Re: [graylog2] Using kopf plugin to change *_geolocation fields type to geo_point

2016-09-14 Thread Jan Doberstein
Hej Aykisn

> I see that in the kopf plugin web interface, we can add or edit the default 
> template.
> I edited the graylog-internal template to add the geolocation fields to convert 
> them to geo_point.

Did you check the documentation on this topic?

http://docs.graylog.org/en/2.1/pages/configuration/elasticsearch.html#custom-index-mappings

/jd

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/etPan.57da447b.1f1e8e5b.3a1%40jalogisch.de.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: Message signed with OpenPGP using AMPGpg


[graylog2] Re: Using kopf plugin to change *_geolocation fields type to geo_point

2016-09-14 Thread Aykisn
I have managed to convert one field at a time by creating a new template 
like this:
{
  "order": 0,
  "template": "graylog_*",
  "settings": {},
  "mappings": {
    "message": {
      "properties": {
        "*_geolocation": {
          "type": "geo_point"
        }
      }
    }
  },
  "aliases": {}
}

Problem is that it would be really impractical to have to add a specific 
name in the template and cycle an index each time we would have a new 
geolocation field.

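An index template that uses Elasticsearch's dynamic_templates addresses the per-field problem described in the post above: instead of listing each field under "properties" (where wildcards are not expanded), it maps every field whose name matches *_geolocation to geo_point when a new index is created, so a newly appearing geolocation field needs no template change. This is an added example, not code from the thread or from the Graylog project. The template name graylog-custom-geo and the dynamic template name geolocation_fields are made up here, and the block assumes the Elasticsearch 2.x mapping format with the single "message" type that the post's own template uses.

```json
{
  "order": 0,
  "template": "graylog_*",
  "mappings": {
    "message": {
      "dynamic_templates": [
        {
          "geolocation_fields": {
            "match": "*_geolocation",
            "mapping": {
              "type": "geo_point"
            }
          }
        }
      ]
    }
  }
}
```

Install it with `PUT _template/graylog-custom-geo` against the Elasticsearch HTTP API (or paste it into kopf), then cycle the deflector once: templates only apply to indices created after they exist, and a field already indexed as string in an older index keeps that type until that index is recreated or reindexed. The "order" must be higher than the order of the graylog-internal template for this mapping to win where both define the same field; compare with `GET _template/graylog-internal` before relying on it. Restricting the pattern to "graylog_*" keeps the rule from touching unrelated indices on a shared cluster.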


Re: [graylog2] Deflector throwing exception during rotation

2016-09-14 Thread Jan Doberstein
Hej,

> I am seeing the following exception in the graylog servers periodically. 
> [ .. cut off message .. ]
>
> I am using graylog version 2.0.3. Can someone tell me what would cause this 
> issue and what its impact is?

Did you update your Elasticsearch Cluster/Instance to Version 2.4?

If yes, downgrade your Elasticsearch to 2.3.5 or upgrade your Graylog to 2.1.1.



/jd







Re: [graylog2] Upgrading From 2.0.3 to 2.1.1

2016-09-14 Thread Jan Doberstein
Hej Nathan,

> I've got a pair of servers, one running ES 2.3.5-1 and one running Graylog 
> 2.0.3.  I believe the version of ES I'm running is supported by Graylog 2.1.1, 
> so I'm leaving that be for the time being.  What is the exact process for 
> upgrading Graylog?  Simply add the new repo and do a "yum upgrade"?  It was 
> originally installed using the CentOS packages.
>
> I know the default port numbers have changed, and I do have some sidecar 
> collectors running on Windows servers that point to the "old" port number.  Is 
> there an idea for which option is best?  Change Graylog and the collectors to 
> use the new settings?  Or stick with what I have?  I guess what I'm really 
> asking is, while my number of sidecar collectors is still low, should I go ahead 
> and move to the new port numbers?  It will be a lot harder to do in the future, 
> but it is optional right now.  Will it still be optional a year from now?

Did you look at the upgrade documentation?
http://docs.graylog.org/en/2.1/pages/upgrade/graylog-2.1.html

Update is as simple as you said, and all the changes should be covered in the 
document.



/jd






[graylog2] nxlog running as root but still having permission issues?

2016-09-14 Thread Rulas Mur
I'm running nxlog as root but it's still getting permission denied errors:

ERROR failed to open 
/var/atlassian/application-data/jira/log/atlassian-jira.log;Permission 
denied
ERROR apr_stat failed on file 
/var/atlassian/application-data/jira/log/atlassian-jira.log;Permission 
denied

Definitely running as root

2016-09-14 16:40:36 WARNING already running as gid 0
2016-09-14 16:40:36 WARNING already running as uid 0

When not running as root I've tried to set the folder and file group to the 
nxlog group, but still nada.

I've tried just about everything I can think of. Any ideas?



Re: [graylog2] Pipeline doesn't drop message unless attached to Default stream

2016-09-14 Thread Jan Doberstein
Hej Alexander,

> If I attach this pipeline to "Syslog" stream, messages are not dropped, and I 
> still can see them in the stream. Only if I attach the pipeline to Default 
> stream, messages begin to be dropped.

Did you check the processing order?

http://docs.graylog.org/en/2.1/pages/pipelines/usage.html#configure-the-message-processor

regards
Jan



[graylog2] OSSEC integration with Graylog through csyslogd and CEF Plugin broken.

2016-09-14 Thread Georges Jahchan
In a pilot, both csyslogd and the Graylog CEF Plugin suffer from bugs (or 
design shortcomings) that preclude their use as they function today:

   - csyslogd truncates certain events -- seemingly those with special 
   characters (such as carriage return, line feed, and tab -- Windows Event ID 
   4627 for example), and it so happens that *critical* security 
   information is stripped in the process.
   Since OSSEC truncates these events, it is difficult to predict the 
   behavior of the CEF Plugin and of Graylog once they receive these events in 
   full.

   - CEF Plugin seems to handle only the standard Application, Security, 
   and System logs. Events from other 'eventchannel' logs picked up by OSSEC 
   and forwarded by csyslogd in CEF format to CEF Plugin seem to be dropped 
   *silently* by the CEF plugin.
   I have not pushed testing further to see what happens to single or 
   multi-line events picked up by OSSEC from plain-text log files and 
   forwarded to Graylog through csyslogd and CEF Plugin.


The transport of events in the [OSSEC --> csyslogd --> CEF plugin --> 
Graylog] chain cannot be trusted with reliably transferring security 
information (whatever happens to be required) from OSSEC into Graylog 
(OSSEC and Graylog work as expected, the transport mechanism between the 
two is evidently broken). Between truncated and dropped events, the 
end-result of the entire event processing chain is *totally unacceptable*.

On the other hand, OSSEC (alerts.json) --> Filebeat --> LogStash --> 
Elasticsearch (when configured correctly) work as expected. All events in 
alerts.json are stored "as is" in Elasticsearch, with no ifs and buts.

Any chance that these issues will be fixed? If yes, what is the expected 
time frame for a fix? I am willing to contribute to testing.

If not, is there an alternative trustworthy (non-syslog) method to reliably 
transport all events from OSSEC undoctored into Graylog? Can NxLog come to the 
rescue as an alternative trustworthy transport mechanism?



[graylog2] Using kopf plugin to change *_geolocation fields type to geo_point

2016-09-14 Thread Aykisn
Hello,

I see that in the kopf plugin web interface, we can add or edit the default 
template.
I edited the graylog-internal template to add the geolocation fields to 
convert them to geo_point.

I then manually cycled the deflector on the graylog web interface, but it 
didn't work; the _geolocation fields still stayed as string. When checking 
the template on the kopf plugin, it seems that it erased my changes when 
creating the new index.

I also tried to do a separate template to add the geolocation part but that 
didn't work either. Also tried without the wildcard and by specifying the 
exact name of a field, didn't work either.

Any insights on how I can use the template to correctly change all the 
_geolocation fields to geo_point?

Thanks.






[graylog2] Re: Sum values from squid field

2016-09-14 Thread Michael Anthon
Hi Daniel,
In fact the only setting I have in that file is this:
elasticsearch.url: "http://127.0.0.1:9200"

This is actually causing issues with the way graylog configures the 
elasticsearch listener but changing this address to the local interface's 
network address should fix that.

That URL should be the only setting required to make Kibana work out of the 
box.  Have a look in /opt/graylog/elasticsearch/config/elasticsearch.yml 
for the "network.host" and "http.port" settings to see how graylog has 
configured the elasticsearch listener.

You can install Kibana on any machine that has network access to the 
elasticsearch cluster.


On Thursday, 15 September 2016 04:10:05 UTC+10, Daniel Reif wrote:
>
> Michael Anthon, 
> *Could you publish your kibana.yml? I am unable to make Kibana find my 
> ElasticSearch cluster and load messages.*
> On Wednesday, 14 September 2016 03:17:44 UTC-3, Michael Anthon 
> wrote:
>>
>> No, you point Kibana at the elasticsearch instance and it "just works". 
>>  There is an option in the Kibana to reload the fields from the indexes in 
>> case they get messed up (sometimes happens when you change the field 
>> extractors in a way that changes the types)
>>
>> On Friday, 9 September 2016 14:52:41 UTC+10, Aykisn wrote:
>>>
>>> Hello Michael,
>>>
>>> I'm really interested in this, have been looking for this feature since 
>>> graylog doesn't support it (yet).
>>> I have a question though, do you need to recreate the fields on kibana ?
>>>
>>> Thanks.
>>>
>>



[graylog2] Re: elasticsearch network.host address

2016-09-14 Thread Michael Anthon
Hi Jochen,
That's a good question!  I'm sure I looked at this a few weeks ago and 
decided I needed to use localhost.  I will revisit the Kibana setup and see 
if it can be changed.

On Wednesday, 14 September 2016 18:58:19 UTC+10, Jochen Schalanda wrote:
>
> Hi Michael,
>
> this setting can currently not be overridden in the OVA.
>
> Could you elaborate on why Kibana can't access Elasticsearch on the 
> primary network interface of the VM (which is where the IP address comes 
> from) and has to access it on 127.0.0.1?
>
> Cheers,
> Jochen
>
> On Wednesday, 14 September 2016 10:16:17 UTC+2, Michael Anthon wrote:
>>
>> Hi All,
>> Every time I run the reconfigure command at the moment it updates the 
>> "network.host" entry in /opt/graylog/elasticsearch/config/elasticsearch.yml 
>> to the network address of the machine instead of the (for me) desired 
>> 0.0.0.0 (I have Kibana running on the server as well attempting to connect 
>> to 127.0.0.1).
>>
>> I'm fairly sure this didn't happen prior to the last update I did to 
>> 2.1.0 and that there were no intentional config changes (but I won't rule 
>> that out!)
>>
>> I can see in the reconfigure output that it's replacing this line but I'm 
>> not sure where it's getting the network address from.
>>
>> Is this something that may have changed in the latest release and/or is 
>> there a way for me to override the setting so that elasticsearch will be 
>> configured to listen on 0.0.0.0?
>>
>> Currently I'm manually editing the 
>> /opt/graylog/elasticsearch/config/elasticsearch.yml after a reconfigure
>>
>> Thanks,
>> Michael
>>
>



[graylog2] Deflector throwing exception during rotation

2016-09-14 Thread Mayur Mangalampalli
Hi,

I am seeing the following exception in the graylog servers periodically. 

2016-09-14 20:20:56,618 ERROR: org.graylog2.periodical.IndexRotationThread - Couldn't point deflector to a new index
java.lang.NullPointerException
        at org.graylog2.indexer.indices.Indices.numberOfMessages(Indices.java:179) ~[graylog.jar:?]
        at org.graylog2.indexer.rotation.strategies.MessageCountRotationStrategy.shouldRotate(MessageCountRotationStrategy.java:67) ~[graylog.jar:?]
        at org.graylog2.indexer.rotation.strategies.MessageCountRotationStrategy.shouldRotate(MessageCountRotationStrategy.java:33) ~[graylog.jar:?]
        at org.graylog2.indexer.rotation.strategies.AbstractRotationStrategy.rotate(AbstractRotationStrategy.java:55) ~[graylog.jar:?]
        at org.graylog2.periodical.IndexRotationThread.checkForRotation(IndexRotationThread.java:117) ~[graylog.jar:?]
        at org.graylog2.periodical.IndexRotationThread.doRun(IndexRotationThread.java:77) [graylog.jar:?]
        at org.graylog2.plugin.periodical.Periodical.run(Periodical.java:77) [graylog.jar:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_51]
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:1.8.0_51]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:1.8.0_51]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:1.8.0_51]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_51]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_51]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_51]

I am using graylog version 2.0.3. Can someone tell me what would cause this 
issue and what its impact is?



[graylog2] Re: Sum values from squid field

2016-09-14 Thread Daniel Reif
Michael Anthon, 
*Could you publish your kibana.yml? I am unable to make Kibana find my 
ElasticSearch cluster and load messages.*
On Wednesday, 14 September 2016 03:17:44 UTC-3, Michael Anthon 
wrote:
>
> No, you point Kibana at the elasticsearch instance and it "just works". 
>  There is an option in the Kibana to reload the fields from the indexes in 
> case they get messed up (sometimes happens when you change the field 
> extractors in a way that changes the types)
>
> On Friday, 9 September 2016 14:52:41 UTC+10, Aykisn wrote:
>>
>> Hello Michael,
>>
>> I'm really interested in this, have been looking for this feature since 
>> graylog doesn't support it (yet).
>> I have a question though, do you need to recreate the fields on kibana ?
>>
>> Thanks.
>>
>



[graylog2] Upgrading From 2.0.3 to 2.1.1

2016-09-14 Thread Nathan Mace
I've got a pair of servers, one running ES 2.3.5-1 and one running Graylog 
2.0.3.  I believe the version of ES I'm running is supported by Graylog 
2.1.1, so I'm leaving that be for the time being.  What is the exact 
process for upgrading Graylog?  Simply add the new repo and do a "yum 
upgrade"?  It was originally installed using the CentOS packages.

I know the default port numbers have changed, and I do have some sidecar 
collectors running on Windows servers that point to the "old" port number. 
 Is there an idea for which option is best?  Change Graylog and the 
collectors to use the new settings?  Or stick with what I have?  I guess 
what I'm really asking is, while my number of sidecar collectors is still 
low, should I go ahead and move to the new port numbers?  It will be a lot 
harder to do in the future, but it is optional right now.  Will it still be 
optional a year from now?

Nathan



[graylog2] Graylog Web Interface URL format

2016-09-14 Thread Ryan Waldron
I am evaluating moving our centralized logging from elasticsearch/kibana to 
graylog. Our current setup has several external applications that link 
directly to specific Kibana searches by generating the proper parameters in 
the URL, e.g.:

http://mycentral.log/app/kibana#/discover?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:'2016-09-14T17:20:00.000Z',mode:absolute,to:'2016-09-14T17:25:00.000Z'))&_a=(columns:!(_source),filters:!(),index:logstash-1,interval:auto,query:(query_string:(analyze_wildcard:!t,query:'*')),sort:!(timestamp,desc),vis:(aggs:!((params:(field:programname,orderBy:'2',size:20),schema:segment,type:terms),(id:'2',schema:metric,type:count)),type:histogram))&indexPattern=graylog_0&type=histogram

As you can see, we can generate a URL on the fly that has control over most 
of the search and display functions available in Kibana. We use this to 
link directly to specific application logs for less technologically 
inclined staff.

It appears from the URL of the Graylog web interface that it uses some kind 
of hash to link to specific content. Is there a way to generate these on 
the fly to link to specific information within the system? I have searched 
for a while today and I can't seem to find any documentation on the subject.

Thanks in advance for any assistance.



[graylog2] [ANNOUNCE] Graylog v2.1.1 has been released

2016-09-14 Thread Edmundo Alvarez
Hi everyone,

we just released the final version of Graylog v2.1.1. You can find all
required information, download links, new features and changelog here:

* https://www.graylog.org/blog/69-announcing-graylog-v2-1-1

Thanks,
Edmundo



[graylog2] Pipeline doesn't drop message unless attached to Default stream

2016-09-14 Thread Alexander Chernov


Not sure if it's a bug or my misunderstanding of documentation.

I have a pipeline with the following rule in it:

rule "drop cronjob"
when
  has_field("application_name") && to_string($message.application_name) == "CRON"
then
  drop_message();
end

If I attach this pipeline to "Syslog" stream, messages are not dropped, and 
I still can see them in the stream. Only if I attach the pipeline to Default 
stream, messages begin to be dropped.



Currently it's the only pipeline present in the system, it contains only 
one rule, and it's on stage 0. 

Stream *Syslog* is populated through "normal" way (Stream rules, filtering 
by gl2_source_input). 


Any thoughts?



[graylog2] Re: Sum values from squid field

2016-09-14 Thread Aykisn
Yeah it's working fine, thanks.
Do you happen to use the maps in kibana too, by any chance?



[graylog2] Re: elasticsearch network.host address

2016-09-14 Thread Jochen Schalanda
Hi Michael,

This setting cannot currently be overridden in the OVA.

Could you elaborate on why Kibana can't access Elasticsearch on the primary 
network interface of the VM (which is where the IP address comes from) and 
has to access it on 127.0.0.1?

Cheers,
Jochen

On Wednesday, 14 September 2016 10:16:17 UTC+2, Michael Anthon wrote:
>
> Hi All,
> Every time I run the reconfigure command at the moment it updates the 
> "network.host" entry in /opt/graylog/elasticsearch/config/elasticsearch.yml 
> to the network address of the machine instead of the (for me) desired 
> 0.0.0.0 (I have Kibana running on the server as well attempting to connect 
> to 127.0.0.1).
>
> I'm fairly sure this didn't happen prior to the last update I did to 2.1.0 
> and that there were no intentional config changes (but I won't rule that 
> out!)
>
> I can see in the reconfigure output that it's replacing this line but I'm 
> not sure where it's getting the network address from.
>
> Is this something that may have changed in the latest release and/or is 
> there a way for me to override the setting so that elasticsearch will be 
> configured to listen on 0.0.0.0?
>
> Currently I'm manually editing the 
> /opt/graylog/elasticsearch/config/elasticsearch.yml after a reconfigure
>
> Thanks,
> Michael
>



[graylog2] elasticsearch network.host address

2016-09-14 Thread Michael Anthon
Hi All,
Every time I run the reconfigure command at the moment it updates the 
"network.host" entry in /opt/graylog/elasticsearch/config/elasticsearch.yml 
to the network address of the machine instead of the (for me) desired 
0.0.0.0 (I have Kibana running on the server as well attempting to connect 
to 127.0.0.1).

I'm fairly sure this didn't happen prior to the last update I did to 2.1.0 
and that there were no intentional config changes (but I won't rule that 
out!)

I can see in the reconfigure output that it's replacing this line but I'm 
not sure where it's getting the network address from.

Is this something that may have changed in the latest release and/or is 
there a way for me to override the setting so that elasticsearch will be 
configured to listen on 0.0.0.0?

Currently I'm manually editing the 
/opt/graylog/elasticsearch/config/elasticsearch.yml after a reconfigure

Thanks,
Michael



[graylog2] Re: Extract/Backup logs that Graylog received

2016-09-14 Thread Jochen Schalanda
Hi William,

I don't know if "greedy" is the correct term, but all log messages will be 
indexed and stored by Elasticsearch, so this will be the component 
requiring the most disk space.

Cheers,
Jochen

On Wednesday, 14 September 2016 09:51:34 UTC+2, WIlliam Song wrote:
>
> OK thanks for that answer :)
>
> So it is Elasticsearch that will be greedy for disk storage capacity?
>
> On Tuesday, 13 September 2016 16:09:32 UTC+2, Jochen Schalanda wrote:
>>
>> Hi William,
>>
>> Graylog is indexing all log messages into Elasticsearch. What you have found is 
>> the local disk journal of Graylog, in which it will write all received log 
>> messages before they are indexed into Elasticsearch (for data integrity 
>> reasons, e.g. when the Elasticsearch cluster is down).
>>
>> In other words, there simply is no such thing as a simple text file you 
>> could back-up.
>>
>> This being said, Graylog Enterprise offers an archive plugin with which 
>> you can create backups of your log messages for long-term storage/backup: 
>> https://www.graylog.org/enterprise
>>
>> Cheers,
>> Jochen
>>
>>
>> On Tuesday, 13 September 2016 15:37:58 UTC+2, WIlliam Song wrote:
>>>
>>> Hello Guys,
>>>
>>> Is it possible to backup the log file that Graylog have received ?
>>>
>>>
>>> I want to extract one file per server (all the servers are on Windows 
>>> Server) which will look like: "Server1.2016-09-13.log", 
>>> "Server2.2016-09-13.log"
>>>
>>>
>>> How do I do it? I searched in the file 
>>> "/var/lib/graylog-server/journal/messagejournal-0/1206.log" 
>>> and I found the logs from my Windows Server, but it is a binary file and it 
>>> contains all the logs of all servers.
>>>
>>>
>>>
>>>



[graylog2] Re: Extract/Backup logs that Graylog received

2016-09-14 Thread WIlliam Song
OK thanks for that answer :)

So it is Elasticsearch that will be greedy for disk storage capacity?

On Tuesday, 13 September 2016 16:09:32 UTC+2, Jochen Schalanda wrote:
>
> Hi William,
>
> Graylog is indexing all log messages into Elasticsearch. What you have found is 
> the local disk journal of Graylog, in which it will write all received log 
> messages before they are indexed into Elasticsearch (for data integrity 
> reasons, e.g. when the Elasticsearch cluster is down).
>
> In other words, there simply is no such thing as a simple text file you 
> could back-up.
>
> This being said, Graylog Enterprise offers an archive plugin with which 
> you can create backups of your log messages for long-term storage/backup: 
> https://www.graylog.org/enterprise
>
> Cheers,
> Jochen
>
>
> On Tuesday, 13 September 2016 15:37:58 UTC+2, WIlliam Song wrote:
>>
>> Hello Guys,
>>
>> Is it possible to backup the log file that Graylog have received ?
>>
>>
>> I want to extract one file per server (all the servers are on Windows 
>> Server) which will look like: "Server1.2016-09-13.log", 
>> "Server2.2016-09-13.log"
>>
>>
>> How do I do it? I searched in the file 
>> "/var/lib/graylog-server/journal/messagejournal-0/1206.log" 
>> and I found the logs from my Windows Server, but it is a binary file and it 
>> contains all the logs of all servers.
>>
>>
>>
>>
