RE: [graylog2] Need assistance on building an alert.

2016-08-19 Thread Tom Vile
Here I am overthinking the issue. I will talk with the networking guys to go 
that route, as it makes sense and keeps the processing down on my server. We use 
Cisco gear, have worked on it before, and have done something similar in the 
past. I guess since I don't control the networking equipment it didn't cross my 
mind.

Thanks for the suggestion.

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/711db8ec-a4ca-4d25-a90a-a941705c00d7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


RE: [graylog2] Need assistance on building an alert.

2016-08-19 Thread STARNES, CURTIS
Tom,
I didn't see where you specified the firewall/routers, but I have an ACL in our 
Cisco router that checks outbound traffic, and if any traffic matches an ACL 
rule it is set to log.
This router logging is sent to our Graylog2 collector via syslog messages to 
the specified IP/port combination.
The syslog entries coming from the firewall have all the information needed for 
decent logging.
Based on these syslog messages, you can create your alerts on the 
router/firewall inputs.

Curtis Starnes
Senior Network Administrator
Granbury ISD
600 W. Bridge St. Ste. 40
Granbury, Texas  76048
(817) 408-4104
(817) 408-4126 Fax
curtis.star...@granburyisd.org
www.granburyisd.org


OPEN RECORDS NOTICE: This email and responses may be subject to Texas Open 
Records laws and may be disclosed to the public upon request.






[graylog2] Need assistance on building an alert.

2016-08-19 Thread Tom Vile
I have been tasked with building out a Graylog2 cluster solution at my 
company and it has been going very well, but I need some help with the best 
way to handle a rather complex alert.

We have roughly 1500 Windows computers, with 4 at each of roughly 400 locations 
on their own private networks. They are locked down so that they can only 
communicate with specific IP addresses listed in a firewall that is at each 
location. All the firewalls are of the same make and model, if that helps. I do 
not need assistance with communication to each location as that is already 
working.

What I want to do is create an alert so that if one of the computers 
attempts to communicate outside of the approved IP network I get an alert.

--
Example:

Location has an IP network of 192.168.1.0.
PC attempts to communicate with an IP address outside of the IP range of 
192.168.1.1-10.
If the PC attempts to connect to an IP of, say, 172.17.1.1 or any other not 
approved, I receive an alert.
--

Generally this is not an issue but security is a top priority and there 
have been times where a tech plugs in something where he/she shouldn't or 
an employee does the same.
I have been successful in setting up quite a few alerts and they work great 
but I want to make certain I do this in the best possible way without it 
being too complex if possible.

What would be the best way of handling a condition like this?

Thanks in advance for any suggestions,

Tom

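Curtis's approach above (router ACL with logging, syslog into Graylog, alert on the input) and Tom's requirement (an alert whenever a PC reaches anything outside 192.168.1.1-10), as an added example that is not from the thread: a small Python checker that parses Cisco-style ACL log lines and flags flows to unapproved destinations, which is the same test a Graylog extractor plus stream rule would apply. The sample syslog lines, the router name loc042-rtr and the ACL name OUTBOUND are constructed.

```python
import ipaddress
import re

# Constructed sample lines modelled on the Cisco IOS ACL log format; they are
# not from the thread. The last line stands for an ACL entry widened by mistake.
SAMPLE_SYSLOG = """\
<190>Aug 19 15:07:01 loc042-rtr 12: %SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 192.168.1.21(50112) -> 192.168.1.5(443), 1 packet
<190>Aug 19 15:07:03 loc042-rtr 13: %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 192.168.1.21(50113) -> 172.17.1.1(445), 1 packet
<190>Aug 19 15:07:04 loc042-rtr 14: %SEC-6-IPACCESSLOGP: list OUTBOUND denied udp 192.168.1.22(41000) -> 203.0.113.5(53), 1 packet
<190>Aug 19 15:07:05 loc042-rtr 15: %SEC-6-IPACCESSLOGDP: list OUTBOUND denied icmp 192.168.1.22 -> 172.17.1.1 (8/0), 1 packet
<190>Aug 19 15:07:09 loc042-rtr 16: %SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 192.168.1.23(50200) -> 10.0.0.9(80), 1 packet
"""

# Allow list from Tom's example: PCs at this location may only reach 192.168.1.1-10.
APPROVED = {ipaddress.ip_address(f"192.168.1.{i}") for i in range(1, 11)}

# Covers the IPACCESSLOGP (tcp/udp, ports), IPACCESSLOGDP (icmp) and IPACCESSLOGNP variants.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<verdict>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
)

def parse_acl_log(line):
    """Return the flow fields of one ACL log line as a dict, or None when the
    line is some other syslog message (the collector sees plenty of those)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    for key in ("sport", "dport"):
        flow[key] = int(flow[key]) if flow[key] else None
    return flow

def off_policy_flows(lines, approved=APPROVED):
    """Return the parsed flows whose destination is outside the allow list.
    The allow list is checked rather than the ACL verdict, so a permit entry
    that was widened by mistake still produces an alert."""
    alerts = []
    for line in lines:
        flow = parse_acl_log(line)
        if flow and ipaddress.ip_address(flow["dst"]) not in approved:
            alerts.append(flow)
    return alerts

for f in off_policy_flows(SAMPLE_SYSLOG.splitlines()):
    print(f"ALERT {f['src']} -> {f['dst']} {f['proto']} (ACL {f['acl']}: {f['verdict']})")
```

In Graylog the destination field would come from an extractor on the router input, and the alert condition would watch a stream whose rule excludes the approved addresses.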


Re: [graylog2] Syslog severity mapper decorator

2016-08-19 Thread Jan Doberstein
Hej Marcus

That's what I hoped for, but to me it looks like nothing has changed at 
all. Everything is like it was with 2.0 and/or 2.1beta2. I must be kind of 
too blind to see ;) 

From my understanding I could still search for something like: 
level:<4 AND message:foo 

But I would expect to see in the search window of my messages a decorated view 
of my messages with ERROR, WARNING, FATAL instead of the raw numbers. 
That is what they are used for. 

You need to choose source and target field (when just using the severity mapper). 
We are a little behind on providing documentation, but it will be present as soon 
as possible.

Give the new beta.4 a try, we have fixed many issues.



/jd



Re: [graylog2] Starting graylog2-server redirecting stderr to stdout

2016-08-19 Thread Jan Doberstein
Hej Charmant,



Can I have a web link that shows me how to install the latest version of graylog2 
step by step on Ubuntu 14.04 amd64 or later?
Or a web link to download a vmdk (VMware machine that runs graylog2)?
Help me please!!
Did you try one of the installations described in the graylog documentation?

http://docs.graylog.org/en/2.0/pages/installation.html



regards

Jan



Re: [graylog2] Speed up the Web Interface

2016-08-19 Thread Dennis Oelkers
Hey Philipp,

which part of it is slow?

Kr,
D.

> On 19.08.2016, at 13:52, Philipp J.  wrote:
> 
> We use 2.0.3
> 
> On Thursday, 18 August 2016 10:15:32 UTC+2, Dennis Oelkers wrote:
> Hey Philipp, 
> 
> which Graylog version are you using? Starting with 2.0, the web interface is 
> a client side application, which should consume much less resources on the 
> server, so upgrading might help you. 
> 
> Kr, 
> D. 
> 
> > On 17.08.2016, at 14:55, Philipp J.  wrote: 
> > 
> > Hello, 
> > 
> > is there a possibility to speed up the Web Interface? It reacts very slowly, 
> > but everything else (processing messages etc.) works ok. 
> > It would be nice to set up dedicated RAM and/or processors for the Web 
> > Interface. 
> > 
> > Thanks a lot for the help!! 
> > 
> > 

--
Tel.: +49 (0)40 609 452 077
Fax.: +49 (0)40 609 452 078

TORCH GmbH - A Graylog company
Poolstrasse 21
20355 Hamburg
Germany

Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Managing Director (Geschäftsführer): Lennart Koopmann (CEO)



Re: [graylog2] Speed up the Web Interface

2016-08-19 Thread Philipp J.
We use 2.0.3

On Thursday, 18 August 2016 10:15:32 UTC+2, Dennis Oelkers wrote:
>
> Hey Philipp, 
>
> which Graylog version are you using? Starting with 2.0, the web interface 
> is a client side application, which should consume much less resources on 
> the server, so upgrading might help you. 
>
> Kr, 
> D. 
>
> > On 17.08.2016, at 14:55, Philipp J.  
> wrote: 
> > 
> > Hello, 
> > 
> > is there a possibility to speed up the Web Interface? It reacts very 
> slowly, but everything else (processing messages etc.) works ok. 
> > It would be nice to set up dedicated RAM and/or processors for the Web 
> Interface. 
> > 
> > Thanks a lot for the help!! 
> > 
