
>>>
>>> Hi,
>>> could you please create an issue for that over here:
>>> https://github.com/Graylog2/collector-sidecar/issues
>>> Please add your collector_sidecar.yml file to the ticket.
>>>
>>> Thanks,
>>> Marius
>>>
>>>
>>> On 15 July 2016 at 20:25, Jeremy Farr  wrote:
>>>
 So I'm using nxlog and I've installed the graylog sidecar.  I'm
 manually starting it with my configuration file so I can monitor it.  Just
 after reporting that nxlog is starting it gives a 400 error related to the
 property tags.  I've attached the screen shot. I've changed the tag and
 ensured it's the same as what I've got in the config on the graylog side. I
 am using the alpha release of the collector just FYI.


 



