Re: [graylog2] Re: Multiline message problems

2017-02-17 Thread Jan Doberstein
Hej Andy,

Maybe you should separate the multiple messages you have by type into different 
log files, so that you can have one pattern for every logfile.

I didn’t dig into NXLog that deep, but again, someone in the NXLog community 
might help with that. 

/jd

From: Andrew Badera <and...@badera.us>
Reply: graylog2@googlegroups.com <graylog2@googlegroups.com>
Date: 17 February 2017 at 11:58:37
To: graylog2@googlegroups.com <graylog2@googlegroups.com>
Subject:  Re: [graylog2] Re: Multiline message problems  

Hi Jan,

Thanks for the reply.

Before I share our million different log messages, can we discuss on the basis 
that a single regex won't capture our messages? We have multiline exceptions, 
multiline SQL statements, multiline various other types of messages. If NXLog 
multiline handling is stronger, is there anything I may have missed in terms of 
NXLog setup? Are there other alternatives (other than decorating our messages) 
I haven't considered, or obviously missed?

Thanks-
--ab


On Fri, Feb 17, 2017 at 2:49 AM, Jan Doberstein <j...@graylog.com> wrote:
Hej Andy,

If you want help with the multiline detection of Filebeat, we would need 
some information about your logfile. Examples are welcome.

With your question about NXLog: the limit for one message is reached; you would 
need to configure this limit. But for this the NXLog community might be the 
best place to ask.

regards
Jan

On Thursday, February 16, 2017 at 11:16:55 PM UTC+1, Andy Badera wrote:
Hello all-

Windows app server into Graylog 2.1.0.

Like many, we have multiline log messages. There is presently no clearly 
defined syntax around these messages, no end delimiter.

I'm able to flow messages in using filebeat, but I can't capture multiline 
messages properly. I believe per a Graylog blog entry, I need a regex that 
matches the entire message. I don't think this is feasible with our 
widely-varied messages. We do have a well-defined phrase that starts every 
message, but I'm not sure how I would define the end of and capture the varied 
messages.

I've tried NXLog outputting to the system input of GELF TCP. I suspect NXLog 
has better multiline handling, but I can't flow messages reliably using NXLog - 
I get shut down repeatedly by the string size limit error in nxlog.log:

2017-02-16 17:13:06 INFO connecting to 10.100.15.196:12201
2017-02-16 17:13:06 INFO reconnecting in 1 seconds
2017-02-16 17:13:06 ERROR oversized string, limit is 1048576 bytes

Is there any way for me to correct this string size limit issue using NXLog CE?

Any other alternatives I'm not considering? Anything I'm doing obviously wrong, 
or missed?

Thanks in advance!
--ab

--
You received this message because you are subscribed to a topic in the Google 
Groups "Graylog Users" group.
To unsubscribe from this topic, visit 
https://groups.google.com/d/topic/graylog2/hhVs0N5d9tQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to 
graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/84085e67-c94c-4a41-a045-164452b77be7%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

— 
Jan Doberstein
Support Engineer

Phone:  +49 40 609452029
Fax:  +49 40 609452030

TORCH GmbH - A Graylog company 
Poolstraße 21
20355  Hamburg, Germany 

Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Geschäftsführer: Lennart Koopmann (CEO)
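Andy's situation (every message starts with a well-defined phrase, no end delimiter) is exactly what a start-anchored multiline mode handles: the end of a message is implied by the next start line, so no end pattern is needed. The following is an added example, not code from the thread or from Graylog, Filebeat or NXLog; it reproduces that grouping in Python and also caps the event size, which is the defensive answer to the `oversized string, limit is 1048576 bytes` error in the NXLog log. The start pattern, the sample log and the function names are constructed assumptions.

```python
"""Start-anchored multiline aggregation.

This is the grouping Filebeat performs with multiline.pattern plus
negate: true and match: after: a line that matches the start pattern opens
a new event, every other line is appended to the current one, and the end
of a message is implied by the next start line. Added example; the start
pattern and the sample log are constructed, not taken from the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed assumption: every message begins with a timestamp and a level.
START_PATTERN = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} (ERROR|WARN|INFO|DEBUG) "
)

# The per-message ceiling NXLog enforced in the thread's nxlog.log.
DEFAULT_MAX_BYTES = 1048576


@dataclass
class Event:
    lines: list = field(default_factory=list)
    truncated: bool = False   # hit the size or line cap; tail was dropped
    orphan: bool = False      # continuation lines seen before any start line

    @property
    def text(self) -> str:
        return "\n".join(self.lines)

    @property
    def size(self) -> int:
        return len(self.text.encode("utf-8"))


def aggregate(lines, start=START_PATTERN, max_bytes=DEFAULT_MAX_BYTES, max_lines=500):
    """Group raw log lines into events; oversized events are cut and flagged
    rather than shipped as one string the receiver will reject."""
    events = []
    current = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if start.match(line):
            if current is not None:
                events.append(current)
            current = Event(lines=[line])
            continue
        if current is None:
            # No start line yet (e.g. tailing from mid-file): keep the data,
            # but mark it so the stray fragment is visible downstream.
            current = Event(lines=[line], orphan=True)
            continue
        if current.truncated:
            continue  # keep dropping until the next start line
        if (len(current.lines) >= max_lines
                or current.size + len(line.encode("utf-8")) + 1 > max_bytes):
            current.truncated = True
            continue
        current.lines.append(line)
    if current is not None:
        events.append(current)
    return events


# Constructed sample, modelled on a Windows app-server log with a multiline
# exception and a multiline SQL statement (not the poster's real data).
SAMPLE_LOG = """\
2017-02-16 17:13:06,001 INFO  Order service started
2017-02-16 17:13:07,120 ERROR Unhandled exception while processing order 42
System.NullReferenceException: Object reference not set to an instance of an object.
   at OrderService.Process(Order order) in C:\\app\\OrderService.cs:line 88
   at OrderController.Post(Order order)
2017-02-16 17:13:08,500 DEBUG Executing SQL
SELECT o.id, o.total
FROM orders o
WHERE o.customer_id = @cust
2017-02-16 17:13:09,000 INFO  Done
""".splitlines()


if __name__ == "__main__":
    for ev in aggregate(SAMPLE_LOG):
        flag = " (truncated)" if ev.truncated else ""
        print(f"--- {len(ev.lines)} line(s), {ev.size} bytes{flag}")
        print(ev.text)
```

In Filebeat 5.x the same grouping is configured with `multiline.pattern` set to the start phrase, `multiline.negate: true` and `multiline.match: after`; `multiline.max_lines` and `multiline.timeout` bound an event the way `max_lines` and `max_bytes` do here. Cutting and flagging a runaway message on the shipper is preferable to letting one oversized string stall the whole feed, which is what the repeated reconnects in the NXLog log amount to.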





[graylog2] Re: How to upgrade Graylog 2.1 > 2.2 ?

2017-02-17 Thread Jan Doberstein
Hej Henri,

this will be the best method for upgrading your environment.

with kind regards
Jan

On Thursday, February 16, 2017 at 7:18:24 PM UTC+1, Henri Volotinen wrote:
>
> Hi,
>
> So rolling upgrade is not supported? Good to know, because I was going to 
> upgrade our production setup (with 3 graylog-server nodes version 2.1.3) 
> using the rolling upgrade method.
>
> So basically the upgrade steps in my scenario are:
> 1) Shutdown all (three) graylog-server nodes
> 2) Upgrade all (three) graylog-server nodes to version 2.2.0
> 3) Start the master node and wait for it to do some indexing magic to the 
> Elasticsearch cluster until it fully starts up
> 4) Start the other two non-master nodes
>
> Is this the correct way to do the upgrade?
>
> Thanks!
>
> Br,
> Henri
>
> On Thursday, 16 February 2017 12:08:36 UTC+2, Jochen Schalanda wrote:
>>
>> Hi,
>>
>> On Thursday, 16 February 2017 10:34:07 UTC+1, jtkarvo wrote:
>>>
>>> Is is possible to do a rolling upgrade to a graylog cluster (from 2.1 to 
>>> 2.2)?  If so, should I upgrade master first or non-master nodes first?
>>>
>>
>> Due to some changes in the index management it's not possible to do a 
>> rolling upgrade from Graylog 2.x to Graylog 2.2.0.
>>
>> You should upgrade and start the master node first, then upgrade and 
>> start the secondary nodes.
>>
>> Cheers,
>> Jochen
>>
>



[graylog2] Re: Multiline message problems

2017-02-17 Thread Jan Doberstein
Hej Andy,

If you want help with the multiline detection of Filebeat, we would need 
some information about your logfile. Examples are welcome.

With your question about NXLog: the limit for one message is reached; you 
would need to configure this limit. But for this the NXLog community might 
be the best place to ask.

regards
Jan

On Thursday, February 16, 2017 at 11:16:55 PM UTC+1, Andy Badera wrote:
>
> Hello all-
>
> Windows app server into Graylog 2.1.0.
>
> Like many, we have multiline log messages. There is presently no clearly 
> defined syntax around these messages, no end delimiter.
>
> I'm able to flow messages in using filebeat, but I can't capture multiline 
> messages properly. I believe per a Graylog blog entry, I need a regex that 
> matches the entire message. I don't think this is feasible with our 
> widely-varied messages. We do have a well-defined phrase that starts every 
> message, but I'm not sure how I would define the end of and capture the 
> varied messages.
>
> I've tried NXLog outputting to the system input of GELF TCP. I suspect 
> NXLog has better multiline handling, but I can't flow messages reliably 
> using NXLog - I get shut down repeatedly by the string size limit error in 
> nxlog.log:
>
> 2017-02-16 17:13:06 INFO connecting to 10.100.15.196:12201
> 2017-02-16 17:13:06 INFO reconnecting in 1 seconds
> 2017-02-16 17:13:06 ERROR oversized string, limit is 1048576 bytes
>
> Is there any way for me to correct this string size limit issue using 
> NXLog CE?
>
> Any other alternatives I'm not considering? Anything I'm doing obviously 
> wrong, or missed?
>
> Thanks in advance!
> --ab
>
>



[graylog2] Re: Archive data in free version of graylog?

2017-02-15 Thread Jan Doberstein
Hej Dan,

You write that you would like to have it in a file for 3 years. 

Graylog uses Elasticsearch to store the events, as Richard already said; you 
can look into Enterprise Archiving, which will give you the data in a plain 
text file after a configured time.

with kind regards
Jan

On Wednesday, February 15, 2017 at 11:58:11 PM UTC+1, Dan Hoffmann wrote:
>
> I'm looking to keep on file 3 years of data.
> Is there a way to archive?
>
> I am just learning with graylog so any help is appreciated.
>
> Thanks,
> Dan
>



Re: [graylog2] [ANN] New Graylog Forum

2017-02-15 Thread Jan Doberstein
Hej Richard,

We discussed this in the team and made the decision to start with a clean 
installation. 

To answer your question briefly: no, we will not copy over the content.

regards
Jan

On Thursday, February 16, 2017 at 2:56:04 AM UTC+1, Richard S. Westmoreland 
wrote:
>
> Hello,
>
> Are you going to copy the google group threads into the forum?
>
>
>
> On Feb 16, 2017, at 4:23 AM, Taylor Rhoades  
> wrote:
>
> We're excited to announce that we will be moving to a new forum! Starting 
> today, you will be able to sign up for the Graylog Forum, which we will begin 
> to use on February 21st. This means you can continue to post your questions 
> here up until February 21st, then our Google Groups mailing list will be set 
> to read-only. The reasoning behind the move was due to the fact that the 
> Google Groups UI is far less than optimal. In particular, searching through 
> and finding information was tedious. With our new forum, we want this 
> community to not only offer fast help in case of any questions but also for 
> content to be easily searchable and consumable. 
>
> Please read our full announcement here! We hope you enjoy the new forum and we 
> will do our best to make this transition as smooth as possible! 
>
> Thank you!  
> The Graylog Team
>
>
>



[graylog2] Re: cannot start AMQP input

2017-02-15 Thread Jan Doberstein
Hej Jiri,

According to the logfile you provided, something is wrong with your 
configuration. You should check all settings and whether Graylog is able to 
connect to the AMQP server on the configured port.

regards
Jan

On Wednesday, February 15, 2017 at 10:42:20 PM UTC+1, Jiří Kolb wrote:
>
> Hi,
> Trying to add AMQP input to connect with RabbitMQ, but input does not 
> start. Can you please help? Following is graylog server log:
>
> 2017-02-13_12:36:08.35670 2017-02-13 13:36:08,342 ERROR: 
> org.graylog2.shared.inputs.InputLauncher - The 
> [org.graylog2.inputs.gelf.amqp.GELFAMQPInput] input with ID 
> <58a1a833ea84240352ab0c9e> misfired. Reason: Connection refused.
> 2017-02-13_12:36:08.35733 org.graylog2.plugin.inputs.MisfireException: 
> org.graylog2.plugin.inputs.MisfireException: Could not launch AMQP consumer.
> 2017-02-13_12:36:08.36173 at 
> org.graylog2.plugin.inputs.MessageInput.launch(MessageInput.java:156) 
> ~[graylog.jar:?]
> 2017-02-13_12:36:08.36503 at 
> org.graylog2.shared.inputs.InputLauncher$1.run(InputLauncher.java:84) 
> [graylog.jar:?]
> 2017-02-13_12:36:08.36512 at 
> com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176)
>  
> [graylog.jar:?]
> 2017-02-13_12:36:08.36614 at 
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) 
> [?:1.8.0_101]
> 2017-02-13_12:36:08.39847 at 
> java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_101]
> 2017-02-13_12:36:08.40479 at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>  
> [?:1.8.0_101]
> 2017-02-13_12:36:08.40688 at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>  
> [?:1.8.0_101]
> 2017-02-13_12:36:08.40894 at java.lang.Thread.run(Thread.java:745) 
> [?:1.8.0_101]
> 2017-02-13_12:36:08.41575 Caused by: 
> org.graylog2.plugin.inputs.MisfireException: Could not launch AMQP consumer.
> 2017-02-13_12:36:08.43687 at 
> org.graylog2.inputs.transports.AmqpTransport.doLaunch(AmqpTransport.java:179) 
> ~[graylog.jar:?]
> 2017-02-13_12:36:08.43858 at 
> org.graylog2.plugin.inputs.transports.ThrottleableTransport.launch(ThrottleableTransport.java:75)
>  
> ~[graylog.jar:?]
> 2017-02-13_12:36:08.44099 at 
> org.graylog2.plugin.inputs.MessageInput.launch(MessageInput.java:153) 
> ~[graylog.jar:?]
> 2017-02-13_12:36:08.45928 ... 7 more
> 2017-02-13_12:36:08.46113 Caused by: java.net.ConnectException: Connection 
> refused
> 2017-02-13_12:36:08.46239 at 
> java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:1.8.0_101]
> 2017-02-13_12:36:08.46372 at 
> java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) 
> ~[?:1.8.0_101]
> 2017-02-13_12:36:08.46735 at 
> java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>  
> ~[?:1.8.0_101]
> 2017-02-13_12:36:08.47077 at 
> java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) 
> ~[?:1.8.0_101]
> 2017-02-13_12:36:08.47511 at 
> java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_101]
> 2017-02-13_12:36:08.47630 at java.net.Socket.connect(Socket.java:589) 
> ~[?:1.8.0_101]
> 2017-02-13_12:36:08.48921 at 
> com.rabbitmq.client.impl.FrameHandlerFactory.create(FrameHandlerFactory.java:47)
>  
> ~[graylog.jar:?]
> 2017-02-13_12:36:08.52276 at 
> com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:822)
>  
> ~[graylog.jar:?]
> 2017-02-13_12:36:08.52512 at 
> com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:778)
>  
> ~[graylog.jar:?]
> 2017-02-13_12:36:08.53003 at 
> com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:868)
>  
> ~[graylog.jar:?]
> 2017-02-13_12:36:08.53488 at 
> org.graylog2.inputs.transports.AmqpConsumer.connect(AmqpConsumer.java:176) 
> ~[graylog.jar:?]
> 2017-02-13_12:36:08.54119 at 
> org.graylog2.inputs.transports.AmqpConsumer.run(AmqpConsumer.java:108) 
> ~[graylog.jar:?]
> 2017-02-13_12:36:08.55159 at 
> org.graylog2.inputs.transports.AmqpTransport.doLaunch(AmqpTransport.java:176) 
> ~[graylog.jar:?]
> 2017-02-13_12:36:08.57116 at 
> org.graylog2.plugin.inputs.transports.ThrottleableTransport.launch(ThrottleableTransport.java:75)
>  
> ~[graylog.jar:?]
> 2017-02-13_12:36:08.57121 at 
> org.graylog2.plugin.inputs.MessageInput.launch(MessageInput.java:153) 
> ~[graylog.jar:?]
> 2017-02-13_12:36:08.57762 ... 7 more
> 2017-02-13_12:36:08.58163 2017-02-13 13:36:08,361 INFO : 
> org.graylog2.inputs.InputStateListener - Input [GELF 
> AMQP/58a1a833ea84240352ab0c9e] is now TERMINATED
> 2017-02-13_12:36:08.58165 2017-02-13 13:36:08,345 ERROR: 
> com.google.common.eventbus.EventBus.graylog-eventbus - Exception thrown by 
> subscriber method 
> inputStateChanged(org.graylog2.plugin.events.inputs.IOStateChangedEvent) on 
> subscriber org.graylog2.inputs.InputStateListener@47629063 when dispatching 
> event: IOStateChangedEvent{oldState=STARTING, newState=FAILED, 
> 

Re: [graylog2] Problem using sidecar with Win2003

2016-09-22 Thread Jan Doberstein
Hej Werner,


> Due to some legacy software still in process of being migrated, we have a few 
> Windows Server 2003 (i386) boxes about.

As you have already opened an issue ( 
https://github.com/Graylog2/collector-sidecar/issues/66 ), I did not need to ask 
for this.



/jd






Re: [graylog2] Error - the server returned: 404 - on login

2016-09-22 Thread Jan Doberstein
Hej Evgueni,


> I have graylog2 (2.1) working fine with external elk (elasticsearch) cluster.
>
> But login fails:
>
>   Error - the server returned: 404 - cannot POST 
> http://elk.test.com:9000/system/sessions (404)
>
> I can ping elk.test.com.

You got something wrong in your settings. Is elk.test.com the URI for your 
Graylog system or for your Elasticsearch cluster?

Please read and check: 
http://docs.graylog.org/en/2.1/pages/configuration/web_interface.html#web-interface

/jd





Re: [graylog2] Pipeline doesn't drop message unless attached to Default stream

2016-09-18 Thread Jan Doberstein
Hej Alex,

> Yes that was it, thanks.
>
> I never touched that order, so I guess it has been changed/created through 
> upgrades. Maybe it would be worth adding this information (about the required 
> processing order for pipelines) to the pipeline documentation.

This is already part of the documentation: 
http://docs.graylog.org/en/2.1/pages/pipelines/usage.html#configure-the-message-processor

but that might not be prominent enough …



/jd






Re: [graylog2] Pipeline doesn't drop message unless attached to Default stream

2016-09-16 Thread Jan Doberstein
Hej Alex,

Processing order looks fine to me

https://i.imgur.com/4oIEcvB.png
Try it with the changed order:






/jd





Re: [graylog2] Re: Graylog Kerberos Single Sign-On Configuration

2016-09-15 Thread Jan Doberstein
Dear Aleksey,

please open a bug report for this: 
https://github.com/Graylog2/graylog-plugin-auth-sso/issues

thank you


From: Aleksey Chudov 
Reply: graylog2@googlegroups.com 
Date: 15 September 2016 at 09:32:52
To: Graylog Users 
Subject:  [graylog2] Re: Graylog Kerberos Single Sign-On Configuration  

Dear Graylog developers,

Should I register a bug or a feature request on this issue?

Aleksey


On Thursday, September 8, 2016 at 2:23:00 PM UTC+3, Aleksey Chudov wrote:
Hi,

Thanks for SSO Authentication Plugin for Graylog! 

I'm trying to set up Kerberos Single Sign-On to Graylog 2.1 on my Apache HTTP 
Server proxy.

My current Apache HTTP Server proxy configuration:

    
        SSLRequireSSL
        RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    

First of all I've created user ad...@example.com via Graylog WEB UI 
/system/authentication/users and configured SSO Plugin 
/system/authentication/config/sso to trust X-Remote-User HTTP header.

To test that the SSO plugin works as expected, I've added a static header to my 
configuration:

    
        SSLRequireSSL
        RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
        RequestHeader set X-Remote-User "ad...@example.com"
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    

With the above configuration I always login as ad...@example.com without 
prompting for password.

So, the Kerberos part uses mod_auth_gssapi 
https://github.com/modauthgssapi/mod_auth_gssapi

    
        SSLRequireSSL

        AuthType GSSAPI
        AuthName "Kerberos Login"
        GssapiCredStore keytab:/etc/httpd/conf/krb5.keytab
        GssapiUseSessions On
        Require valid-user

        RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
        RequestHeader set X-Remote-User %{REMOTE_USER}s

        Session On
        SessionCookieName gssapi_session path=/;httponly;secure;

        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    

With the above configuration Apache HTTP Server authenticates me as 
ad...@example.com, but the Graylog API session is not authorized:

192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET / HTTP/1.1" 
200 500 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET /config.js 
HTTP/1.1" 200 136 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux 
x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 
Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:19 +0300] "GET 
/assets/polyfill.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 
(X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 
Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:20 +0300] "GET 
/assets/plugin/org.graylog.plugins.pipelineprocessor.ProcessorPlugin/plugin.org.graylog.plugins.pipelineprocessor.PipelineProcessorPlugin.052c725323b2a784f7b0.js.map
 HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions 
HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux 
x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 
Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions 
HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux 
x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 
Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:21 +0300] "GET 
/assets/plugin/org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin/plugin.org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin.cac9c48526f92b69f0dc.js.map
 HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:21 +0300] "GET 
/assets/plugin/org.graylog.plugins.map.MapWidgetPlugin/plugin.org.graylog.plugins.map.MapWidgetPlugin.2d9b16670c4a97bedae2.js.map
 HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - ad...@example.com [08/Sep/2016:14:05:22 +0300] "GET 
/api/system/cluster/node HTTP/1.1" 200 223 "https://graylog.example.com/" 
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:22 +0300] "GET /api/system/sessions 
HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux 
x86_64) 
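Aleksey's access log shows the two `/api/system/sessions` requests arriving with no REMOTE_USER (the `- -` entries), and those are exactly the ones answered with 401: a header-trusting SSO plugin can only authenticate what the proxy has already authenticated. The example below is added here and is not part of the thread or of the graylog-plugin-auth-sso project. It parses combined-format access-log lines to surface API requests that reached the proxy unauthenticated, and models the header rewrite that `RequestHeader set X-Remote-User %{REMOTE_USER}s` has to guarantee, namely that a client-supplied X-Remote-User is never forwarded. The log lines, client address, user name and function names are constructed.

```python
"""Check proxy access-log lines for API requests that reached the proxy without
an authenticated user, and model the X-Remote-User rewrite a header-trusting SSO
setup relies on. Added example; the log lines, addresses and names below are
constructed placeholders, not the thread's real data."""
import re
from collections import Counter

# Constructed lines in Apache combined log format, modelled on the thread's
# access log. The "- -" entries are requests with no proxy-authenticated user.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - alice@example.com [08/Sep/2016:14:05:19 +0300] '
    '"GET / HTTP/1.1" 200 500 "-" "Mozilla/5.0"',
    '192.0.2.10 - alice@example.com [08/Sep/2016:14:05:19 +0300] '
    '"GET /config.js HTTP/1.1" 200 136 "https://graylog.example.com/" "Mozilla/5.0"',
    '192.0.2.10 - - [08/Sep/2016:14:05:20 +0300] '
    '"GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0"',
    '192.0.2.10 - - [08/Sep/2016:14:05:20 +0300] '
    '"GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0"',
    '192.0.2.10 - alice@example.com [08/Sep/2016:14:05:22 +0300] '
    '"GET /api/system/cluster/node HTTP/1.1" 200 223 "https://graylog.example.com/" "Mozilla/5.0"',
]

COMBINED_LOG = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = COMBINED_LOG.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec


def audit_sso(lines, api_prefix="/api/"):
    """Count API requests the proxy forwarded without a REMOTE_USER. Under
    header-based SSO those cannot be authenticated downstream, so they are
    where the 401s come from."""
    report = {"api_total": 0, "api_unauthenticated": 0, "api_401": 0,
              "unauth_paths": Counter(), "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        if not rec["path"].startswith(api_prefix):
            continue
        report["api_total"] += 1
        if rec["user"] is None:
            report["api_unauthenticated"] += 1
            report["unauth_paths"][rec["path"]] += 1
        if rec["status"] == 401:
            report["api_401"] += 1
    return report


def upstream_headers(client_headers, remote_user):
    """What `RequestHeader set X-Remote-User %{REMOTE_USER}s` must achieve:
    a client-supplied X-Remote-User is dropped, and the header is present on
    the upstream request only when the proxy itself authenticated the user."""
    headers = {k: v for k, v in client_headers.items()
               if k.lower() != "x-remote-user"}
    if remote_user:
        headers["X-Remote-User"] = remote_user
    return headers


if __name__ == "__main__":
    rep = audit_sso(SAMPLE_ACCESS_LOG)
    print(f"API requests: {rep['api_total']}, without user: "
          f"{rep['api_unauthenticated']}, answered 401: {rep['api_401']}")
    for path, n in rep["unauth_paths"].most_common():
        print(f"  {n}x {path}")
```

The second function is the trust boundary of this whole setup: because Graylog accepts X-Remote-User as proof of identity, the proxy must always overwrite that header (`RequestHeader set`, not `add` or `merge`), and the backend on 127.0.0.1:9000 must be reachable only through the proxy; any path that lets a request reach port 9000 without passing through the rewrite lets the caller choose the user name. The audit half is the check to run when, as in the thread, some requests come back 401: it tells you which paths the proxy forwarded unauthenticated, which is where to look before suspecting the plugin.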

Re: [graylog2] Re: LetsEncrypt with Appliance

2016-09-09 Thread Jan Doberstein
Hej Chris,

> Ohh I was missing that bit of info from the docs. I have it working now, though 
> I had to briefly disable nginx so I could get the cert in standalone mode. I'd 
> like to add a location to graylog's nginx config for the .well-known directory 
> so the renewal won't require stopping the graylog nginx instance, but I'm not 
> sure how that'll play into graylog-ctl's management?

Personally I used the DNS mode with acme.sh, so there is no need to handle the 
.well-known directory.

But that should be possible; I didn’t try it yet.



/jd








Re: [graylog2] Re: How to use pipeline

2016-09-09 Thread Jan Doberstein
Hej Jay,

> I am aware of this plugin but with this I won't be able to do message routing 
> to various streams and customize email alerts or post it to HTTP callback links.

No currently available plugin would help you with this, but you can develop it, 
or pay someone to.



/jd






Re: [graylog2] Syslog input: Add source IP field to messages from devices with poor syslog formatting?

2016-09-08 Thread Jan Doberstein
Hej Michael,

> I can use rsyslog to modify the messages or something, but can we get this as 
> an option for the Syslog input?

If you use one input per access point, you can add the source per input. If you 
are able to identify it by something else, a pipeline can help you add this 
field.

/jd








Re: [graylog2] Graylog not accepting syslog messages from remote subnets with an other network interface (eth1)

2016-09-02 Thread Jan Doberstein
Hej Tom,

I’m missing any information about the Graylog configuration.

How is your input configured? You can configure the listen IP of the input … 

Did you modify the settings of Graylog somewhere? 

Your question is about routing and networking and is not directly Graylog 
related, unless you can point to a misbehavior.

As the information is that in a plain syslog setup this is also not working, you 
must fix your networking.

/jd


From: Thomas Vahé 
Reply: graylog2@googlegroups.com 
Date: 2 September 2016 at 09:20:08
To: Graylog Users 
Subject:  [graylog2] Graylog not accepting syslog messages from remote subnets 
with an other network interface (eth1)  

Hi,

I post a message from ecloudbizsolns. See 
https://github.com/Graylog2/graylog2-server/issues/2649

I have the same problem and nobody to give a solution. I think I'm alone in this 
case.





Graylog is not receiving syslog messages from remote subnets on another 
interface than eth0. If NAT is implemented then it works. However, this loses 
the source IP.

This could be by design, but I am unable to locate any documentation referring 
to accepting (or not accepting) syslog messages from remote subnets.



Background Info

Devices on other subnets send syslog messages, they are received at Graylog 
(tcpdump confirms this), but never make it into the store. If the firewall 
NATs those same packets to have the log subnet source IP, then it works 
flawlessly. Other than that, the real source IP has now been irretrievably lost.

Expected Behavior

Log messages from remote subnets should be processed or a clear, concise and 
obvious error should be generated.

Current Behavior

Log messages from remote subnets are silently discarded unless NAT'd to appear 
to be from the same subnet.

Possible Solution

NAT'ing the remote subnet to the Graylog subnet allows the messages to be 
received, however the source IP is lost forever.

Steps to Reproduce (for bugs)

Send any syslog message from a remote subnet under another interface than eth0 
- it will not be received. NAT that same traffic and it works.

Context

Want to accept logs from devices on subnets other than the subnet to which 
Graylog is directly connected.

My Environment

Current 2.0.3 VM on VirtualBox, imported from OVA

2 NICs: one for mgmt, one for receiving logs (dedicated logging subnet)
Time is synchronised correctly across all devices
Firewall and NAS appliances have connectivity to log subnet and logs are 
received correctly.

Graylog Version: Out of the box 2.1.0 OVA
Elasticsearch Version: Out of the box 2.1.0 OVA
MongoDB Version: Out of the box 2.1.0 OVA

tcpdumps

tcpdump -ni eth1 -Xvvvs0 port 514
Note: 10.10.30.253 is a wifi AP, 10.10.70.25 is graylog server

This message is not ingested by Graylog:

11:00:17.674727 IP (tos 0x0, ttl 63, id 35326, offset 0, flags [DF], proto UDP 
(17), length 97)
10.10.30.253.2052 > 10.10.70.25.514: [udp sum ok] SYSLOG, length: 69
Facility user (1), Severity info (6)
Msg: Aug 10 11:00:22 syslog: klogd : klog daemon successfully started\0x0a
0x0000: 3c31 343e 4175 6720 3130 2031 313a 3030
0x0010: 3a32 3220 7379 736c 6f67 3a20 6b6c 6f67
0x0020: 6420 3a20 6b6c 6f67 2064 6165 6d6f 6e20
0x0030: 7375 6363 6573 7366 756c 6c79 2073 7461
0x0040: 7274 6564 0a
0x0000: 4500 0061 89fe 4000 3f11 3864 0a0a 1efd E..a..@.?.8d
0x0010: 0a0a 4619 0804 0202 004d fa0b 3c31 343e ..F..M..<14>
0x0020: 4175 6720 3130 2031 313a 3030 3a32 3220 Aug.10.11:00:22.
0x0030: 7379 736c 6f67 3a20 6b6c 6f67 6420 3a20 syslog:.klogd.:.
0x0040: 6b6c 6f67 2064 6165 6d6f 6e20 7375 6363 klog.daemon.succ
0x0050: 6573 7366 756c 6c79 2073 7461 7274 6564 essfully.started
0x0060: 0a .

Yet, this one is received once the packet has been NAT'd to the log subnet 
(10.10.70.x/24):

11:02:39.217112 IP (tos 0x0, ttl 63, id 55700, offset 0, flags [DF], proto UDP 
(17), length 101)
10.10.70.1.2052 > 10.10.70.25.514: [udp sum ok] SYSLOG, length: 73
Facility user (1), Severity info (6)
Msg: Aug 10 11:02:44 syslog: syslogd : syslog daemon successfully stopped\0x0a
0x0000: 3c31 343e 4175 6720 3130 2031 313a 3032
0x0010: 3a34 3420 7379 736c 6f67 3a20 7379 736c
0x0020: 6f67 6420 3a20 7379 736c 6f67 2064 6165
0x0030: 6d6f 6e20 7375 6363 6573 7366 756c 6c79
0x0040: 2073 746f 7070 6564 0a
0x0000: 4500 0065 d994 4000 3f11 c1c5 0a0a 4601 E..e..@.?.F.
0x0010: 0a0a 4619 0804 0202 0051 dbfe 3c31 343e ..F..Q..<14>
0x0020: 4175 6720 3130 2031 313a 3032 3a34 3420 Aug.10.11:02:44.
0x0030: 7379 736c 6f67 3a20 7379 736c 6f67 6420 syslog:.syslogd.
0x0040: 3a20 7379 736c 6f67 2064 6165 6d6f 6e20 :.syslog.daemon.
0x0050: 7375 6363 6573 7366 756c 6c79 2073 746f successfully.sto
0x0060: 7070 6564 0a pped.



If I remove the NAT rule at the firewall then it stops ingesting again. (Note: 
the firewall is passing the traffic whether NAT'd or not. The only difference 
is that the NAT'd messages are ingested by Graylog and the 
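The two tcpdump captures above can be checked byte by byte before looking at Graylog at all. The following Python script is an added example and not part of the original report: it decodes the first capture (the datagram Graylog did not ingest), verifies the IPv4 header checksum, pulls out source and destination address and port, and parses the syslog PRI field into the facility and severity that tcpdump printed. The hex bytes are copied from the capture above; the 10.10.70.0/24 log subnet is taken from the report, and the facility and severity names are the RFC 3164 ones.

```python
"""Decode a captured IPv4/UDP syslog datagram and check where it came from.

Added example for this thread. The packet bytes are copied from the first
tcpdump -X capture in the report (the datagram Graylog did not ingest).
"""
import struct
from ipaddress import IPv4Address, IPv4Network

# Hex columns of the first capture above, ASCII column dropped.
CAPTURED_HEX = """
4500 0061 89fe 4000 3f11 3864 0a0a 1efd
0a0a 4619 0804 0202 004d fa0b 3c31 343e
4175 6720 3130 2031 313a 3030 3a32 3220
7379 736c 6f67 3a20 6b6c 6f67 6420 3a20
6b6c 6f67 2064 6165 6d6f 6e20 7375 6363
6573 7366 756c 6c79 2073 7461 7274 6564
0a
"""

# Dedicated logging subnet named in the report.
LOG_SUBNET = IPv4Network("10.10.70.0/24")

# RFC 3164 facility and severity names.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp",
              **{16 + n: f"local{n}" for n in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the hex column of a tcpdump -X listing into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def ipv4_header_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the whole header (checksum field included) is 0xFFFF when intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_syslog_datagram(raw: bytes) -> dict:
    """Parse the IPv4 and UDP headers and the RFC 3164 PRI of the syslog payload."""
    if len(raw) < 28:
        raise ValueError("too short for IPv4 + UDP headers")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 17:
        raise ValueError(f"not UDP (protocol {proto})")
    if total_len != len(raw):
        raise ValueError(f"IP total length {total_len} != captured {len(raw)} bytes")
    if not ipv4_header_checksum_ok(raw[:ihl]):
        raise ValueError("IPv4 header checksum mismatch")
    sport, dport, udp_len, _udp_csum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    payload = raw[ihl + 8:ihl + udp_len]
    # PRI is "<n>" with n = facility * 8 + severity, at most three digits.
    if not payload.startswith(b"<") or b">" not in payload[:5]:
        raise ValueError("payload has no syslog PRI field")
    end = payload.index(b">")
    pri = int(payload[1:end])
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return {
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "ttl": ttl,
        "sport": sport,
        "dport": dport,
        "pri": pri,
        "facility": FACILITIES.get(facility, f"facility{facility}"),
        "severity": SEVERITIES[severity],
        "message": payload[end + 1:].decode("ascii", "replace").rstrip("\n"),
    }


def from_log_subnet(decoded: dict, subnet: IPv4Network = LOG_SUBNET) -> bool:
    """True when the datagram's source address sits on the dedicated log subnet."""
    return IPv4Address(decoded["src"]) in subnet


if __name__ == "__main__":
    info = decode_syslog_datagram(hexdump_to_bytes(CAPTURED_HEX))
    for key, value in info.items():
        print(f"{key:>9}: {value}")
    print("from log subnet:", from_log_subnet(info))
```

Running it on the first capture reports source 10.10.30.253, destination 10.10.70.25:514, PRI 14 (facility user, severity info) and `from log subnet: False`, which is exactly the difference between the two captures: the wire format of the datagram is valid either way, only the source network changes.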

Re: [graylog2] Autmatically parsed fields in Syslog TCP/UDP input

2016-08-26 Thread Jan Doberstein
Hej Markus,


I filed an enhancement in github ( 
https://github.com/Graylog2/graylog2-server/issues/2739 ) but that was closed 
quickly with the "tip" to just use Raw Text Input - which isn't a solution 
because that Input is lacking Syslog fields I need ( level, facility, ... ).
Take a look at what others already do: 
https://marketplace.graylog.org/addons?search=vmware 

Personally I would use the "raw input" and extract the fields I like to see with 
the given groks in the marketplace - or do a Google / GitHub search. I was 
able to identify different resources that can help you with this.



/jd

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/etPan.57c01b36.bb31434.ae4f%40jalogisch.de.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: Message signed with OpenPGP using AMPGpg


Re: [graylog2] Removing a Graylog node from the cluster

2016-08-25 Thread Jan Doberstein
Hej Steve,

I've been unable to find any documentation around this. How do I completely 
remove a graylog node from the cluster?
I would stop all inputs on this node and, after no messages are left in the journal, 
just shut down the node.

with kind regards

Jan





Re: [graylog2] Starting graylog2-server redirecting stderr to stdout

2016-08-22 Thread Jan Doberstein
Hej Charmant,

I downloaded the latest graylog OVA, it functions correctly, but I want to send 
Windows logs to graylog. I want to know:
what input can I configure on the graylog server?
what configuration can I put in winlogbeat or the graylog collector?
why install the graylog beats plugin?

Please step by step please. I'm a novice!
Sorry to have to say it, but that is something I will not explain on this 
mailing list. You need to understand what you are doing and not just follow a 
step-by-step guide.

Please get a local consultant who can assist you in this. 

thank you

Jan





Re: [graylog2] Syslog severity mapper decorator

2016-08-22 Thread Jan Doberstein
Hej Jason,

thank you for this hint.

FYI I get 'permission denied' trying to access the decorator documentation on:

http://docs.graylog.org/en/2.1/pages/decorators.html


Jan



Re: [graylog2] Re: graylog2 trimmed mean percentage?

2016-08-22 Thread Jan Doberstein
Hej Yiannis,

Any help with that ?
Sorry, what you would like to get is currently not possible. Fixed values would be 
possible to trim with pipelines. But you would like to have this dynamic. That 
is not possible. Maybe in the future, but that sounds like a function on field 
values. I do not know any open source product that has this available.



with kind regards

Jan



Re: [graylog2] Re: Parsing Linux audit log messages

2016-08-22 Thread Jan Doberstein
Hej Aleksey,

I want to achieve two goals:
1. Extract name=value pairs from audit records ‒ this can be solved by using 
key=value extractor
2. Aggregate complete audit event (three audit records) into a single message ‒ 
I don't know how to solve this problem
The second is - at the moment - not possible with Graylog. 

You would need to write your own plugin that performs this merge for you.

with kind regards

Jan



Re: [graylog2] Syslog severity mapper decorator

2016-08-19 Thread Jan Doberstein
Hej Marcus

That's what I hoped for, but to me it looks like nothing has changed at 
all. Everything is like it was with 2.0 and/or 2.1beta2. I must be kind of 
too blind to see ;) 

From my understanding I could still search for something like: 
level:<4 AND message:foo 

But I would expect to see in the search window of my message a decorated view 
of my messages with ERROR, WARNING, FATAL instead of the kind of raw numbers. 
that is what they are used for. 

You need to choose source and target field (when you just use the severity mapper). 
We are a little behind in providing documentation but it will be present as soon 
as possible.

Give the new beta.4 a try, we have fixed many issues.



/jd



Re: [graylog2] Starting graylog2-server redirecting stderr to stdout

2016-08-19 Thread Jan Doberstein
Hej Charmant,



Can I have a web link that shows me how to install the latest version of graylog2 
step by step on Ubuntu 14.04 amd64 or newer?
Or a web link to download a vmdk (VMware machine that runs graylog2)?
Help me please!!
Did you try one of the installations described in the graylog documentation?

http://docs.graylog.org/en/2.0/pages/installation.html



regards

Jan



Re: [graylog2] Syslog severity mapper decorator

2016-08-18 Thread Jan Doberstein
Hej Marcus,

Do you have a slightly more elaborate example? As I wrote, in the search 
results all log events still show up with level: 6 and no names. 

The decorator does not manipulate the data, it changes only the view in the 
search.


Generating the quick values for level shows (in my case) just 5 and 6, no named 
values like NOTICE or INFO. 
What you would like to use - as I understand the request - is a pipeline that changes 
the values permanently and not only while viewing.

Does that describe what you like to get in the end?

regards

Jan



Re: [graylog2] Starting graylog2-server redirecting stderr to stdout

2016-08-18 Thread Jan Doberstein
Hej Charmant,

with the given Information nobody is able to help you.


I try to start graylog2 but i see an error

Starting graylog2-server redirecting stderr to stdout

I need Help please


- How did you start Graylog?

- What Version of Graylog?

- How did you install Graylog?

- What OS?

- what is your exact problem?



to name only some



regards

Jan



Re: [graylog2] Question about Clustered setup

2016-08-18 Thread Jan Doberstein
Hej Jamie,
On to my question.  I have a graylog server that is only doing graylog and 
mongodb that I spun up from the ova.  I have setup two separate ova instances 
to be elasticsearch nodes only.  My question is, when the logs come in to the 
graylog server (Just from windows at the moment) are they stored on the graylog 
server, or do I need to add space to the elasticsearch nodes?  I am getting 
confused about elasticsearch in this equation and the indices page.  Even after 
reading info in Elasticsearch's home website it's still fuzzy after I read it.  
Just want to ensure that I have the correct amount of hard drive space for each 
node in the cluster.  FYI: I have expanded the graylog server's HD to 100gigs 
since I figured that's where the logs are being kept.  Just wanting to make 
sure that I am right in this assumption.



In the setup you describe, the messages will be stored on the Elasticsearch 
nodes.

Think of them like a database server where the content is stored, and the Graylog 
server is the application that requests the information from the database. 
Additionally, Graylog does the processing of the messages before they are inserted 
into the database.

That means you need some storage on your Graylog System for the Journal ( which 
is a queue that is used if you have any issues with your Elasticsearch setup ) 
but most of the space is needed for the Data directory of your Elasticsearch 
Nodes.

kind regards

Jan



Re: [graylog2] Syslog severity mapper decorator

2016-08-18 Thread Jan Doberstein
Hej Marcus,

in the graylog 2.1-beta3 announcement there is this announcement about the 
syslog severity mapper decorator, but I am unable to find a place where to 
configure this. 




Just give it a try and you will notice how it works



regards

Jan



Re: [graylog2] Extractor not running on inputs that should match

2016-08-03 Thread Jan Doberstein
Hi Phil,


the Grok pattern needs to match the whole line and in your case it does not.

An example Grok pattern:
%{HOSTNAME:source_unit} diskmonitor\:%{GREEDYDATA:UNWANTED}partition 
%{WORD:partition} has only %{POSINT:percent_free}

And an example input message:

ip-10-244-63-14 diskmonitor: 011d0004:3: Disk partition
var
has
only 12% free


regards
Jan
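Whether a grok pattern is applied as a whole-line match or as a substring search decides whether the pattern in the reply above captures anything. The following Python script is an added example, not Graylog's grok engine: a tiny grok compiler that knows the four base patterns used in the reply (HOSTNAME, GREEDYDATA, WORD, POSINT, taken from the standard grok-patterns definitions; nested %{...} references are not resolved because these four do not need them) and runs Jan's pattern against the example message, once as a search and once as a full match. The message is taken from the reply with the line wrapping removed.

```python
"""Apply a grok pattern as a substring search and as a whole-line match.

Added example for this thread, not Graylog code. Only the four base grok
patterns used in the reply are defined; nested %{...} references are not
resolved.
"""
import re
from typing import Optional

# Base definitions as in the standard grok-patterns file (no nesting).
GROK_LIBRARY = {
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
                r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)",
    "WORD": r"\b\w+\b",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "GREEDYDATA": r".*",
}

# %{NAME} or %{NAME:field}
GROK_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")

# Pattern and sample message from the reply above (message on one line).
JAN_PATTERN = (r"%{HOSTNAME:source_unit} diskmonitor\:%{GREEDYDATA:UNWANTED}"
               r"partition %{WORD:partition} has only %{POSINT:percent_free}")
MESSAGE = ("ip-10-244-63-14 diskmonitor: 011d0004:3: Disk partition var "
           "has only 12% free")


def grok_to_regex(pattern: str, library: dict = GROK_LIBRARY) -> str:
    """Replace %{NAME:field} with a named group and %{NAME} with a plain group."""
    def expand(match) -> str:
        name, field = match.group(1), match.group(2)
        if name not in library:
            raise KeyError(f"unknown grok pattern {name}")
        body = library[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_TOKEN.sub(expand, pattern)


def grok_match(pattern: str, text: str, whole_line: bool) -> Optional[dict]:
    """Return the named captures, or None when the pattern does not apply.

    whole_line=True behaves like an anchored match: every character of the
    text has to be consumed. whole_line=False finds the pattern anywhere.
    DOTALL lets GREEDYDATA span line breaks inside a multi-line message.
    """
    regex = re.compile(grok_to_regex(pattern), re.DOTALL)
    match = regex.fullmatch(text) if whole_line else regex.search(text)
    return None if match is None else match.groupdict()


if __name__ == "__main__":
    print("search:    ", grok_match(JAN_PATTERN, MESSAGE, whole_line=False))
    print("whole line:", grok_match(JAN_PATTERN, MESSAGE, whole_line=True))
    # Extending the pattern to the end of the line makes the full match succeed.
    print("extended:  ", grok_match(JAN_PATTERN + "% free", MESSAGE, whole_line=True))
```

As a search, Jan's pattern captures `percent_free = "12"`; as a whole-line match it returns None because the trailing `% free` is not covered, and only the pattern extended with `% free` matches the entire message. Whichever mode an extractor uses, testing the pattern against a real message in both modes shows quickly which case applies.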



Re: [graylog2] Elasticsearch 5?

2016-07-27 Thread Jan Doberstein
Hej Michael,


The docs say Elasticsearch 2.1 or greater is required. Does that mean
Elasticsearch 5 is supported now?

can you please point to the document where you read this.

thx

Jan



Re: [graylog2] Incoming logs incorrectly formatted

2016-07-27 Thread Jan Doberstein
Hej Joshua,

i would change the output from syslog to gelf in your nxlog configuration -
then you need to create a gelf input on graylog. This should solve some of
your Problems and the Fields will be separated.


From: Joshua Walderbach  
Reply: graylog2@googlegroups.com 

Date: 26 July 2016 at 23:30:53
To: Graylog Users  
Subject:  [graylog2] Incoming logs incorrectly formatted

I have a Log directory at C:\Logs and in that directory are say 5 different
logs, per day, by application.  ex. app1-07262016.log, app2-07262016.log,
etc...  I want to watch these logs and send them over to Graylog.

I have nxlog installed on the Windows server along with sidecar.  I've
set up a Syslog/UDP input and it's collecting info from these logs.  However
the formatting isn't allowing for accurate searching.  For example,
everything is in the message:


In this example I'm unable to search for instances where the "level" =
something.  This one shows Debug but I'd want to eventually setup alerts
for "level=Fatal".  I assume that this is a result of how I've set up the
nxlog.conf or created the input.  The raw logs, as they are now, are pumped
into Splunk and I can easily search for host=something level=Fatal and
create an alert on that query.


nxlog.conf which I cobbled together from various online sources:

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# The block tags were lost in the archive. The Input and Output names below
# come from the Route's Path line; the Extension and Route names are placeholders.
<Extension syslog>
    Module xm_syslog
</Extension>

<Input ivx>
    Module im_file
    File 'c:\\Logs\\*.log'
    SavePos TRUE
    ReadFromLast TRUE
    Recursive TRUE
    PollInterval 1
</Input>

<Output out>
    Module om_udp
    Host XXX.XXX.XXX.XXX
    Port 
    Exec to_syslog_bsd();
</Output>

<Route r>
    Path ivx => out
</Route>


Any tips or ideas?

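Jan's suggestion to replace the syslog output with GELF is about structure: with `to_syslog_bsd()` the whole application line ends up in one message string, while GELF carries every key=value pair as its own field, which is what makes a search such as `level:Fatal` possible. The following Python script is an added example, not NXLog or Graylog code: it parses a key=value line into fields, builds a GELF 1.1 document from them and encodes it the way GELF over UDP transports small messages (gzip-compressed JSON). The log line is constructed for this example in the style described in the question, and the mapping from the application's level names to syslog severities is an assumption.

```python
"""Turn a key=value application log line into a GELF 1.1 message.

Added example for this thread, not NXLog or Graylog code. The sample line
is constructed; the level-name mapping is an assumption about the app.
"""
import gzip
import json
import re

# Constructed sample line in the style described in the question.
SAMPLE_LINE = ('2016-07-26 14:03:11 host=APP1 level=Debug module=billing '
               'msg="invoice 4711 rendered"')

# key=value with either a quoted value or a run of non-blank characters.
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Application level names -> syslog severity for the GELF "level" field
# (assumed mapping; adjust to the application's own names).
LEVEL_TO_SYSLOG = {"fatal": 2, "error": 3, "warn": 4, "warning": 4,
                   "info": 6, "debug": 7, "trace": 7}


def parse_key_values(line: str) -> dict:
    """Extract key=value pairs; quoted values lose their quotes."""
    return {key: value.strip('"') for key, value in KEY_VALUE.findall(line)}


def to_gelf(line: str, source_host: str, timestamp: float) -> dict:
    """Build a GELF 1.1 document; additional fields get the required underscore prefix."""
    fields = parse_key_values(line)
    gelf = {
        "version": "1.1",
        "host": fields.get("host", source_host),
        "short_message": fields.get("msg", line),
        "full_message": line,
        "timestamp": timestamp,
        "level": LEVEL_TO_SYSLOG.get(fields.get("level", "").lower(), 6),
    }
    for key, value in fields.items():
        if key == "id":          # "_id" is reserved by the GELF spec
            key = "record_id"
        gelf[f"_{key}"] = value
    return gelf


def encode_gelf_udp(message: dict) -> bytes:
    """GELF over UDP: the JSON document, gzip-compressed.

    Messages larger than one datagram would additionally need GELF chunking,
    which this example leaves out.
    """
    return gzip.compress(json.dumps(message).encode("utf-8"))


def decode_gelf_udp(datagram: bytes) -> dict:
    """Inverse of encode_gelf_udp; gzip magic bytes 1f 8b mark a compressed payload."""
    if datagram[:2] == b"\x1f\x8b":
        datagram = gzip.decompress(datagram)
    return json.loads(datagram.decode("utf-8"))


if __name__ == "__main__":
    # Constructed epoch timestamp for the sample line (2016-07-26 14:03:11 UTC).
    doc = to_gelf(SAMPLE_LINE, "fallback-host", 1469541791.0)
    print(json.dumps(doc, indent=2))
    wire = encode_gelf_udp(doc)
    print(f"{len(wire)} bytes on the wire, round trip ok:",
          decode_gelf_udp(wire) == doc)
```

The resulting document has `_level`, `_module` and `_host` as separate fields next to the required `version`, `host` and `short_message`, so a GELF input can index them without any extractor; the syslog version of the same line offers only the one `message` string to search in.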


Re: [graylog2] Feature request - SSL validator as an option

2016-07-25 Thread Jan Doberstein
Hej Mathieu,


I have upgraded my platform to Graylog 2.0.3 and changed some 
configuration items and my reverse proxies to use both the web interface 
and the REST one. 

As a consequence the web interface now uses a signed SSL certificate 
(https://graylog.example.com) and the webservices gateway does not 
(self-signed one, https://graylog-ws.example.com).

wouldn’t this help in your situation?

http://docs.graylog.org/en/2.0/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store


With kind regards
Jan



Re: [graylog2] Graylog slow processing.

2016-07-15 Thread Jan Doberstein
Hej Hema,


On 14 July 2016 at 21:05:58, Hema Kumar (vhs...@gmail.com) wrote:
> I am left with no options, any suggestions would be great.

i guess you did not see the second part of my last message

> On Monday, July 11, 2016 at 1:27:46 PM UTC+5:30, Jan Doberstein wrote:
> > Did you check the heap usage of the nodes? Maybe this could be a
> > bottleneck. You can find this in the Webinterface and the Node
> > overview.

with kind regards
Jan



Re: [graylog2] Graylog slow processing.

2016-07-11 Thread Jan Doberstein
Hey Hema,


On 8 July 2016 at 14:10:50, Hema Kumar (vhs...@gmail.com) wrote:
> I am using graylog 1.3.3 with ES 1.7.5, from yesterday we are seeing the
> process buffer filled up on the master node and the outgoing process is too
> slow than normal, I have tried restarting GL and ES but did not fix the
> issue, below are the log warn and errors we see that repeats continuously.

Only to have it said - did you consider updating to 2.x version in the
near future?


> Could you please help me on this, i have been breaking my head since
> yesterday.

Did you check the heap usage of the nodes? Maybe this could be a
bottleneck. You can find this in the Webinterface and the Node
overview.

regards
Jan



Re: [graylog2] Re: Graylog Does not work on AWS

2016-07-05 Thread Jan Doberstein
Hej,


On 4 July 2016 at 20:00:26, 123Dev (hr...@123loadboard.com) wrote:
> First and foremost, that statement was not meant as a knock on Graylog
> documentation, in fact I'm impressed how fast and frequent the docs are
> updated and kept current.

thank you for this, i will forward it to the dev team!

> Given all the configuration / distribution varieties, it is
> understandably impossible to have flawless documentation.
> Seriously you guys have been amazing with the development and documentation
> Graylog.

we try to improve not only the product, the surroundings are important as well.

> Having said that, we ourselves still struggle getting the REST API part of
> the setup working correctly, even after experimenting lots of configuration
> options and reading many forum / issue tickets.

that is why we will do a change here in the next release. if
everything is working as we had planned, the next version should ease
that up.

— spoiler -

all components use the same port and routing is done by url

- spoiler -

after this is ready we will work on the documentation and try to cover
aws production setups too.

but it would be helpful if you submit your findings as issues or even
better as pull request for the documentation

https://github.com/Graylog2/documentation

thank you
jan



Re: [graylog2] How to configure elsaticsearch cluster for graylog

2016-07-04 Thread Jan Doberstein
Hej,


On 4 July 2016 at 11:27:29, sangh (sanhegi.ma...@gmail.com) wrote:
> i have 2 graylog server and i want to deploy a cluster of three
> elasticsearch so the 2 server can use it. Most article explain how to set
> up graylog server along with elastic search on the same machine. Like
> this one
> http://severalnines.com/blog/high-availability-log-processing-graylog-mongodb-and-elasticsearch

Are you searching for a description like this on how to set up an elasticsearch cluster?
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-production-elasticsearch-cluster-on-ubuntu-14-04

regards
Jan



Re: [graylog2] How to configure elsaticsearch cluster for graylog

2016-07-04 Thread Jan Doberstein
Hej

On 4 July 2016 at 09:31:03, sangh (sanhegi.ma...@gmail.com) wrote:
> for those who deployed bigger production setup for several graylog node.
> Can they show how did they install elasticsearch cluster

what is your question exactly? that most people use the Distribution
Package is not what you like to hear or?

regards
Jan



Re: [graylog2] Expand Hard Drive in OVA

2016-07-04 Thread Jan Doberstein
Hej Jamie,


On 1 July 2016 at 21:38:45, Jamie P (jamiecpar...@gmail.com) wrote:
> I have been researching on how to expand the hard drive in the OVA. I am
> needing to extend it to 100G from the 20G minimum, and I keep running into
> brick walls trying to do this. Some of the links that I keep clicking on
> go to articles that are no longer on the web. Any direction to a document
> or website on how to do this would be much appreciated.

something like this document from the graylog documentation?

http://docs.graylog.org/en/2.0/pages/configuration/graylog_ctl.html?highlight=extend#extend-disk-space

regards
Jan



Re: [graylog2] Re: Graylog Does not work on AWS

2016-07-01 Thread Jan Doberstein
Hej


On 30 June 2016 at 16:09:28, 123Dev (hr...@123loadboard.com) wrote:
> REST API access part is a bit flaky and I agree it can benefit from better
> documentation / code, but Graylog folks have always been proactive and I
> constantly see doc and code updates.

could you please give us a hint what part of the documentation could be better?

Only if we see caveats we can work on them

Thank you
Jan



Re: [graylog2] Graylog 2.x with separate UI servers?

2016-06-29 Thread Jan Doberstein
Hej Jan


On 28 June 2016 at 22:06:20, Jan (jan.lemmerm...@gmail.com) wrote:
> Thank you for the draft. That is what I was going for unless there would
> have been any other options.
> Based on the draft I have another question: Does the Graylog-Master needs
> to be on one of the UI-hosts
> or can it be one of the hosts used for receiving the log-data?

It is possible, sure. But it does not harm to have it in that place.
Maybe future versions need it in that place.

The point here, it does the housekeeping in the cluster.

/jd



Re: [graylog2] Graylog 2.x with separate UI servers?

2016-06-28 Thread Jan Doberstein
Hej Jan,


On 28 June 2016 at 12:45:40, jan.lemmerm...@gmail.com
(jan.lemmerm...@gmail.com) wrote:
> Would I need to put all four graylog machines in one "Graylog Cluster"? Or
> do I need to split the Collector-Hosts from the UI-Hosts but point
> them to the same MongoDB and Elasticsearch-cluster? (I would configure one
> of the Collector-Hosts as "master", all the other hosts as "is_master =
> false" and
> enable the WEB-Interface only on the two UI-hosts).

You need to have all Graylog systems in the same “cluster” - that means
all servers need to talk to the same MongoDB instance, need to be able
to reach each other's Graylog API listen URI and need to be able to
connect to the Elasticsearch cluster.

The Web Interface on the “Collector” Hosts can be disabled:
https://github.com/Graylog2/graylog2-server/blob/master/misc/graylog.conf#L84-L86

However you design your network, I have attached a draft of how the
components need to communicate!

hope that helps you

/jd



Re: [graylog2] Future Elasticsearch Update

2016-06-28 Thread Jan Doberstein
Hej Gabriele,



On 28 June 2016 at 10:53:12, Gabriele Abbate (gabry.abbat...@gmail.com) wrote:
> I heard that from version 5.0 all elk products will be aligned and released
> together.
> I'd like to know if graylog future update will be compatible with latest
> elasticsearch versions.

As Graylog is not made by Elastic it will not be ‘in line’ with elk products.

with kind regards
Jan



Re: [graylog2] Colors in Charts and Data Table

2016-06-28 Thread Jan Doberstein
Hej Josh,


On 28 June 2016 at 07:22:45, 'Joshua Humpich' via Graylog Users
(graylog2@googlegroups.com) wrote:
> is there a way to manipulate the colors of a pie chart or data table views?
> At the moment my application log levels (info, debug, trace, error) got bad
> colors for the chart.
> The idea is to tell graylog which log level gets which color or something.

At the moment this is not possible.

Just create a feature request for this
https://github.com/Graylog2/graylog2-server/issues

/jd



Re: [graylog2] Need some help disabling ciphers and algorithms

2016-06-27 Thread Jan Doberstein
Hej Ragnar,



On 25 June 2016 at 14:13:32, Ragnar (invalid.nore...@gmail.com) wrote:
> Steps Tried:
> 1. Created a security.properties file using the exact example
> (un-commenting out the relevant lines) and put it in the
> /opt/graylog/server directory
> 2. Ran the command java
> -Djava.security.properties=/opt/graylog/server/security.properties -jar
> /opt/graylog/server/graylog.jar server
>
> Received an error stating that etc/graylog/server/server.conf didn't exist
> so I created it
>
> 3. Ran the command java
> -Djava.security.properties=/opt/graylog/server/security.properties -jar
> /opt/graylog/server/graylog.jar server again and now I get the error:

> Any ideas?

you need to add it as an additional startup parameter to Graylog!

as you use the Graylog OVA image, I have created this issue:
https://github.com/Graylog2/omnibus-graylog2/issues/31

because this is currently not safely possible.

/jd

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/CAGm-bLb4v0JHLz5acB2A6s6dYqH31fNUU_Y3OM8PVijFYhCD3w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
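The thread above stops at "add it as a startup parameter". The following is an added example (not from the thread and not Graylog project code) of what that looks like on a package install: an overlay security-properties file that disables weak TLS protocols and ciphers, a check that a given algorithm really is listed, and an idempotent edit that appends -Djava.security.properties to GRAYLOG_SERVER_JAVA_OPTS. The defaults-file path (/etc/default/graylog-server), its double-quoted value syntax and the JDK 8 property names are assumptions; the OVA of that time did not expose this, which is what Jan's issue is about.

```shell
#!/bin/sh
# Added example, not from the thread or the Graylog project. Restricts the
# JVM's TLS algorithms for Graylog with an overlay security-properties file and
# makes sure the server is started with -Djava.security.properties pointing at
# it. Assumptions: a package install whose startup reads GRAYLOG_SERVER_JAVA_OPTS
# from a defaults file (e.g. /etc/default/graylog-server) with a double-quoted
# value, and JDK 8 property names.

# Write the overlay. It is selected at startup with
# -Djava.security.properties=<file>; a single "=" merges it over the JDK's own
# java.security, "==" would replace that file entirely.
write_security_properties() {
    # $1: destination path
    cat > "$1" <<'EOF'
# Overlay for $JAVA_HOME/jre/lib/security/java.security (JDK 8 syntax).
# Protocols and algorithms the JSSE TLS stack must refuse to negotiate.
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, 3DES_EDE_CBC, MD5withRSA, DH keySize < 2048, EC keySize < 224
# Algorithms refused while validating certificate chains. Raising the RSA
# floor to 2048 will reject an internal CA that still uses 1024-bit keys.
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 2048, DSA keySize < 2048
EOF
}

# Print the value of key $2 in properties file $1, with backslash-continued
# lines joined; prints nothing when the key is absent or commented out.
security_property() {
    awk -v key="$2" '
        /\\$/ { buf = buf substr($0, 1, length($0) - 1); next }
        { line = buf $0; buf = "" }
        index(line, key "=") == 1 {
            line = substr(line, length(key) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            print line
        }' "$1"
}

# Exit 0 when $3 (e.g. RC4 or "DH keySize < 2048") is one of the
# comma-separated entries of key $2 in properties file $1.
algorithm_disabled() {
    security_property "$1" "$2" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF -- "$3"
}

# Append a JVM option to GRAYLOG_SERVER_JAVA_OPTS in defaults file $1 unless
# an option with the same name (text before "=") is already there. Idempotent,
# so it is safe to run from configuration management on every apply.
ensure_java_opt() {
    # $1: defaults file, $2: option, e.g. -Djava.security.properties=/path
    name=${2%%=*}
    if grep -q '^GRAYLOG_SERVER_JAVA_OPTS=' "$1"; then
        grep '^GRAYLOG_SERVER_JAVA_OPTS=' "$1" | grep -qF -- "$name" && return 0
        tmp=$(mktemp)
        sed "s|^\(GRAYLOG_SERVER_JAVA_OPTS=\"[^\"]*\)\"|\1 $2\"|" "$1" > "$tmp" \
            && mv "$tmp" "$1"
    else
        printf 'GRAYLOG_SERVER_JAVA_OPTS="%s"\n' "$2" >> "$1"
    fi
}

# Usage on a package install (paths assumed), then restart graylog-server:
#   write_security_properties /etc/graylog/server/security.properties
#   ensure_java_opt /etc/default/graylog-server \
#       -Djava.security.properties=/etc/graylog/server/security.properties
```

After the restart, confirm the effect from the outside with your usual TLS scanner against the REST API or web interface port rather than trusting the file: a typo in the property name is silently ignored by the JDK.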


Re: [graylog2] Having some difficulties with 3 node graylog cluster

2016-06-27 Thread Jan Doberstein
Hej Yiannis,




On 24 June 2016 at 16:19:01, Yiannis (k...@stoiximan.gr) wrote:
> the setup is really straight forward and never thought that i will have
> difficulties but….

you are facing a strange issue. That looks like a corner case.

>
> On Friday, June 24, 2016 at 10:42:21 AM UTC+2, Jan Doberstein wrote:

> That is my starting papameters for all graylog server
> GRAYLOG_SERVER_JAVA_OPTS=
> "-Xms8g -Xmx8g -XX:NewRatio=1 -server -XX:+ResizeTLAB
> -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled
> -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC
> -XX:-OmitStackTraceInFastThrow"
>

> > > My 2 biggest problem are:
> > >
> > > 1) Most of the times when i press the search button (and only the search
> > > button displayed in the image)
> > >
> > > seems to me that my browser goes again from the login screen (to send
> > again
> > > the user credential) before rendering the results
> >
> > Can you please look into your log files of graylog when this happens
> > to you - it should be possible to get an idea why this happens just by
> > looking at the log file during this ‘event’.

> When the log lever is INFO nothing appears in the log during this ‘event’,
> when i change to DEBUG or TRACE i really can't get the idea of what is
> happening.

if possible, can you upload such logs somewhere - just because this is
something Graylog related and not Elasticsearch or Mongo.
This would be really helpful.



> > > 2) Every now and then, i get a strange error (when mostly when using
> > > firefox) from webs interface api server like the following
> > > (no errors on shown in the graylog server logs)
> >
> > Are you sure that you read
> >
> > http://docs.graylog.org/en/2.0/pages/configuration/web_interface.html#overview
> >
> > and set all configurations according to that?
> >
> > Even if you run the web interface only on one node, the API of all
> > nodes needs to be reachable by your browser.
> >
> >
> I believe i did

> and yes the API of all Nodes is reachable from my browser.

It could be that you are facing the issue Jason mentioned in his mail -
maybe you can give us some information so that we are able to reproduce it.

thx
Jan



Re: [graylog2] Having some difficulties with 3 node graylog cluster

2016-06-24 Thread Jan Doberstein
Hej Yiannis,



On 24 June 2016 at 01:18:39, Yiannis (k...@stoiximan.gr) wrote:
> I 've installed and configured a 3 node graylog (2.0.3) "cluster". On 3
> R610 (16 cores total) servers with 72GB of RAM (Every nodes has installed
> mongo, elastic and graylog)

I guess you have set *is_master = true* in one graylog.conf and
*is_master = false* on the two others; additionally, I guess you have set up a
replica set for your MongoDB (
https://docs.mongodb.com/manual/reference/replica-configuration/ ) and
that you are using the same cluster.name in your Elasticsearch
configuration.

Additionally, I would suggest raising the heap for Elasticsearch to
31GB and for Graylog to 5GB.


> My 2 biggest problem are:
>
> 1) Most of the times when i press the search button (and only the search
> button displayed in the image)
>
> seems to me that my browser goes again from the login screen (to send again
> the user credential) before rendering the results

Can you please look into your log files of graylog when this happens
to you - it should be possible to get an idea why this happens just by
looking at the log file during this ‘event’.



> 2) Every now and then, i get a strange error (when mostly when using
> firefox) from webs interface api server like the following
> (no errors on shown in the graylog server logs)

Are you sure that you read
http://docs.graylog.org/en/2.0/pages/configuration/web_interface.html#overview
and set all configurations according to that?

Even if you run the web interface only on one node, the API of all
nodes needs to be reachable by your browser.


regards
Jan



Re: [graylog2] Additional DateTime column sourced as epoch time

2016-06-23 Thread Jan Doberstein
On 23 June 2016 at 19:48:30, craig.hanc...@uptake.com
(craig.hanc...@uptake.com) wrote:
> I am trying to get graylog to interpret a field I am sending over, a field
> that I would like to interpret as a timestamp; however the issue that I am
> having is that it is coming across as UNIX epoch
>
> 1) Is there an operation I can do on the graylog to convert this as a
> datetimestamp
> 2) Once converted is there a way to have this data searchable as a
> datetimestamp just like the current timestamp variable


I just copy over the Conversation we had in IRC about this:

[19:40:18]  hello all
[19:41:24]  I am trying to get graylog to interpret a field I
am sending over, a field that I would like to interpret as a timestamp;
however the issue that I am having is that it is coming across as UNIX
epoch
[19:41:49]  1) Is there an operation I can do on the graylog
to convert this as a datetimestamp
[19:42:18]  2) Once converted is there a way to have this
data searchable as a datetimestamp just like the current timestamp
variable
[19:52:08]  ghanima: yes and yes
[19:52:49]  jalogisch: I am all ears on how to approach this
but I am not sure where to start
[19:53:14]  How can I convert the epoch to a datetime within graylog
[19:53:40]  how does a log that contains this look like?
[19:54:30]  jalogisch: the entries are being pulled from a file
[19:54:34]  sample entry looks like this
[19:54:35]  16/06/20 22:30:56 WARN InfluxDBQuarantineHandler:
Message quarantined! Reason: Invalid - reading time ahead of current
clock time, Msg:
47314fd5-5468-4d9e-b051-30015a474916.fb55df42de304c6a57421da3218a7c54-CAT.03f72667-15dd-4587-a180-c248a06bde4e.02ed558e-73ab-4807-876c-d0b69b255645
1466490475000 171984.0
[19:54:43]  first option, extract via grok
http://docs.graylog.org/en/2.0/pages/extractors.html?highlight=grok#using-grok-patterns-to-extract-data
and create a new field that gets converted into a timestamp
[19:55:22]  in the format you like to have
[19:55:40]  I have configured on the graylog side a grok
filter %{DATESTAMP:insertdate} %{WORD:logstatus} %{WORD:influx}:
(?[a-zA-Z]*\s[a-zA-Z]*)! (?.*), Msg:
(?\w*-\w*-\w*-\w*-\w*).(?\w*-CAT).(?\w*-\w*-\w*-\w*-\w*).(?\w*-\w*-\w*-\w*-\w*)
%{NUMBER:metrictimestamp} (?.*)
[19:56:26]  I want this field 1466490475000 which is the 3rd
to last be converted to MM/DD/YY hh:mm:ss Z
[19:58:09]  jalogisch: does that make sense
[19:58:50]  second option is to use the
http://docs.graylog.org/en/2.0/pages/extractors.html?highlight=grok#the-standard-date-converter
date converter after extraction
[20:00:01]  looks  valid
[20:03:02]  replace %{NUMBER:..} with
%{NUMBER:metrictimestamp:timestamp;date;dd/MMM/:HH:mm:ss Z}
[20:03:31]  that should do the trick - as written a few
lines above 
http://docs.graylog.org/en/2.0/pages/extractors.html?highlight=grok#using-the-json-extractor
[20:03:53]  means you need to scroll up a few lines to have
this information
[20:04:55]  jalogisch: what about all the data that has been
indexed, is there a way to re-process that data
[20:05:21]  not within graylog
[20:05:50]  you would need to modify direct in
elasticsearch or export the data and send it again to graylog
[20:07:26]  jalogisch: in my grok pattern %{DATESTAMP:insertdate}
[20:07:52]  can I trust that this will store this data as a
date timestamp and its searchable as such or is there another
conversion that needs to be done
[20:09:14]  read the docs - it is explained. for date you
can grep, store in a new field and convert with one grok
[20:09:33]  but you need to specify the format you like to
have as a result
[20:15:37]  jalogisch: so unless I misread you posted this is
what happens
[20:15:41]  when I apply this grok
%{NUMBER:metrictimestamp;date;/dd/:HH:mm:ss Z}
[20:15:46]  I get this error
[20:16:05]  java.text.ParseException: Unparseable date: "146621064"
[20:17:01]  jalogisch: I tried both NUMBER and DATA
[20:22:25]  i see - and checked the configuration
[20:22:45]  SimpleDateFormat is the range for this conversion
[20:23:01]  and that does not see epoch as a valid date format
[20:23:37]  can you please fill an issue
https://github.com/Graylog2/graylog2-server/issues that this get
corrected
[20:26:11]  and to solve your issue you will need to try
the Flexibly parse date extractor with a copy input extractor that
contains the data

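The IRC exchange above ends with the date converter refusing the epoch value (SimpleDateFormat has no epoch pattern). Before wiring up a copy-input extractor and a flexible-date converter, it helps to know exactly what the extractor should produce for that line. The following is an added example, not from the IRC log or from Graylog: it pulls the metric timestamp out of the quoted InfluxDBQuarantineHandler line (the second-to-last token, where %{NUMBER:metrictimestamp} sits in the grok pattern) and converts it to the MM/DD/YY hh:mm:ss Z form ghanima asked for, rejecting values that are not 10- or 13-digit epochs instead of mis-parsing them. The sample line is constructed (UUIDs shortened, epoch value from the thread); GNU date with -d @epoch is assumed.

```shell
#!/bin/sh
# Added example, not from the IRC exchange or the Graylog project.
# Converts the epoch-millisecond field of the quoted log line outside Graylog
# so the expected extractor output can be checked first. Assumes GNU date.

# Constructed sample, modelled on the line pasted in the thread (message id and
# UUIDs shortened; the epoch value 1466490475000 is the one from the thread).
SAMPLE='16/06/20 22:30:56 WARN InfluxDBQuarantineHandler: Message quarantined! Reason: Invalid - reading time ahead of current clock time, Msg: 47314fd5-CAT.02ed558e 1466490475000 171984.0'

# Print the metric timestamp: the second-to-last whitespace-separated token,
# which is where %{NUMBER:metrictimestamp} sits in the grok pattern above.
metric_timestamp() {
    printf '%s\n' "$1" | awk '{ print $(NF-1) }'
}

# Convert an epoch value to "MM/DD/YY HH:MM:SS +0000" (UTC). 13 digits are
# taken as milliseconds, 10 digits as seconds; anything else, such as the
# truncated "146621064" that produced the ParseException in the thread, is
# rejected with exit status 1 rather than silently converted to a wrong date.
epoch_to_date() {
    case "$1" in
        *[!0-9]*|'') echo "not an epoch value: $1" >&2; return 1 ;;
    esac
    case ${#1} in
        13) secs=$(( $1 / 1000 )) ;;
        10) secs=$1 ;;
        *)  echo "unexpected epoch length ${#1}: $1" >&2; return 1 ;;
    esac
    date -u -d "@$secs" '+%m/%d/%y %H:%M:%S %z'
}

# Run both steps on the sample line.
epoch_to_date "$(metric_timestamp "$SAMPLE")"
```

Whatever converter ends up doing this inside Graylog, its output for the sample line must match what this prints; if the extractor test in the web interface shows a different year or a 1970 date, the field was parsed as seconds instead of milliseconds or the other way round.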


Re: [graylog2] Re: RPM update from 2.0.2 to 2.0.3 breaks Graylog

2016-06-23 Thread Jan Doberstein
Hej SHon,

all that you describe looks like a bug; can you please open a ticket at
https://github.com/Graylog2/graylog2-server/issues so that the issue can
be fixed.

thank you
Jan


On 23 June 2016 at 19:11:37, Shon Nixon (shon.ni...@gmail.com) wrote:
> Decided to run nxlog solo with the correct information and still get the
> same problem:
>
>
> 2016-06-23T12:58:18.248-04:00 ERROR [GelfCodec] Could not parse JSON, first
> 400 characters: `�)�V���C�
>
> �a?�n
> �n�r��埯o}ۍvdY>_"~g��rgИ:�
> com.fasterxml.jackson.core.JsonParseException: Unexpected character ('`'
> (code 96)): expected a valid value (number, String, array, object, 'true',
> 'false' or 'null')
> at [Source: `�)�V���C�
> �a?�n
> �n�r��埯o}ۍvdY>_"~g��rgИ:�; line: 1, column: 2]
> at
> com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1581)
> ~[graylog.jar:?]
> at
> com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:533)
> ~[graylog.jar:?]
> at
> com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:462)
> ~[graylog.jar:?]
> at
> com.fasterxml.jackson.core.json.ReaderBasedJsonParser._handleOddValue(ReaderBasedJsonParser.java:1624)
> ~[graylog.jar:?]
> at
> com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:689)
> ~[graylog.jar:?]
> at
> com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3771)
> ~[graylog.jar:?]
> at
> com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3716)
> ~[graylog.jar:?]
> at
> com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:2272)
> ~[graylog.jar:?]
> at org.graylog2.inputs.codecs.GelfCodec.decode(GelfCodec.java:115)
> [graylog.jar:?]
> at
> org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:136)
> [graylog.jar:?]
> at
> org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:82)
> [graylog.jar:?]
> at
> org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:58)
> [graylog.jar:?]
> at
> org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35)
> [graylog.jar:?]
> at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:139)
> [graylog.jar:?]
> at
> com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66)
> [graylog.jar:?]
> at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
> 2016-06-23T12:58:18.253-04:00 ERROR [DecodingProcessor] Unable to decode
> raw message af0450e2-3963-11e6-ae65-005056937893 (journal offset 84466333)
> encoded as gelf received from /10.100.150.89:34338.
>
>
>
> Then took HAProxy out of the picture and pushed to one of the servers
> directly and STILL get the same problem:
>
>
> 2016-06-23T13:01:41.359-04:00 ERROR [GelfCodec] Could not parse JSON, first
> 400 characters: �p]3
> b�Q��F!��0�и
> i�D��
> com.fasterxml.jackson.core.JsonParseException: Unexpected character ('�'
> (code 65533 / 0xfffd)): expected a valid value (number, String, array,
> object, 'true', 'false' or 'null')
> at [Source: �p]3
> b�Q��F!��0�и
> i�D��; line: 1, column: 2]
> at
> com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1581)
> ~[graylog.jar:?]
> at
> com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:533)
> ~[graylog.jar:?]
> at
> com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:462)
> ~[graylog.jar:?]
> at
> com.fasterxml.jackson.core.json.ReaderBasedJsonParser._handleOddValue(ReaderBasedJsonParser.java:1624)
> ~[graylog.jar:?]
> at
> com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:689)
> ~[graylog.jar:?]
> at
> com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3771)
> ~[graylog.jar:?]
> at
> com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3716)
> ~[graylog.jar:?]
> at
> com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:2272)
> ~[graylog.jar:?]
> at org.graylog2.inputs.codecs.GelfCodec.decode(GelfCodec.java:115)
> [graylog.jar:?]
> at
> org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:136)
> [graylog.jar:?]
> at
> org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:82)
> [graylog.jar:?]
> at
> org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:58)
> [graylog.jar:?]
> at
> org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35)
> [graylog.jar:?]
> at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:139)
> [graylog.jar:?]
> at
> com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66)
> [graylog.jar:?]
> at java.lang.Thread.run(Thread.java:745) 

Re: [graylog2] Exception in thread "elasticsearch[graylog2-server][generic][T#1]"

2016-06-23 Thread Jan Doberstein
Hej Anant,


On 23 June 2016 at 16:34:21, Anant Sawant (sawantanan...@gmail.com) wrote:
> This is the first time this issue has occurred. Could you please tell me
> how can I check and increase heap size for graylog server, I searched but
> got nothing for graylog server about how to increase the heap size.

it depends on how you installed Graylog. In your startup script you
can place additional Java opts, and you need to raise the heap at this
location.

/jd

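"Raise the heap in your startup script" is the whole answer above, so here is an added example (not from the thread, not Graylog project code) of doing it on a package install without hand-editing: read the current -Xmx from the GRAYLOG_SERVER_JAVA_OPTS line of a defaults file such as /etc/default/graylog-server or /etc/sysconfig/graylog-server (path assumed; the omnibus/OVA install keeps its options elsewhere), rewrite -Xms and -Xmx together, and refuse a heap larger than half of the machine's RAM so the next failure is not the kernel OOM killer. The sample line in the test is the one the OVA showed in the "server not running" thread further down.

```shell
#!/bin/sh
# Added example, not from the thread or the Graylog project. Reads and raises
# the Graylog server heap in the GRAYLOG_SERVER_JAVA_OPTS line of a defaults
# file (path assumed, e.g. /etc/default/graylog-server). Only the -Xms/-Xmx
# flags are touched; every other option on the line is left as it is.

# Convert a JVM size such as 1g, 1500m, 512k or plain bytes to megabytes.
jvm_size_mb() {
    n=${1%[kKmMgG]}
    case "$1" in
        *[gG]) echo $(( n * 1024 )) ;;
        *[mM]) echo "$n" ;;
        *[kK]) echo $(( n / 1024 )) ;;
        *)     echo $(( n / 1024 / 1024 )) ;;
    esac
}

# Print the configured maximum heap (-Xmx) of defaults file $1 in MB;
# exit 1 and print nothing when the line or the flag is missing.
graylog_heap_mb() {
    xmx=$(sed -n 's/^GRAYLOG_SERVER_JAVA_OPTS=.*-Xmx\([0-9]*[kKmMgG]*\).*/\1/p' "$1")
    [ -n "$xmx" ] && jvm_size_mb "$xmx"
}

# Rewrite -Xms and -Xmx in defaults file $1 to size $2 (e.g. 2g). The heap is
# refused when it exceeds half of the machine's RAM, taken from $3 (MB) when
# given, else from /proc/meminfo; the check is skipped if neither is available.
set_graylog_heap() {
    want_mb=$(jvm_size_mb "$2")
    total_mb=${3:-$(awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo 2>/dev/null)}
    if [ -n "$total_mb" ] && [ "$want_mb" -gt $(( total_mb / 2 )) ]; then
        echo "refusing heap ${want_mb}MB on a ${total_mb}MB machine" >&2
        return 1
    fi
    tmp=$(mktemp)
    sed -e '/^GRAYLOG_SERVER_JAVA_OPTS=/s/-Xms[0-9]*[kKmMgG]*/-Xms'"$2"'/' \
        -e '/^GRAYLOG_SERVER_JAVA_OPTS=/s/-Xmx[0-9]*[kKmMgG]*/-Xmx'"$2"'/' \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

# Usage (path assumed), followed by a restart of graylog-server:
#   graylog_heap_mb /etc/default/graylog-server
#   set_graylog_heap /etc/default/graylog-server 2g
```

Setting -Xms equal to -Xmx is deliberate: the JVM then reserves the heap at startup, so an undersized machine fails immediately instead of after hours of growth, which is exactly the kind of OutOfMemoryError reported in this thread.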


Re: [graylog2] converters in grok pattern

2016-06-23 Thread Jan Doberstein
Hej,



On 23 June 2016 at 09:22:40, Андрей Грошев (greenx...@gmail.com) wrote:

> And for example the request http_code:<204 doesn't work.
> I found an example defining the pattern as %{INT:http_code;int} (a semicolon, not a
> colon as in elastic)
> And it worked, the index is mapped in elastic as:
>
> "http_code": {
> "type": "long"
> }


> where exists manual as right use grok patter in graylog with converters?

i guess you are asking for this documentation link:

http://docs.graylog.org/en/2.0/pages/extractors.html?highlight=grok#using-grok-patterns-to-extract-data

with kind regards
Jan



Re: [graylog2] Exception in thread "elasticsearch[graylog2-server][generic][T#1]"

2016-06-23 Thread Jan Doberstein
Hej Anant,


On 23 June 2016 at 09:40:05, Anant Sawant (sawantanan...@gmail.com) wrote:
> Graylog server is throwing following error. Exception in thread


> Exception: java.lang.OutOfMemoryError thrown from the
> UncaughtExceptionHandler in thread
> "elasticsearch[graylog2-server][generic][T#10]"
> Exception in thread "eventbus-handler-8" Exception in thread
> "restapi-boss-0" Exception in thread "eventbus-handler-9"
> Exception: java.lang.OutOfMemoryError thrown from the
> UncaughtExceptionHandler in thread "eventbus-handler-8"
>
> Exception: java.lang.OutOfMemoryError thrown from the
> UncaughtExceptionHandler in thread "restapi-boss-0”


Does this happen from one day to the other? Did you check your memory
usage and the heap of the Graylog server?

Would it be possible for you to update to the latest 1.3.5 release or
update to the most current 2.0.3 version?


> Is the issue related to the Graylog server or elasticsearch??
>
> Using Graylog 1.1.6 and elasticsearch 1.7.2 on CentOS release 6.7.

This is related to Graylog - as you can see, it gives an out-of-memory error.

with kind regards
Jan



Re: [graylog2] NXlog and Graylog Collector Sidecar on SUSE Linux Server

2016-06-23 Thread Jan Doberstein
Hi,

On 23 June 2016 at 11:16:16, sailing-lin (saito...@gmail.com) wrote:
> I try to install NXlog and Graylog Collector Sidecar on my SUSE Linux
> Enterprise Server 11. But there is no rpm package for SUSE, does anyone
> know how to use these two packages on SUSE?

just install the existing RPMs or use the .tgz

with kind regards
Jan



Re: [graylog2] Re: Stream Stopped - Audit Stream Activity

2016-06-21 Thread Jan Doberstein
Hi Michael,



On 21 June 2016 at 13:34:22, Michael Brosnan (brosnan.mich...@gmail.com) wrote:
> I now have found the error. Any idea what might have caused this?
>
> "WARN [StreamFaultManager] Processing of stream failed
> to return within 2000ms"

I guess that your Elasticsearch is under load or not fast enough
during this time.

with kind regards
Jan



Re: [graylog2] server not running even though graylog-ctl says it is

2016-06-21 Thread Jan Doberstein
Hej,


On 20 June 2016 at 16:37:48, 123Dev (hr...@123loadboard.com) wrote:
> > What happens if you kill the curl and try to restart graylog-server?
> >
>
> Aha, Thanks for pointing that out
> Graylog server starts
> The entire steps below.
>
> It looks like Graylog-Server is trying to reach a local mongo db for 10 minutes
> before timing out.
> Why is that, could that be a bug?
> This is the setting in graylog.conf
>
> # MongoDB Configuration
> mongodb_uri = mongodb://10.20.1.229:27017/graylog
>
>
>
> Why is it trying localhost?

Did you check your /etc/hosts for this IP? Are you able to ping/telnet
from the Graylog server? Did you check if mongodb_uri is set twice?

How did you configure this second server as a slave?

> This instance of Graylog-Server is a slave / secondary server that connects
> to the master's mongo db.
> If this is a bug in Graylog, kindly re-open this
> ticket.
> Otherwise please let me know what I should do to avoid this 10 minute test
> to localhost.

regards
Jan

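Two of Jan's questions above ("is mongodb_uri set twice?" and "can you reach it from the Graylog server?") are mechanical checks. The following is an added example, not from the thread or the Graylog project, that runs them against a graylog.conf: it flags a mongodb_uri key that appears more than once (a duplicated key is ambiguous, so it is reported rather than guessing which assignment the server honours), parses the host list out of the URI including credentials and replica-set member lists, and tries a TCP connect to each member. The sample configs are constructed; nc(1) or a bash with /dev/tcp is assumed for the connect test.

```shell
#!/bin/sh
# Added example, not from the thread or the Graylog project. Checks the
# mongodb_uri setting of a graylog.conf the way Jan's questions suggest.

# Print every uncommented value assigned to key $2 in config file $1,
# one per line, with surrounding whitespace removed.
conf_values() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//'
}

# Exit 0 when mongodb_uri is set exactly once; 1 when missing or duplicated.
mongodb_uri_unique() {
    n=$(conf_values "$1" mongodb_uri | wc -l)
    [ "$n" -eq 1 ]
}

# Print the host:port members of a mongodb:// URI, one per line. Strips
# user:password@ credentials and the /database?options part; members without
# an explicit port get MongoDB's default 27017.
mongodb_hosts() {
    uri=${1#mongodb://}
    uri=${uri%%/*}            # drop /database?options
    uri=${uri##*@}            # drop credentials
    printf '%s\n' "$uri" | tr ',' '\n' | while IFS= read -r hp; do
        case "$hp" in
            *:*) printf '%s\n' "$hp" ;;
            *)   printf '%s:27017\n' "$hp" ;;
        esac
    done
}

# Exit 0 when a TCP connection to host:port ($1) succeeds within 3 seconds.
# Assumption: nc(1) is installed, or bash provides /dev/tcp as a fallback.
tcp_reachable() {
    host=${1%:*}; port=${1##*:}
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$host" "$port" >/dev/null 2>&1
    else
        timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    fi
}

# Full check for config file $1: exit 0 only if the key is set once and every
# member of the URI accepts a TCP connection from this host.
check_mongodb() {
    if ! mongodb_uri_unique "$1"; then
        echo "mongodb_uri is missing or set more than once in $1:" >&2
        grep -n '^[[:space:]]*mongodb_uri' "$1" >&2
        return 1
    fi
    rc=0
    for hp in $(mongodb_hosts "$(conf_values "$1" mongodb_uri)"); do
        if tcp_reachable "$hp"; then
            echo "$hp reachable"
        else
            echo "$hp NOT reachable"; rc=1
        fi
    done
    return $rc
}

# Usage (path assumed): check_mongodb /etc/graylog/server/server.conf
```

Run check_mongodb as the same user and from the same host that runs graylog-server; a firewall rule that permits your workstation but not the Graylog node is exactly the case a test from your desk would miss.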


Re: [graylog2] Re: Stream Stopped - Audit Stream Activity

2016-06-21 Thread Jan Doberstein
Dear Michael,

what was the last action you did?

What can you find in your Graylog server log file?

regards
Jan


On 21 June 2016 at 13:02:36, Michael Brosnan (brosnan.mich...@gmail.com) wrote:
>
> When I click "Start Stream", I get "Resuming Stream failed with status:
> Unauthorized"
>
> On Tuesday, June 21, 2016 at 11:55:36 AM UTC+1, Michael Brosnan wrote:
> >
> > Hi all,
> >
> > I have a stream that (seemingly) paused by itself. Any reason why this
> > might happen on graylog 1.3?
> >
> > Also, is there a way to search the activity history of streams ... e.g
> > identify if a stream had been stopped by a user - has a stream some
> > identifier?
> >
> > Thank you.
> >
> >
> >
>
>



Re: [graylog2] Re: Input Failed to Start

2016-06-19 Thread Jan Doberstein
Hej Justin,

did you check if any other input runs on the same port?

with kind regards
Jan

--
| http://jalogis.ch/bio | W3W sticks.flanks.pulse
| -
| get trusted and secure VPN services http://jalogis.ch/vpnsh

On 17 June 2016 at 17:28:35, Justin Reid (jusmr...@gmail.com) wrote:
> Hi Jochen,
> Thank you very much for replying. I have the bind port set to 5140. Still 
> same error.
>
> Could the "permission denied" part of the error message mean that it is 
> having permission
> writing to a file ?
>
> Thanks Again,
> Justin
>
>

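The two things to rule out for an input that fails to start are the ones raised in this thread: another listener already on the port, and "permission denied" from binding a privileged port as the unprivileged graylog user. The following is an added example, not from the thread or the Graylog project, that checks both on the Graylog host. It assumes a Linux host with ss(8) from iproute2; the port-in-use check is skipped with a warning when ss is missing.

```shell
#!/bin/sh
# Added example, not from the thread or the Graylog project. Pre-flight checks
# for a Graylog input bind on Linux. Assumes ss(8) from iproute2 is installed.

# Exit 0 when $1 is a privileged port (< 1024), 1 when not, 2 when $1 is not a
# number. Ports below 1024 need root or CAP_NET_BIND_SERVICE; graylog-server
# runs as its own user, which is why syslog inputs usually go on 1514 or 5140
# instead of 514.
privileged_port() {
    case "$1" in
        *[!0-9]*|'') return 2 ;;
    esac
    [ "$1" -lt 1024 ]
}

# Print the ss(8) line of whatever already listens on port $2 over $1 (tcp|udp)
# and exit 0; exit 1 when the port is free; exit 2 when ss is unavailable.
port_listener() {
    case "$1" in
        tcp) flags=-ltnp ;;
        udp) flags=-lunp ;;
        *) echo "proto must be tcp or udp" >&2; return 2 ;;
    esac
    command -v ss >/dev/null 2>&1 || { echo "ss(8) not found, skipping listener check" >&2; return 2; }
    # Match the local address column by its ":port" suffix regardless of
    # whether ss prints a State column (it differs between versions/protocols).
    ss $flags 2>/dev/null | awk -v port="$2" '
        { for (i = 1; i <= NF; i++) if ($i ~ (":" port "$")) { print; found = 1; break } }
        END { exit found ? 0 : 1 }'
}

# Combined check: exit 0 only when port $2/$1 looks bindable by the current
# user. Run it as the user graylog-server runs as, not as root, or the
# privilege check answers for the wrong account.
check_input_port() {
    if owner=$(port_listener "$1" "$2"); then
        echo "port $2/$1 already bound: $owner"
        return 1
    fi
    if privileged_port "$2" && [ "$(id -u)" -ne 0 ]; then
        echo "port $2/$1 is privileged; run as root, grant CAP_NET_BIND_SERVICE, or use a port >= 1024"
        return 1
    fi
    echo "port $2/$1 is free"
}

# Usage for a syslog UDP input on 5140:
#   check_input_port udp 5140
```

If the port is free and not privileged but the input still reports "permission denied", the next suspects are a bind address that is not configured on any interface and a MAC policy (SELinux/AppArmor) on the node, not the port number.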


Re: [graylog2] server not running even though graylog-ctl says it is

2016-06-19 Thread Jan Doberstein
Hej,

what happens if you reboot the server? What happens if you restart the service?

What happens if you kill the curl and try to restart graylog-server?

with kind regards
Jan

--
| -
| get trusted and secure VPN services http://jalogis.ch/vpnsh

On 17 June 2016 at 19:15:20, 123Dev (hr...@123loadboard.com) wrote:
>
>
> We've upgraded our production system (AWS images) from 1.3.x to 2.0.2
> On the primary server the Graylog Server is fully operational
> Whereas on the secondary server, the process is running (or it seems), but
> it's not writing anything to the logs and it does not appear in the UI as a
> node.
>
>
> On the trouble server
> sudo graylog-ctl status shows
>
>
> run: elasticsearch: (pid 1036) 480s; run: log: (pid 1032) 480s
> run: etcd: (pid 1033) 480s; run: log: (pid 1028) 480s
> run: *graylog-server: (pid 1029)* 480s; run: log: (pid 1024) 480s
> run: nginx: (pid 1025) 480s; run: log: (pid 1022) 480s
>
>
>
> As seen graylog-server is running with pid 1029
>
> But if we check the processes with pid 1029
>
>
> ps -elf | grep 1029 shows
>
>
> 0 S root 1029 1018 0 80 0 - 1110 - 21:26 ? 00:00:00 /bin/sh ./run
> 0 S root 1039 1029 0 80 0 - 2154 - 21:26 ? 00:00:00 timeout 600 bash -c until 
> curl -s http://127.0.0.1:27017;
> do sleep 1; done
> 0 S ubuntu 2638 2524 0 80 0 - 2616 pipe_w 21:35 pts/0 00:00:00 grep 
> --color=auto 1029
>
>
>
>
> Which clearly is *not *the graylog-server process
>
>
> If we check the same thing on the primary server where everything is
> working fine,
> sudo graylog-ctl status shows
>
>
> run: elasticsearch: (pid 12071) 1318s; run: log: (pid 1037) 333246s
> run: etcd: (pid 12090) 1317s; run: log: (pid 1035) 333246s
> run: *graylog-server: (pid 12125)* 1312s; run: log: (pid 1038) 333246s
> run: mongodb: (pid 12132) 1311s; run: log: (pid 1036) 333246s
> run: nginx: (pid 12134) 1311s; run: log: (pid 1039) 333246s
>
>
>
> ps -elf | grep 12125 shows
>
>
> 4 S graylog 12125 1031 28 80 0 - 1169685 - 21:13 ? 00:06:14 
> /opt/graylog/embedded/jre/bin/java
> -Xms1g -Xmx1500m -XX:NewRatio=1 -server -XX:+ResizeTLAB 
> -XX:+UseConcMarkSweepGC
> -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC
> -XX:-OmitStackTraceInFastThrow -jar 
> -Dlog4j.configurationFile=file:///opt/graylog/conf/log4j2.xml
> -Djava.library.path=/opt/graylog/server/lib/sigar/ 
> -Dgraylog2.installation_source=unknown
> /opt/graylog/server/graylog.jar server -f /opt/graylog/conf/graylog.conf
> 0 S ubuntu 17847 1419 0 80 0 - 2615 pipe_w 21:35 pts/1 00:00:00 grep 
> --color=auto 12125
>
>
>
>
>
> Clearly the graylog-server is running.
>
> So my questions are:
>
> - Why graylog-ctl thinks that graylog-server is running
> - Why graylog-server is not running?
> - How can we narrow down the root issue? with graylog-server not
> running, there the log files are not updated, hence no clue what is going
> on.
> - Are there higher level logs for the graylog-ctl that would inform us
> what it is going wrong when it is trying to start the graylog-server
>
>
> PS: We noticed that after a long while, the graylog server eventually shows
> up as a node on the UI, and the logs start filling
>
> Looking for errors in the logs, we only noticed the following warning
>
>
> 2016-06-17_17:04:56.90879 2016-06-17 17:04:56,908 WARN :
> org.graylog2.shared.events.DeadEventLoggingListener - Received unhandled
> event of type from event bus
>
>
>
> We're not even certain it had any relevance to the problem of
> graylog-server not starting immediately.
>
>
> Thanks guidance on how to narrow this down is greatly appreciated.
>
> Thanks
>
>
>
>
>
>
>



Re: [graylog2] How to deal with "Uncommited messages deleted from journal"?

2016-05-30 Thread Jan Doberstein
Hej Joe,

the main problem is - we can’t decide if it is OK for you that you
lose some messages or not.

If losing messages is fine for you, just let it run. If you want to
keep all messages your applications and servers send over to Graylog, you
should check your Elasticsearch cluster.

This is what the message says - you need to check your ES cluster.

/jd


On 30 May 2016 at 13:24:59, Joe K (roman.r...@gmail.com) wrote:
> My Setup is very straightforward - Installed Graylog 2.0 EC2 image on
> amazon AWS.
> Graylog image is all-in-one image with Elasticsearch and Graylog server.
> When I asked previously in this forum if this a Graylog -specific problem I
> got no response. So I am asking as if it's not specific to Image.
>
> On Monday, May 30, 2016 at 11:25:55 AM UTC+3, Jan Doberstein wrote:
> >
> > Hej Joe,
> >
> > On 28 May 2016 at 13:39:44, Joe K (roman.roan@gmail.com) wrote:
> > > We have message in console: *"Uncommited messages deleted from journal"*
> > >
> > > > Uncommited messages deleted from journal
> > > > Some messages were deleted from the Graylog journal before they could be
> > > > written to Elasticsearch. Please verify that your Elasticsearch cluster is
> > > > healthy and fast enough. You may also want to review your Graylog journal
> > > > settings and set a higher limit. (Node: f12..
> > >
> > > And is this bad? Can it be left as is?
> >
> > It depends on the information you write to graylog. We can’t decide for you.
> >
> > > There's nothing in Help on how to deal with this. Is there any end-user
> > > information or any hint at all?
> >
> > Every possible help is written down in the above statement. As we do not
> > know your environment and your setup it is not possible to provide a button
> > with „to resolve this issue please click here“.
> >
> > with kind regards
> > Jan
> >
> > with kind regards
> > Jan
> >
> >
>



Re: [graylog2] collector side car + nxlog doesnt forward firewall log

2016-05-30 Thread Jan Doberstein
Hello Person with no name,


On 30 May 2016 at 09:55:38, sangh (sanhegi.manel@gmail.com) wrote:
> the log of the firewall i send them to Machine A.
> I install on Machine A nxlog and collector side car

you know that you can send syslog directly to graylog, or?

http://docs.graylog.org/en/2.0/pages/sending_data.html#syslog

> On graylog Web interface, i configure input so i can get log of 0.0.0.0.
> However i don't receive the firewall log on the graylog server
> i do receive them on machine A but they are not sent to graylog server.


You need to check the nxlog configuration first, if the logs are sent out
then check if the connection between machine A and your graylog server is
possible.

regards
Jan





Re: [graylog2] How to limit size of log injected/collected into graylog ?

2016-05-30 Thread Jan Doberstein
Hej,

On 30 May 2016 at 00:53:15, Nevalystha Pingkan Dumanauw
(nevalystha...@gmail.com) wrote:
> I am new in Graylog. Actually, my company is planning to use Graylog as a
> log management system. We have installed it in our server, but when we run
> it, Graylog has consumed the server's CPU & memory usage, and it causes
> crashes in our server. Is there any way to limit the log size that is collected in
> Graylog? Or is there a way to limit what is received on the server side?

The load of your System depends on many factors. The amount of Logs is
one central point. But also how many Streams and extractors you are
running will have an impact on your experience.

Without knowledge about your Setup (what Hardware/how many resources
your Graylog Server has, how many Logstreams you pump into the System
and more like that) we would only look into our oracle bowl.

In general you are able to limit the amount of logs you send to the
system, but you can not limit the amount you receive on the Server.

regards
Jan



Re: [graylog2] How to purge LOG on graylog ova 2.0? and How extend root partition?

2016-05-30 Thread Jan Doberstein
Hej,

you can / need to set the indices rotation in the web interface to
have log rotation.

How you can extend your root partition? It depends on your Setup and
used Software.

But, please follow point 3.1.1 of RFC1855 (https://tools.ietf.org/html/rfc1855)

thank you
Jan



On 30 May 2016 at 05:07:36, ชีระวิทย์ ภูริเดชชัยพัฒน์
(cheraw...@gmail.com) wrote:
>
>



Re: [graylog2] collector side car + nxlog doesnt forward firewall log

2016-05-30 Thread Jan Doberstein
Hej,

sorry can you please write your question in other words? I did not get it.

thx
Jan


On 30 May 2016 at 09:33:06, sangh (sanhegi.ma...@gmail.com) wrote:
> I am using collector side car on linux i can get the machine log however i
> don't for the firewall log that i forward to my Nxlog machine ??
>



Re: [graylog2] Re: Master Graylog server to gather data from sub office graylog servers

2016-05-17 Thread Jan Doberstein
Hej Rob,

thanks for letting us know how you solved your issue. If someone else
has the same issue he will be able to find a solution.

have a good day
Jan



Re: [graylog2] Master Graylog server to gather data from sub office graylog servers

2016-05-17 Thread Jan Doberstein
Hej Rob,

you can define on your offsite Office Locations Graylog Server an
output that sends the messages to the Central Office.

In short yes it's possible but reaching the goal depends on your setup in detail.

/jd
On 17 May 2016 at 01:28:56, Rob (reenosm...@gmail.com) wrote:
>
>
> We have several office locations, each office has its own Graylog server
> which is working great.
>
>
> We want to set our head office to collect all the logs/messages that are
> stored on the sub office Graylog servers.
>
>
> So in effect each sub office Graylog server will store only its own sub
> office messages but the head office will store all messages from every sub
> office.
>
>
> Can this be done by only having the Graylog servers in the sub office send
> its messages to the master in Head office? I do not want to have to
> replicate all the individual inputs on the master - just one input that
> comes from each sub office Graylog server.
>
>
> If this is possible can you please advise how I can set this up or point me
> to the doco - I have read through the Graylog docs and can only see a setup
> to have multiple Graylog servers in the same site to share the load.
>
>
> I only need the Head Office to be able to search all sub office messages -
> each individual sub office only needs access to their own messages.
>
>
> I had a look here and possibly this is something that might something I can
> use but the thread never ended with a full solution:
>
>
> https://groups.google.com/forum/#!searchin/graylog2/send$20graylog$20messages$20to$20another$20graylog$20server/graylog2/yZFX7XkLhTU/m6Ku_Eyq29cJ
>
>
> Thank you in advance for your replies.
>



Re: [graylog2] how to secure graylog messages

2016-05-11 Thread Jan Doberstein
Hej Amit,

On 11 May 2016 at 11:17:18, Amit Sharma (amit.sharma@kaarya.com) wrote:
> What is the configuration required for securing the Graylog messages ?
>
> at present. i am getting logs from out side network & i need to make logs
> secure while transmitting the logs.

depends how you send the logs - i assume via syslog?

You can find various ways to secure sending remote data, one example:
http://jalogis.ch/q7wfd

It depends highly on how your setup currently is and can not be answered in
general.

/jd





Re: [graylog2] Measuring Time Difference from two messages.

2016-02-01 Thread Jan Doberstein
Hej Gabriel,

do you have any possible way to identify the message? So that you are able
to tell that these two messages belong to each other in a way that can be
recognised by a computer?

Or do you need to know something special to see the correlation between
the messages?

If you are able to provide the answer we might find a way to remove the
darkness.

regards
Jan

2016-01-29 14:42 GMT+01:00 :

> Hi,
>
> Currently I need to measure the time it takes for a message to travel from
> one of our services to the other. The problem here is that I cant simply
> measure the time it took to process the request because there is another
> service in the middle.
> So what i would like is for a way to measure the time difference from two
> messages in the same stream. The messages come from two different sources.
> I haven't been able to figure it out how do i approach this problem. Can I
> accomplish this using graylog? If not does anyone have a suggestions on how
> to do this?
>



-- 
| Voice: +49 173 7100308 | Text: j...@jalogisch.de
| http://jalogis.ch/bio
|---
| send from my extraordinary device

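Jan's question above comes down to whether both services log something a machine can join on. The following Python is an added example, not part of the thread and not Graylog code: it assumes a hypothetical `request_id` field that both services write, uses constructed log lines from two sources, joins the two sides by that id and reports the time difference, listing ids seen on only one side separately.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not from the thread): service-a logs when it
# hands a request to the middle service, service-b logs when it finally
# receives it. The shared request_id is the assumed correlation key.
SAMPLE_LOGS = """\
2016-01-29T14:40:01.120Z service-a request_id=7f3a event=sent
2016-01-29T14:40:01.250Z service-a request_id=9c1d event=sent
2016-01-29T14:40:02.875Z service-b request_id=7f3a event=received
2016-01-29T14:40:03.010Z service-b request_id=0000 event=received
not a log line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+request_id=(?P<rid>\w+)\s+event=(?P<event>\w+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": m["source"], "rid": m["rid"], "event": m["event"]}


def pair_latencies(text, start_event="sent", end_event="received"):
    """Join start and end events on request_id.

    Returns (latencies, unmatched): latencies maps request_id to the seconds
    between the first start_event and the last end_event for that id;
    unmatched lists ids seen on only one side. A negative latency means the
    two sources' clocks are not in sync, which is worth alerting on rather
    than silently dropping.
    """
    starts, ends = {}, {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip, do not guess
        if rec["event"] == start_event:
            starts.setdefault(rec["rid"], rec["ts"])  # keep the first sighting
        elif rec["event"] == end_event:
            ends[rec["rid"]] = rec["ts"]  # keep the last sighting
    latencies = {
        rid: round((ends[rid] - t0).total_seconds(), 3)
        for rid, t0 in starts.items() if rid in ends
    }
    unmatched = sorted((set(starts) | set(ends)) - set(latencies))
    return latencies, unmatched


if __name__ == "__main__":
    lat, missing = pair_latencies(SAMPLE_LOGS)
    for rid, seconds in lat.items():
        print("request %s: %.3f s end to end" % (rid, seconds))
    print("seen on one side only:", missing)
```

Without a shared key like this the two messages cannot be paired, whatever tool does the arithmetic; with it, the same join can be done in a stream of both sources.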


Re: [graylog2] Timestamp in graylog

2016-01-28 Thread Jan Doberstein
Hej Skip,

just an idea - based on that what you have written.

If you change the timestamp in gelf, graylog is not able to parse this.
(Reference: https://www.graylog.org/resources/gelf/ )

*timestamp* number

Seconds since UNIX epoch with optional decimal places for milliseconds;
SHOULD be set by client library. Will be set to NOW by server if absent.

I guess that this will explain your findings ...

regards
Jan

2016-01-27 17:26 GMT+01:00 Skip Cole :

> Dear Wonderful People,
>
> We send gelf messages to graylog to record our usage events. I have
> manipulated the gelf message to have the timestamp we want, but the
> messages are all showing up in graylog at the moment they were received. (I
> dump in 100 messages of events that took place over a 2 week period, and
> they all show up in the graphs at the moment I uploaded them.)
>
> I have been banging my head on this, and I bet there is a simple way
> around it. Any ideas?
>
> Thanks,
> Skip
>




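To make the GELF point above concrete, here is an added Python example; it is not from the thread and not Graylog's or any GELF library's code. It builds a GELF payload with the timestamp converted to epoch seconds, as the spec Jan links requires, and checks a payload for the mistake the thread describes (a timestamp that is not a number, which the server ignores in favour of the receive time). The sample event time and the helper names are constructed here.

```python
import json
from datetime import datetime, timezone

# GELF (https://www.graylog.org/resources/gelf/) expects 'timestamp' to be
# seconds since the UNIX epoch with an optional fractional part for
# milliseconds; a string is not parsed as the event time.
REQUIRED_FIELDS = ("version", "host", "short_message")

# Constructed sample event time (not from the thread): 10 Jan 2016, 12:00 UTC.
SAMPLE_EVENT_TIME = datetime(2016, 1, 10, 12, 0, 0, tzinfo=timezone.utc)


def make_gelf(host, short_message, event_time=None, **extra):
    """Build a GELF 1.1 payload as a dict.

    event_time is a datetime; it is converted to epoch seconds here so the
    client never sends an ISO-8601 string in 'timestamp'. A naive datetime is
    assumed to be UTC. Extra keyword arguments become additional fields,
    which GELF requires to carry a leading underscore.
    """
    msg = {"version": "1.1", "host": host, "short_message": short_message}
    if event_time is not None:
        if event_time.tzinfo is None:
            event_time = event_time.replace(tzinfo=timezone.utc)
        msg["timestamp"] = round(event_time.timestamp(), 3)
    for name, value in extra.items():
        msg["_" + name] = value
    return msg


def check_gelf_timestamp(payload):
    """Return (ok, reason) for a GELF payload given as a dict or JSON text.

    ok is False when a required field is missing or 'timestamp' is present
    but not numeric. A missing timestamp is accepted: the server then uses
    the receive time, which is exactly the symptom described in the thread.
    """
    msg = json.loads(payload) if isinstance(payload, (str, bytes)) else payload
    for field in REQUIRED_FIELDS:
        if field not in msg:
            return False, "missing required field %r" % field
    ts = msg.get("timestamp")
    if ts is None:
        return True, "no timestamp: server will set it to the receive time"
    # bool is a subclass of int in Python, so rule it out explicitly
    if isinstance(ts, bool) or not isinstance(ts, (int, float)):
        return False, "timestamp must be a number (epoch seconds), got %s" % type(ts).__name__
    if ts < 0:
        return False, "timestamp lies before the UNIX epoch"
    when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return True, "timestamp parsed as " + when


if __name__ == "__main__":
    good = make_gelf("app01", "user login", SAMPLE_EVENT_TIME, user="alice")
    bad = dict(good, timestamp=SAMPLE_EVENT_TIME.isoformat())  # the mistake
    for candidate in (good, bad, make_gelf("app01", "no time")):
        print(json.dumps(candidate), "->", check_gelf_timestamp(candidate))
```

Running the check on outgoing payloads before they leave the client is the cheapest way to catch a backfill that would otherwise land at upload time, as in Skip's case.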


Re: [graylog2] Safe to vmotion graylog servers?

2016-01-27 Thread Jan Doberstein
Dear Frank,

i will not use the phrase "it depends" - but if you do not have a high
load this should work without a problem (my personal experience). But if
you have a high load this might lead to hiccups. To be sure you do not
have any problems you should anyway use a Downtime / Maintenance Window for
such a task.

I know that this might not be the answer you like to hear, but without
knowledge about your Hardware, Load and Service Level you need to make the
decision on your own.

regards
Jan



Re: [graylog2] reassembled log

2016-01-22 Thread Jan Doberstein
Hej Brendan,

did I get it right that you ask how you can direct your Exchange Logs or
any kind of Logfiles into Graylog?

Did you look into the Documentation?
http://docs.graylog.org/en/1.3/pages/sending_data.html
Maybe my GIST for 'normal' Windows can help you in this a little:
https://gist.github.com/jalogisch/5353158

As for the Webserver you mention, it would be very helpful if you give us a
hint what type of Webserver you are talking about and on what kind of OS
this is running.

regards
Jan


2016-01-21 17:48 GMT+01:00 Brendan Lavolée <delasalle.sio.lavole...@gmail.com>:

> Like an input
>
>
> On Thursday, 21 January 2016 at 16:59:08 UTC+1, Jan Doberstein wrote:
>>
>> Hej Brendan,
>>
>> could you please explain what you mean with "turn back".
>>
>> Did you like to get specific Logs out of Graylog into a Logfile - means
>> export Logs?
>>
>> regards
>> Jan
>> ​
>>






Re: [graylog2] Re: Forwarding logs from SpluUniversal forwarder to Graylog, logs are missing please help

2016-01-21 Thread Jan Doberstein
Hej Chandrahasa,

this is like finding - blind - the needle in the haystack.

Did you check your Graylog Logfiles? Did you see any Errors? Do all the
messages arrive at the Graylog Server (maybe tcpdump will help you here)?
Are the time/date on all Systems in Sync?

Maybe you should think about getting paid support if you are not able to
identify your problem.

regards
Jan



Re: [graylog2] reassembled log

2016-01-21 Thread Jan Doberstein
Hej Brendan,

could you please explain what you mean with "turn back".

Did you like to get specific Logs out of Graylog into a Logfile - means
export Logs?

regards
Jan



Re: [graylog2] Re: Forwarding logs from SpluUniversal forwarder to Graylog, logs are missing please help

2016-01-20 Thread Jan Doberstein
Dear Chandrahasa,

did you check your logfiles?

how many log lines are thrown at the Graylog-Server? Are you sure all
expected lines are forwarded?

Please give us a few more lines about it and the possibility that someone
can help will be much higher.

regards
Jan

2016-01-20 12:39 GMT+01:00 Chandrahasa S :

> Hi,
>
> We have created a Graylog setup (Graylog web, server and Elasticsearch).
> Now we want to forward Apache logs to the graylog setup.
>
> We are using Splunk universal forwarder to forward Apache logs to Graylog
> setup on port 9998. On Graylog console we created stream with port 9998.
>
> Some logs are visible on graylog console, but most of logs are missing.
>
>
> On Tuesday, 12 January 2016 20:19:06 UTC+5:30, Chandrahasa S wrote:
>>
>> We are using Splunk Universal forwarder to forward logs to Graylog, But
>> logs are missing in graylog.
>> Sometimes we see timeout errors in the splunk log.
>>






Re: [graylog2] found log messages of 8 hours only

2016-01-18 Thread Jan Doberstein
Dear Anjit,

as you did not provide more details on your Setup we can just guess and
look into our glass bowl.

You are using the latest OVA / Virtual Machine Template for your Test
Environment. So you are able to use "graylog-ctl set-retention" as it is
described in the Documentation:
http://docs.graylog.org/en/1.3/pages/installation/graylog_ctl.html

have a nice Day
Jan


2016-01-18 3:34 GMT+01:00 Anjit Maharjan :

> Hi. I found log messages of 8 hours only of all input. How can I view all
> logs.
>
> I need logs of 30 days. So, do I need to make any changes in graylog
> config file. Please suggest
>






Re: [graylog2] Graylog crowded

2016-01-18 Thread Jan Doberstein
Hej Brendan,

thank you for your Mail to the Graylog ML - please provide a Question that
can be answered. Your Message looks more like a Statement.
But as you have not mentioned what type of phone sends out so many messages and
we are not the vendor of this phone we can't help here.
If you look into the messages you should be able to find the reason for the
amount of messages.

regards
Jan

2016-01-14 9:55 GMT+01:00 Brendan Lavolée :

> look my attachment,
> you can see that I have a firewall and a telephone, except that the phone
> sends message enormously , and ca fulfilled my database
>






Re: [graylog2] Main page web interface

2016-01-18 Thread Jan Doberstein
Dear User,

it would be more helpful if you describe what you want to do where. So if I
look at your Message this could be:

Hej all,

I have cloned the graylog2-server repository from
https://github.com/Graylog2/graylog2-server into my working directory. My
goal was to modify the Web-Navigation bar.
I have found the file main.scala.html which includes ... more description
... Finally I'm not able to find out myself how to modify the
Navigation.

Did I overlook a Documentation on this Topic?

Please advise me how I would be able to add additional Links/Fields to the
Navigation.

with kind regards
XXX


This is not actual help, but a request not to just throw a bunch of
lines into the Forest and expect a cabin in return. If you share what you
would like to achieve it's far easier to assist. Additionally someone else can
learn from your questions.

regards
Jan


2016-01-18 7:49 GMT+01:00 :

> Hi,
> I see a file main.scala.html. It includes "@partials.navbar(currentUser)"
> to call the navbar of the current user.
> When I open navbar.scala.html, I can not see where the menu fields
> are (stream, system, dashboards...).
> Please tell me how to customize the navbar.
> Thanks,
>






Re: [graylog2] How to increase gateway timeout

2016-01-18 Thread Jan Doberstein
Dear Toni,

the following questions possibly lead to an answer:
- what is your current graylog setup?
- what did you change last and when (added new Systems, new Streams, new
Users, something like this)?
- what is the load of your graylog system?

regards
Jan

2016-01-18 15:47 GMT+01:00 :

> Hi,
>
> can somebody tell us how we could increase the gateway timeout?
> We create a dashboard which worked very well the last week but since today
> we get the error which is attached...
>
> Thanks in advance!
>






Re: [graylog2] Re: Forwarding logs from SpluUniversal forwarder to Graylog, logs are missing please help

2016-01-18 Thread Jan Doberstein
Dear Chandrahasa,

to help you out on this everyone would need more Information on your Setup.
Where and how is your Graylog Setup? What is your Log Stream?

Do you have a Diagram of how your setup is, so someone else is able to point
to possible problems? Without more Information no one else is able to help
you out.


kind regards
Jan

2016-01-19 7:08 GMT+01:00 chandrahasa s :

> Any one can pls help on this?
>
> On Tuesday, January 12, 2016 at 8:19:06 PM UTC+5:30, Chandrahasa S wrote:
>>
>> We are using Splunk Universal forwarder to forward logs to Graylog, But
>> logs are missing in graylog.
>> Sometimes we see timeout errors in the splunk log.
>>



