[graylog2] Re: unable to figure out permissions using REST API

2016-09-22 Thread Jochen Schalanda
Hi Jason,

the required permissions are:

   - searches:absolute
   - searches:keyword
   - searches:relative

See 
https://github.com/Graylog2/graylog2-server/blob/2.1.1/graylog2-server/src/main/java/org/graylog2/shared/security/RestPermissions.java#L106-L108

Cheers,
Jochen

On Thursday, 22 September 2016 23:38:08 UTC+2, Jason Haar wrote:
>
> Hi there
>
> I'm wanting to create a "read only" admin account that can do any search 
> query against graylog that we want. I created a local account (normally we 
> use LDAP) which just had the "Reader" role - and it couldn't do anything. I 
> then gave it the Admin role and it could indeed search for everything
>
> But I want a "read only" account. This is going to be in scripts - and I 
> don't want scripts lying about with full admin privs. So I played around 
> with other Roles - but they are all stream-specific.
>
> So can someone tell me how I can create a Role that allows universal 
> search - but with no form of write access?
>
> Thanks
>
> -- 
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/6c0335eb-a4f1-4ff1-b847-89b8e3d4ff2d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
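An added example (not code from the thread or from the Graylog project) that turns the reply above into a script: it builds a role carrying only those three permissions, refuses any set that contains a write action or a wildcard, creates the role and assigns it over the REST API, and then probes the scripted account from its own side. The endpoints `POST /roles`, `PUT /roles/{role}/members/{user}`, `GET /search/universal/relative` and `GET /users`, the list of write actions, and the placeholder server and credentials are assumptions to check against your own server's API browser.

```python
"""Create a search-only Graylog role over the REST API and check that the
permission set is genuinely read-only before it is applied."""
import base64
import json
import urllib.error
import urllib.request

# The three permissions named in the reply above; nothing else is granted.
SEARCH_PERMISSIONS = [
    "searches:absolute",
    "searches:keyword",
    "searches:relative",
]

# Graylog permissions look like "<resource>:<action>[:<id>]". Actions that
# modify state (assumed list; extend it for your version) are rejected.
WRITE_ACTIONS = {"create", "edit", "update", "delete", "remove"}


def is_read_only(permissions):
    """True if no entry is a wildcard and no entry carries a write action."""
    for perm in permissions:
        parts = perm.split(":")
        if perm == "*" or "*" in parts:
            return False  # wildcards are how the Admin role gets everything
        if len(parts) >= 2 and parts[1].lower() in WRITE_ACTIONS:
            return False
    return True


def role_payload(name, permissions, description=""):
    """JSON body for creating a role; refuses any set that is not read-only."""
    if not is_read_only(permissions):
        raise ValueError("refusing to create a role that can modify state")
    return {
        "name": name,
        "description": description,
        "permissions": sorted(set(permissions)),
    }


def _call(base_url, method, path, credentials, body=None):
    """Minimal Basic-auth JSON request: returns (HTTP status, decoded body or None)."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    token = base64.b64encode(credentials.encode("utf-8")).decode("ascii")
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def create_search_role(base_url, admin_credentials, role_name="search-only"):
    """POST /roles with the three search permissions (assumed 2.x endpoint)."""
    payload = role_payload(role_name, SEARCH_PERMISSIONS, "read-only search for scripts")
    return _call(base_url, "POST", "/roles", admin_credentials, payload)


def add_member(base_url, admin_credentials, role_name, username):
    """PUT /roles/{role}/members/{user} (assumed 2.x endpoint)."""
    return _call(base_url, "PUT", f"/roles/{role_name}/members/{username}", admin_credentials)


def probe_account(base_url, script_credentials):
    """Check the scripted account from its own side: a relative search should be
    accepted, while listing users (which needs users:list) should be refused.
    Returns the HTTP status of both calls so the caller can compare them."""
    search_status, _ = _call(
        base_url, "GET", "/search/universal/relative?query=*&range=300&limit=1",
        script_credentials)
    users_status, _ = _call(base_url, "GET", "/users", script_credentials)
    return {"search": search_status, "list_users": users_status}


if __name__ == "__main__":
    # Placeholders: point these at your own server and accounts.
    BASE = "http://graylog.example:9000/api"
    ADMIN = "admin:ADMIN_PASSWORD"
    SCRIPT = "searchbot:SCRIPT_PASSWORD"
    print(create_search_role(BASE, ADMIN))
    print(add_member(BASE, ADMIN, "search-only", "searchbot"))
    # A correctly scoped account succeeds on "search" and is refused on "list_users".
    print(probe_account(BASE, SCRIPT))
```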


[graylog2] Re: Graylog Stream Messages Disappearing

2016-09-22 Thread Jochen Schalanda
Hi Kenneth,

On Thursday, 22 September 2016 21:32:49 UTC+2, Kenneth Gyan wrote:
>
> When you say index, do you mean the input?
>

No, I mean index: http://docs.graylog.org/en/2.1/pages/index_model.html


On Thursday, 22 September 2016 21:32:49 UTC+2, Kenneth Gyan wrote:

> Also how can i check the retention for the index/input level?
>

You can check and change the configuration in the Graylog web interface on 
the System -> Indices page.


On Thursday, 22 September 2016 21:32:49 UTC+2, Kenneth Gyan wrote:
>
> I have tried going to the input, but I haven't really made note of whether the 
> messages are the same, because when I go to the input and the message is 
> there, then it should be in the stream if the condition for the stream is 
> met, right? Which in my case the condition is being met.


What exactly is the stream rule and how do the messages look like? Without 
that information, everything is just wild guessing.


Cheers,
Jochen



[graylog2] unable to figure out permissions using REST API

2016-09-22 Thread Jason Haar
Hi there

I'm wanting to create a "read only" admin account that can do any search
query against graylog that we want. I created a local account (normally we
use LDAP) which just had the "Reader" role - and it couldn't do anything. I
then gave it the Admin role and it could indeed search for everything

But I want a "read only" account. This is going to be in scripts - and I
don't want scripts lying about with full admin privs. So I played around
with other Roles - but they are all stream-specific.

So can someone tell me how I can create a Role that allows universal search
- but with no form of write access?

Thanks

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



[graylog2] Re: Graylog Stream Messages Disappearing

2016-09-22 Thread Kenneth Gyan
Hi Jochen,

When you say index, do you mean the input? Also how can I check the 
retention for the index/input level? I have tried going to the input, 
but I haven't really made note of whether the messages are the same, because when 
I go to the input and the message is there, then it should be in the stream 
if the condition for the stream is met, right? Which in my case the 
condition is being met.

Thank you,

On Thursday, September 22, 2016 at 3:47:37 AM UTC-4, Jochen Schalanda wrote:
>
> Hi Kenneth,
>
> retention currently only works on index-level, not on stream-level.
>
> What exactly do you mean with disappears? Can you still find the message 
> via the universal search? Is the index containing the message still 
> available?
>
> Cheers,
> Jochen
>
> On Thursday, 22 September 2016 05:03:45 UTC+2, Kenneth Gyan wrote:
>>
>> I have set up host devices consisting of routers and switches and the logs 
>> are being collected in the input with no issues. I have set up a stream to 
>> capture syslog messages with level 0-4. Whenever this condition is met, and 
>> it captures the syslog message in the stream, after some time (about a 
>> couple of hours), the message/s in the stream just disappear and I am 
>> trying to figure out why this is happening. Could it be a stream retention 
>> time that needs to be set? Any assistance on this will be helpful. Thank 
>> you. 
>>
>



[graylog2] Trying to Get Message from One Stream to Another

2016-09-22 Thread Willis
I want to get alert emails in certain circumstances that the out of the box 
alert system does not support (using AND's and OR's). I'm trying to use a 
pipeline to take messages from one stream and put them into another. The 
rules in the pipeline can filter the messages for me and then I would be 
able to use the standard alerts on the second stream.

I'm having trouble getting messages from the pipeline to show up in the 2nd 
stream. 

The first stream has messages coming through. Below is the pipeline which 
will intentionally send everything to the second stream (just to get 
something to show up)

rule "is error or warning message"
when
  true
then
  set_field(field: "facility", value: "alertMsg");
  route_to_stream(name: "Listener - Pre Prod Alerts");
end

in the stream "Listener - Pre Prod Alerts" there is one rule:
facility must match exactly alertMsg

I've connected this pipeline to the 1st stream and I see in the UI that 
there are messages going through it in the metrics column. 

Below is a sample message that seems like it should end up in the second 
stream:


ExceptionMessage: error while getting locationid
LoggerName: debug
facility: console-runner
full_message: System.Exception: error while getting locationid ---> System.ArgumentException: An item with the same key has already been added. at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource) at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add) at EHospitalDataUpdaterListener.Logging.findLocationID(MessageQueueItem messageQueueItem) in C:\Dev\CCF\EHospital\EHospitalDataUpdaterListener\Logging.cs:line 171 --- End of inner exception stack trace ---
level: 3
message: System.Exception: error while getting locationid ---> System.ArgumentException: An item with the same key has already been added. at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource) at System.Collections.Generic.Dictionar
source: CC-CLEHOSP56
timestamp: 2016-09-22T17:18:22.197Z

I'm missing something but I have no idea what. Does anyone have any ideas 
or suggestions?

thanks



Re: [graylog2] Do I have to uninstall filebeat for collector-sidecar installation?

2016-09-22 Thread Marius Sturm
Hi,
you don't have to, it's included in the Sidecar package for ease of
installation but you can point in the configuration file to the executable
you want to use.

Cheers,
Marius


On 22 September 2016 at 20:04, Evgueni Gordienko wrote:

> Hi All,
>
> I have filebeat running on my client and need to install sidecar.
> The yum installation results:
> Transaction check error:
>   file /usr/bin/filebeat from install of collector-sidecar-0.0.9-1.x86_64
> conflicts with file from package filebeat-1.3.1-1.x86_64
>
> Should I uninstall filebeat first?
>
> Thanks,
> Evgueni
>



-- 
Developer

Tel.: +49 (0)40 609 452 077
Fax.: +49 (0)40 609 452 078

TORCH GmbH - A Graylog Company
Poolstraße 21
20335 Hamburg
Germany

https://www.graylog.com 

Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Geschäftsführer: Lennart Koopmann (CEO)



[graylog2] Do I have to uninstall filebeat for collector-sidecar installation?

2016-09-22 Thread Evgueni Gordienko
Hi All,

I have filebeat running on my client and need to install sidecar.
The yum installation results:
Transaction check error:
  file /usr/bin/filebeat from install of collector-sidecar-0.0.9-1.x86_64 
conflicts with file from package filebeat-1.3.1-1.x86_64

Should I uninstall filebeat first?

Thanks,
Evgueni



[graylog2] Re: Error - the server returned: 404 - on login

2016-09-22 Thread Evgueni Gordienko
My mistake - had wrong entry for
web_endpoint_uri 
It should be
web_endpoint_uri = http://:9000/api/

Thanks,
Evgueni

On Wednesday, September 21, 2016 at 12:40:05 PM UTC-7, Evgueni Gordienko wrote:
>
> Hi,
>
> I have graylog2 (2.1) working fine with external elk (elasticsearch) 
> cluster.
>
> But login fails:
>
>   Error - the server returned: 404 - cannot POST 
> http://elk.test.com:9000/system/sessions (404)
>
> I can ping elk.test.com.
>
> server-status.txt shows:
> connecting to: test
> {
> "host" : "elk",   ... etc
>
> Any Ideas where to look in logs and how to fix?
>
> Thanks,
> Evgueni
>



Re: [graylog2] Filebeats collector only one output

2016-09-22 Thread Marius Sturm
Currently the idea goes like this: if you need routing inside the collector,
use nxlog; if not, use filebeat.
I fear when we start to work around collectors' inabilities we end up in a
hairy ball of processes. In the end the Sidecar is
a configuration helper and not a feature compensator. And there is still
the option to simply contribute to the Filebeat project and implement a
multi output feature, or ask the Elastic guys for it.

On 22 September 2016 at 17:54, Steve Kuntz wrote:

> Thanks Marius,
>
> That's unfortunate, are there no plans to have the collector-sidecar
> service to run separate instance of filebeat for each output get around the
> limitations of filebeat?
>
> On Thursday, September 22, 2016 at 11:45:09 AM UTC-4, Marius Sturm wrote:
>>
>> Hi Steve,
>> Filebeat currently doesn't support multiple outputs in the way NXlog is
>> doing it. There is a ticket for it here:
>> https://github.com/Graylog2/collector-sidecar/issues/57
>> In the end we will allow only one output per beat instance and show some
>> message in the web interface.
>>
>> Cheers,
>> Marius
>>
>>
>> On 22 September 2016 at 17:12, Steve Kuntz wrote:
>>
>>> Good Morning/Afternoon/Evening/Night,
>>>
>>> I'm probably missing or misunderstanding something or missing some
>>> documentation that says this is not supported, but here goes...
>>>
>>> When I configure multiple outputs in my Beats Collector Sidecar
>>> configuration in the web interface only one seems to make it to the
>>> filebeats.xml configuration file. Each prospector below is configured to
>>> forward to a different beats output. I've tried using one collector
>>> configuration for both files and separating the configurations into 2
>>> collector configurations, but it seems that both prospectors always make it
>>> to the yml with only one output.
>>>
>>> filebeat:
>>>   prospectors:
>>>   - document_type: log
>>> fields:
>>>   gl2_source_collector: f48c9289-cc7c-4f40-84b8-38ba2d30b04c
>>> ignore_older: 0
>>> input_type: log
>>> paths:
>>> - /dev/shm/varnishncsa.log
>>> scan_frequency: 10s
>>> tail_files: true
>>>   - document_type: log
>>> fields:
>>>   gl2_source_collector: f48c9289-cc7c-4f40-84b8-38ba2d30b04c
>>> ignore_older: 0
>>> input_type: log
>>> paths:
>>> - /var/log/nginx/*.log
>>> scan_frequency: 10s
>>> tail_files: true
>>> output:
>>>   logstash:
>>> hosts:
>>> - graylogdmz.storm.dmz:5045
>>>
>>>
>>> Thanks
>>>
>>
>>
>>
>>






Re: [graylog2] Filebeats collector only one output

2016-09-22 Thread Steve Kuntz
Thanks Marius,

That's unfortunate, are there no plans to have the collector-sidecar 
service to run separate instance of filebeat for each output get around the 
limitations of filebeat?

On Thursday, September 22, 2016 at 11:45:09 AM UTC-4, Marius Sturm wrote:
>
> Hi Steve,
> Filebeat currently doesn't support multiple outputs in the way NXlog is 
> doing it. There is a ticket for it here: 
> https://github.com/Graylog2/collector-sidecar/issues/57
> In the end we will allow only one output per beat instance and show some 
> message in the web interface.
>
> Cheers,
> Marius
>  
>
> On 22 September 2016 at 17:12, Steve Kuntz wrote:
>
>> Good Morning/Afternoon/Evening/Night,
>>
>> I'm probably missing or misunderstanding something or missing some 
>> documentation that says this is not supported, but here goes...
>>
>> When I configure multiple outputs in my Beats Collector Sidecar 
>> configuration in the web interface only one seems to make it to the 
>> filebeats.xml configuration file. Each prospector below is configured to 
>> forward to a different beats output. I've tried using one collector 
>> configuration for both files and separating the configurations into 2 
>> collector configurations, but it seems that both prospectors always make it 
>> to the yml with only one output.
>>
>> filebeat:
>>   prospectors:
>>   - document_type: log
>> fields:
>>   gl2_source_collector: f48c9289-cc7c-4f40-84b8-38ba2d30b04c
>> ignore_older: 0
>> input_type: log
>> paths:
>> - /dev/shm/varnishncsa.log
>> scan_frequency: 10s
>> tail_files: true
>>   - document_type: log
>> fields:
>>   gl2_source_collector: f48c9289-cc7c-4f40-84b8-38ba2d30b04c
>> ignore_older: 0
>> input_type: log
>> paths:
>> - /var/log/nginx/*.log
>> scan_frequency: 10s
>> tail_files: true
>> output:
>>   logstash:
>> hosts:
>> - graylogdmz.storm.dmz:5045
>>
>>
>> Thanks
>>
>
>
>
>



Re: [graylog2] Filebeats collector only one output

2016-09-22 Thread Marius Sturm
Hi Steve,
Filebeat currently doesn't support multiple outputs in the way NXlog is
doing it. There is a ticket for it here:
https://github.com/Graylog2/collector-sidecar/issues/57
In the end we will allow only one output per beat instance and show some
message in the web interface.

Cheers,
Marius


On 22 September 2016 at 17:12, Steve Kuntz wrote:

> Good Morning/Afternoon/Evening/Night,
>
> I'm probably missing or misunderstanding something or missing some
> documentation that says this is not supported, but here goes...
>
> When I configure multiple outputs in my Beats Collector Sidecar
> configuration in the web interface only one seems to make it to the
> filebeats.xml configuration file. Each prospector below is configured to
> forward to a different beats output. I've tried using one collector
> configuration for both files and separating the configurations into 2
> collector configurations, but it seems that both prospectors always make it
> to the yml with only one output.
>
> filebeat:
>   prospectors:
>   - document_type: log
> fields:
>   gl2_source_collector: f48c9289-cc7c-4f40-84b8-38ba2d30b04c
> ignore_older: 0
> input_type: log
> paths:
> - /dev/shm/varnishncsa.log
> scan_frequency: 10s
> tail_files: true
>   - document_type: log
> fields:
>   gl2_source_collector: f48c9289-cc7c-4f40-84b8-38ba2d30b04c
> ignore_older: 0
> input_type: log
> paths:
> - /var/log/nginx/*.log
> scan_frequency: 10s
> tail_files: true
> output:
>   logstash:
> hosts:
> - graylogdmz.storm.dmz:5045
>
>
> Thanks
>






[graylog2] Filebeats collector only one output

2016-09-22 Thread Steve Kuntz
Good Morning/Afternoon/Evening/Night,

I'm probably missing or misunderstanding something or missing some 
documentation that says this is not supported, but here goes...

When I configure multiple outputs in my Beats Collector Sidecar 
configuration in the web interface only one seems to make it to the 
filebeats.xml configuration file. Each prospector below is configured to 
forward to a different beats output. I've tried using one collector 
configuration for both files and separating the configurations into 2 
collector configurations, but it seems that both prospectors always make it 
to the yml with only one output.

filebeat:
  prospectors:
  - document_type: log
fields:
  gl2_source_collector: f48c9289-cc7c-4f40-84b8-38ba2d30b04c
ignore_older: 0
input_type: log
paths:
- /dev/shm/varnishncsa.log
scan_frequency: 10s
tail_files: true
  - document_type: log
fields:
  gl2_source_collector: f48c9289-cc7c-4f40-84b8-38ba2d30b04c
ignore_older: 0
input_type: log
paths:
- /var/log/nginx/*.log
scan_frequency: 10s
tail_files: true
output:
  logstash:
hosts:
- graylogdmz.storm.dmz:5045


Thanks



Re: [graylog2] Different color for different status

2016-09-22 Thread Jochen Schalanda
Hi Tony,

we might add it in the future but most probably not in the next release 
(Graylog 2.2.0).

Cheers,
Jochen

On Thursday, 22 September 2016 16:08:20 UTC+2, Tony wrote:
>
> Thank you Jochen, should be see it in the next release?
>
> Thanks
>
> Tony
>



Re: [graylog2] Different color for different status

2016-09-22 Thread Tony
Thank you Jochen, should be see it in the next release?

Thanks

Tony

2016-09-22 15:05 GMT+01:00 Jochen Schalanda:

> Hi Tony,
>
> the message decorators currently (as of Graylog 2.1.1) do not support
> changing the HTML markup of messages in the web interface.
>
> Cheers,
> Jochen
>
> On Thursday, 22 September 2016 14:21:47 UTC+2, Tony wrote:
>>
>> Thank you for your answer Jan, but to be honest I don't really know how
>> to do that with decorators. As you can see in the screenshot the lines
>> already comes with the ANSI escape color sequence but are shown in cyan on
>> Graylog.
>>
>> Thanks
>>
>> Tony
>>



Re: [graylog2] Different color for different status

2016-09-22 Thread Jochen Schalanda
Hi Tony,

the message decorators currently (as of Graylog 2.1.1) do not support 
changing the HTML markup of messages in the web interface.

Cheers,
Jochen

On Thursday, 22 September 2016 14:21:47 UTC+2, Tony wrote:
>
> Thank you for your answer Jan, but to be honest I don't really know how to 
> do that with decorators. As you can see in the screenshot the lines already 
> comes with the ANSI escape color sequence but are shown in cyan on Graylog.
>
> Thanks
>
> Tony
>



[graylog2] Re: Graylog 2.0.1 Web Interface Issue

2016-09-22 Thread 'Chris' via Graylog Users
Hi Jochen,

I couldn't find the 'graylog-ctl' scripts so I wasn't sure where the json 
files has come from on this server. I have been changing the server.conf 
manually but I got to the point where I had spent too much time on this 
server. 

The environment is due to be destroyed and the newly deployed environment 
has an Ubuntu packaged version that is working.

I am happy that I can stand up a Graylog 2.1.1 from scratch so I will bow 
out defeated on this one and look at building a new ami using Graylog 2.1.1 
and Centos 7.

Thank you for all  your input,

Chris. 



Re: [graylog2] Different color for different status

2016-09-22 Thread Tony
Thank you for your answer Jan, but to be honest I don't really know how to
do that with decorators. As you can see in the screenshot the lines already
comes with the ANSI escape color sequence but are shown in cyan on Graylog.

Thanks

Tony


2016-09-18 11:51 GMT+01:00 Jan Doberstein:

> Hi Tony,
>
> I have a question. Is it possible have different color for different entry
> status in Tomcat log files?
> For example when I watch the log files in Graylog (Messages) all entries
> are blue and is difficult identify in real time any error or warn, which is
> possible with tail -f in a console terminal. So I would like to see Yellow
> for Warn, Red for Error, Green for INFO.
> Is it possible?
>
> I guess that the Message Decorators are what you are looking for:
> http://docs.graylog.org/en/2.1/pages/queries.html#decorators
>
> For the use case you described I did not know a ready to use decorator,
> but you should be able to create your own.
>
>
> with kind regards
>
> Jan
>



[graylog2] Re: Possible to configure no default access for ldap?

2016-09-22 Thread Björn R.

Just wanted to say thanks for this solution, helped me a lot as I wanted to 
do the same. Have LDAP on, deny access by default and only grant users from 
specific security groups access. This needs to be added as a feature 
request.

Cheers Frank!

Björn

On Friday, January 22, 2016 at 9:05:29 PM UTC+1, Frank wrote:
>
> Never mind, figured it out.
>
> Just changed the user search pattern to check for group membership
>
>
> (&(objectClass=user)(sAMAccountName={0})(|(memberof=CN=Graylog-Reader,OU=Groups,DC=yourdomain,DC=yourdomain)(memberof=CN=Graylog-Admin,OU=Groups,DC=yourdomain,DC=yourdomain)))
>
> Now if the user isn't a member of one of those groups, they can't log in to 
> Graylog.
>
>
>
> On Friday, January 22, 2016 at 11:48:44 AM UTC-8, Frank wrote:
>>
>> I have LDAP and group mappings all configured and working, but I would 
>> like to restrict users that aren't in one of the group mappings to 
>> basically have no access.
>>
>> Is there any way to do this?
>>
>> I don't want to have to move users' AD accounts into a specific Graylog OU 
>> because we already have a hierarchy in place that I don't want to mess 
>> with, I would just like an option in the LDAP configuration to change the 
>> default role to NONE or no access or something.
>>
>
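To see which accounts such a pattern admits, here is an added example (not from this thread and not Graylog's own code): it rebuilds Frank's filter from a list of allowed group DNs and evaluates it, with a minimal LDAP filter evaluator, against constructed directory entries. The group DNs, the entries and the login names are assumed sample values.

```python
# Added example, not from the thread: build the deny-by-default Graylog LDAP
# user search pattern Frank posted and evaluate it against constructed entries
# to see which users can log in. Group DNs and entries below are made up.
from typing import Dict, List, Tuple

ALLOWED_GROUPS = [  # constructed sample group DNs
    "CN=Graylog-Reader,OU=Groups,DC=yourdomain,DC=yourdomain",
    "CN=Graylog-Admin,OU=Groups,DC=yourdomain,DC=yourdomain",
]

def build_user_search_pattern(groups: List[str]) -> str:
    """Return the restricted user search pattern. {0} is filled in by Graylog
    with the login name; DNs containing * ( ) or \\ need RFC 4515 escaping."""
    members = "".join("(memberof=%s)" % g for g in groups)
    return "(&(objectClass=user)(sAMAccountName={0})(|%s))" % members

def parse(f: str, i: int = 0) -> Tuple[tuple, int]:
    """Parse the &, | and equality subset of LDAP filter syntax (RFC 4515)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i] in "&|":
        op, i, kids = f[i], i + 1, []
        while f[i] != ")":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = f.index(")", i)
    attr, _, val = f[i:j].partition("=")
    return ("=", attr, val), j + 1

def matches(node: tuple, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a parsed filter; AD attribute names and DNs compare case-insensitively."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, val = node
    return any(v.lower() == val.lower() for v in entry.get(attr.lower(), []))

def can_login(login: str, entry: Dict[str, List[str]], groups=ALLOWED_GROUPS) -> bool:
    """True if the directory would return this entry for the login, i.e. Graylog
    accepts the user; anyone in none of the listed groups is denied by default."""
    pattern = build_user_search_pattern(groups).replace("{0}", login)
    return matches(parse(pattern)[0], {k.lower(): v for k, v in entry.items()})

# Constructed entries: alice is a Graylog reader, bob is in no Graylog group.
ALICE = {"objectClass": ["top", "person", "user"], "sAMAccountName": ["alice"],
         "memberOf": ["CN=Graylog-Reader,OU=Groups,DC=yourdomain,DC=yourdomain"]}
BOB = {"objectClass": ["top", "person", "user"], "sAMAccountName": ["bob"],
       "memberOf": ["CN=Domain Users,CN=Users,DC=yourdomain,DC=yourdomain"]}
```

With an empty group list the pattern becomes `(|)`, which never matches, so the result is deny-all rather than allow-all.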



Re: [graylog2] Problem using sidecar with Win2003

2016-09-22 Thread Jan Doberstein
Hej Werner,


> Due to some legacy software still in process of being migrated, we have a few 
> Windows Server 2003 (i386) boxes about.

As you have already opened an issue 
(https://github.com/Graylog2/collector-sidecar/issues/66), I did not need to ask 
for this.



/jd






Re: [graylog2] Error - the server returned: 404 - on login

2016-09-22 Thread Jan Doberstein
Hej Evgueni,


> I have graylog2 (2.1) working fine with external elk (elasticsearch) cluster.
>
> But login fails:
>
>   Error - the server returned: 404 - cannot POST 
> http://elk.test.com:9000/system/sessions (404)
>
> I can ping elk.test.com.

You got something wrong in your settings. Is elk.test.com the URI for your 
Graylog system or your Elasticsearch cluster?

Please read and check: 
http://docs.graylog.org/en/2.1/pages/configuration/web_interface.html#web-interface

/jd





[graylog2] Re: Graylog 2.0.1 Web Interface Issue

2016-09-22 Thread Jochen Schalanda
Hi Chris,

On Thursday, 22 September 2016 10:57:20 UTC+2, Chris wrote:
>
> /etc/graylog/graylog-settings.json
>

If you're using the graylog-ctl script, manual changes in the Graylog 
configuration file will be overwritten if you run graylog-ctl reconfigure.


On Thursday, 22 September 2016 10:57:20 UTC+2, Chris wrote:
>
> Is the external_rest_uri a valid setting?
>

No, at least not in the Graylog configuration file.


Cheers,
Jochen



[graylog2] Re: Graylog 2.0.1 Web Interface Issue

2016-09-22 Thread 'Chris' via Graylog Users
Hi Jochen,

No reverse proxies in front of Graylog and I updated the settings to look 
like this but the error persists (minus the /api reference):

/etc/graylog/server/server.conf
rest_listen_uri = http://0.0.0.0:12900/
web_listen_uri = http://0.0.0.0:9000/
web_endpoint_uri = http://MY_AWS_RT53_DNS:12900/

/etc/graylog/graylog-settings.json
{
  "timezone": "Etc/UTC",
  "smtp_server": "",
  "smtp_port": 587,
  "smtp_user": "",
  "smtp_password": "",
  "smtp_from_email": null,
  "smtp_web_url": null,
  "smtp_no_tls": false,
  "smtp_no_ssl": false,
  "master_node": "10.0.99.166",
  "local_connect": false,
  "current_address": "10.0.99.166",
  "last_address": "10.0.99.166",
  "enforce_ssl": false,
  "journal_size": 1,
  "internal_logging": true,
  "custom_attributes": {

  }
}

Is the external_rest_uri a valid setting? I am finding more Graylog servers 
in the estate as I investigate, they are running different versions on 
different Linux OSes and they suffer from the same web interface error.



[graylog2] Re: Graylog Stream Messages Disappearing

2016-09-22 Thread Jochen Schalanda
Hi Kenneth,

Retention currently only works on the index level, not on the stream level.

What exactly do you mean by "disappears"? Can you still find the message 
via the universal search? Is the index containing the message still 
available?

Cheers,
Jochen

On Thursday, 22 September 2016 05:03:45 UTC+2, Kenneth Gyan wrote:
>
> I have set up host devices consisting of routers and switches and the logs 
> are being collected in the input with no issues. I have set up a stream to 
> capture syslog messages with level 0-4. Whenever this condition is met, and 
> it captures the syslog message in the stream, after some time (about a 
> couple of hours), the message(s) in the stream just disappear and I am 
> trying to figure out why this is happening. Could it be a stream retention 
> time that needs to be set? Any assistance on this will be helpful. Thank 
> you. 
>



[graylog2] Re: Broken Streams?

2016-09-22 Thread Jochen Schalanda
Hi,

what's the exact alert condition you're using?

Kindly include some example messages, too.

Cheers,
Jochen

On Wednesday, 21 September 2016 18:29:00 UTC+2, Nathan Mace wrote:
>
> Recently upgraded to 2.1 and just noticed this behavior.
>
> I have a stream that matches against two rules:
>
> EventID = 4625
> AND
> TargetUserName NOT EXACTLY "XX"
>
> If a log matches both of those, send an email.  The emails are not being 
> sent.  Looking into it, if I force a failed login attempt it generates a 
> message that should match the stream.  I go manually find the message and 
> in the details off to the side it does say it was routed into the stream. 
>  Additionally, if I copy the message ID and load it into the stream it 
> gives two green lines and says it should match.  Also, I can click on the 
> title of the stream that takes me to the search screen with the rules of 
> the stream applied, and the message shows up there as well.  I tried 
> deleting and re-creating the stream, that did not help either.
>
> Sending a test email from the stream is successful.
>
> Any ideas?  These are Windows event logs, but I don't think that matters. 
>  Thanks.
>
> Nathan
>



Re: [graylog2] Re: Graylog configuration of filebeat and graylog collector sidecar

2016-09-22 Thread Kunal Patil
Hello,

After adding the Beats input in the web interface, the issue has been solved.

*REGARDS: KUNAL VIKAS PATIL 9860265594*

On Thu, Sep 22, 2016 at 12:25 PM, Kunal Patil 
wrote:

> Hello,
> Do we need Logstash running as a service on the Graylog server for receiving
> the logs sent by Beats? The generated configuration shows the details
> below:
>
> filebeat:
>   prospectors:
>   - document_type: log
>     fields:
>       gl2_source_collector: 29a42246-401d-4097-8c52-22fff9b6869c
>     ignore_older: 10s
>     input_type: log
>     paths:
>     - /var/log/httpd/scalphanv2.justbuylive.in-access_log
>     scan_frequency: 0
>     tail_files: false
>   - document_type: log
>     fields:
>       gl2_source_collector: 29a42246-401d-4097-8c52-22fff9b6869c
>     ignore_older: 0
>     input_type: log
>     paths:
>     - /var/log/httpd/adminalphanv1.justbuylive.in-access_log
>     scan_frequency: 10s
>     tail_files: true
> output:
>   logstash:
>     hosts:
>     - graylogip:5044
>
> *REGARDS: KUNAL VIKAS PATIL 9860265594*
>
> On Thu, Sep 22, 2016 at 6:11 AM, Werner van der Merwe <
> wernervdme...@gmail.com> wrote:
>
>> Hi Kunal,
>>
>> Kindly paste your configs, from what I can make out in the screenshot,
>> your newline identifier is not set correctly. The %{host} is more than
>> likely from incorrectly parsing the logs.
>>
>> If you're willing to try NXLog, they have snippets for the config in their
>> doco:
>> https://nxlog.org/documentation/nxlog-community-edition-reference-manual-v20928#processing_parsers_combined_log_format_example
>>
>> What might help, NXLog (or beats) is the application that ships logs to
>> Graylog. Sidecar is an extension of Graylog allowing you to centralise,
>> manage and distribute profiles to enable easier collection of logs.
>> Thus, if you use sidecar, you don't have to worry about the config of
>> NXLog (or beats), as that will be supplied by Sidecar.
>>
>> Sidecar on the client side, you select snippets as elements in the 'tags'
>> array. But adding a tag in that array assumes you've created a
>> configuration in Graylog and assigned a tag with similar name to the config
>> element.
>>
>> On your client, you are calling the apache tag, which is correct. Just
>> ensure you have a configuration matching that tag.
>> In Graylog, browse System -> Collectors, then click the "Manage
>> Collectors" button.
>> This will present you with your different configurations, ensure one of
>> them at least has the apache tag allocated to it.
>>
>> If it does, you only need to worry about the configuration within that
>> entry. From what I see I am expecting the parser is not correctly
>> configured.
>>
>>
>> On Thursday, September 22, 2016 at 8:27:34 AM UTC+12, Kunal Patil wrote:
>>>
>>> Hello
>>>
>>> I have read the document; the previous issue has been resolved.
>>> I'm getting data, but some data comes under the %{host} source field.
>>> I have configured Apache logs as shown in the documentation.
>>>
>>> Please refer to the attached screenshot.
>>>
>>> *REGARDS: KUNAL VIKAS PATIL 9860265594*
>>>
>>> On Thu, Sep 22, 2016 at 1:20 AM, Marius Sturm 
>>> wrote:
>>>
 Kunal,
 please read the Sidecar documentation first. You have to create a
 configuration in the Graylog web interface and tag it with the same tag
 you started the Sidecar instance with. There is a step-by-step guide, even
 with screenshots, here:
 http://docs.graylog.org/en/2.1/pages/collector_sidecar.html#step-by-step-guide

 Cheers,
 Marius


 On 21 September 2016 at 20:52, Kunal Patil 
 wrote:

> Hello,
> Thanks for the quick reply and solution. As you guys suggested, I'm
> trying to implement Filebeat with the help of the documentation, but I'm getting
> the below error in the web GUI. Please check and revert.
>
> Sidecar
> Tags: apache  IP:
> CPU Idle: 99.47%  Load: 0.06  Volumes > 75%:
> --
>  *Status*: No configuration found for configured tags!
> Backends
>  *Filebeat*: Collector exits immediately, this should not happen!
> Please check your collector configuration!
>
> *REGARDS: KUNAL VIKAS PATIL 9860265594*
>
> On Wed, Sep 21, 2016 at 9:22 PM, Jochen Schalanda 
> wrote:
>
>> Hi Kunal,
>>
>> nxlog and Filebeat are two different log shippers, each with its own
>> advantages and disadvantages, which are supported by the Graylog Collector
>> Sidecar.
>>
>> Both, nxlog and Filebeat, do support multiline messages:
>>
>>    - https://www.elastic.co/guide/en/beats/filebeat/1.3/multiline-examples.html
>>    - https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#xm_multiline
>>
>> It's up to you which log shipper you want to use in the end and how
>> you configure it.
>>
>> Cheers,
>> Jochen
>>
>> On Wednesday, 21 September 2016 17:43:44 UTC+2, Kunal Patil wrote:
>>>
>>> I m little conf

[graylog2] Re: Error - the server returned: 404 - on login

2016-09-22 Thread Jochen Schalanda
Hi Evgueni,

please post your Graylog configuration and tell us more about your network 
setup (e.g. on which systems Graylog and Elasticsearch are running).

Cheers,
Jochen

On Wednesday, 21 September 2016 21:40:05 UTC+2, Evgueni Gordienko wrote:
>
> Hi,
>
> I have graylog2 (2.1) working fine with external elk (elasticsearch) 
> cluster.
>
> But login fails:
>
>   Error - the server returned: 404 - cannot POST 
> http://elk.test.com:9000/system/sessions (404)
>
> I can ping elk.test.com.
>
> server-status.txt shows:
> connecting to: test
> {
> "host" : "elk",   ... etc
>
> Any Ideas where to look in logs and how to fix?
>
> Thanks,
> Evgueni
>
