Re: [graylog2] Syslog input: Add source IP field to messages from devices with poor syslog formatting?

2016-09-07 Thread Jan Doberstein
Hej Michael,

> I can use rsyslog to modify the messages or something, but can we get this as
> an option for the Syslog input?

If you use one input per access point you can add the source per input. If you
are able to identify it by something else, a pipeline can help you add this
field.

/jd




-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/etPan.57d109c3.6c65936f.943%40jalogisch.de.
For more options, visit https://groups.google.com/d/optout.




[graylog2] Re: Looking for a configuration example of filebeat + graylog collector use

2016-09-07 Thread Aykisn

Oh I just saw that the documentation for the collector was updated. Sorry 
for the inconvenience. 



[graylog2] Looking for a configuration example of filebeat + graylog collector use

2016-09-07 Thread Aykisn
Hello,

I want to use Filebeat to collect logs from files on Windows clients, and
forward these logs to Graylog. However, I saw that in the output part of
filebeat (in the yml file), the only options were elasticsearch, logstash,
console or file. And in the collector, we can only choose the hosts for the
output, without choosing the output type.

I'm kinda lost on what to fill in on the collector: is it the Graylog
instances' IP? Or the Elasticsearch ones?

Could someone please help and show a configuration example for this setup?

Thanks.






[graylog2] Re: Cisco syslog message source field includes date info and more

2016-09-07 Thread Thomas
OK, so I figured this out myself.

On my Cisco devices, I had the following logging option enabled

logging timestamp

This adds an additional time stamp to every syslog message and that caused 
issues with the extractor I was using.
Once I removed this from the Cisco config, the source field in Graylog
showed just the hostname of the device.

Not sure if there is another way of resolving this where 'logging 
timestamp' is still enabled on the Cisco devices?


On Wednesday, 7 September 2016 10:05:17 UTC+8, Thomas wrote:
>
> Does anyone have any suggestions here?
> Am I the only one using this extractor from the Market Place and that is 
> having this issue?
>
>
> On Friday, 2 September 2016 11:11:09 UTC+8, Thomas wrote:
>>
>> Community
>>
>> I have created a new extractor using the following
>>
>> https://marketplace.graylog.org/addons/90396261-812c-4fa8-ad8f-a17771c9f8e0
>>
>> I am receiving syslog messages from my Cisco equipment, however the
>> "source" field in Graylog contains more than just the name of the source
>> field.
>> It includes date information as well.
>>
>>
>> I'll give you an example
>>
>> Syslog message from my Cisco 4507 switch
>>
>> 9/1/2016 3:07 AM : C4K_REDUNDANCY-5-CONFIGSYNC  215: 4507-HOSTNAME: .Sep 
>>  1 03:07:14 EST-DST: %C4K_REDUNDANCY-5-CONFIGSYNC: The startup-config has 
>> been successfully synchronized to the standby supervisor
>>
>> The source field in Graylog is as follows
>>
>> 215: 4507-HOSTNAME: .Sep 1 03:07:14 EST-DST:
>>
>> Messages from my Cisco ASA5500 have the following source field
>> Sep 01 2016 22:58:05 5500-FW1 :
>>
>>
>> RegEx for the source field is as follows, which is unchanged from the 
>> extractor
>>
>>
>> "regex_value": ">(.+?)%"
>>
>> Any suggestion as to how this can be resolved such that only the host name
>> is included in the source field?
>>
>>
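Added illustration, not code from the thread or from the marketplace extractor: the `>(.+?)%` regex quoted above, run over constructed lines modelled on Thomas's two devices, next to a stricter pattern that keeps only the hostname and tolerates both the sequence number and the extra `logging timestamp` stamp. The PRI values, the raw line layout and the pattern names are assumptions.

```python
import re

# Constructed sample lines modelled on the two devices in the thread. The PRI
# values (<189>, <166>) and the exact wire layout are assumptions: the post
# shows the messages as a log viewer rendered them, not as they hit the input.
SAMPLES = {
    "ios_4507_with_timestamp": (
        "<189>215: 4507-HOSTNAME: .Sep  1 03:07:14 EST-DST: "
        "%C4K_REDUNDANCY-5-CONFIGSYNC: The startup-config has been "
        "successfully synchronized to the standby supervisor"
    ),
    "asa_5500": (
        "<166>Sep 01 2016 22:58:05 5500-FW1 : "
        "%ASA-6-302013: Built outbound TCP connection"
    ),
    "ios_no_timestamp": (
        "<189>4507-HOSTNAME: %SYS-5-CONFIG_I: Configured from console"
    ),
}

# The unchanged marketplace extractor: everything between the end of the PRI
# and the first '%' becomes 'source', so a sequence number and the extra
# 'logging timestamp' stamp end up in the field alongside the hostname.
MARKETPLACE_SOURCE = re.compile(r">(.+?)%")


def marketplace_source(raw):
    """Return what the marketplace regex puts into the source field."""
    m = MARKETPLACE_SOURCE.search(raw)
    return m.group(1) if m else None


# Stricter patterns (assumed, not from the thread). IOS-style lines may carry
# a 'service sequence-numbers' counter before the hostname and a 'logging
# timestamp' stamp after it; both are optional so one pattern covers devices
# with and without those options. ASA lines put a date before the hostname
# and separate the hostname from the mnemonic with ' : '.
IOS_PREFIX = re.compile(
    r"^<\d{1,3}>"                         # syslog PRI
    r"(?:\d+: )?"                         # optional sequence number, e.g. '215: '
    r"(?P<host>[A-Za-z0-9._-]+): "        # device hostname
    r"(?:[.*]?[A-Za-z]{3}\s+\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}(?:\.\d+)?"
    r"(?: [A-Za-z_-]+)?: )?"              # optional '.Sep  1 03:07:14 EST-DST: '
    r"%"                                  # start of %FACILITY-SEVERITY-MNEMONIC
)
ASA_PREFIX = re.compile(
    r"^<\d{1,3}>"
    r"(?:[A-Za-z]{3} \d{2} \d{4} \d{2}:\d{2}:\d{2} )?"  # optional ASA timestamp
    r"(?P<host>[A-Za-z0-9._-]+) : %"
)


def hostname_source(raw):
    """Return only the device hostname, or None if the line fits neither shape."""
    for pattern in (IOS_PREFIX, ASA_PREFIX):
        m = pattern.match(raw)
        if m:
            return m.group("host")
    return None


def graylog_source(raw):
    """Hostname when the line parses; otherwise fall back to the old capture
    (trimmed) so an unexpected device format still yields a non-empty source."""
    host = hostname_source(raw)
    if host:
        return host
    prefix = marketplace_source(raw)
    if prefix and prefix.strip():
        return prefix.strip()
    return None


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name)
        print("  marketplace regex ->", repr(marketplace_source(line)))
        print("  hostname only     ->", repr(graylog_source(line)))
```

The first column reproduces the oversized source values Thomas saw; the second is what the stricter pattern leaves in the field.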



[graylog2] Re: How to configure multiple output

2016-09-07 Thread Michael Anthon
I ran into this issue last night as well.  It seems to me (from looking at 
the beats doco) that beats doesn't handle multiple outputs.  I'm not sure 
how graylog is deciding which output to use but it seems that we can't use 
this type of setup for beats (regardless of the fact that the interface 
allows you to configure it).

Unless I'm missing something completely, Beats doesn't seem to have the
concept of "routes" like nxlog does; there is no way to associate an input
with an output.

On Tuesday, 6 September 2016 17:57:41 UTC+10, IronCocker wrote:
>
> [root@mirror ~]# more /etc/graylog/collector-sidecar/generated/filebeat.yml
> filebeat:
>   prospectors:
>   - document_type: linux
>     fields:
>       gl2_source_collector: 0d2e5631-e187-4f09-b1a1-562908f44631
>     ignore_older: 0
>     input_type: log
>     paths:
>     - /var/log/*
>     scan_frequency: 10s
>     tail_files: true
>   - document_type: nginx
>     fields:
>       gl2_source_collector: 0d2e5631-e187-4f09-b1a1-562908f44631
>     ignore_older: 0
>     input_type: log
>     paths:
>     - /var/log/nginx/*
>     scan_frequency: 10s
>     tail_files: true
> output:
>   logstash:
>     hosts:
>     - 192.168.1.1:5044
>
> Hi,
> I configured two tags: *linux* and *nginx*, tag *linux* output ['
> 192.168.1.1:*5044*'], tag *nginx* output ['192.168.1.1:*5055*'], but
> *filebeat.yml* only has the *linux* output. What should I do?
> thx.
>



[graylog2] Re: "Best practice" for multiple source/input configurations

2016-09-07 Thread Michael Anthon
That's the way I've ended up going as well, it definitely makes managing
extractors simpler since the extractors on an input all apply to the same
types of messages.

The only gotcha I've run into is with testing filebeats: the collector
allows you to set up and attempt to use multiple outputs, however it seems
that filebeats only supports one output, so I've switched back to using
nxlog again.

On Thursday, 8 September 2016 03:11:28 UTC+10, 8bits...@gmail.com wrote:
>
> I use a different input for each type of log, platform, eventlog, iis, 
> etc..  My thinking was mainly I want to see everything from something 
> specific without noise from another and without the need for a stream.
>
> -
>
> On Wednesday, September 7, 2016 at 4:01:08 AM UTC-6, Michael Anthon wrote:
>>
>> While our system currently isn't that large I'm trying to determine the 
>> best way to configure Graylog to make future updates and extensions simple 
>> to manage.
>>
>> Where I'm struggling with this is with the impact in terms of performance 
>> of configuring things certain ways.
>>
>> So, for example, we have data being sourced from several different types 
>> of logs
>>
>>- IIS Logs
>>- nginx logs
>>- Windows event logs
>>- PHP Error logs
>>- Custom application logs
>>- syslogs from various devices and servers
>>- tomcat/java logs
>>
>> Each of these different types has various requirements in terms of 
>> extractors and processing that we do to provide us with useful fields for 
>> searching.
>>
>> The options as I see them are 
>>
>>1. create a small number of inputs that handle all the messages and 
>>have a large set of extractors to deal with all the different message 
>> types 
>>that come through the input.
>>2. create an input for each type of message source with the 
>>extractors for that type of message as needed
>>
>> To me, option 2 seems the more sensible in terms of future management and 
>> even initial setup but I'm unsure of the impact of having more inputs 
>> versus less inputs with more extractors.
>>
>> I'd appreciate any insight/advice on this (or pointers to documentation 
>> that I may have missed)
>>
>> Cheers,
>> Michael
>>
>



[graylog2] Failed to start Grizzly HTTP server: permission denied - after 2.1 upgrade

2016-09-07 Thread Steve A
After upgrading my functioning 2.03 environment (1 Graylog server with 2
ElasticSearch nodes, all CentOS 7), Graylog won't start up properly.  It
loops through startup/shutdown as shown below (full log is attached).  It
seems like a problem binding Linux ports below 1024, but I could be wrong.
Any thoughts?

2016-09-07T10:47:08.205-04:00 INFO  [JerseyService] Started REST API at 

2016-09-07T10:47:10.814-04:00 ERROR [ServiceManager] Service JerseyService [FAILED] has failed in the STARTING state.
javax.ws.rs.ProcessingException: Failed to start Grizzly HTTP server: Permission denied
    at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpServerFactory.createHttpServer(GrizzlyHttpServerFactory.java:299) ~[graylog.jar:?]
    at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpServerFactory.createHttpServer(GrizzlyHttpServerFactory.java:163) ~[graylog.jar:?]
    at org.graylog2.shared.initializers.JerseyService.setUp(JerseyService.java:337) ~[graylog.jar:?]
    at org.graylog2.shared.initializers.JerseyService.startUpWeb(JerseyService.java:159) ~[graylog.jar:?]
    at org.graylog2.shared.initializers.JerseyService.startUp(JerseyService.java:135) ~[graylog.jar:?]
    at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
    at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
    at java.lang.Thread.run(Thread.java:745) [?:1.8.0_101]
Caused by: java.net.SocketException: Permission denied
    at sun.nio.ch.Net.bind0(Native Method) ~[?:1.8.0_101]
    at sun.nio.ch.Net.bind(Net.java:433) ~[?:1.8.0_101]
    at sun.nio.ch.Net.bind(Net.java:425) ~[?:1.8.0_101]
    at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:223) ~[?:1.8.0_101]
    at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74) ~[?:1.8.0_101]
    at org.glassfish.grizzly.nio.transport.TCPNIOBindingHandler.bindToChannelAndAddress(TCPNIOBindingHandler.java:131) ~[graylog.jar:?]
    at org.glassfish.grizzly.nio.transport.TCPNIOBindingHandler.bind(TCPNIOBindingHandler.java:88) ~[graylog.jar:?]
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.bind(TCPNIOTransport.java:248) ~[graylog.jar:?]
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.bind(TCPNIOTransport.java:228) ~[graylog.jar:?]
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.bind(TCPNIOTransport.java:219) ~[graylog.jar:?]
    at org.glassfish.grizzly.http.server.NetworkListener.start(NetworkListener.java:714) ~[graylog.jar:?]
    at org.glassfish.grizzly.http.server.HttpServer.start(HttpServer.java:278) ~[graylog.jar:?]
    at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpServerFactory.createHttpServer(GrizzlyHttpServerFactory.java:296) ~[graylog.jar:?]
    ... 7 more


[graylog2] Re: Seeking Information

2016-09-07 Thread 8bits1beard
This may be of use to you with regard to Graylog and Splunk.
https://www.graylog.org/blog/19-graylog-splunk-integration-is-now-here

On Wednesday, September 7, 2016 at 10:34:36 AM UTC-6, peterse...@gmail.com 
wrote:
>
> Seeking information about Graylog. I am currently an administrator of
> Splunk and I am hoping I can reach out to someone in this group to help me on
> using Graylog in conjunction with Splunk and how it can benefit us on
> license usage with Splunk. Thanks
>



[graylog2] Rest API on 9000 doesn't work.

2016-09-07 Thread 8bits1beard
According to http://docs.graylog.org/en/2.1/pages/upgrade/graylog-2.1.html

I can now use port 9000 for the web interface and REST API.  However, after
editing /etc/graylog/server/server.conf and setting rest_listen_uri
to LANIP:9000/, neither the web interface nor the REST API works.  No firewall is
in place so that shouldn't be the reason.



[graylog2] Collectors show Unknown or Failing status after upgrading to 2.1 from 2.0.3

2016-09-07 Thread 8bits1beard
I'm still receiving messages but under System > Collectors, all show either 
Failing or Unknown.  I can make changes to my configurations and they 
update my nxlog.conf files so I know communication is happening both ways. 
 I've restarted the collector and no change.  All collectors are version 
0.0.9 and running on Windows hosts.



[graylog2] Re: Updating to Graylog 2.1.0 from 2.0.3

2016-09-07 Thread 8bits1beard
$ wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb
$ sudo dpkg -i graylog-2.1-repository_latest.deb
$ sudo apt-get update
$ sudo apt-get install graylog-server



Worked for me.

On Tuesday, September 6, 2016 at 4:48:06 AM UTC-6, Ciprian wrote:
>
> Hello, 
>
> I have noticed that a new version of Graylog has been released and 
> therefore I am wondering how can I upgrade to it. 
> Will I lose any settings?
>
> Thanks
>



[graylog2] Re: Bigger production setup

2016-09-07 Thread T.J. Yang
Thanks Aykisn for passing on this useful blog.

On Wednesday, September 7, 2016 at 6:28:48 AM UTC-5, Aykisn wrote:
>
> I recommend this guide : 
> http://severalnines.com/blog/high-availability-log-processing-graylog-mongodb-and-elasticsearch
>
> You just have to adapt the guide to match the architecture you want.
>



[graylog2] Re: "Best practice" for multiple source/input configurations

2016-09-07 Thread 8bits1beard
I use a different input for each type of log, platform, eventlog, iis, 
etc..  My thinking was mainly I want to see everything from something 
specific without noise from another and without the need for a stream.

-

On Wednesday, September 7, 2016 at 4:01:08 AM UTC-6, Michael Anthon wrote:
>
> While our system currently isn't that large I'm trying to determine the 
> best way to configure Graylog to make future updates and extensions simple 
> to manage.
>
> Where I'm struggling with this is with the impact in terms of performance 
> of configuring things certain ways.
>
> So, for example, we have data being sourced from several different types 
> of logs
>
>- IIS Logs
>- nginx logs
>- Windows event logs
>- PHP Error logs
>- Custom application logs
>- syslogs from various devices and servers
>- tomcat/java logs
>
> Each of these different types has various requirements in terms of 
> extractors and processing that we do to provide us with useful fields for 
> searching.
>
> The options as I see them are 
>
>1. create a small number of inputs that handle all the messages and 
>have a large set of extractors to deal with all the different message 
> types 
>that come through the input.
>2. create an input for each type of message source with the extractors 
>for that type of message as needed
>
> To me, option 2 seems the more sensible in terms of future management and 
> even initial setup but I'm unsure of the impact of having more inputs 
> versus less inputs with more extractors.
>
> I'd appreciate any insight/advice on this (or pointers to documentation 
> that I may have missed)
>
> Cheers,
> Michael
>



[graylog2] Is it possible to setup a stream to alert if number of messages from a single source exceeds a count?

2016-09-07 Thread ironmanmk42
Graylog 1.3.2 (for now, and looking to implement Graylog 2.1)

Is it possible to set up a stream to alert if the number of messages from a
single source exceeds a count?
I have some misbehaving apps on hosts which suddenly send over a million
syslogs in, say, an hour or two because of a faulty app.
It would be great to have a stream which can alert with the source and
message count over the last 1 hour if, say, > 1 million.

Thanks,



[graylog2] Seeking Information

2016-09-07 Thread petersendana62
Seeking information about Graylog. I am currently an administrator of
Splunk and I am hoping I can reach out to someone in this group to help me on
using Graylog in conjunction with Splunk and how it can benefit us on
license usage with Splunk. Thanks



[graylog2] Graylog V2 web interface stuck on loading after login

2016-09-07 Thread Thangaraj Arunachalam
Hi Nathan,

We are also facing a similar issue in our setup. Could you please share more
details about the fix.

Thanks in advance.

Tharun.



[graylog2] Re: Graylog V2 web interface stuck on loading after login

2016-09-07 Thread Thangaraj Arunachalam
Hi, we are also having a similar issue in my setup. Could you please elaborate on the
fix?



Re: [graylog2] Web interface flashes logon page in every reload

2016-09-07 Thread Phil Sumner
Thank you!

On Wednesday, 7 September 2016 16:27:24 UTC+1, Edmundo Alvarez wrote:
>
> Hi, 
>
> This is a known presentation issue, please check this Github issue for 
> more information: https://github.com/Graylog2/graylog2-server/issues/2770 
>
> Regards, 
> Edmundo 
>
>



Re: [graylog2] Web interface flashes logon page in every reload

2016-09-07 Thread Edmundo Alvarez
Hi,

This is a known presentation issue, please check this Github issue for more 
information: https://github.com/Graylog2/graylog2-server/issues/2770

Regards,
Edmundo

> On 07 Sep 2016, at 17:25, Karjic Ioannis  wrote:
> 
> Hi all,
> having the same problem
> 
> Regards
> 
> On Wednesday, September 7, 2016 at 4:37:50 PM UTC+3, Phil Sumner wrote:
> Since upgrading to 2.1.0 from 2.0.3, the web interface has started showing 
> (briefly) the logon page whenever the reload action happens.
> 
> Not sure what information I can provide to be useful here.  Anyone got any 
> idea how to stop it?
> 
> Thanks,
> Phil
> 



[graylog2] Re: Web interface flashes logon page in every reload

2016-09-07 Thread Karjic Ioannis
Hi all,
having the same problem

Regards

On Wednesday, September 7, 2016 at 4:37:50 PM UTC+3, Phil Sumner wrote:
>
> Since upgrading to 2.1.0 from 2.0.3, the web interface has started showing 
> (briefly) the logon page whenever the reload action happens.
>
> Not sure what information I can provide to be useful here.  Anyone got any 
> idea how to stop it?
>
> Thanks,
> Phil
>



[graylog2] Web interface flashes logon page in every reload

2016-09-07 Thread Phil Sumner
Since upgrading to 2.1.0 from 2.0.3, the web interface has started showing 
(briefly) the logon page whenever the reload action happens.

Not sure what information I can provide to be useful here.  Anyone got any 
idea how to stop it?

Thanks,
Phil



[graylog2] Re: Bigger production setup

2016-09-07 Thread Aykisn
I recommend this guide:
http://severalnines.com/blog/high-availability-log-processing-graylog-mongodb-and-elasticsearch

You just have to adapt the guide to match the architecture you want.



[graylog2] Number of records per second on the histogram

2016-09-07 Thread Валерий Казанцев
Hello! The smallest unit of time for the histogram is the minute. I want to
display the number of records per second. How can I do this?
Kibana can display the number of records per second. In this respect I can see that
Graylog is losing to Kibana.



Re: [graylog2] Issue with winlogbeat and TLS connections

2016-09-07 Thread Marius Sturm
Hi,
could you please open an issue for this here:
https://github.com/Graylog2/collector-sidecar
Should be easy to fix.

Cheers,
Marius


On 7 September 2016 at 11:48, Michael Anthon  wrote:

> Hi All,
> I have just attempted to set up filebeat and winlogbeat to see how they
> perform but ran into a bit of an issue with using winlogbeat and TLS
> connections.
>
> The config file generated looks (in part) like this for an output defined
> in collectors with "Enable TLS support" and "Insecure TLS connection" both
> enabled and none of the cert/key/ca fields filled in
>
> output:
>   logstash:
>     hosts:
>     - graylog.example.com:5044
>     tls:
>       certificate_authorities:
>       - ""
>       insecure: true
>
> The same settings on a filebeat input generate the following config
> snippet (and this works quite happily)
>
> output:
>   logstash:
>     hosts:
>     - graylog.exampe.com:5044
>     tls:
>       insecure: true
>
> The winlogbeat config will not work (configtest throws an error until I
> manually remove the certificate_authorities line)
>
> At this point I'm reverting back to using nxlog for the windows logs but
> would be keen to revisit this once it's fixed.
>
> Cheers,
> Michael
>



-- 
Developer

Tel.: +49 (0)40 609 452 077
Fax.: +49 (0)40 609 452 078

TORCH GmbH - A Graylog Company
Poolstraße 21
20335 Hamburg
Germany

https://www.graylog.com 

Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Geschäftsführer: Lennart Koopmann (CEO)



Re: [graylog2] Sidecar permission denied error

2016-09-07 Thread Marius Sturm
We plan some performance improvements for the next release, so if you see
too much load on the server side at the moment, this will be improved in
2.2. Maybe not relevant for 50 nodes but for 500.

On 7 September 2016 at 11:36, Werner van der Merwe 
wrote:

> Thanks Marius, that worked like a charm!
>
> No if trial works and I get my approval, we can roll that out to most of
> the Windows and RedHat farms as well.
>
> The Windows guys are hesitant to open that up as they are committed Splunk
> guys, but I think sidecar will bring a lot of weight to move over - then I
> can run all of the +- 460 Windows servers off Graylog as well.
> The ability to integrate with AD already helped a lot towards that.





[graylog2] Re: Change "dynamic_templates" and "store_generic"

2016-09-07 Thread SancheZZS
I retried with all the mapping manipulations, fixed the index name and recreated the
index. It works perfectly, but I have a little issue. Any new field still has
"index" : "not_analyzed".
curl -X GET 'http://localhost:9200/_template?pretty'
http://pastebin.com/5hyFHkzJ
My "graylog-custom-mapping" contains "index" : "analyzed" in 
"dynamic_templates" 
"dynamic_templates" : [ {
  "internal_fields" : {
    "mapping" : {
      "analyzer" : "standard",
      "index" : "analyzed",
      "type" : "string"
    },
    "match" : "gl2_*"
  }
}, {
  "store_generic" : {
    "mapping" : {
      "analyzer" : "standard",
      "index" : "analyzed",
      "type" : "string"
    },
    "match" : "*"
  }
} ],

 
I created a new extractor with the field "ipt1258", but the index of "ipt1258" 
is "not_analyzed"
  "ipt1258" : {
    "type" : "string",
    "index" : "not_analyzed"
  },
curl -X GET 'http://localhost:9200/graylog2_0?pretty'
http://pastebin.com/NATNvHjG

Also, in the graylog2_0 index the "dynamic_templates" are not equivalent to the 
"dynamic_templates" in the "graylog-custom-mapping" template. At the same time 
"ipt1132" is correct.
What am I doing wrong?



On Wednesday, 7 September 2016 11:59:19 UTC+3, Jochen Schalanda wrote:
>
> Hi,
>
> did you create the index "graylog2_0" after you've added your custom index 
> mapping and the custom index template? Only newly created indices will 
> receive the new index mapping.
>
> The index name also doesn't match the pattern you're using (which is 
> "graylog_*" and not "graylog2_*").
>
> Also see 
> http://docs.graylog.org/en/2.1/pages/configuration/elasticsearch.html#custom-index-mappings
> for working examples.
>
>
> Cheers,
> Jochen
>
> On Tuesday, 6 September 2016 22:47:26 UTC+2, SancheZZS wrote:
>>
>> I added  new templates mygraylog and mygraylog2. 
>> curl -X GET 'http://localhost:9200/_template?pretty' returns
>> http://pastebin.com/qnweRuqb
>>
>> After that I created new fields ipt2323 and ipt2301. It doesn't work 
>> for me 
>>   "ipt2301" : {
>>     "type" : "string",
>>     "index" : "not_analyzed"
>>   },
>>   "ipt2323" : {
>>     "type" : "string",
>>     "index" : "not_analyzed"
>>   },
>>
>> curl -X GET 'http://localhost:9200/graylog2_0?pretty'
>> http://pastebin.com/dkaFZq3A
>> What am I missing ? 
>>
>> On Tuesday, 6 September 2016 19:35:59 UTC+3, Jochen Schalanda wrote:
>>>
>>> Hi,
>>>
>>> you can simply create your own index mapping and put it into a custom 
>>> index template to achieve this. The Graylog index template has the lowest 
>>> priority ("order") and any other index template can override its settings.
>>>
>>> See 
>>> https://www.elastic.co/guide/en/elasticsearch/reference/2.3/mapping.html 
>>> and 
>>> https://www.elastic.co/guide/en/elasticsearch/reference/2.3/indices-templates.html
>>> for details.
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Tuesday, 6 September 2016 17:20:17 UTC+2, SancheZZS wrote:
>>>>
>>>> Hello!
>>>> After the first run of graylog2 I have the default template in Elasticsearch
>>>> curl -X GET 'http://localhost:9200/_template?pretty'
>>>> http://pastebin.com/e5LPiGzC
>>>>
>>>> How to change the mapping in "dynamic_templates" and "store_generic" from
>>>> "index" : "not_analyzed" to
>>>>
>>>> "analyzer" : "standard",
>>>> "index" : "analyzed",
>>>> "type" : "string"
>>>> ?
>>>>
>>>> I want any new field created in the web interface to have "index" 
>>>> : "analyzed". By default they have 
>>>> "index" : "not_analyzed",
>>>> "type" : "string"
>>>>
>>>> Any advice is greatly appreciated.






[graylog2] "Best practice" for multiple source/input configurations

2016-09-07 Thread Michael Anthon
While our system currently isn't that large I'm trying to determine the 
best way to configure Graylog to make future updates and extensions simple 
to manage.

Where I'm struggling with this is with the impact in terms of performance 
of configuring things certain ways.

So, for example, we have data being sourced from several different types of 
logs

   - IIS Logs
   - nginx logs
   - Windows event logs
   - PHP Error logs
   - Custom application logs
   - syslogs from various devices and servers
   - tomcat/java logs

Each of these different types has various requirements in terms of 
extractors and processing that we do to provide us with useful fields for 
searching.

The options as I see them are 

   1. create a small number of inputs that handle all the messages and have 
   a large set of extractors to deal with all the different message types that 
   come through the input.
   2. create an input for each type of message source with the extractors 
   for that type of message as needed

To me, option 2 seems the more sensible in terms of future management and 
even initial setup but I'm unsure of the impact of having more inputs 
versus less inputs with more extractors.

I'd appreciate any insight/advice on this (or pointers to documentation 
that I may have missed)

Cheers,
Michael



[graylog2] Issue with winlogbeat and TLS connections

2016-09-07 Thread Michael Anthon
Hi All,
I have just attempted to set up filebeat and winlogbeat to see how they 
perform but ran into a bit of an issue with using winlogbeat and TLS 
connections.

The config file generated looks (in part) like this for an output defined in 
collectors with "Enable TLS support" and "Insecure TLS connection" both 
enabled and none of the cert/key/ca fields filled in

output:
  logstash:
    hosts:
    - graylog.example.com:5044
    tls:
      certificate_authorities:
      - ""
      insecure: true

The same settings on a filebeat input generate the following config snippet 
(and this works quite happily)

output:
  logstash:
    hosts:
    - graylog.example.com:5044
    tls:
      insecure: true

The winlogbeat config will not work (configtest throws an error until I 
manually remove the certificate_authorities line) 

At this point I'm reverting back to using nxlog for the windows logs but 
would be keen to revisit this once it's fixed.

Cheers,
Michael

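The generated output section rebuilt as an added example (not collector-sidecar code, and not from the poster): build_logstash_output skips a blank CA path instead of emitting the `- ""` entry that makes winlogbeat's configtest fail, to_yaml renders the result in the shape shown above, and lint_tls flags what is left, including that `insecure: true` turns off server certificate and hostname verification. The option names enable_tls, insecure_tls and ca_paths are assumptions.

```python
"""Rebuild the Beats 1.x output.logstash section the way a sidecar-style
generator would, without the blank certificate_authorities entry from the
thread. Added example, not collector-sidecar code; the option names
(enable_tls, insecure_tls, ca_paths) are assumptions."""
from typing import Dict, List, Optional


def build_logstash_output(hosts: List[str], enable_tls: bool,
                          insecure_tls: bool = False,
                          ca_paths: Optional[List[str]] = None) -> Dict:
    """Return the output section as a nested dict.

    A blank CA path (what an empty UI field yields) is skipped rather
    than emitted as "", which is what made winlogbeat's configtest fail.
    """
    logstash: Dict = {"hosts": list(hosts)}
    if enable_tls:
        tls: Dict = {}
        cas = [p.strip() for p in (ca_paths or []) if p and p.strip()]
        if cas:
            tls["certificate_authorities"] = cas
        if insecure_tls:
            tls["insecure"] = True
        logstash["tls"] = tls
    return {"output": {"logstash": logstash}}


def _scalar(value) -> str:
    return ("true" if value else "false") if isinstance(value, bool) else str(value)


def to_yaml(node, indent: int = 0) -> str:
    """Minimal YAML emitter for the dict / list-of-scalars shapes used here."""
    pad = "  " * indent
    lines: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, (dict, list)) and value:
                lines.append(f"{pad}{key}:")
                lines.append(to_yaml(value, indent + 1))
            elif isinstance(value, (dict, list)):
                lines.append(f"{pad}{key}: {'{}' if isinstance(value, dict) else '[]'}")
            else:
                lines.append(f"{pad}{key}: {_scalar(value)}")
    else:
        for item in node:
            lines.append(f"{pad}- {_scalar(item)}")
    return "\n".join(lines)


def lint_tls(config: Dict) -> List[str]:
    """Flag the TLS problems visible in the thread's snippets."""
    findings: List[str] = []
    tls = config.get("output", {}).get("logstash", {}).get("tls")
    if tls is None:
        return ["tls section missing: events are shipped in plaintext"]
    cas = tls.get("certificate_authorities", [])
    if any(not c.strip() for c in cas):
        findings.append("blank certificate_authorities entry: configtest rejects it")
    if tls.get("insecure"):
        findings.append("insecure: true: server certificate and hostname are not verified")
    return findings


# Constructed: the winlogbeat output exactly as the thread shows it.
BUGGY_WINLOGBEAT_OUTPUT = {"output": {"logstash": {
    "hosts": ["graylog.example.com:5044"],
    "tls": {"certificate_authorities": [""], "insecure": True}}}}


if __name__ == "__main__":
    fixed = build_logstash_output(["graylog.example.com:5044"],
                                  enable_tls=True, insecure_tls=True, ca_paths=[""])
    print(to_yaml(fixed))
    for finding in lint_tls(BUGGY_WINLOGBEAT_OUTPUT):
        print("buggy:", finding)
```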


Re: [graylog2] Sidecar permission denied error

2016-09-07 Thread Werner van der Merwe
Thanks Marius, that worked like a charm!

Now if the trial works and I get my approval, we can roll that out to most of
the Windows and RedHat farms as well.

The Windows guys are hesitant to open that up as they are committed Splunk
guys, but I think sidecar will bring a lot of weight to move over - then I
can run all of the +- 460 Windows servers off Graylog as well.
The ability to integrate with AD already helped a lot towards that.



Re: [graylog2] Sidecar permission denied error

2016-09-07 Thread Marius Sturm
Awesome, happy to see it working in your environment!

On 7 September 2016 at 11:12, Werner van der Merwe 
wrote:

> Hi Marius,
>
> Currently we have it running on 27 Ubuntu servers and about 25 CentOS
> boxes as trial.
> We're in the process of installing onto a Windows trial of 22-25 servers.
>
> Have a Centos puppet manifest (crudely) managing the Centos servers,
> Ubuntu and Windows mostly manual initially.
>
> I'll make the change to adm and report back!
>
> Thanks for a great product!
>
>
> On Wednesday, 7 September 2016, Marius Sturm  wrote:
>
>> Hi Werner,
>> right the nxlog user needs access to the files you want to read, usually
>> that's the 'adm' group on ubuntu and the 'root' group on centos/redhat
>> machines.
>>
>> Out of curiosity, how many sidecars are you running in parallel?
>>
>> Cheers,
>> Marius
>>
>> On 7 September 2016 at 06:08, Werner van der Merwe <
>> wernervdme...@gmail.com> wrote:
>>
>>> NXlog's User and Group is set to root as well





[graylog2] Re: Convert log level from number to a more understandable

2016-09-07 Thread Jochen Schalanda
Hi Pedro,

you could use the message decorators introduced in Graylog 2.1.0 to convert 
those levels to a human-readable format: 
http://docs.graylog.org/en/2.1/pages/queries.html#syslog-severity-mapper

Cheers,
Jochen

On Wednesday, 7 September 2016 11:29:07 UTC+2, pedro rijo wrote:
>
> We have been using elk but we are migrating to graylog since it seems way 
> more powerful, but some of us have been complaining about a minor detail:
>
> - In elk log levels were values like 'ERROR', 'WARN', 'INFO', 'DEBUG'
> - In graylog levels are represented as numbers from 0 to 7
>
> Couldn't find anything on docs or any other source, but is there any 
> configuration that could change how to present log level? or maybe some 
> plugin?
>
> Thanks
>



[graylog2] Convert log level from number to a more understandable

2016-09-07 Thread pedro rijo
We have been using elk but we are migrating to graylog since it seems way 
more powerful, but some of us have been complaining about a minor detail:

- In elk log levels were values like 'ERROR', 'WARN', 'INFO', 'DEBUG'
- In graylog levels are represented as numbers from 0 to 7

Couldn't find anything on docs or any other source, but is there any 
configuration that could change how to present log level? or maybe some 
plugin?

Thanks



Re: [graylog2] Re: Graylog not connecting to elasticsearch

2016-09-07 Thread Jochen Schalanda
Hi Karan,

try removing (or commenting out) the 
elasticsearch_discovery_zen_ping_unicast_hosts setting from your Graylog 
configuration file.

Cheers,
Jochen



Re: [graylog2] Sidecar permission denied error

2016-09-07 Thread Werner van der Merwe
Hi Marius,

Currently we have it running on 27 Ubuntu servers and about 25 CentOS boxes
as trial.
We're in the process of installing onto a Windows trial of 22-25 servers.

Have a Centos puppet manifest (crudely) managing the Centos servers, Ubuntu
and Windows mostly manual initially.

I'll make the change to adm and report back!

Thanks for a great product!


On Wednesday, 7 September 2016, Marius Sturm  wrote:

> Hi Werner,
> right the nxlog user needs access to the files you want to read, usually
> that's the 'adm' group on ubuntu and the 'root' group on centos/redhat
> machines.
>
> Out of curiosity, how many sidecars are you running in parallel?
>
> Cheers,
> Marius
>
> On 7 September 2016 at 06:08, Werner van der Merwe <
> wernervdme...@gmail.com
> > wrote:
>
>> NXlog's User and Group is set to root as well



[graylog2] Re: Change "dynamic_templates" and "store_generic"

2016-09-07 Thread Jochen Schalanda
Hi,

did you create the index "graylog2_0" after you've added your custom index 
mapping and the custom index template? Only newly created indices will 
receive the new index mapping.

The index name also doesn't match the pattern you're using (which is 
"graylog_*" and not "graylog2_*").

Also see 
http://docs.graylog.org/en/2.1/pages/configuration/elasticsearch.html#custom-index-mappings
for working examples.


Cheers,
Jochen

On Tuesday, 6 September 2016 22:47:26 UTC+2, SancheZZS wrote:
>
> I added  new templates mygraylog and mygraylog2. 
> curl -X GET 'http://localhost:9200/_template?pretty' returns
> http://pastebin.com/qnweRuqb
>
> After that I created new fields ipt2323 and ipt2301. It doesn't work for 
> me 
>   "ipt2301" : {
>     "type" : "string",
>     "index" : "not_analyzed"
>   },
>   "ipt2323" : {
>     "type" : "string",
>     "index" : "not_analyzed"
>   },
>
> curl -X GET 'http://localhost:9200/graylog2_0?pretty'
> http://pastebin.com/dkaFZq3A
> What am I missing ? 
>
> On Tuesday, 6 September 2016 19:35:59 UTC+3, Jochen Schalanda wrote:
>>
>> Hi,
>>
>> you can simply create your own index mapping and put it into a custom 
>> index template to achieve this. The Graylog index template has the lowest 
>> priority ("order") and any other index template can override its settings.
>>
>> See 
>> https://www.elastic.co/guide/en/elasticsearch/reference/2.3/mapping.html 
>> and 
>> https://www.elastic.co/guide/en/elasticsearch/reference/2.3/indices-templates.html
>> for details.
>>
>> Cheers,
>> Jochen
>>
>> On Tuesday, 6 September 2016 17:20:17 UTC+2, SancheZZS wrote:
>>>
>>> Hello!
>>> After the first run of graylog2 I have the default template in Elasticsearch
>>> curl -X GET 'http://localhost:9200/_template?pretty'
>>> http://pastebin.com/e5LPiGzC
>>>
>>> How to change mapping in "dynamic_templates" and "store_generic" from
>>> "index" : "not_analyzed" to
>>>
>>> "analyzer" : "standard",
>>> "index" : "analyzed",
>>> "type" : "string"
>>> ?
>>>
>>> I want any new field created in the web interface to have "index" : 
>>> "analyzed". By default they have 
>>> "index" : "not_analyzed",
>>> "type" : "string"
>>>
>>> Any advice is greatly appreciated.
>>>
>>>
>>>

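How Elasticsearch 2.x picks index templates for a new index, played through as an added example (not Graylog or Elasticsearch code) for the two points in the reply above: the custom template's "graylog_*" pattern never matches "graylog2_0", so only the default template applies and a new field like ipt1258 stays not_analyzed; once the pattern is corrected, the higher-order custom store_generic entry overrides the default one. The template name "graylog-internal", the order values, and the merge-by-name rule for dynamic_templates are assumptions modelled on the thread.

```python
"""Resolve which Elasticsearch 2.x index templates apply to an index name
and what mapping a new field would get from the merged dynamic_templates.

Added example, not Graylog or Elasticsearch code. The template set is
constructed to mirror the thread; names and order values are assumed."""
import copy
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

NOT_ANALYZED = {"type": "string", "index": "not_analyzed"}
ANALYZED = {"type": "string", "index": "analyzed", "analyzer": "standard"}

# Constructed: Graylog's own template (lowest order) matches the index
# prefix actually in use, graylog2_*, while the custom template from the
# thread was written for graylog_*.
TEMPLATES: Dict[str, Dict] = {
    "graylog-internal": {
        "template": "graylog2_*",
        "order": -1,
        "dynamic_templates": [
            {"internal_fields": {"match": "gl2_*", "mapping": NOT_ANALYZED}},
            {"store_generic": {"match": "*", "mapping": NOT_ANALYZED}},
        ],
    },
    "graylog-custom-mapping": {
        "template": "graylog_*",
        "order": 0,
        "dynamic_templates": [
            {"store_generic": {"match": "*", "mapping": ANALYZED}},
        ],
    },
}


def matching_templates(index_name: str, templates: Dict) -> List[Tuple[str, Dict]]:
    """Templates whose glob matches the index, lowest order first; ES
    applies them in that order, so a higher order overrides."""
    hits = [(name, t) for name, t in templates.items()
            if fnmatchcase(index_name, t["template"])]
    return sorted(hits, key=lambda item: item[1]["order"])


def effective_dynamic_templates(index_name: str, templates: Dict) -> List[Dict]:
    """Merge dynamic_templates of every matching template. Entries are keyed
    by name: a later (higher order) entry replaces an earlier one with the
    same name, unknown names are appended (merge rule assumed here).
    This is what a newly created index gets; an existing index keeps the
    mapping it was created with, which is why the index must be recreated."""
    merged: List[Dict] = []
    for _, tmpl in matching_templates(index_name, templates):
        for entry in tmpl["dynamic_templates"]:
            (name, body), = entry.items()
            for i, existing in enumerate(merged):
                if name in existing:
                    merged[i] = {name: body}
                    break
            else:
                merged.append({name: body})
    return merged


def mapping_for_new_field(field: str,
                          dynamic_templates: List[Dict]) -> Optional[Tuple[str, Dict]]:
    """The first dynamic template whose match glob fits the field wins."""
    for entry in dynamic_templates:
        (name, body), = entry.items()
        if fnmatchcase(field, body["match"]):
            return name, body["mapping"]
    return None


def with_pattern(templates: Dict, name: str, pattern: str) -> Dict:
    """Copy of the template set with one template's index pattern replaced."""
    fixed = copy.deepcopy(templates)
    fixed[name]["template"] = pattern
    return fixed


if __name__ == "__main__":
    corrected = with_pattern(TEMPLATES, "graylog-custom-mapping", "graylog2_*")
    for tset, label in ((TEMPLATES, "as posted"), (corrected, "pattern fixed")):
        names = [n for n, _ in matching_templates("graylog2_0", tset)]
        field = mapping_for_new_field(
            "ipt1258", effective_dynamic_templates("graylog2_0", tset))
        print(f"{label}: templates={names} ipt1258 -> {field}")
```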


Re: [graylog2] Re: Sidecar permission denied error

2016-09-07 Thread Marius Sturm
Hi Werner,
right the nxlog user needs access to the files you want to read, usually
that's the 'adm' group on ubuntu and the 'root' group on centos/redhat
machines.

Out of curiosity, how many sidecars are you running in parallel?

Cheers,
Marius

On 7 September 2016 at 06:08, Werner van der Merwe 
wrote:

> NXlog's User and Group is set to root as well





[graylog2] Re: Graylog email alert frequency

2016-09-07 Thread Jochen Schalanda
Hi Ajay,

On Wednesday, 7 September 2016 05:20:15 UTC+2, Ajay Kumar wrote:
>
> Just out of curiosity, is it a limitation by design or intentionally 
> feature is kept like that?


It's a current design limitation. Alerts are being generated by 
periodically running Elasticsearch queries (default: 60s) over a given time 
window, so it's always possible that there are multiple "hits" within this 
period.

Cheers,
Jochen



[graylog2] Re: Install

2016-09-07 Thread Jochen Schalanda
Hi Chad,

Graylog currently doesn't support running Elasticsearch plugins in its 
embedded instance at all (also see 
https://github.com/Graylog2/graylog2-server/issues/2789).

You have to rely on the standard Elasticsearch configuration settings which 
Graylog provides: 
https://github.com/Graylog2/graylog2-server/blob/2.1.0/misc/graylog.conf#L260-L301

Cheers,
Jochen

On Tuesday, 6 September 2016 21:45:45 UTC+2, Chad wrote:
>
> If I can't load the cloud-aws plugin.  How can I point graylog at an 
> existing cluster?
>
> On Tuesday, September 6, 2016 at 2:38:51 PM UTC-5, Chad wrote:
>>
>> New install on AWS EC2 utilizing the cloud-aws plugin for the existing 
>> elasticsearch cluster.
>>
>> All ES nodes are working correctly.  But when starting the graylog.
>>
>> Caused by: ElasticsearchException[Missing mandatory plugins [cloud-aws]]
>> at 
>> org.elasticsearch.plugins.PluginsService.(PluginsService.java:165)
>> at org.elasticsearch.node.Node.(Node.java:158)
>> at org.elasticsearch.node.GraylogNode.(GraylogNode.java:37)
>> at 
>> org.graylog2.bindings.providers.EsNodeProvider.get(EsNodeProvider.java:57)
>> at 
>> org.graylog2.bindings.providers.EsNodeProvider.get(EsNodeProvider.java:40)
>> at 
>> com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:81)
>>
>>
>> How do I install the cloud-aws plugin on the graylog ES client?
>>
>> Thanks,
>>
>>
>>
>>



Re: [graylog2] Re: Graylog not connecting to elasticsearch

2016-09-07 Thread Karan Chandok
Hi Jochen,

Please find the attached updated configuration files.

On Tue, Sep 6, 2016 at 2:09 PM, Jochen Schalanda  wrote:

> Hi Karan,
>
> please post the current Graylog and Elasticsearch configuration files
> you're using (after the changes you've made).
>
> Cheers,
> Jochen
>
> On Tuesday, 6 September 2016 09:38:24 UTC+2, Karan Chandok wrote:
>>
>> Hi Jochen,
>>
>> Yes elasticsearch is running on same machine. I have removed white space
>> and removed unicast host setting as suggested by you however still same
>> error is coming.
>>



-- 
Thanks & Regards
karan Chandok



elasticsearch.yml
Description: Binary data


server.conf
Description: Binary data