[graylog2] Re: No 'Beats Input' available to receive sidecar data.

2017-02-20 Thread Jochen Schalanda
Hi Chris,

On Tuesday, 21 February 2017 00:46:35 UTC+1, Chris Thompson wrote:
>
> 2017-02-20_23:31:59.44325 INFO  [CmdLineTool] Loaded plugins: [Anonymous 
> Usage Statistics 1.2.1 
> [org.graylog.plugins.usagestatistics.UsageStatsPlugin]]
>

The Anonymous Usage Statistics plugin 1.2.1 was written for Graylog 1.3.x 
but the Beats plugin only works with Graylog 2.0.0 and higher.

If you're starting from scratch, I'd recommend using the latest stable 
version of 
Graylog: https://www.graylog.org/blog/89-announcing-graylog-v2-2-1

Cheers,
Jochen

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/d058075b-274f-47fb-bf6b-3bb298954317%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Re: No 'Beats Input' available to receive sidecar data.

2017-02-20 Thread Jochen Schalanda
Hi Chris,

how exactly did you install (and upgrade) Graylog? It looks like you're 
using an incompatible version of the Beats plugin.

The correct version of the Beats plugin is shipped with Graylog and can 
also be downloaded from 
https://marketplace.graylog.org/addons/22014b12-9358-4056-9402-d3eb69f9560e.

Cheers,
Jochen

On Tuesday, 21 February 2017 00:46:35 UTC+1, Chris Thompson wrote:
>
> I installed the plugin to my Graylog 2.2 appliance (I'm still testing) and 
> restarted the services.
> I keep getting pointed to this doc: 
> http://docs.graylog.org/en/2.1/pages/collector_sidecar.html#step-by-step-guide
> However, the first step in that doc is to make a 'Global Beats Input'. 
> 'Beats' is not an option in my inputs drop down menu:
>
> I tried installing the beats plugin (some were saying it ships with 
> Graylog but, it is not in the /opt/graylog/plugin folder on my OVA in any 
> case. 
> Once I install it, when I restart graylog, it fails with this error 
> showing in a loop in /var/log/graylog/server/current:
> 2017-02-20_23:31:57.16373 Java HotSpot(TM) 64-Bit Server VM warning: 
> ignoring option MaxPermSize=256m; support was removed in 8.0
> 2017-02-20_23:31:57.78121 Exception in thread "main" 
> java.lang.NoSuchMethodError: 
> org.graylog2.plugin.Version.from(IIILjava/lang/String;)Lorg/graylog2/plugin/Version;
> 2017-02-20_23:31:57.78211   at 
> org.graylog.plugins.beats.BeatsInputPluginMetaData.getVersion(BeatsInputPluginMetaData.java:52)
> 2017-02-20_23:31:57.78429   at 
> org.graylog2.shared.plugins.PluginLoader$PluginComparator.compare(PluginLoader.java:112)
> 2017-02-20_23:31:57.78448   at 
> org.graylog2.shared.plugins.PluginLoader$PluginComparator.compare(PluginLoader.java:103)
> 2017-02-20_23:31:57.78667   at 
> java.util.TimSort.countRunAndMakeAscending(TimSort.java:355)
> 2017-02-20_23:31:57.78829   at java.util.TimSort.sort(TimSort.java:220)
> 2017-02-20_23:31:57.78948   at java.util.Arrays.sort(Arrays.java:1512)
> 2017-02-20_23:31:57.79100   at 
> com.google.common.collect.ImmutableSortedSet.construct(ImmutableSortedSet.java:428)
> 2017-02-20_23:31:57.79185   at 
> com.google.common.collect.ImmutableSortedSet$Builder.build(ImmutableSortedSet.java:562)
> 2017-02-20_23:31:57.79421   at 
> org.graylog2.shared.plugins.PluginLoader.loadPlugins(PluginLoader.java:56)
> 2017-02-20_23:31:57.79605   at 
> org.graylog2.bootstrap.CmdLineTool.loadPlugins(CmdLineTool.java:264)
> 2017-02-20_23:31:57.79609   at 
> org.graylog2.bootstrap.CmdLineTool.installPluginConfigAndBindings(CmdLineTool.java:229)
> 2017-02-20_23:31:57.79739   at 
> org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:151)
> 2017-02-20_23:31:57.79901   at 
> org.graylog2.bootstrap.Main.main(Main.java:44)
> 2017-02-20_23:31:58.82676 It looks like you are trying to access MongoDB 
> over HTTP on the native driver port.
> 2017-02-20_23:31:58.83689 Java HotSpot(TM) 64-Bit Server VM warning: 
> ignoring option PermSize=128m; support was removed in 8.0
> 2017-02-20_23:31:58.83691 Java HotSpot(TM) 64-Bit Server VM warning: 
> ignoring option MaxPermSize=256m; support was removed in 8.0
> 2017-02-20_23:31:59.44325 INFO  [CmdLineTool] Loaded plugins: [Anonymous 
> Usage Statistics 1.2.1 
> [org.graylog.plugins.usagestatistics.UsageStatsPlugin]]
> 2017-02-20_23:31:59.56571 INFO  [CmdLineTool] Running with JVM arguments: 
> -Xms1g -Xmx1500m -XX:NewRatio=1 -XX:PermSize=128m -XX:MaxPe
>
> Need to test getting some Windows IIS logs into this thing, help me out 
> please?
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/cf580ab1-6d28-4116-8b5b-cd8cc847e681%40googlegroups.com.


[graylog2] Re: use 1 minute Timerange not working

2017-02-20 Thread Jochen Schalanda
Hi,

what exactly do you mean by "both of them don't work"?

How did you configure the alert conditions?
What did you expect to happen?
What did actually happen?

Cheers,
Jochen

On Monday, 20 February 2017 16:20:43 UTC+1, vadimv Vatlin wrote:
>
> Hello. 
>
> I have some strange problem. 
>
> I try to use 1 minute time range in alerts and dashboard count widget, and 
> both of them don't work. 
>
> Timerange:{ "type": "relative", "range": 60 }
> server.conf:alert_check_interval = 30 
>
> what is the problem?  
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/e251d1a9-f1de-4974-8b4c-089e583c01bb%40googlegroups.com.


[graylog2] Re: Global kafka input doesn't work.

2017-02-20 Thread Jochen Schalanda
Hi Art,

are there any error messages in the logs of your Graylog nodes?

Cheers,
Jochen

On Friday, 17 February 2017 00:30:39 UTC+1, Art Star wrote:
>
> Hey guys, 
>
> I'm trying to configure two graylog servers to read from the same topic in 
> kafka. But when I choose global input, only one of my servers can read from 
> kafka. 
> I'm wondering if it is something that I'm doing wrong or it's not possible 
> as of now. 
>
> Thanks
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/ec61f2c8-c077-4745-9850-0ce0483e133d%40googlegroups.com.


[graylog2] Re: Remove field using extractos

2017-02-20 Thread Jochen Schalanda
Hi Rui,

On Tuesday, 14 February 2017 16:24:55 UTC+1, Rui Goncalves wrote:
>
> What am I missing? I think there must be something that I'm missing, 
> because we can route the same message to multiple streams.
>

This sounds like an incorrect message processor order. Check the order of 
your message processors on the System / Configurations page.

Cheers,
Jochen 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/6934a62f-2494-46c1-ac6d-1f2a9770bedb%40googlegroups.com.


[graylog2] [INFO] Google Group shutdown on Feb 21, 2017

2017-02-20 Thread Jochen Schalanda
Hi everyone,

just a timely reminder that this Google Group will be set to read-only on 
Feb 21, 2017 and will be replaced by the official Graylog Community Forums.

If you have any open threads on this mailing list, please create a 
corresponding topic on the Graylog Community Forums.


Cheers,
Jochen

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/bcc18234-2656-425e-85c2-0f4501103bf9%40googlegroups.com.


[graylog2] Re: graylog 2.2.0 ssl error

2017-02-19 Thread Jochen Schalanda
Hi Adi,

I'm not sure what you intended to do with these JVM settings, but they're 
for the Maven build system and not Graylog.

Please refer 
to http://docs.graylog.org/en/2.2/pages/configuration/https.html for 
information about using HTTPS in Graylog.

Cheers,
Jochen

On Sunday, 19 February 2017 15:23:05 UTC+1, Adi Spivak wrote:
>
> i upgraded to graylog 2.2 and now i keep getting ssl related errors.
> it worked on graylog 2.1 with this added flags: 
> -Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true 
> -Dmaven.wagon.http.ssl.ignore.validity.dates=true
> now they do not help, ports are not comming up, and i keep getting ssl 
> related errors:
> javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: 
> unable to find valid certification path to requested target
>
> can anyone help me please?
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/513de1e8-c899-482c-9dc2-64371671f454%40googlegroups.com.


[graylog2] Re: graylog not working after upgrading to v2.2.0 from 2.1.2

2017-02-19 Thread Jochen Schalanda
Hi Marsel,

there seem to exist multiple issues in your setup.

   1. Make sure to only use plugins compatible with your version of 
      Graylog. For example, the Threat Intel plugin is currently not 
      compatible with Graylog 2.2.0.
   2. Make sure to create a custom index mapping. For example, the 
      "EventDate" field seems to have been a date before but now cannot be 
      properly indexed. See 
      http://docs.graylog.org/en/2.2/pages/configuration/elasticsearch.html#custom-index-mappings
      for details.
   3. The messages you're receiving on your Syslog input don't conform to 
      the syslog standard. You can use a Raw/plaintext input and some 
      extractors instead.

Cheers,
Jochen

On Friday, 17 February 2017 21:52:56 UTC+1, Marsel Qako wrote:
>
> Hi,
>
> I have two graylog servers clustered. One is configured as the master with 
> full configuration the other as bakend-server. I upgraded both virtual 
> appliances from 2.1.2 to 2.2.0. Before the upgrade everything was working 
> fine. Now i have multiple errors and no logs show when searching. 
>
> Every 20 seconds the page will reload and for a second and "server 
> currently unavailable" page will show. 
>
> The pages are blank under /system/indices, or streams, or alerts. But some 
> like dashboards, or sources, or input work fine
>
> I get the following errors in the logs. I'm not sure what changed with the 
> new version, but it used to parse this logs with no problem. 
>
> 2017-02-17_19:58:39.81255 [3053]: index [graylog_447], type [message], id 
> [fa52e365-f54a-11e6-8af1-005056a7396f], message 
> [MapperParsingException[failed to parse [EventDate]]; nested: 
> IllegalArgumentException[Invalid format: "2017/02/17" is malformed at 
> "/02/17"];]
>
> payloadSize=156, timestamp=2017-02-17T20:08:41.486Z, remoteAddress=/
> 1.1.1.1:1030} on input <57239495e765a00aa151081e>.
> 2017-02-17_20:31:14.33021 2017-02-17 12:31:14,329 ERROR: 
> org.graylog2.shared.buffers.processors.DecodingProcessor - Error processing 
> message RawMessage{id=e08a52e1-f54c-11e6-9231-005056a7396f, 
> journalOffset=9857804159, codec=syslog, payloadSize=156, 
> timestamp=2017-02-17T20:08:41.486Z, remoteAddress=/10.4.1.110:1030}
> 2017-02-17_20:31:14.33105 java.lang.IllegalArgumentException: Invalid 
> format: "19293274:" is malformed at ":"
> 2017-02-17_20:31:14.33584   at 
> org.joda.time.format.DateTimeFormatter.parseDateTime(DateTimeFormatter.java:945)
>  
> ~[graylog.jar:?]
> 2017-02-17_20:31:14.33727   at 
> org.joda.time.DateTime.parse(DateTime.java:160) ~[graylog.jar:?]
> 2017-02-17_20:31:14.33762   at 
> org.joda.time.DateTime.parse(DateTime.java:149) ~[graylog.jar:?]
> 2017-02-17_20:31:14.33811   at 
> org.graylog2.syslog4j.server.impl.event.SyslogServerEvent.parseDate(SyslogServerEvent.java:108)
>  
> ~[graylog.jar:?]
> 2017-02-17_20:31:14.33955   at 
> org.graylog2.syslog4j.server.impl.event.SyslogServerEvent.parsePriority(SyslogServerEvent.java:136)
>  
> ~[graylog.jar:?]
> 2017-02-17_20:31:14.34209   at 
> org.graylog2.syslog4j.server.impl.event.SyslogServerEvent.parse(SyslogServerEvent.java:152)
>  
> ~[graylog.jar:?]
> 2017-02-17_20:31:14.34211   at 
> org.graylog2.syslog4j.server.impl.event.SyslogServerEvent.(SyslogServerEvent.java:50)
>  
> ~[graylog.jar:?]
> 2017-02-17_20:31:14.34212   at 
> org.graylog2.inputs.codecs.SyslogCodec.parse(SyslogCodec.java:123) 
> ~[graylog.jar:?]
> 2017-02-17_20:31:14.34398   at 
> org.graylog2.inputs.codecs.SyslogCodec.decode(SyslogCodec.java:91) 
> ~[graylog.jar:?]
> 2017-02-17_20:31:14.34595   at 
> org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:146)
>  
> ~[graylog.jar:?]
> 2017-02-17_20:31:14.34625   at 
> org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87)
>  
> [graylog.jar:?]
> 2017-02-17_20:31:14.34929   at 
> org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:79)
>  
> [graylog.jar:?]
> 2017-02-17_20:31:14.34963   at 
> org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:45)
>  
> [graylog.jar:?]
> 2017-02-17_20:31:14.35012   at 
> com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
> 2017-02-17_20:31:14.35134   at 
> com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66)
>  
> [graylog.jar:?]
> 2017-02-17_20:31:14.35179   at java.lang.Thread.run(Thread.java:745) 
> [?:1.8.0_101]
>
> /elasticsearch/current
>
> 17_20:33:58.10920 [2017-02-17 12:33:57,437][DEBUG][action.bulk 
>  ] [Morg] [graylog_447][2] failed to execute bulk item (index) index 
> {[graylog_deflector][message][79384092-f54f-11e6-969d-005056a71aa5], 
> 
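
Jochen's second point, the custom index mapping, as an added example that is not part of this thread and not Graylog's own code: an Elasticsearch 2.x index template that maps "EventDate" as a date in the format the rejected value "2017/02/17" actually uses, plus a dry run of that format against sample values before the template is stored. The template name, the Elasticsearch URL and the sample values are placeholders for this example; the template structure follows the custom-mappings section of the Graylog 2.2 documentation linked above.

```python
"""Custom Elasticsearch index template for a field Graylog indexes as a date.

Added example for the EventDate problem in this thread; not Graylog code.
Assumptions: the template name, the Elasticsearch URL and the sample values
are placeholders. Targets Elasticsearch 2.x (the "template" key and the
"message" mapping type that Graylog 2.2 writes to).
"""
import json
import re
from datetime import datetime
from urllib.request import Request, urlopen

# The subset of Joda-style date pattern tokens this dry run understands,
# mapped to strptime directives. Extend it if your format uses others.
_JODA_TO_STRPTIME = {
    "yyyy": "%Y", "MM": "%m", "dd": "%d",
    "HH": "%H", "mm": "%M", "ss": "%S",
}
_TOKEN_RE = re.compile("|".join(_JODA_TO_STRPTIME))


def build_template(field, es_format, index_prefix="graylog_"):
    """Index template that maps `field` as a date with `es_format` in every
    index matching `index_prefix`, extending Graylog's "message" type."""
    return {
        "template": index_prefix + "*",
        "mappings": {
            "message": {
                "properties": {
                    field: {"type": "date", "format": es_format},
                }
            }
        },
    }


def joda_to_strptime(es_format):
    """Translate the supported pattern tokens; everything else is literal."""
    return _TOKEN_RE.sub(lambda m: _JODA_TO_STRPTIME[m.group(0)],
                         es_format.replace("%", "%%"))


def rejected_values(values, es_format):
    """Dry run: the sample values that would NOT parse under `es_format`.

    Elasticsearch drops the whole document when a mapped date fails to parse
    (the MapperParsingException in this thread), so check real samples first.
    """
    pattern = joda_to_strptime(es_format)
    bad = []
    for value in values:
        try:
            datetime.strptime(value, pattern)
        except ValueError:
            bad.append(value)
    return bad


def put_template(es_url, name, template):
    """Store the template. It applies only to indices created afterwards, so
    rotate the active write index in Graylog (System / Indices) once stored."""
    req = Request(
        f"{es_url.rstrip('/')}/_template/{name}",
        data=json.dumps(template).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="PUT",
    )
    with urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    fmt = "yyyy/MM/dd"
    samples = ["2017/02/17", "2017-02-17"]     # constructed sample values
    print("rejected under", fmt, "->", rejected_values(samples, fmt))
    print(json.dumps(build_template("EventDate", fmt), indent=2))
    # put_template("http://127.0.0.1:9200", "graylog-eventdate", build_template("EventDate", fmt))
```

A template only affects indices created after it is stored; existing indices keep their old mapping, so rotate the active write index afterwards. Run the dry run on values sampled from the live stream, not on hand-typed ones: a second date format arriving from another host is exactly the case that turns one bad document into a rejected batch.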

[graylog2] Re: Copy input extractor failure

2017-02-19 Thread Jochen Schalanda
Hi Rayees,

which version of Graylog and Elasticsearch are you running?

Cheers,
Jochen

On Saturday, 18 February 2017 01:46:16 UTC+1, Rayees Namathponnan wrote:
>
> Hi All,
>
> I created “Copy Input” extractor to get key value pair, here is my 
> message, trying to extract *level* and *status* from all the messages 
>
>
>
> 2016-09-28 19:21:52,466 level=INFO tag="run_workflow.py" msg="Run complete 
> for appname=cils, job_date=20160912, status=Passed starttime=Wed Sep 28 
> 19:15:25 2016, endtime=Wed Sep 28 19:21:47 2016, duration=0:6:21, 
> inputs=[{"path": "/esss/srg/20160912_1473688239855_4f29bbb6efdb3c39", 
> "tag": "cilPurge", "stats": {"size": "13.47MB"}}, {"path": 
> "/compressed/cil/20160912", "tag": "cil", "stats": {"size": "580.16MB"}}], 
> outputs=[{"path": "/processed/test/parse//cil", "tag": "cil.output.folder", 
> "stats": {"diffSize": "645.78MB", "newFiles": [], "endSize": "18.93GB", 
> "startSize": "18.30GB"}}]”
>
>
>
> Its failing with below error 
>
> 0]: index [graylog_8], type [message], id 
> [c0e7ea80-f572-11e6-b21e-5254007b267d], message 
> [java.lang.IllegalArgumentException: Document contains at least one immense 
> term in field="level" (whose UTF8 encoding is longer than the max length 
> 32766), all of which were skipped.  Please correct the analyzer to not 
> produce such terms.  The prefix of the first immense term is: '[70, 101, 
> 98, 32, 49, 55, 32, 49, 57, 58, 51, 57, 58, 51, 53, 32, 115, 106, 101, 108, 
> 107, 51, 51, 32, 115, 121, 115, 116, 101, 109]...', original message: bytes 
> can be at most 32766 in length; got 34944]
> 2017-02-17T19:39:56.795-05:00 ERROR [Extractor] Could not apply converter 
> [tokenizer] of extractor [77e451d0-f3b9-11e6-b21e-5254007b267d].
> java.lang.IllegalArgumentException: Multiple entries with same key: 
> id=4038, and id=4038,
> at 
> com.google.common.collect.ImmutableMap.checkNoConflict(ImmutableMap.java:136) 
> ~[graylog.jar:?]
> at 
> com.google.common.collect.RegularImmutableMap.checkNoConflictInKeyBucket(RegularImmutableMap.java:98)
>  
> ~[graylog.jar:?]
> at 
> com.google.common.collect.RegularImmutableMap.fromEntryArray(RegularImmutableMap.java:84)
>  
> ~[graylog.jar:?]
> at 
> com.google.common.collect.ImmutableMap$Builder.build(ImmutableMap.java:295) 
> ~[graylog.jar:?]
> at 
> org.graylog2.inputs.converters.TokenizerConverter.convert(TokenizerConverter.java:55)
>  
> ~[graylog.jar:?]
> at org.graylog2.plugin.inputs.Extractor.runConverters(Extractor.java:242) 
> [graylog.jar:?]
> at org.graylog2.plugin.inputs.Extractor.runExtractor(Extractor.java:228) 
> [graylog.jar:?]
> at org.graylog2.filters.ExtractorFilter.filter(ExtractorFilter.java:73) 
> [graylog.jar:?]
> at 
> org.graylog2.messageprocessors.MessageFilterChainProcessor.process(MessageFilterChainProcessor.java:100)
>  
> [graylog.jar:?]
> at 
> org.graylog2.buffers.processors.ServerProcessBufferProcessor.handleMessage(ServerProcessBufferProcessor.java:56)
>  
> [graylog.jar:?]
> at 
> org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:82)
>  
> [graylog.jar:?]
> at 
> org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:61)
>  
> [graylog.jar:?]
> at 
> org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35)
>  
> [graylog.jar:?]
> at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) 
> [graylog.jar:?]
> at 
> com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66)
>  
> [graylog.jar:?]
> at java.lang.Thread.run(Thread.java:745) [?:1.8.0_111]
> 2017-02-17T19:39:57.677-05:00 ERROR [Messages] Failed to index [1] 
> messages. Please check the index error log in your web interface for the 
> reason. Error: failure in bulk execution:
> [0]: index [graylog_8], type [message], id 
> [c560a160-f572-11e6-b21e-5254007b267d], message 
> [java.lang.IllegalArgumentException: Document contains at least one immense 
> term in field="level" (whose UTF8 encoding is longer than the max length 
> 32766), all of which were skipped.  Please correct the analyzer to not 
> produce such terms.  The prefix of the first immense term is: '[70, 101, 
> 98, 32, 49, 55, 32, 49, 57, 58, 51, 57, 58, 52, 53, 32, 115, 106, 101, 108, 
> 107, 51, 51, 32, 115, 121, 115, 116, 101, 109]...', original message: bytes 
> can be at most 32766 in length; got 34944]
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/013d028e-f053-4b5f-8da6-18ded9bdd073%40googlegroups.com.


[graylog2] Re: Troubleshooting logs

2017-02-17 Thread Jochen Schalanda
Hi Tom,

On Friday, 17 February 2017 00:41:03 UTC+1, Tom Powers wrote:
>
> I've found this article on the right place to put the certs...but not sure 
> what format or how to get them out of the master server
>
>
> http://docs.graylog.org/en/2.0/pages/faq.html#i-have-configured-an-smtp-server-or-an-output-with-tls-connection-and-receive-handshake-errors-what-should-i-do
>

See 
http://docs.graylog.org/en/2.2/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store
for instructions on how to add certificates to the JVM trust store.

Cheers,
Jochen 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/2134480e-bd5c-46b2-8521-3c93d1b3ac90%40googlegroups.com.


[graylog2] Re: Troubleshooting logs

2017-02-16 Thread Jochen Schalanda
Hi Tom,

On Thursday, 16 February 2017 16:28:09 UTC+1, Tom Powers wrote:
>
> If I turn TLS on for the Input side (Server 2), and click the Verify TLS 
> on the client side(server1)  (like I have done in my test lab),  then the 
> Server2 doesn't receive anything on the input.   
>

Have the SSL certificates you're using been signed by a public CA or did 
you add them to the JVM trust store on the second server? If not, that's 
the problem.

Cheers,
Jochen

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/4bbc3f47-430f-4a38-8077-31afa1840770%40googlegroups.com.
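
The trust-store fix that Jochen points to in this thread, in the reply above it and in the "graylog 2.2.0 ssl error" thread, as an added example that is not part of any of those messages and not Graylog's own code. The Maven flags in that last thread are not JVM TLS settings, and their JVM-level equivalent, trusting every certificate, would defeat the point of TLS; importing the one CA or self-signed certificate you actually rely on is the fix. The script validates the PEM you are about to import (a surprising share of PKIX "unable to find valid certification path" errors are a truncated or mis-pasted certificate), splits a bundle into one certificate per keytool call, and prints the keytool command lines plus the JVM option that points Graylog at the resulting store. Paths, aliases and the keystore password are placeholders, and the "certificate" in the demo is a constructed DER SEQUENCE, not a real certificate.

```python
"""Pre-flight for adding a self-signed or private-CA certificate to the JVM
trust store used by Graylog (or by a collector/client JVM).

Added example, not part of the threads or of Graylog. Paths, aliases and the
keystore password are placeholders; the demo certificate is a constructed
DER SEQUENCE, not a real certificate.
"""
import base64
import re
import shlex

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _der_total_length(der):
    """Length that the outer DER SEQUENCE header claims for the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (DER/PKCS#12 instead of PEM?)")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der(pem_text):
    """All CERTIFICATE blocks in `pem_text` as DER, each checked for a
    length header that matches the bytes actually present."""
    blobs = []
    for body in _PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if _der_total_length(der) != len(der):
            raise ValueError("certificate is truncated or corrupted "
                             "(DER header length != bytes present)")
        blobs.append(der)
    if not blobs:
        raise ValueError("no CERTIFICATE blocks found; Graylog expects PEM")
    return blobs


def split_bundle(pem_text, alias_prefix):
    """(alias, single-certificate PEM) per certificate, so each one gets its
    own keytool import and its own alias in the store."""
    out = []
    for i, der in enumerate(pem_to_der(pem_text)):
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[j:j + 64] for j in range(0, len(b64), 64)]
        pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) +
               "\n-----END CERTIFICATE-----\n")
        out.append((f"{alias_prefix}-{i}", pem))
    return out


def keytool_import(alias, cert_path, keystore, storepass="changeit"):
    """argv for importing one PEM file as a trusted certificate."""
    return ["keytool", "-importcert", "-noprompt", "-trustcacerts",
            "-alias", alias, "-file", cert_path,
            "-keystore", keystore, "-storepass", storepass]


def graylog_jvm_opts(keystore, storepass="changeit"):
    """What to add to GRAYLOG_SERVER_JAVA_OPTS so the server uses that store."""
    return (f"-Djavax.net.ssl.trustStore={keystore} "
            f"-Djavax.net.ssl.trustStorePassword={storepass}")


if __name__ == "__main__":
    # Constructed stand-in: DER SEQUENCE { INTEGER 5 }, base64 "MAMCAQU=".
    demo_pem = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
    keystore = "/etc/graylog/cacerts.jks"   # assumed: a copy of the JRE's cacerts
    for alias, pem in split_bundle(demo_pem * 2, "graylog-ca"):
        path = f"/tmp/{alias}.pem"
        print(f"# write the block below to {path}, then run:")
        print(pem)
        print(" ".join(shlex.quote(a) for a in keytool_import(alias, path, keystore)))
    print("GRAYLOG_SERVER_JAVA_OPTS +=", graylog_jvm_opts(keystore))
```

Work on a copy of the JRE's cacerts rather than the original, as the linked documentation does, so a JRE update cannot silently drop your imports; the default password of that file is "changeit", which is why the placeholder uses it. For a Graylog-to-Graylog TLS input/output pair as in this thread, the store on the sending node must trust the certificate presented by the receiving node's input.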


[graylog2] Re: Spaces between characters!

2017-02-16 Thread Jochen Schalanda
Hi Tom,

this looks like an encoding problem (UTF-16 vs. UTF-8), 
see https://github.com/Graylog2/graylog2-server/issues/3130 for a related 
issue with a potential fix.

Cheers,
Jochen

On Thursday, 16 February 2017 16:19:33 UTC+1, Tom Collins wrote:
>
> Hi all - I was wondering if anyone could help.
> I've been using Graylog successful, in production for several months now.
>
> Today, I've run in to my first real problem.
>
> I'm sending in some FSLogix log files, from a Windows machine, using NXLog.
>
> They're getting to Graylog just fine, and at first they appear fine, 
> however when searching I noticed that I couldn't return any results against 
> content I knew was there. Even when searching against extracted fields.
> After clicking on search terms, I've noticed that all of the fields seem 
> to have (what looks like) spaces between each character. They look 
> perfectly normal until you try actually try to search etc.
>
> Here is what I'm talking about;
>
> Weirdly, if I copy the text from field terms (above), in to, say 
> notepad...there are no spaces.
>
> Does anyone have any idea what might be causing this?! It's been driving 
> me crazy all day.
> This is a sample of the log that is being fed via nxlog
>
>  ---
>>
>> [2017-02-08 02:05:59.779][pid:0f1c][tid:20fc]   = 
>>>   Begin: Unload profile: vannup  =
>>
>> [2017-02-08 02:05:59.779][pid:0f1c][tid:20fc] [INFO :0x]User: 
>>> vannup. SID: S-1-5-21-2000128468-286259493-1166484339-21833.
>>
>> [2017-02-08 02:05:59.779][pid:0f1c][tid:20fc] [INFO :0x]   
>>>  Configuration setting not found: ConcurrentUserSessions.  Using default: 0
>>
>> [2017-02-08 02:05:59.779][pid:0f1c][tid:20fc] [INFO :0x]No 
>>> teardown required
>>
>> [2017-02-08 02:05:59.779][pid:0f1c][tid:20fc] [INFO :0x]   
>>>  Configuration setting not found: ShutdownOnUserLogoff.  Using default: 0
>>
>> [2017-02-08 02:05:59.779][pid:0f1c][tid:20fc] [INFO :0x]   
>>>  Configuration setting not found: RebootOnUserLogoff.  Using default: 0
>>
>> [2017-02-08 02:05:59.779][pid:0f1c][tid:20fc] [INFO :0x]   
>>>  UnloadProfile successful.  User: vannup. SID: 
>>> S-1-5-21-2000128468-286259493-1166484339-21833.
>>
>> [2017-02-08 02:05:59.779][pid:0f1c][tid:20fc] [INFO :0x]   
>>>  unloadProfile time: 0 milliseconds
>>
>> [2017-02-08 02:05:59.779][pid:0f1c][tid:20fc]   = 
>>>   End: Unload profile: vannup  =
>>
>> [2017-02-08 08:17:56.911][pid:0f1c][tid:1b98]   = 
>>>   Begin: LoadProfile: USJOLNETPC14  =
>>
>> [2017-02-08 08:17:56.911][pid:0f1c][tid:1b98] [INFO :0x]   
>>>  Configuration Read (DWORD): SOFTWARE\FSLogix\Profiles\Enabled.  Data: 0
>>
>>
> Here's my nxlog config. I've tried with everything I can think off (GELF, 
> json etc etc) - this works with other plain-text files;
>
> # NXLog configuration as posted. The <Extension>/<Input>/<Output>/<Route>
> # block tags were lost in the mailing-list rendering and are restored here;
> # the name of the Extension block is an assumption.
> <Extension _syslog>
>     Module        xm_syslog
> </Extension>
>
> <Input in>
>     Module        im_file
>     File          'D:\\FSLogix\\FSLogix\\Logs\\Profile\\Profile-*.log'
>     SavePos       TRUE
>     ReadFromLast  TRUE
>     PollInterval  1
>     InputType     LineBased
>     Exec          $fullMessage = $raw_event;
> </Input>
>
> <Output out>
>     Module        om_udp
>     Host          10.50.8.114
>     Port          12204
>     Exec          to_syslog_bsd();
> </Output>
>
> <Route r>
>     Path          in => out
> </Route>
>
>
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/7c827257-4238-400b-8afa-428003be6504%40googlegroups.com.
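
The UTF-16 vs. UTF-8 mismatch Jochen points at, as an added example that is not part of this thread and not Graylog or NXLog code: a small decoder that recognises UTF-16 log bytes before they are shipped (by the byte-order mark, or by the NUL in every second byte that ASCII-heavy text produces in UTF-16) and a check that spots messages which already arrived mangled. The sample line is constructed from the FSLogix log above; the 80 %/20 % thresholds in the NUL heuristic are this example's own choice.

```python
"""Recognise UTF-16 log bytes before they are shipped, and spot messages that
already arrived as "spaced-out" text.

Added example, not part of the thread or of Graylog/NXLog. The sample line
is constructed from the FSLogix log in the post; the thresholds of the NUL
heuristic are this example's own choice.
"""

# Byte-order marks: the cheap, reliable signal when the writer emits one.
BOMS = ((b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be"),
        (b"\xef\xbb\xbf", "utf-8-sig"))


def sniff_encoding(raw, sample=512):
    """BOM if present; otherwise UTF-16 if nearly every second byte is NUL,
    which is what ASCII-heavy text looks like in UTF-16. Defaults to UTF-8."""
    for bom, name in BOMS:
        if raw.startswith(bom):
            return name
    head = raw[:sample]
    if len(head) >= 4:
        even, odd = head[0::2], head[1::2]
        if odd.count(0) > 0.8 * len(odd) and even.count(0) < 0.2 * len(even):
            return "utf-16-le"
        if even.count(0) > 0.8 * len(even) and odd.count(0) < 0.2 * len(odd):
            return "utf-16-be"
    return "utf-8"


def decode_log(raw):
    """Decode a log buffer with the sniffed encoding and drop a leading BOM
    (the plain utf-16-le/be codecs keep it as U+FEFF)."""
    return raw.decode(sniff_encoding(raw)).lstrip("\ufeff")


def looks_interleaved(text):
    """True for text that was UTF-16 but got decoded byte by byte upstream:
    it carries U+0000 between the characters (shown as what look like
    spaces in the post) or starts with a stray U+FEFF."""
    return "\x00" in text or text.startswith("\ufeff")


def repair_interleaved(text):
    """Undo a byte-by-byte (Latin-1 style) decode of UTF-16 bytes. Lossless
    only if the mis-decode kept every byte, which holds for ASCII logs."""
    return decode_log(text.encode("latin-1"))


if __name__ == "__main__":
    # Constructed sample: a Windows tool writing UTF-16LE with a BOM.
    line = "[2017-02-08 02:05:59.779][pid:0f1c][tid:20fc] [INFO :0x]No teardown required"
    raw = b"\xff\xfe" + line.encode("utf-16-le")
    print(sniff_encoding(raw), "->", decode_log(raw))
    mangled = line.encode("utf-16-le").decode("latin-1")   # what a naive reader sees
    print(looks_interleaved(mangled), repair_interleaved(mangled) == line)
```

Run this at the shipper side: Windows tooling often writes UTF-16LE with a BOM, and a line-based reader that assumes a single-byte encoding delivers exactly the interleaved text shown in the post, which also explains why searches fail (the indexed terms contain NULs, the copied text looks clean). NXLog's xm_charconv extension can do the conversion at the source; check its documentation for the directive your version uses. Messages that already arrived mangled need to be re-ingested.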


Re: [graylog2] Archive data in free version of graylog?

2017-02-16 Thread Jochen Schalanda
Hi Dan,

On Thursday, 16 February 2017 14:43:19 UTC+1, Dan Hoffmann wrote:
>
> Might there be an easy to read how to on this somewhere that you know 
> about?  A quick GIS turns up some info, but it's not easy to follow in my 
> current level of product knowledge.
>

See https://www.elastic.co/guide/en/elasticsearch/guide/current/backing-up-your-cluster.html.

Cheers,
Jochen

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/8bf5f162-0833-457e-90e4-8a3ad0bfb39e%40googlegroups.com.


Re: [graylog2] Archive data in free version of graylog?

2017-02-16 Thread Jochen Schalanda
Hi Dan,

On Thursday, 16 February 2017 13:53:08 UTC+1, Dan Hoffmann wrote:
>
> I saw that, but I'm not wanting to spend $6000 a year for that feature.  
> Was hoping there were more options.
>

You can still use the Elasticsearch snapshot functionality with all its 
drawbacks (like potentially being unable to restore old indices in new 
versions of Elasticsearch).

Cheers,
Jochen

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/c1cc6125-0360-4867-8df4-680795e4f38e%40googlegroups.com.


[graylog2] Re: Nodes with too long GC pauses

2017-02-16 Thread Jochen Schalanda
Hi Nitzan,

On Thursday, 16 February 2017 14:20:33 UTC+1, Nitzan Haimovich wrote:
>
> Where do I configure the threshold for this?
>

You can configure this with the gc_warning_threshold setting: 
https://github.com/Graylog2/graylog2-server/blob/2.2.0/misc/graylog.conf#L527-L529

But be aware that you're merely covering up the problem and not solving 
anything with increasing this threshold.

Cheers,
Jochen

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/f2d21cb2-19fe-4047-a3d3-8a4f0540%40googlegroups.com.


[graylog2] Re: Rest api for Logs

2017-02-16 Thread Jochen Schalanda
Hi Anant,

you can query the complete data set over the Graylog REST API, check the 
search-related resources in the Graylog API browser at 
http://127.0.0.1:9000/api/api-browser (URI might be different for your 
setup).

Cheers,
Jochen

On Thursday, 16 February 2017 10:34:04 UTC+1, Anant Sawant wrote:
>
> Hi Everyone,
>
> Does any body knows if there is any REST api for graylog to get the logs 
> based on time? For example api to get logs for last 30 days.
> If its not can we directly get the logs form elasticsearch by querying 
> elaticsearch.?
>
> Thanks in advance
>
> Anant.
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/a0d0adb1-99cd-4ccf-991d-96d1509b8ce6%40googlegroups.com.
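
The search resources Jochen refers to, as an added example that is not part of this thread and not Graylog's own code: a small client for the "universal" relative and absolute search calls that the API browser lists under "Search", answering Anant's "last 30 days" case and paging through the result set instead of asking for everything in one call. The host, the credentials and the two-page response used in the demo are placeholders; the parameter names follow the Graylog 2.x API, so check the API browser of your own version before relying on them.

```python
"""Pulling messages for a time range out of the Graylog 2.x REST API.

Added example, not part of the thread or of Graylog. The host, the
credentials and the fake response in the demo are placeholders; parameter
names follow the 2.x "universal" search resources as shown in the API
browser (/api/api-browser).
"""
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen


class GraylogSearch:
    def __init__(self, base_url, username, password):
        # Graylog 2.x also accepts an access token as the user name with the
        # literal password "token", which is preferable to a real password.
        self.base_url = base_url.rstrip("/")
        cred = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
        self.headers = {"Authorization": f"Basic {cred}",
                        "Accept": "application/json"}

    def relative_url(self, query, range_seconds, limit=150, offset=0,
                     fields=None, stream_id=None):
        """/api/search/universal/relative for the last `range_seconds`."""
        params = {"query": query, "range": int(range_seconds),
                  "limit": int(limit), "offset": int(offset)}
        if fields:
            params["fields"] = ",".join(fields)
        if stream_id:
            params["filter"] = f"streams:{stream_id}"   # restrict to one stream
        return f"{self.base_url}/api/search/universal/relative?{urlencode(params)}"

    def absolute_url(self, query, from_iso, to_iso, limit=150, offset=0):
        """/api/search/universal/absolute for an explicit ISO 8601 window."""
        params = {"query": query, "from": from_iso, "to": to_iso,
                  "limit": int(limit), "offset": int(offset)}
        return f"{self.base_url}/api/search/universal/absolute?{urlencode(params)}"

    def fetch(self, url):
        with urlopen(Request(url, headers=self.headers)) as resp:
            return json.load(resp)

    def iter_messages(self, query, range_seconds, page=150, fetch=None):
        """Yield every message dict for `query` in the window, one page at a
        time. `fetch` can be swapped for a stub (as in the demo below)."""
        fetch = fetch or self.fetch
        offset = 0
        while True:
            data = fetch(self.relative_url(query, range_seconds,
                                           limit=page, offset=offset))
            hits = messages_from_response(data)
            yield from hits
            offset += len(hits)
            if not hits or offset >= total_results(data):
                return


def messages_from_response(data):
    """Unwrap the {"message": {...}, "index": "..."} entries of a response."""
    return [hit["message"] for hit in data.get("messages", [])]


def total_results(data):
    return int(data.get("total_results", 0))


if __name__ == "__main__":
    gl = GraylogSearch("http://127.0.0.1:9000", "admin", "secret")   # placeholders
    print(gl.relative_url("source:web01 AND level:<=3", 30 * 24 * 3600,
                          fields=["timestamp", "source", "message"]))
    # Constructed two-page response so the demo runs offline.
    pages = {0: {"messages": [{"message": {"_id": "m1"}, "index": "graylog_0"},
                              {"message": {"_id": "m2"}, "index": "graylog_0"}],
                 "total_results": 3},
             2: {"messages": [{"message": {"_id": "m3"}, "index": "graylog_0"}],
                 "total_results": 3}}
    stub = lambda url: pages[int(url.split("offset=")[1].split("&")[0])]
    print([m["_id"] for m in gl.iter_messages("*", 60, page=2, fetch=stub)])
```

Use an access token rather than a password for anything scripted, and narrow the query and the field list on the server side: a 30-day pull of "*" with all fields is a denial of service against your own Elasticsearch cluster. Querying Elasticsearch directly, as Anant also asks, bypasses Graylog's stream permissions entirely, so prefer the Graylog API for anything that is not a one-off admin task.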


[graylog2] Re: How to upgrade Graylog 2.1 > 2.2 ?

2017-02-16 Thread Jochen Schalanda
Hi,

On Thursday, 16 February 2017 10:34:07 UTC+1, jtkarvo wrote:
>
> Is is possible to do a rolling upgrade to a graylog cluster (from 2.1 to 
> 2.2)?  If so, should I upgrade master first or non-master nodes first?
>

Due to some changes in the index management it's not possible to do a 
rolling upgrade from Graylog 2.x to Graylog 2.2.0.

You should upgrade and start the master node first, then upgrade and start 
the secondary nodes.

Cheers,
Jochen

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/0ce56a86-0ca6-40fd-93e1-026480855dae%40googlegroups.com.


[graylog2] Re: how to resolve issue with indexer

2017-02-16 Thread Jochen Schalanda
Hi Jiří,

the "level" message field has to be a numeric value, i.e. the numeric 
severity level of syslog messages: https://en.wikipedia.org/wiki/Syslog#Severity_level

You can use message processor pipeline rules to change that in 
Graylog: http://docs.graylog.org/en/2.2/pages/pipelines.html

Although in your specific case, I'd recommend converting the "level" field 
in Logstash.

Cheers,
Jochen


On Thursday, 16 February 2017 09:12:00 UTC+1, Jiří Kolb wrote:
>
> Hello,
> I have following architecture Logstash -> RabbitMQ ->Graylog
>
> I have issue in indexer with parsing:
> 17 minutes ago graylog_0 d58fe350-f41b-11e6-8407-000c29438b97 
> MapperParsingException[failed to parse [level]]; nested: 
> NumberFormatException[For input string: "information"]
>
> In logstash debug I can see message like this:
>
> {
>  "devid" => "FGVMEV00",
>"raw_message" => "date=2017-02-16 time=00:55:46 
> devname=FortiGate-VM64 devid=FGVMEV00 logid=0100040704 type=event 
> subtype=system level=notice vd=root logdesc=\"System performance 
> statistics\" action=\"perf-stats\" cpu=0 mem=47 totalsession=3 disk=0 
> bandwidth=0/0 setuprate=0 disklograte=0 fazlograte=0 msg=\"Performance 
> statistics: average CPU: 0, memory:  47, concurrent sessions:  3, 
> setup-rate: 0\"",
> "fazlograte" => "0",
>   "type" => "fortigate",
>"mem" => "47",
> "syslog5424_pri" => "189",
>   "@version" => "1",
>   "host" => "10.0.0.90",
> "action" => "perf-stats",
>"disklograte" => "0",
>  "device_id" => "FortiGate-VM64",
>  "level" => "notice",
>  "bandwidth" => "0/0",
>"cpu" => "0",
>  "<189>date" => "2017-02-16",
>"message" => "<189>date=2017-02-16 time=00:55:46 
> devname=FortiGate-VM64 devid=FGVMEV00 logid=0100040704 type=event 
> subtype=system level=notice vd=root logdesc=\"System performance 
> statistics\" action=\"perf-stats\" cpu=0 mem=47 totalsession=3 disk=0 
> bandwidth=0/0 setuprate=0 disklograte=0 fazlograte=0 msg=\"Performance 
> statistics: average CPU: 0, memory:  47, concurrent sessions:  3, 
> setup-rate: 0\"",
> "vd" => "root",
>"logdesc" => "System performance statistics",
>   "disk" => "0",
> "@timestamp" => 2017-02-16T07:55:39.383Z,
>  "setuprate" => "0",
>  "logid" => "0100040704",
>   "time" => "00:55:46",
>   "totalsession" => "3"
> }
>
>
>
> Can you please help? I do not understand why level is not parsed it is 
> string like others that are parsed correctly. 
>
> Thank you!
>
> Jiri
>
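To make the mismatch concrete, here is an added example (not code from the thread or from Graylog/Logstash) that does in Python what Jochen suggests doing in Logstash or a pipeline rule: it parses a FortiGate key=value line like the one above, maps the textual severity to the numeric syslog level, and moves values it cannot map (such as "information", which is not one of the RFC 5424 keywords) into a separate string field so the numeric "level" mapping in Elasticsearch is never fed a string. The sample line is constructed from the raw_message in the post; the field names level_name and normalize_level are the example's own choices.

```python
import re
from typing import Dict, Optional

# Numeric syslog severities (RFC 5424). FortiGate's "information" is not a
# standard keyword, so it is listed as an alias of "info".
SYSLOG_SEVERITY: Dict[str, int] = {
    "emergency": 0, "emerg": 0, "panic": 0,
    "alert": 1,
    "critical": 2, "crit": 2,
    "error": 3, "err": 3,
    "warning": 4, "warn": 4,
    "notice": 5,
    "informational": 6, "information": 6, "info": 6,
    "debug": 7,
}

# key=value pairs; values are either a double-quoted string (with \" escapes)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample, taken from the raw_message shown in the post.
SAMPLE_LINE = (
    '<189>date=2017-02-16 time=00:55:46 devname=FortiGate-VM64 devid=FGVMEV00 '
    'logid=0100040704 type=event subtype=system level=notice vd=root '
    'logdesc="System performance statistics" action="perf-stats" cpu=0 mem=47 '
    'totalsession=3 disk=0 bandwidth=0/0 setuprate=0 disklograte=0 fazlograte=0 '
    'msg="Performance statistics: average CPU: 0, memory:  47, concurrent sessions:  3, '
    'setup-rate: 0"'
)


def severity_to_level(value: str) -> Optional[int]:
    """Map a severity name (or an already numeric string) to 0..7; None if unknown."""
    v = value.strip().lower()
    if v.isdigit() and 0 <= int(v) <= 7:
        return int(v)
    return SYSLOG_SEVERITY.get(v)


def parse_fortigate(raw: str) -> Dict[str, str]:
    """Parse a FortiGate key=value line into a dict, dropping an optional <PRI> prefix."""
    if raw.startswith("<") and ">" in raw:
        raw = raw[raw.index(">") + 1:]
    fields: Dict[str, str] = {}
    for key, val in KV_RE.findall(raw):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')
        fields[key] = val
    return fields


def normalize_level(fields: Dict[str, str]) -> Dict[str, object]:
    """Return a copy where 'level' is the numeric syslog severity.

    The original name is kept in 'level_name' (hypothetical field name); if the
    name is unknown, 'level' is removed entirely rather than indexed as a string.
    """
    out: Dict[str, object] = dict(fields)
    if "level" in out:
        name = str(out.pop("level"))
        out["level_name"] = name
        num = severity_to_level(name)
        if num is not None:
            out["level"] = num
    return out


if __name__ == "__main__":
    print(normalize_level(parse_fortigate(SAMPLE_LINE)))
```

The same mapping expressed as a Logstash translate/mutate filter or a Graylog pipeline rule is the production fix; the Python version is only there to show which values convert cleanly and which ones (like "information") need an explicit alias.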



[graylog2] Re: SSL JVM

2017-02-15 Thread Jochen Schalanda
Hi,

as long as you don't add your self-signed certificate to the trusted 
certificates of your web browsers as well, that "insecure" notification 
will remain.

Please consult the documentation of your web browser for this.

Cheers,
Jochen


On Wednesday, 15 February 2017 17:04:02 UTC+1, CTuser wrote:
>
> Hi Jochen,
>
> I've written it as follows:
>
> GRAYLOG_SERVER_JAVA_OPTS=" -Xms1g -Xmx1g -XX:NewRatio=1 -server 
> -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled 
> -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC 
> -XX:-OmitStackTraceInFastThrow 
> -Djavax.net.ssl.trustStore=/etc/graylog/cacerts.jks"
>
> I restarted the machine and it doesn't work.
> I still see the "connection is not secure" message.
>



[graylog2] Re: SSL JVM

2017-02-15 Thread Jochen Schalanda
Hi,

you can add JVM settings to the GRAYLOG_SERVER_JAVA_OPTS variable.

Cheers,
Jochen

On Wednesday, 15 February 2017 13:03:45 UTC+1, CTuser wrote:
>
> Hi Jochen,
>
> here is the output of the JVM settings (/etc/sysconfig/graylog-server):
> 
> # Path to the java executable.
> JAVA=/usr/bin/java
>
> # Default Java options for heap and garbage collection.
> GRAYLOG_SERVER_JAVA_OPTS=" -Xms1g -Xmx1g -XX:NewRatio=1 -server 
> -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled 
> -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC 
> -XX:-OmitStackTraceInFastThrow"
>
>
> # Pass some extra args to graylog-server. (i.e. "-d" to enable debug mode)
> GRAYLOG_SERVER_ARGS=""
>
> # Program that will be used to wrap the graylog-server command. Useful to
> # support programs like authbind.
> GRAYLOG_COMMAND_WRAPPER=""
>
> 
>
> Where should I locate the following line?
> -Djavax.net.ssl.trustStore=/etc/graylog/cacerts.jks
>
>
>



[graylog2] Re: Assistance with Pipeline Processor Function Plugin

2017-02-15 Thread Jochen Schalanda
Hi Bill,

just for the fun of it, try using a unique ID and a plugin file name that 
lexicographically comes *after* the Graylog Pipeline Processor Plugin.

Cheers,
Jochen

On Wednesday, 15 February 2017 12:04:41 UTC+1, Bill Murrin wrote:
>
> I am looking for assistance with a plugin I am trying to create for a 
> pipeline processor function.
>
> I followed along with the tutorial (
> https://www.graylog.org/blog/71-writing-your-own-graylog-processing-pipeline-functions
> ) and also looked at source code for other pipeline processor functions. 
> I cannot for the life of me figure out what is causing it to error out. I'm 
> trying to get to a point where I can output debug code when I test the 
> function out.
>
> Everything appears to compile fine when I mvn package the code. 
>
> My graylog-plugin.properties file lists isolated=false. I'm testing 
> the plugin using the 2.1.3 ova file.
>
> Path to the project on my GitHub page:
> https://github.com/billmurrin/graylog-plugin-slookup-function
>
> When I add it as a plugin and restart graylog I get the following error:
>
> 2017-02-15_10:58:04.98543 2017-02-15 10:58:04,984 INFO : 
> org.graylog2.bootstrap.CmdLineTool - Loaded plugin: Stream Lookup (SLookup) 
> pipeline function 1.0.0 [StreamLookupFunction]
> 2017-02-15_10:58:04.98566 2017-02-15 10:58:04,985 INFO : 
> org.graylog2.bootstrap.CmdLineTool - Loaded plugin: Elastic Beats Input 
> 1.1.5 [org.graylog.plugins.beats.BeatsInputPlugin]
> 2017-02-15_10:58:04.98619 2017-02-15 10:58:04,985 INFO : 
> org.graylog2.bootstrap.CmdLineTool - Loaded plugin: Collector 1.1.3 
> [org.graylog.plugins.collector.CollectorPlugin]
> 2017-02-15_10:58:04.98712 2017-02-15 10:58:04,986 INFO : 
> org.graylog2.bootstrap.CmdLineTool - Loaded plugin: Enterprise Integration 
> Plugin 1.1.3 
> [org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin]
> 2017-02-15_10:58:04.98821 2017-02-15 10:58:04,986 INFO : 
> org.graylog2.bootstrap.CmdLineTool - Loaded plugin: MapWidgetPlugin 1.1.3 
> [org.graylog.plugins.map.MapWidgetPlugin]
> 2017-02-15_10:58:04.98892 2017-02-15 10:58:04,986 INFO : 
> org.graylog2.bootstrap.CmdLineTool - Loaded plugin: Pipeline Processor 
> Plugin 1.1.3 [org.graylog.plugins.pipelineprocessor.ProcessorPlugin]
> 2017-02-15_10:58:04.98939 2017-02-15 10:58:04,987 INFO : 
> org.graylog2.bootstrap.CmdLineTool - Loaded plugin: QuickValuesPlusWidget 
> 1.0.0 [org.graylog.plugins.quickvaluesplus.QuickValuesPlusWidgetPlugin]
> 2017-02-15_10:58:04.99000 2017-02-15 10:58:04,987 INFO : 
> org.graylog2.bootstrap.CmdLineTool - Loaded plugin: Anonymous Usage 
> Statistics 2.1.3 [org.graylog.plugins.usagestatistics.UsageStatsPlugin]
>
>
> 2017-02-15_10:58:05.23546 2017-02-15 10:58:05,234 INFO : 
> org.hibernate.validator.internal.util.Version - HV01: Hibernate 
> Validator 5.2.4.Final
> 2017-02-15_10:58:05.77808 Exception in thread "main" 
> java.lang.NoClassDefFoundError: 
> org/graylog/plugins/pipelineprocessor/ast/functions/AbstractFunction
> 2017-02-15_10:58:05.77839   at 
> java.lang.ClassLoader.defineClass1(Native Method)
> 2017-02-15_10:58:05.77926   at 
> java.lang.ClassLoader.defineClass(ClassLoader.java:763)
> 2017-02-15_10:58:05.77946   at 
> java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
> 2017-02-15_10:58:05.78004   at 
> java.net.URLClassLoader.defineClass(URLClassLoader.java:467)
> 2017-02-15_10:58:05.78028   at 
> java.net.URLClassLoader.access$100(URLClassLoader.java:73)
> 2017-02-15_10:58:05.78089   at 
> java.net.URLClassLoader$1.run(URLClassLoader.java:368)
> 2017-02-15_10:58:05.78137   at 
> java.net.URLClassLoader$1.run(URLClassLoader.java:362)
> 2017-02-15_10:58:05.78227   at 
> java.security.AccessController.doPrivileged(Native Method)
> 2017-02-15_10:58:05.78292   at 
> java.net.URLClassLoader.findClass(URLClassLoader.java:361)
> 2017-02-15_10:58:05.78330   at 
> java.lang.ClassLoader.loadClass(ClassLoader.java:424)
> 2017-02-15_10:58:05.78413   at 
> java.net.FactoryURLClassLoader.loadClass(URLClassLoader.java:814)
> 2017-02-15_10:58:05.78430   at 
> java.lang.ClassLoader.loadClass(ClassLoader.java:357)
> 2017-02-15_10:58:05.78594   at 
> org.graylog.plugins.slookup.StreamLookupFunctionModule.configure(StreamLookupFunctionModule.java:22)
> 2017-02-15_10:58:05.78612   at 
> com.google.inject.AbstractModule.configure(AbstractModule.java:62)
> 2017-02-15_10:58:05.78668   at 
> com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
> 2017-02-15_10:58:05.78701   at 
> org.graylog2.shared.bindings.PluginBindings.configure(PluginBindings.java:51)
> 2017-02-15_10:58:05.78802   at 
> com.google.inject.AbstractModule.configure(AbstractModule.java:62)
> 2017-02-15_10:58:05.78833   at 
> com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
> 2017-02-15_10:58:05.78885   at 
> com.google.inject.spi.Elements.getElements(Elements.java:110)
> 

[graylog2] Re: SSL JVM

2017-02-15 Thread Jochen Schalanda
Hi,

please refer 
to http://docs.graylog.org/en/2.2/pages/configuration/file_location.html 
for the specific location of the file for the JVM settings.

Cheers,
Jochen

On Wednesday, 15 February 2017 11:15:01 UTC+1, CTuser wrote:
>
> Hi Jochen,
>
> I already followed the "Adding a self-signed certificate to the JVM trust 
> store" section.
> I also verified that the self-signed certificate has been added 
> successfully to the key store.
> I don't know how to cause the JVM to pick up the new trust store.
> According to the guide it has to be started with the JVM parameter 
> -Djavax.net.ssl.trustStore=/path/to/cacerts.jks  
> //it tells me nothing
>
> Please assist. 
>
>



[graylog2] Re: Incorrect Graylog Cluster details

2017-02-15 Thread Jochen Schalanda
Hi Paweł,

please describe exactly what you did and which error messages you've seen. 
Additionally describe the current situation, the configuration of all 
Graylog nodes, and what problem you're trying to solve right now.

Cheers,
Jochen

On Wednesday, 15 February 2017 00:34:59 UTC+1, Paweł Karoluk wrote:
>
> Hi Jochen, you're right, but there is another problem.
> I have tried to enable rest_transport_uri with the "public IP" but it couldn't 
> bind to the interface with port 9000 or 12900. I have SELinux and iptables 
> disabled so that's not the problem, maybe something else.
>
> # netstat -tlpn | grep java
> tcp0  0 :::127.0.0.1:9000  :::*   
>   LISTEN  62396/java  
> tcp0  0 :::10.0.0.1:9200:::* 
> LISTEN  62396/java  
> tcp0  0 :::10.0.0.1:9300:::* 
> LISTEN  62396/java 
>
>
> My current config:
>
> rest_listen_uri = http://127.0.0.1:9000/api/
> rest_transport_uri = http://10.0.0.1:9000/api/
>
> web_listen_uri = http://127.0.0.1:9000/
> web_endpoint_uri = https://graylog1.local/api/
>
> HAproxy config:
> https://graylog1.local/ -> 127.0.0.1:9000
>
> I will appreciate any help
>
> Cheers!
>
>
> Hi, I have a two node Graylog Cluster and as you can see there is something wrong 
>> with the cluster config:
>>
>>
>> *GET /api/system/cluster/nodes*
>>
>> {
>> nodes: [
>> {
>> cluster_id: "6701202c-a9fe-42d2-8d5a-015acf66fbfa",
>> node_id: "5f596ebf-a988-4c08-858e-67d38a3e483b",
>> type: "server",
>> transport_address: "http://127.0.0.1:9000/api/",
>> last_seen: "2017-02-10T00:45:30.000Z",
>> short_node_id: "5f596ebf",
>> hostname: "analog1.local",
>> is_master: true
>> },
>> {
>> cluster_id: "6701202c-a9fe-42d2-8d5a-015acf66fbfa",
>> node_id: "8be9e293-f60b-40c6-a0e6-8af6d617eb1a",
>> type: "server",
>> transport_address: "http://127.0.0.1:9000/api/",
>> last_seen: "2017-02-10T00:45:30.000Z",
>> short_node_id: "8be9e293",
>> hostname: "analog2.local",
>> is_master: false
>> }
>> ],
>> total: 2
>> }
>>
>>
>> *GET /api/cluster*
>>
>> {
>> 5f596ebf-a988-4c08-858e-67d38a3e483b: {
>> facility: "graylog-server",
>> codename: "Smuttynose",
>> node_id: "5f596ebf-a988-4c08-858e-67d38a3e483b",
>> cluster_id: "6701202c-a9fe-42d2-8d5a-015acf66fbfa",
>> version: "2.1.3+040d371",
>> started_at: "2017-02-10T00:27:13.101Z",
>> hostname: "analog1.local",
>> lifecycle: "running",
>> lb_status: "alive",
>> timezone: "Europe/Warsaw",
>> operating_system: "Linux 2.6.32-642.13.1.el6.x86_64",
>> is_processing: true
>> },
>> 8be9e293-f60b-40c6-a0e6-8af6d617eb1a: {
>> facility: "graylog-server",
>> codename: "Smuttynose",
>> node_id: "5f596ebf-a988-4c08-858e-67d38a3e483b",
>> cluster_id: "6701202c-a9fe-42d2-8d5a-015acf66fbfa",
>> version: "2.1.3+040d371",
>> started_at: "2017-02-10T00:27:13.101Z",
>> hostname: "analog1.local",
>> lifecycle: "running",
>> lb_status: "alive",
>> timezone: "Europe/Warsaw",
>> operating_system: "Linux 2.6.32-642.13.1.el6.x86_64",
>> is_processing: true
>> }
>> }
>>
>>
>> In /api/cluster I was supposed to get two different node_id and hostname values, but 
>> the hostnames are the same. As a result, when I check 
>> /system/nodes I get dubbed stats of only one host. The real HeapSize of 
>> analog2 is only 2GB (img: analog2-system-nodes), not 4GB as on analog1, the master node 
>> (img: analog1-system-nodes).
>>
>>
>> MongoDB and ES Cluster are external and shared for both hosts.
>>
>>
>> Thanks Guys
>>
>>
>> Pawel
>>
>



[graylog2] Re: SSL JVM

2017-02-15 Thread Jochen Schalanda
Hi,

the necessary steps are described in the documentation at 
http://docs.graylog.org/en/2.2/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store

Cheers,
Jochen

On Wednesday, 15 February 2017 09:14:03 UTC+1, CTuser wrote:
>
> Hi,
>
> I created self-signed certificate and currently the connection via https 
> is not secure because I didn't do the JVM step.
>
> Please explain what should I do in the following step:
>
> " In order for the JVM to pick up the new trust store, it has to be 
> started with the JVM parameter 
> -Djavax.net.ssl.trustStore=/path/to/cacerts.jks. If you’ve been using 
> another password to encrypt the JVM trust store than the default changeit, 
> you additionally have to set the JVM parameter 
> -Djavax.net.ssl.trustStorePassword=secret.
>
> Most start and init scripts for Graylog provide a JAVA_OPTS variable 
> which can be used to pass the javax.net.ssl.trustStore and (optionally) 
> javax.net.ssl.trustStorePassword system properties.  "
>
>
> Graylog version: 2.1.2
>
> OS: CentOS 7
>
>
> Thanks.
>



[graylog2] Re: How to upgrade Graylog 2.1 > 2.2 ?

2017-02-15 Thread Jochen Schalanda
Hi,

you can find upgrade instructions in the documentation, depending on how 
you've installed Graylog in the first place.

http://docs.graylog.org/en/2.2/pages/configuration/graylog_ctl.html#upgrade-graylog
http://docs.graylog.org/en/2.2/pages/installation/operating_system_packages.html#deb-apt
http://docs.graylog.org/en/2.2/pages/installation/operating_system_packages.html#rpm-yum-dnf

Cheers,
Jochen


On Tuesday, 14 February 2017 23:26:13 UTC+1, dhe...@gmail.com wrote:
>
> I looked here  http://docs.graylog.org/en/2.2/pages/upgrade.html  and 
> don't see any directions for upgrading Graylog 2.1  to 2.2. A Stackoverflow 
> post[1] mentions backing up /etc/gralog2.conf and simply untarring the new 
> graylog. Is this the correct upgrade path?  I've already posted this 
> question by accident to the SELKS group so I have ruled out that I've 
> likely missed something completely obvious. 
>
> Thanks
>
>  [1] 
> http://stackoverflow.com/questions/25438095/how-can-i-upgrade-graylog2-to-a-newer-version
>



[graylog2] Re: [ANN] Graylog 2.2.0 has been released

2017-02-15 Thread Jochen Schalanda
Hi Anas,

On Wednesday, 15 February 2017 09:33:50 UTC+1, Benbrahim Anass wrote:
>
> Congratulations on the new release, is there anything new about custom 
> dashboards ?
>

Please refer to the release notes for detailed information: 
https://www.graylog.org/blog/88-announcing-graylog-v2-2-0

Cheers,
Jochen



[graylog2] [ANN] Graylog 2.2.0 has been released

2017-02-14 Thread Jochen Schalanda
Hi everyone,

I'm proud to announce the GA release of Graylog 2.2.0!

We've put a lot of work into this release to bring you interesting features 
like improved retention and rotation (index sets) and enhanced alerting.

You can find the release notes for Graylog 2.2.0 at:

https://www.graylog.org/blog/88-announcing-graylog-v2-2-0


If you have any questions about the new release of Graylog, don't hesitate 
to get into one of our community support 
channels: https://www.graylog.org/community-support

And of course we're also offering professional support services for the 
latest and greatest version of 
Graylog: https://www.graylog.org/professional-support


Previous release notes:

   - https://www.graylog.org/blog/77-announcing-graylog-2-2-0-beta-2
   - https://www.graylog.org/blog/78-announcing-graylog-v2-2-0-beta-3
   - https://www.graylog.org/blog/79-announcing-graylog-v2-2-0-beta-4
   - https://www.graylog.org/blog/80-announcing-graylog-v2-2-0-beta-5
   - https://www.graylog.org/blog/81-announcing-graylog-v2-2-0-beta-6
   - https://www.graylog.org/blog/85-announcing-graylog-v2-2-0-rc-1
   

Cheers,
Jochen (in the name of the Graylog team)



[graylog2] Re: Remove field using extractors

2017-02-14 Thread Jochen Schalanda
Hi Rui,

On Tuesday, 14 February 2017 13:15:13 UTC+1, Rui Goncalves wrote:
>
> Why is it not possible to remove a field from the received message using 
> extractors?
>

This was a deliberate decision at the time to prevent people from wondering 
why some field didn't exist anymore due to stacked or complicated 
extractors.
 

> However it's in an experimental phase (with potential stability and 
> performance issues) and it seems overkill for doing something so simple as 
> dropping a field.
>

The message processing pipelines aren't experimental anymore in Graylog 
2.2.0.

Cheers,
Jochen



[graylog2] Re: Logging of Graylog-Server to Syslog

2017-02-13 Thread Jochen Schalanda
Hi Frank,

thanks for the update!

Cheers,
Jochen 



[graylog2] Re: Incorrect Graylog Cluster details

2017-02-13 Thread Jochen Schalanda
Hi Paweł,

as a matter of fact, everything is correct, except for your configuration.

The transport_address attribute in the output of GET 
/api/system/cluster/nodes shows that both nodes are using 
http://127.0.0.1:9000/api/ as their transport address.
This address can be configured with the rest_transport_uri setting 
and has to be the public URI of the Graylog REST API of each Graylog node. 
It's being used by every Graylog node to communicate with other Graylog 
nodes.

tl;dr: Set rest_transport_uri on each Graylog node to a URI which can be 
accessed by all the other Graylog nodes.

Cheers,
Jochen

On Monday, 13 February 2017 19:51:02 UTC+1, Paweł Karoluk wrote:
>
> Hi, I have a two node Graylog Cluster and as you can see there is something wrong 
> with the cluster config:
>
>
> *GET /api/system/cluster/nodes*
>
> {
> nodes: [
> {
> cluster_id: "6701202c-a9fe-42d2-8d5a-015acf66fbfa",
> node_id: "5f596ebf-a988-4c08-858e-67d38a3e483b",
> type: "server",
> transport_address: "http://127.0.0.1:9000/api/",
> last_seen: "2017-02-10T00:45:30.000Z",
> short_node_id: "5f596ebf",
> hostname: "analog1.local",
> is_master: true
> },
> {
> cluster_id: "6701202c-a9fe-42d2-8d5a-015acf66fbfa",
> node_id: "8be9e293-f60b-40c6-a0e6-8af6d617eb1a",
> type: "server",
> transport_address: "http://127.0.0.1:9000/api/",
> last_seen: "2017-02-10T00:45:30.000Z",
> short_node_id: "8be9e293",
> hostname: "analog2.local",
> is_master: false
> }
> ],
> total: 2
> }
>
>
> *GET /api/cluster*
>
> {
> 5f596ebf-a988-4c08-858e-67d38a3e483b: {
> facility: "graylog-server",
> codename: "Smuttynose",
> node_id: "5f596ebf-a988-4c08-858e-67d38a3e483b",
> cluster_id: "6701202c-a9fe-42d2-8d5a-015acf66fbfa",
> version: "2.1.3+040d371",
> started_at: "2017-02-10T00:27:13.101Z",
> hostname: "analog1.local",
> lifecycle: "running",
> lb_status: "alive",
> timezone: "Europe/Warsaw",
> operating_system: "Linux 2.6.32-642.13.1.el6.x86_64",
> is_processing: true
> },
> 8be9e293-f60b-40c6-a0e6-8af6d617eb1a: {
> facility: "graylog-server",
> codename: "Smuttynose",
> node_id: "5f596ebf-a988-4c08-858e-67d38a3e483b",
> cluster_id: "6701202c-a9fe-42d2-8d5a-015acf66fbfa",
> version: "2.1.3+040d371",
> started_at: "2017-02-10T00:27:13.101Z",
> hostname: "analog1.local",
> lifecycle: "running",
> lb_status: "alive",
> timezone: "Europe/Warsaw",
> operating_system: "Linux 2.6.32-642.13.1.el6.x86_64",
> is_processing: true
> }
> }
>
>
> In /api/cluster I was supposed to get two different node_id and hostname values, but 
> the hostnames are the same. As a result, when I check 
> /system/nodes I get dubbed stats of only one host. The real HeapSize of 
> analog2 is only 2GB (img: analog2-system-nodes), not 4GB as on analog1, the master node 
> (img: analog1-system-nodes).
>
>
> MongoDB and ES Cluster are external and shared for both hosts.
>
>
> Thanks Guys
>
>
> Pawel
>
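The two symptoms in this thread (both nodes advertising http://127.0.0.1:9000/api/ in GET /api/system/cluster/nodes, and, in the follow-up, a node that binds rest_listen_uri to 127.0.0.1 while advertising 10.0.0.1 in rest_transport_uri) can be caught before the cluster view gets confusing. The following is an added example in Python, not Graylog code and not from the thread: it checks the cluster node list for loopback or shared transport addresses, and checks one node's pair of settings for a transport host the node does not actually listen on. The sample node list is constructed from the API output quoted above; check_transport_addresses and check_node_config are the example's own names, and the per-node check assumes no reverse proxy sits between the nodes' REST APIs.

```python
from ipaddress import ip_address
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample: the two nodes from the GET /api/system/cluster/nodes
# output in the thread, reduced to the attributes this check needs.
CLUSTER_NODES = [
    {"node_id": "5f596ebf-a988-4c08-858e-67d38a3e483b", "hostname": "analog1.local",
     "transport_address": "http://127.0.0.1:9000/api/", "is_master": True},
    {"node_id": "8be9e293-f60b-40c6-a0e6-8af6d617eb1a", "hostname": "analog2.local",
     "transport_address": "http://127.0.0.1:9000/api/", "is_master": False},
]


def is_loopback_host(host: str) -> bool:
    """True for hosts that only ever resolve to the node itself (localhost, 127/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name other than localhost; assume it is routable


def check_transport_addresses(nodes: List[dict]) -> List[str]:
    """One finding per node whose advertised transport address cannot serve the
    other cluster members: a loopback host, or an address another node already uses."""
    findings: List[str] = []
    seen: Dict[str, str] = {}
    for node in nodes:
        addr = node["transport_address"]
        host = urlsplit(addr).hostname or ""
        if is_loopback_host(host):
            findings.append(f"{node['hostname']}: transport address {addr} is loopback, "
                            "so every other node would contact itself instead")
        if addr in seen:
            findings.append(f"{node['hostname']}: transport address {addr} is also "
                            f"advertised by {seen[addr]}; the nodes cannot be told apart")
        else:
            seen[addr] = node["hostname"]
    return findings


def check_node_config(rest_listen_uri: str, rest_transport_uri: str) -> List[str]:
    """Sanity check of one node's settings. Assumes no reverse proxy in front of
    the REST API, so the transport host must be one the node actually binds."""
    listen_host = urlsplit(rest_listen_uri).hostname or ""
    transport_host = urlsplit(rest_transport_uri).hostname or ""
    findings: List[str] = []
    if is_loopback_host(transport_host):
        findings.append(f"rest_transport_uri {rest_transport_uri} is loopback; "
                        "other nodes cannot reach it")
    wildcard = False
    try:
        wildcard = ip_address(listen_host).is_unspecified  # 0.0.0.0 or ::
    except ValueError:
        pass
    if not wildcard and listen_host != transport_host:
        findings.append(f"rest_listen_uri binds {listen_host} only, so the advertised "
                        f"host {transport_host} is not served on this node")
    return findings


if __name__ == "__main__":
    for line in check_transport_addresses(CLUSTER_NODES):
        print("cluster:", line)
    for line in check_node_config("http://127.0.0.1:9000/api/", "http://10.0.0.1:9000/api/"):
        print("node:", line)
```

Running it against the quoted node list reports both nodes as loopback and the second as colliding with the first; the node check reproduces the follow-up situation where the listen and transport hosts disagree without a wildcard bind.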



[graylog2] Re: HELP-ME Duplicate messages

2017-02-13 Thread Jochen Schalanda
Hi Anderson,

On Monday, 13 February 2017 14:25:29 UTC+1, Anderson Gabriel wrote:
>
> Hello, the timestamp is the same. But the ID is different
>

This means that these identical messages have been sent to Graylog multiple 
times and that Graylog doesn't duplicate them.

Are you sure that Logstash is running only once on your system? Are you 
sure that your Logstash configuration doesn't duplicate the messages?

Cheers,
Jochen



[graylog2] Re: fresh install of graylog 2.1.2 -> can't get it running

2017-02-13 Thread Jochen Schalanda
Hi Denny,

it looks like the elasticsearch_discovery_zen_ping_unicast_hosts setting is 
wrong. Please refer to 
http://docs.graylog.org/en/2.2/pages/configuration/elasticsearch.html#network-setup 
for details.

Cheers,
Jochen

On Monday, 13 February 2017 10:23:18 UTC+1, Denny Gebel wrote:
>
> Hi Grayloggers,
>
> I have a working 1.3.4 multi-server setup which needs to be upgraded.
>
> I've installed a new test environment with graylog 2.1.2 on CentOS 7 (no 
> firewall enabled, selinux off):
>
> 3 VMs with Graylog (2.1.2) and MongoDB (2.6.12) + 3 VMs ES (2.4.4).
> ES-Cluster is running fine, as well as the MongoDB-Replicaset.
>
> Configuration of Graylog is done via Graylog-Puppet-Module.
>
> The generated config file looks like this:
> # WARNING: Maintained by Puppet, manual changes will be lost!
>
> allow_highlighting = true
> allow_leading_wildcard_searches = true
> content_packs_dir = /usr/share/graylog-server/contentpacks
> elasticsearch_cluster_name = graylogcluster
> elasticsearch_discovery_zen_ping_unicast_hosts = 
> ["graylog-elasticsearch01.my.domain:9300", 
> "graylog-elasticsearch02.my.domain:9300", 
> "graylog-elasticsearch03.my.domain:9300"]
> elasticsearch_index_prefix = graylog
> elasticsearch_max_number_of_indices = 30
> elasticsearch_max_time_per_index = 1d
> elasticsearch_replicas = 1
> elasticsearch_shards = 4
> is_master = true
> message_journal_dir = /var/lib/graylog-server/journal
> mongodb_uri = 
> mongodb://graylog:secretp...@graylog01.my.domain:27017,graylog02.my.domain:27017,graylog03.my.domain:27017/graylog
> node_id_file = /etc/graylog/server/node-id
> password_secret = supersecretpass
> plugin_dir = /usr/share/graylog-server/plugin
> rest_listen_uri = http://172.16.0.93:9000/api/
> rest_transport_uri = http://172.16.0.93:9000/api/
> retention_strategy = delete
> root_password_sha2 = supersecretrootpass
> root_timezone = Europe/Berlin
> root_username = admin
> rotation_strategy = time
> web_enable = true
> web_listen_uri = http://172.16.0.93:9000/
>
> Problem is: There's no web interface listening on port 9000 - which I 
> would expect.
>
> Is there anything I missed? The log file (attached) doesn't show any error 
> or something :/
>
> Thanks for your help.
>
> Denny
>



[graylog2] Re: Github page on giving Graylog read-access to non-admin users

2017-02-13 Thread Jochen Schalanda
Hi,

please upgrade to Graylog 2.2.0, which supports your use case via a default 
stream containing all messages.

Cheers,
Jochen

On Friday, 10 February 2017 17:51:05 UTC+1, dhe...@gmail.com wrote:
>
> I've added LDAP auth to graylog 2.1.0-SNAPSHOT and assigned "Allow 
> Reading" roles to all my streams. I want users in this role to be able to 
> query the "regular" search data so I added a "Default Search" stream with a 
> rule to match "^.*$" on the "message" field (for syslog).  I've added 
> "Allow Reading" access for my LDAP user. When logged in as Admin, I can see 
> messages going into this stream. When logged in as the LDAP user, nothing 
> appears to be going in (under Streams menu - all messages/second counts 
> stay at 0).  As of this sentence, I re-loaded the Streams page for my LDAP 
> user and it shows up empty now. There were a handful of streams there a 
> minute ago :/
>
> Is non-admin user stream sharing still in development, or has this issue 
> been solved elsewhere? 
>
> A Google search turned up this page about it: 
> https://github.com/Graylog2/graylog2-web-interface/issues/620
> "There are several work-arounds for this issue dating back to 
> 2015. ... recommend posting it" to the mailing list or IRC. So I am asking here. 
>
> Graylog is a really great project. I'm not complaining. Actually really 
> satisfied with what it can do. Fits my needs perfectly. Just looking for a 
> way to let others in my group use it without using a shared admin account.
>
> Thanks!
>
>
>



[graylog2] Re: Parse JSON containing timestamp field

2017-02-13 Thread Jochen Schalanda
Hi Rui,

the timestamp field has to contain a valid date value, not a string that 
looks like a date.

You can use the message processing pipeline or the date extractor for this:

http://docs.graylog.org/en/2.2/pages/extractors.html#normalization
http://docs.graylog.org/en/2.2/pages/pipelines.html

Cheers,
Jochen

On Friday, 10 February 2017 15:57:13 UTC+1, Rui Goncalves wrote:
>
> Hi all.
> I want to send JSON documents into graylog containing a field ("ts") that 
> contains the timestamp event. I'm unable to set the "ts" field value as 
> "timestamp" value. Graylog sets a timestamp field when the message is 
> received, and I'm unable to update that field to "ts" value! 
>
> Sample message: {"ts": "2017-02-10T12:13:42Z", msg="", service="yyy", 
> ... }
>
> 1. I've created a raw TCP 
> 2. Added a JSON extractor, so all JSON fields get extracted
> 3. Added an extractor to cut ts field and store on the timestamp field. 
>
> I was expecting to get the timestamp field with the ts value! :-/ I've 
> also tried to rename the "ts" field in the source document to "timestamp", 
> but it does not work either.
>
> Is that possible to update the timestamp field? 
>
> Thanks,
> Rui
>
>
>
>



[graylog2] Re: Does graylog automatically detect duplicate messages on ingest?

2017-02-13 Thread Jochen Schalanda
Hi Matthew,

On Friday, 10 February 2017 00:51:57 UTC+1, Matthew Shapiro wrote:
>
> Does Graylog have any detection of duplicate messages to overwrite, and if 
> not is there any way to force an id on a message via an extractor?
>

No, Graylog doesn't support de-duplication of messages and overwriting the 
internal _id field is forbidden, so I'm afraid you'll have to delete the 
old messages manually from Elasticsearch using some other attributes.

Cheers,
Jochen



[graylog2] Re: Monitoring Windows DHCP Server Activity

2017-02-13 Thread Jochen Schalanda
Hi Rob,

the Graylog Collector Sidecar simply configures and starts the actual 
collectors (Filebeat or nxlog), so you'll have to check with their docs if 
that's possible:

https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html
https://www.elastic.co/guide/en/beats/filebeat/current/index.html

Cheers,
Jochen

On Thursday, 9 February 2017 23:16:11 UTC+1, Rob Repp wrote:
>
> The files are definitely updating. One interesting thing: I tried to 
> establish this by just tailing the file with both Notepad++ and with a 
> freeware "tail" utility for Windows, and it never updated. I had to manually 
> reload the file to see any changes. Further, I never saw any update in the 
> file's Date Modified. Is there some way to force collector sidecar to poll 
> the files even if they don't show any obvious activity?
>
> On Tuesday, February 7, 2017 at 1:55:07 AM UTC-6, Jochen Schalanda wrote:
>>
>> Hi Rob,
>>
>> this sounds like either there is simply no new content in the files 
>> you've configured nxlog to watch, or that the file pattern is wrong. Try 
>> using another File pattern in the nxlog im_file input or switch to 
>> Filebeat.
>>
>> Cheers,
>> Jochen
>>
>> On Monday, 6 February 2017 23:22:59 UTC+1, Rob Repp wrote:
>>>
>>> Okay, I did a packet capture that's showing traffic between the two 
>>> boxes. The Graylog host seems to be sending a JSON of the nxlog.conf 
>>> config data to the DHCP server once every four seconds or so, and the DHCP 
>>> server sending back HTTP requests on port 9000. None of the exchanges look 
>>> like they contain data from the DHCP logs.
>>>
>>> On Monday, February 6, 2017 at 10:37:44 AM UTC-6, Jochen Schalanda wrote:
>>>>
>>>> Hi Rob,
>>>>
>>>> since the configuration doesn't show any obvious errors, please use 
>>>> Wireshark or a similar tool like tcpdump to check if the log messages from 
>>>> nxlog are sent to the correct host and if the UDP packets actually arrive 
>>>> at the Graylog GELF UDP input.
>>>>
>>>> Cheers,
>>>> Jochen
>>>>
>>>> On Monday, 6 February 2017 17:08:21 UTC+1, Rob Repp wrote:
>>>>>
>>>>> The traffic is not being blocked. There's no firewall on either 
>>>>> machine, and the network path is unobstructed. Further, the Collector 
>>>>> status for that Collector is showing green, with Backend "Nxlog: 
>>>>> running." 
>>>>> It looks like it's connected and responsive. It's just that there never 
>>>>> seem to be any messages on the associated Input.
>>>>> Tks,
>>>>> R.
>>>>>
>>>>> On Saturday, February 4, 2017 at 3:30:18 AM UTC-6, Jochen Schalanda 
>>>>> wrote:
>>>>>>
>>>>>> Hi Rob,
>>>>>>
>>>>>> the configuration looks good so far. Make sure that the host 
>>>>>> "re.da.ct.ed" can be accessed by your Windows machine and that port 
>>>>>> 5441/udp is open and not blocked by a firewall.
>>>>>>
>>>>>> Cheers,
>>>>>> Jochen
>>>>>>
>>>>>> On Friday, 3 February 2017 23:10:50 UTC+1, Rob Repp wrote:
>>>>>>>
>>>>>>> Okay, in order:
>>>>>>>
>>>>>>> 1. I'm using the OVA VM image from Graylog, so most of the 
>>>>>>> configuration is already done. All I did was add a Connector with one 
>>>>>>> nxlog input and one nxlog output, and then the GELF UDP input that the 
>>>>>>> WinDHCP json created.
>>>>>>>
>>>>>>> The WinDHCP input is configured like this:
>>>>>>>
>>>>>>> WinDHCPLogs-gelf GELF UDP RUNNING
>>>>>>> On node 771f3128 / graylog 
>>>>>>> <http://172.30.39.100/system/nodes/771f3128-a581-433b-a561-613c6bb8c5bf>
>>>>>>>
>>>>>>> - bind_address: 0.0.0.0
>>>>>>> - decompress_size_limit: 8388608
>>>>>>> - override_source: **
>>>>>>> - port: 5441
>>>>>>> - recv_buffer_size: 1048576
>>>>>>> 

[graylog2] Re: How do you build from source code for version 2.1.2 ?

2017-02-13 Thread Jochen Schalanda
Hi,

please refer to 
http://docs.graylog.org/en/2.2/pages/installation/operating_system_packages.html#rpm-yum-dnf 
for the relevant information.

Cheers,
Jochen

On Friday, 10 February 2017 17:24:55 UTC+1, bernadet...@wavestrike.com 
wrote:
>
> I need to create RPMs for CENTOS 6 (eventually CENTOS 7)
>



[graylog2] Re: How do you track unique users that have hit your site/which version do you need

2017-02-13 Thread Jochen Schalanda
Hi,

please elaborate on your use case.

In general, we always recommend running the latest stable version of 
Graylog (which is Graylog 2.2.0 at the time of writing).

Cheers,
Jochen

On Friday, 10 February 2017 17:24:17 UTC+1, bernadet...@wavestrike.com 
wrote:
>
> We are using an older version of Graylog. Which version lets you figure out 
> a list of unique users?
>



[graylog2] Re: missing alerts menu

2017-02-13 Thread Jochen Schalanda
Hi Wallace,

are there any error messages in the logs of your Graylog node or in the 
Developer console of your web browser?

Which web browser are you using?

Cheers,
Jochen

On Friday, 10 February 2017 04:17:25 UTC+1, Wallace Turner wrote:
>
> My (latest) Graylog installation is missing the 'Alerts' menu item
>
>
> 
>
>
> I'm trying to add/view the alerts. The docs at this page indicate it 
> should be present
>
> http://docs.graylog.org/en/2.2/pages/getting_started/stream_alerts.html
>



[graylog2] Re: collect logs from remote machine

2017-02-09 Thread Jochen Schalanda
Hi Wallace,

On Thursday, 9 February 2017 12:20:26 UTC+1, Wallace Turner wrote:
>
> Hi Jochen, so you need to install Sidecar (and then possibly nxlog) on each 
> machine where you want to watch a logfile?
>

You can use any other means of shipping the logs from your systems to 
Graylog that you like. You also don't have to use the Graylog Collector 
Sidecar, but it usually makes things easier.

Cheers,
Jochen



[graylog2] Re: How to parse OpenVPN logs in Graylog?

2017-02-09 Thread Jochen Schalanda
Hi César,

first you have to ship the logs to your Graylog server, either by 
forwarding the messages via your syslog daemon on that system or by reading 
from a log file on that system.

See http://docs.graylog.org/en/2.2/pages/sending_data.html 
and http://docs.graylog.org/en/2.2/pages/collector_sidecar.html for details.

Then you need to extract the interesting information from the plaintext 
logs using extractors or message pipeline rules.

See http://docs.graylog.org/en/2.2/pages/extractors.html 
and http://docs.graylog.org/en/2.2/pages/pipelines.html for details.

Cheers,
Jochen

On Thursday, 9 February 2017 12:18:32 UTC+1, CESAR Fabre wrote:
>
> Hi guys,
>
> I have the PfSense 2.3.2 with OpenVPN enabled. I want to parse OpenVPN 
> logs in Graylog with Dashboards.
>
> I have no idea. Can you help me?
>
>
> Thanks a lot!
>
>
> César
>



[graylog2] Re: Overwriting Timestamp field using Pipeline rules

2017-02-09 Thread Jochen Schalanda
Hi Al,

you might want to try to use your pattern with lower case 'y' for the year 
component of the date pattern.

Cheers,
Jochen

On Wednesday, 8 February 2017 21:09:19 UTC+1, Al Reynolds wrote:
>
> I've noticed another error. The timestamp field is being replaced 
> correctly, but the "gl2_processing_error" field is showing the following 
> error (on all messages):
> For rule 'WO-CS-RAS': In call to function 'parse_date' at 8:15 an 
> exception was thrown: Invalid format: "2017-02-08 15:05:59,170" is 
> malformed at "17-02-08 15:05:59,170"
>
>
> It doesn't seem to have any adverse effects, but I'm curious as to what 
> might be causing it?
>
> On Wednesday, February 8, 2017 at 1:56:17 PM UTC-5, Al Reynolds wrote:
>>
>> Figured it out--parse_date needed the timestamp. New rule looks like 
>> this:
>> rule "WO-CS-RAS"
>> when
>>   contains(to_string($message.file), "centralserver\\ras-server\\log\\ras_cs_")
>> then
>>   set_field("WO_Log_Source", "RAS-CS");
>>   let matches = grok(pattern: "%{WO_CS_RAS_CS_MESSAGE}", value: to_string($message.message));
>>   set_fields(matches);
>>   let date = parse_date(to_string($message.WO_Timestamp), "-MM-dd HH:mm:ss,SSS", "EST");
>>   set_field("timestamp", date);
>>   route_to_stream("WideOrbit Logs");
>> end
>>
>> I was under the impression that the timezone was optional? 
>>
>> Thanks for all your help with this Jochen--it's greatly appreciated!
>>
>> Cheers,
>> Al
>>
>> On Wednesday, February 8, 2017 at 11:05:22 AM UTC-5, Al Reynolds wrote:
>>>
>>> That's what I get for typing it out...thank you for catching that! 
>>> Unfortunately, even after correcting for the incorrect milliseconds value, 
>>> it's still not replacing timestamp value. I sent the parsed date to a new 
>>> field (in this case, "log_timestamp") to verify that the output data was in 
>>> the correct format, which it is now, but it still won't replace the 
>>> timestamp field.
>>>
>>> Message sample with "log_timestamp" field:
>>> WO_CS_RAS_CS_MESSAGE: 2017-02-08 11:00:34,980 WARN  [Task 'ATLANTA-FS' FS timer.1] FriendshipTasksServiceImpl = Could not obtain task info for:  2c95ac8e-57e3-91b2-0158-495b880b24e8REQUEST FAILED ==> STATUS CODE: 404, RESPONSE BODY:
>>> WO_LogLevel: WARN
>>> WO_Log_Source: RAS-CS
>>> WO_Message: Could not obtain task info for:  2c95ac8e-57e3-91b2-0158-495b880b24e8REQUEST FAILED ==> STATUS CODE: 404, RESPONSE BODY:
>>> WO_Process: Task 'ATLANTA-FS' FS timer.1
>>> WO_SubProcess: FriendshipTasksServiceImpl
>>> WO_Timestamp: 2017-02-08 11:00:34,980
>>> facility: filebeat
>>> file: d:\centralserver\ras-server\log\ras_cs_WO-ATL-CS.log
>>> input_type: log
>>> log_timestamp: 2017-02-08T11:00:34.980Z
>>> message: 2017-02-08 11:00:34,980 WARN  [Task 'ATLANTA-FS' FS timer.1] FriendshipTasksServiceImpl = Could not obtain task info for:  2c95ac8e-57e3-91b2-0158-495b880b24e8REQUEST FAILED ==> STATUS CODE: 404, RESPONSE BODY:
>>> name: WO-ATL-CS
>>> offset: 2372156
>>> source: WO-ATL-CS
>>> timestamp: 2017-02-08T16:00:35.864Z
>>> type: log
>>>
>>> Corrected rule: 
>>> rule "WO-CS-RAS"
>>> when
>>>   contains(to_string($message.file), "centralserver\\ras-server\\log\\ras_cs_")
>>> then
>>>   set_field("WO_Log_Source", "RAS-CS");
>>>   let matches = grok(pattern: "%{WO_CS_RAS_CS_MESSAGE}", value: to_string($message.message));
>>>   set_fields(matches);
>>>   let date = parse_date(to_string($message.WO_Timestamp), "-MM-dd HH:mm:ss,SSS");
>>>   set_field("timestamp", date);
>>>   route_to_stream("WideOrbit Logs");
>>> end
>>>
>>> Thanks!
>>>
>>> Cheers,
>>> Al
>>>
>>> On Wednesday, February 8, 2017 at 10:55:03 AM UTC-5, Jochen Schalanda 
>>> wrote:
>>>>
>>>> Hi Al,
>>>>
>>>> On Wednesday, 8 February 2017 15:46:07 UTC+1, Al R

[graylog2] Re: Graylog is ignoring some UDP packets sent by a particular host

2017-02-09 Thread Jochen Schalanda
Hi,

Graylog itself doesn't care where the packets are coming from.

Is the routing to Graylog working for the "ignored" host?
Is the networking set up correctly on all hosts?
Are there any firewall rules in place?
How did you configure the Syslog UDP and the Raw/Plaintext UDP inputs?

Cheers,
Jochen

On Wednesday, 8 February 2017 19:43:38 UTC+1, tomaszik...@gmail.com wrote:
>
> Hello,
>
> I've recently set up a working Graylog server. It's collecting logs from 
> many network switches and routers. One particular router (ironically, the 
> most important one) doesn't appear in the Sources list though. Graylog 
> keeps ignoring all packets coming from that host. Here's an example of a 
> packet which is *not* ignored by Graylog:
>
> 19:12:15.705167 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
> UDP (17), length 115)
> 10.50.255.44.40810 > Silenoz.syslog: [udp sum ok] [|syslog]
>
> And below you can see a packet which *is* ignored by Graylog:
>
> 10.50.255.111.56993 > Silenoz.syslog: [udp sum ok] SYSLOG, length: 154
>  Facility local7 (23), Severity notice (5)
>  Msg: Feb 8 19:12:17: %SYSLOG-5-NOTICE: aaad: SubSessionAUTHFAIL user: 
> pppoe16344@mn (24) Authentication failure [Circuit handle: 1/4:511:63:31/6
> /2/47661]\0x0a
>
> As you can see, the packet is much longer, but it doesn't exceed the 
> maximum UDP packet size that can be processed by Graylog (8192). My guess 
> is that logs coming from 10.50.255.111 are not RFC compatible and thus 
> they're discarded by Graylog. How can I debug it / fix it? I didn't find 
> any related messages in the Elasticsearch log (there were no errors related 
> to parsing a message).
> I deleted the default Input object and added a new RAW UDP Input object. 
> It didn't fix the issue - logs from 10.50.255.111 are still not parsed.
>



[graylog2] Re: Incoming Gelf UDP messages not showing up

2017-02-09 Thread Jochen Schalanda
Hi,

On Thursday, 9 February 2017 06:54:30 UTC+1, IJFK wrote:
>
> I'm sending syslog packets in GELF format (I successfully validated the 
> JSON), and no matter what I do, the packets don't show up. There is no 
> parsing error or anything, the data just doesn't show up.
>

How exactly are you sending messages? How did you configure the clients? 
How did you configure the inputs (and which types) in Graylog? 


> I already created a Raw/UDP input & stream, which does show the messages 
> coming in; I also verified with tcpdump that they are actually making it to 
> the server.
>

This sounds like they are simply not valid GELF messages.

Cheers,
Jochen
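
Both Rui's question above (a JSON document whose "ts" field should become the message timestamp) and this thread come down to what a GELF input will accept. The following is an added example, not code from Graylog or from anyone in these threads: it builds a GELF 1.1 message from such a document (the document's own timestamp becomes the numeric GELF timestamp), lists the defects that make a GELF UDP input drop a payload without any parse error (missing short_message, a string timestamp, additional fields without the underscore prefix, the reserved _id), and encodes and reassembles the message as zlib-compressed, chunked UDP datagrams. The function names, the sample document and the host name app01.example are constructed for this example.

```python
import json
import os
import zlib
from datetime import datetime, timezone

GELF_VERSION = "1.1"
REQUIRED_FIELDS = ("version", "host", "short_message")
STANDARD_FIELDS = REQUIRED_FIELDS + ("full_message", "timestamp", "level")
CHUNK_MAGIC = b"\x1e\x0f"  # chunk header: magic, 8-byte message id, seq no, seq count
MAX_CHUNKS = 128           # Graylog drops messages that need more chunks than this

# Constructed sample document, modelled on the "ts" JSON from the thread.
SAMPLE_DOC = {"ts": "2017-02-10T12:13:42Z", "msg": "user logged in",
              "service": "yyy", "id": 42}


def iso8601_to_epoch(value):
    """ISO-8601 string ("2017-02-10T12:13:42Z") -> GELF's numeric epoch seconds (UTC)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:          # naive strings are treated as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.timestamp()


def json_to_gelf(doc, host, ts_field="ts", msg_field="msg"):
    """Map an application JSON document onto a GELF 1.1 message: the document's own
    timestamp becomes the numeric GELF "timestamp" (which Graylog then uses as the
    message timestamp) and every other key becomes an underscore-prefixed field."""
    gelf = {"version": GELF_VERSION, "host": host, "short_message": str(doc[msg_field])}
    if ts_field in doc:
        gelf["timestamp"] = iso8601_to_epoch(doc[ts_field])
    for key, val in doc.items():
        if key in (ts_field, msg_field):
            continue
        if key == "id":                # "_id" is reserved; Graylog refuses to overwrite it
            key = "source_id"
        gelf["_" + key] = val if isinstance(val, (int, float, str)) else json.dumps(val)
    return gelf


def validate_gelf(msg):
    """Reasons a payload is not valid GELF 1.1 (empty list if it is). A GELF UDP
    input drops such messages without a parse error, so check before blaming the network."""
    problems = []
    for name in REQUIRED_FIELDS:
        if name not in msg:
            problems.append("missing required field %r" % name)
    if "version" in msg and msg["version"] != GELF_VERSION:
        problems.append("version must be %r" % GELF_VERSION)
    if "timestamp" in msg and not isinstance(msg["timestamp"], (int, float)):
        problems.append("timestamp must be a number (seconds since epoch), not a string")
    for name in msg:
        if name in STANDARD_FIELDS:
            continue
        if not name.startswith("_"):
            problems.append("additional field %r must be prefixed with '_'" % name)
        elif name == "_id":
            problems.append("'_id' is reserved and must not be sent")
    return problems


def to_gelf_udp_datagrams(msg, max_datagram=8192):
    """Encode as the datagrams a GELF UDP input accepts: zlib-compressed JSON,
    split into chunks (12-byte header each) when it exceeds max_datagram bytes."""
    payload = zlib.compress(json.dumps(msg).encode("utf-8"))
    if len(payload) <= max_datagram:
        return [payload]
    body_size = max_datagram - 12
    bodies = [payload[i:i + body_size] for i in range(0, len(payload), body_size)]
    if len(bodies) > MAX_CHUNKS:
        raise ValueError("message needs more than %d chunks" % MAX_CHUNKS)
    message_id = os.urandom(8)
    return [CHUNK_MAGIC + message_id + bytes([seq, len(bodies)]) + body
            for seq, body in enumerate(bodies)]


def from_gelf_udp_datagrams(datagrams):
    """Receiving side: reassemble chunks, undo zlib compression, parse the JSON."""
    payload = datagrams[0]
    if payload.startswith(CHUNK_MAGIC):
        message_id, count, parts = payload[2:10], payload[11], {}
        for d in datagrams:
            if not d.startswith(CHUNK_MAGIC) or d[2:10] != message_id:
                raise ValueError("chunk belongs to a different message")
            parts[d[10]] = d[12:]
        if len(parts) != count:
            raise ValueError("expected %d chunks, got %d" % (count, len(parts)))
        payload = b"".join(parts[i] for i in range(count))
    if payload[:1] == b"\x78":         # zlib header; uncompressed JSON starts with "{"
        payload = zlib.decompress(payload)
    return json.loads(payload.decode("utf-8"))


if __name__ == "__main__":
    gelf = json_to_gelf(SAMPLE_DOC, host="app01.example")   # host name is made up
    print(validate_gelf(gelf) or "valid GELF")
    print(from_gelf_udp_datagrams(to_gelf_udp_datagrams(gelf, max_datagram=48)))
```

Feeding a payload through validate_gelf before sending it is the quickest way to tell a silently dropped message from a network problem; a small max_datagram in the call above forces the chunked path so it can be exercised offline.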



[graylog2] Re: Forward from One graylog to another

2017-02-09 Thread Jochen Schalanda
Hi Tom,

On Thursday, 9 February 2017 04:46:31 UTC+1, Tom Powers wrote:
>
> Is there any good doc on setting up TLS on the stream output and then 
> the receiving side at the new Graylog instance?


Please refer to the documentation 
at http://docs.graylog.org/en/2.1/pages/streams.html#outputs

It's simply setting up the stream GELF output (Streams -> Manage Stream 
Output -> Launch new output) and a GELF input on the other instance of 
Graylog (System -> Inputs).

Cheers,
Jochen




[graylog2] Re: collect logs from remote machine

2017-02-09 Thread Jochen Schalanda
Hi Wallace,

On Thursday, 9 February 2017 06:03:07 UTC+1, Wallace Turner wrote:
>
> What I am trying to do is for Graylog to retrieve (or monitor) a log file 
> at a network location (Windows servers) and bring the contents of the plain 
> text log file to Graylog.
>
> Is this possible (on windows)?
>

Yes, that's possible. You could simply use the Graylog Collector Sidecar 
for this: http://docs.graylog.org/en/2.1/pages/collector_sidecar.html

Cheers,
Jochen



[graylog2] Re: Forward from One graylog to another

2017-02-08 Thread Jochen Schalanda
Hi Tom,

On Wednesday, 8 February 2017 23:31:46 UTC+1, Tom Powers wrote:
>
> We are only tracking Windows events here, so if I read this right, could I 
> set the stream output in GELF format and send it to the parent office 
> Graylog server (over TLS of course)?
>

Yes, that's pretty much it. Assign a GELF output to the relevant streams 
and send them to your central Graylog instance (with a GELF input).

Cheers,
Jochen 



Re: [graylog2] Re: Extractor and processing messages

2017-02-08 Thread Jochen Schalanda
Hi Rayees,

On Wednesday, 8 February 2017 18:00:05 UTC+1, Rayees Namathponnan wrote:
>
> I am looking at the extractor configuration; there I am not seeing any way 
> to define the input. Without this, all the messages that come into the 
> system will go through the extractor, right? Am I missing something?
>

Extractors are logically bound to inputs. You can create an (almost) 
arbitrary number of inputs in Graylog for each special case.

Cheers,
Jochen



[graylog2] Re: Extractor and processing messages

2017-02-08 Thread Jochen Schalanda
Hi Rayees,

On Wednesday, 8 February 2017 17:38:56 UTC+1, Rayees Namathponnan wrote:
>
> Suppose I have defined 10 extractors; if any message comes to Graylog, 
> does it go through all 10 extractors?
>

This depends on your configuration and if the preconditions for these 
extractors have been met, but it's possible that all 10 extractors have to 
run for each message.

> I am performing some tests in Graylog to see how Graylog behaves if I add 
> more extractors, and I want to check alert performance with respect to the 
> number of extractors.
>

Usually you would create multiple inputs for messages with vastly different 
requirements to run extractors, so that not all extractors have to run for 
all ingested messages.

Cheers,
Jochen 



[graylog2] Re: Overwriting Timestamp field using Pipeline rules

2017-02-08 Thread Jochen Schalanda
Hi Al,

On Wednesday, 8 February 2017 15:11:34 UTC+1, Al Reynolds wrote:
>
> I was under the impression that using the "parse_date" function would 
> create a Date object?
>

It does, see 
http://docs.graylog.org/en/2.1/pages/pipelines/functions.html#parse-date 
for reference. But your date pattern may be wrong (see 
http://www.joda.org/joda-time/apidocs/org/joda/time/format/DateTimeFormat.html 
for reference).

Please share some example messages, so that we can validate your rule.

 

> As for "$timestamp" instead of "timestamp", I was trying different 
> configurations, and thought that since the message field is referenced as 
> "$message" I would try that format. What does the "$" indicate? 
>

The $ character is simply part of the variable name containing the current 
message (which is "$message"). It doesn't have a special meaning.

Cheers,
Jochen



[graylog2] Re: Graylog 2.2.0-rc.1 lags while editing inputs

2017-02-08 Thread Jochen Schalanda
Hi,

this is the start command for Elasticsearch, not Graylog.

Please post the configuration of Graylog and the JVM settings for Graylog 
(see http://docs.graylog.org/en/2.1/pages/configuration/file_location.html 
for where to find them).

Cheers,
Jochen

On Wednesday, 8 February 2017 12:14:41 UTC+1, Ha NN wrote:
>
> It has 8 cores and 32 GB of RAM
>
> JVM:
> /usr/bin/java -Xms18g -Xmx18g -Djava.awt.headless=true -XX:+UseParNewGC 
> -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 
> -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError 
> -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Djna.nosys=true 
> -Des.path.home=/usr/share/elasticsearch -cp 
> /usr/share/elasticsearch/lib/elasticsearch-2.4.4.jar:/usr/share/elasticsearch/lib/*
>  
> org.elasticsearch.bootstrap.Elasticsearch start 
> -Des.pidfile=/var/run/elasticsearch/elasticsearch.pid 
> -Des.default.path.home=/usr/share/elasticsearch 
> -Des.default.path.logs=/var/log/elasticsearch 
> -Des.default.path.data=/var/lib/elasticsearch 
> -Des.default.path.conf=/etc/elasticsearch
>
> Am Mittwoch, 8. Februar 2017 11:54:59 UTC+1 schrieb Jochen Schalanda:
>>
>> Hi,
>>
>> there are quite long GC pauses mentioned in your logs.
>>
>> What are the hardware specs of the machine(s) running Graylog and how did 
>> you configure Graylog (also how are the JVM settings)?
>>
>> Cheers,
>> Jochen
>>
>> On Wednesday, 8 February 2017 11:43:27 UTC+1, Ha NN wrote:
>>>
>>> Hi,
>>>
>>> I am testing Graylog 2.2.0-rc.1 with a GELF UDP input plugin. I send 
>>> logs with rsyslog into it. I created some Grok pattern extractors, mostly 
>>> ones like ID=%{DATA:id} 
>>>
>>> Once they are created and you want to edit them, it takes a very long time 
>>> to load the edit page, and it seems Graylog stops processing messages, as 
>>> you will see the messages in/out counter at the top go down to 0.
>>>
>>> I also noticed that for some messages the extractors do not apply, but 
>>> they should.
>>>
>>> I have a one-node setup. I use multiple indices for different streams 
>>> (what a great feature!!!)
>>>
>>> You will find the following in the log:
>>>
>>> 2017-02-08T11:11:59.376+01:00 WARN  [NodePingThread] Did not find meta 
>>> info of this node. Re-registering.
>>> 2017-02-08T11:12:02.265+01:00 INFO  [jvm] 
>>> [graylog-192b57c1-d456-4817-acff-d460547e7775] [gc][young][172980][17325] 
>>> duration [725ms], collections [1]/[2.8s], total [725ms]/[7m], memory 
>>> [1.7gb]->[1.1gb]/[3.8gb], all_pools {[young] 
>>> [853.1mb]->[204mb]/[1.6gb]}{[survivor] [13.7mb]->[42.2mb]/[204.7mb]}{[old] 
>>> [943.2mb]->[943.7mb]/[2gb]}
>>> 2017-02-08T11:14:27.066+01:00 INFO  [ExtractorsResource] Updated 
>>> extractor <7e13da31-ed47-11e6-a18b-b083fec76da6> of type [grok] in input 
>>> <58949a5f6c6c8c6b200a1b3b>.
>>> 2017-02-08T11:16:28.641+01:00 WARN  [NodePingThread] Did not find meta 
>>> info of this node. Re-registering.
>>> 2017-02-08T11:17:15.605+01:00 INFO  [ExtractorsResource] Updated 
>>> extractor <3c954090-ea26-11e6-95c6-b083fec76da6> of type [grok] in input 
>>> <58949a5f6c6c8c6b200a1b3b>.
>>>
>>>



[graylog2] Re: Graylog 2.2.0-rc.1 lags while editing inputs

2017-02-08 Thread Jochen Schalanda
Hi,

there are quite long GC pauses mentioned in your logs.

What are the hardware specs of the machine(s) running Graylog and how did 
you configure Graylog (also how are the JVM settings)?

Cheers,
Jochen

On Wednesday, 8 February 2017 11:43:27 UTC+1, Ha NN wrote:
>
> Hi,
>
> I am testing Graylog 2.2.0-rc.1 with a GELF UDP input plugin. I send logs 
> with rsyslog into it. I created some Grok pattern extractors, mostly ones 
> like ID=%{DATA:id} 
>
> Once they are created and you want to edit them, it takes a very long time 
> to load the edit page, and it seems Graylog stops processing messages, as 
> you will see the messages in/out counter at the top go down to 0.
>
> I also noticed that for some messages the extractors do not apply, but 
> they should.
>
> I have a one-node setup. I use multiple indices for different streams 
> (what a great feature!!!)
>
> You will find the following in the log:
>
> 2017-02-08T11:11:59.376+01:00 WARN  [NodePingThread] Did not find meta 
> info of this node. Re-registering.
> 2017-02-08T11:12:02.265+01:00 INFO  [jvm] 
> [graylog-192b57c1-d456-4817-acff-d460547e7775] [gc][young][172980][17325] 
> duration [725ms], collections [1]/[2.8s], total [725ms]/[7m], memory 
> [1.7gb]->[1.1gb]/[3.8gb], all_pools {[young] 
> [853.1mb]->[204mb]/[1.6gb]}{[survivor] [13.7mb]->[42.2mb]/[204.7mb]}{[old] 
> [943.2mb]->[943.7mb]/[2gb]}
> 2017-02-08T11:14:27.066+01:00 INFO  [ExtractorsResource] Updated extractor 
> <7e13da31-ed47-11e6-a18b-b083fec76da6> of type [grok] in input 
> <58949a5f6c6c8c6b200a1b3b>.
> 2017-02-08T11:16:28.641+01:00 WARN  [NodePingThread] Did not find meta 
> info of this node. Re-registering.
> 2017-02-08T11:17:15.605+01:00 INFO  [ExtractorsResource] Updated extractor 
> <3c954090-ea26-11e6-95c6-b083fec76da6> of type [grok] in input 
> <58949a5f6c6c8c6b200a1b3b>.
>
>



[graylog2] Re: Overwriting Timestamp field using Pipeline rules

2017-02-07 Thread Jochen Schalanda
Hi Al,

the "timestamp" field has to be a Date object and not a string. 
Additionally, the first parameter of your set_field() call seems odd 
("$timestamp" instead of "timestamp").

This rule might work, although I haven't tested it:

rule "WO-CS-RAS" 
when 

contains(to_string($message.file),"centralserver\\ras-server\\log\\ras_cs_")
then
set_field("WO_Log_Source","RAS-CS");
let matches = grok(pattern: "%{WO_CS_RAS_CS_MESSAGE}", value: 
to_string($message.message));
set_fields(matches);
let date = parse_date(to_string($message.WO_Timestamp), "-MM-dd 
HH:mm:ss,sss");
set_field("timestamp", date);
route_to_stream("WideOrbit Logs");
end


Cheers,
Jochen


On Tuesday, 7 February 2017 20:52:38 UTC+1, Al Reynolds wrote:
>
> Hello all,
>
> I'm attempting to switch our logging infrastructure from the ELK stack to 
> Graylog, but I'm running into an issue with the pipeline rules and 
> replacing the timestamp field. Rule below: 
>
> rule "WO-CS-RAS" 
> when 
> 
> contains(to_string($message.file),"centralserver\\ras-server\\log\\ras_cs_")
> then
> set_field("WO_Log_Source","RAS-CS");
> let matches = grok(pattern: "%{WO_CS_RAS_CS_MESSAGE}", value: 
> to_string($message.message));
> set_fields(matches);
> let date = parse_date(to_string($message.WO_Timestamp), "-MM-dd 
> HH:mm:ss,sss");
> let new_date = format_date(date,"-MM-DD'T'HH:mm:ss.SSS");
> set_field("$timestamp", new_date);
> route_to_stream("WideOrbit Logs");
> end
>
> I've tried without the date formatter as well--no luck there either. The 
> rule will error out and not replace the timestamp field. Everything else 
> works perfectly. Any suggestions as to where I might be going wrong? If I 
> use an extractor I can replace the timestamp field, but I'd like to keep 
> everything in one place if possible. 
>
> Thanks!
>
> Cheers,
> Al
>

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/b1ee4811-c22a-4529-8544-f23c5411bfdb%40googlegroups.com.


[graylog2] Re: Please share how to setup graylog with windows log4net logs.

2017-02-07 Thread Jochen Schalanda
Hi Rohit,

check the Graylog Marketplace for GELF appenders supporting 
log4net: https://marketplace.graylog.org/addons?tag=log4net

Cheers,
Jochen

On Tuesday, 7 February 2017 17:53:54 UTC+1, rohit agarwal wrote:
>
> Hi,
>
> Please help in configuring graylog on centos7 with log4net logs to be 
> shipped from windows servers in GELF format.
>
> Share any link or doc for the same.
>
>
>

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/41685a35-8219-49ee-b577-f152e53b3c9d%40googlegroups.com.


[graylog2] Re: Logstash Split Plugin

2017-02-07 Thread Jochen Schalanda
Hi Shrawan,

since you've asked this question multiple times already (
https://groups.google.com/d/msg/graylog2/Qev2klwPmGQ/o0bTaXuyAwAJ, 
https://groups.google.com/d/msg/graylog2/G7Z3yOiqrn8/e0ISsyEuAgAJ), you 
should consider buying professional support at 
https://www.graylog.org/professional-support.

Other than that, please direct questions about Logstash to 
https://discuss.elastic.co/c/logstash.

Cheers,
Jochen

On Tuesday, 7 February 2017 16:29:28 UTC+1, Shrawan Bhagwat wrote:
>
> Hi All,
>
> We do have JSON data in the form
> {
> "data": [
>
> {
> "appName": "DemoApp",
> "appVersion": "1.1",
> "deviceId": "1234567",
> "deviceName": "moto e",
> "deviceOSVersion": "5.1",
> "packageName": "com.abc.DemoApp",
> "message": "testing null pointer exception",
> "errorLog": "null pointer exception"
> },
>
> {
> "appName": "DemoApp",
> "appVersion": "1.1",
> "deviceId": "1234567",
> "deviceName": "moto e",
> "deviceOSVersion": "5.1",
> "packageName": "com.abc.DemoApp",
> "message": "testing illegal state exception",
> "errorLog": "illegal state exception"
> }
> ]
> }
>
> We want to split data into separate messages and different fields like 
> appName, appVersion etc.
> My queries:
> i) We use the Split filter to split it into different fields, and we are 
> getting "data_appName" as the field name instead of "appName". How do we change 
> this field to "appName" etc. without the data_ prefix?
> ii) The message field contains both records, not a single one. How do we split 
> the message field?
>
> filter in config file:
>
> filter{
> json {
>   source => "message"
>  }
>
>mutate { gsub => [ "message", "},", "shr" ] }
> split {
>  terminator => "shr"
>   field => "data"
>}
>
>
> Please guide for both queries.
>
> Regards,
> Shrawan
>

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/81aa5782-5327-4266-b6ec-235b166abf8d%40googlegroups.com.


[graylog2] Re: Graylog 2.1.2 - Geo-Location

2017-02-07 Thread Jochen Schalanda
Hi,

please read the documentation again: 
http://docs.graylog.org/en/2.1/pages/geolocation.html#configure-the-message-processor

I've already quoted the relevant parts in my previous post.

You have to extract the information into separate fields. Currently 
everything is in the "message" field.

Cheers,
Jochen

On Tuesday, 7 February 2017 13:59:54 UTC+1, CTuser wrote:
>
> Here is some log for example:
>
> ---
> message
> 192.168.99.1 date=2017-02-07 time=14:56:43 devname=PrimaryFGT 
> devid=FG100D3G16814848 logid=13 type=traffic subtype=forward 
> level=notice vd=root srcip=27.214.37.81 srcport=29770 srcintf="wan1" 
> dstip=199.203.140.150 dstport=23 dstintf="wan1" sessionid=968745459 proto=6 
> action=deny policyid=0 dstcountry="Israel" srccountry="China" trandisp=noop 
> service="TELNET" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 
> appcat="unscanned" crscore=30 craction=131072 crlevel=high
>
> ---
>

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/f5d97bc9-7207-43c3-945e-a23960955c59%40googlegroups.com.


[graylog2] Re: Graylog over multiple sites

2017-02-07 Thread Jochen Schalanda
Hi,

On Tuesday, 7 February 2017 13:46:36 UTC+1, SystemAdminUK wrote:
>
> Then at one site I have the web interface to query the data. This would 
> mean I would not need to ship the logs offsite, and save on internet 
> bandwidth. Is this a possible option?
>

Unfortunately that's not possible.

 

> Or do I need to have all data in one database to function correctly?
>

Yes.

Since it sounds like you have 3 independent locations anyway, why not run 3 
separate Graylog instances?

Cheers,
Jochen

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/6d3fcb09-7155-48c8-b599-a0f9e1c7c82f%40googlegroups.com.


[graylog2] Re: Graylog 2.1.2 - Geo-Location

2017-02-07 Thread Jochen Schalanda
Hi,

On Tuesday, 7 February 2017 13:46:47 UTC+1, CTuser wrote:
>
> Yes, of course.
> I'm getting lots of messages containing IPv4 addresses from the FW.
>

Do they have any field that *only* contains an IPv4 address and no other 
content?

Cheers,
Jochen

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/3c4fd4a0-891a-43a2-87f0-422981ef5f90%40googlegroups.com.


[graylog2] Re: Graylog 2.1.2 - Geo-Location

2017-02-07 Thread Jochen Schalanda
Hi,

are there any other messages which exclusively contain an IPv4 or IPv6 
address in the "message" field?

I'll quote 
http://docs.graylog.org/en/2.1/pages/geolocation.html#configure-the-message-processor
:

That’s it, at this point Graylog will start looking for fields *containing 
> exclusively an IPv4 or IPv6 address*, and extracting their geolocation 
> into a _geolocation field. 


> Note: In case you are not sending structured logs to Graylog, you can use 
> extractors to store the IPs in your messages into their own fields. Check 
> out the Extractors documentation 
>  for 
> more information.


Cheers,
Jochen

On Tuesday, 7 February 2017 12:59:46 UTC+1, CTuser wrote:
>
>
> Hi,
>
>
> I followed 
> http://docs.graylog.org/en/2.0/pages/geolocation.html#configure-geolocation 
> in order to apply the Geo-Location feature.
> I tested it with nc -w0   <<< '8.8.8.8' and it worked.
>
>
> [image: image] 
> 
>
> I don't see another logs with "message_geolocation" , even though the 
> database path is configured.
>
> [image: image]
>
> 
>
>
>
> 
>
> In addition, it's also activated in Message Processors Configuration.
>
>
> [image: image] 
> 
>
> Please advise.
>
>- Graylog Version: 2.1.2 (Running on CentOS 7)
>- Elasticsearch Version: Don't know
>- MongoDB Version: Don't know
>- Operating System: win 10 x64
>- Browser version: FF 51.0.1
>
>

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/8a787c67-004c-4d28-81da-6ada75e0a8c7%40googlegroups.com.


[graylog2] Re: Azure Metrics alerts to Graylog

2017-02-07 Thread Jochen Schalanda
Hi Pablo,

On Monday, 6 February 2017 19:34:38 UTC+1, Pablo Daniel Estigarribia Davyt 
wrote:
>
> As I have seen, there is no standard http post input only GELF in graylog? 
> Or using tcp port could be possible? (I will try this and extractor 
> configuration). 
>

This will probably not work because HTTP requires the server to respond to 
the client's request which the generic TCP input doesn't do.
 

> One other possibility I have seen is to configure logstash http-input 
> https://www.elastic.co/blog/introducing-logstash-input-http-plugin then 
> use RabbitMQ to send data to Graylog? 
>

Yes, that might work. You can also use Logstash's GELF output if you don't 
want to set up a RabbitMQ broker.

Cheers,
Jochen

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/db17a21b-a3f2-44a6-bb91-3c06785f1db4%40googlegroups.com.


[graylog2] Re: Logging of Graylog-Server to Syslog

2017-02-07 Thread Jochen Schalanda
Hi Frank,

On Monday, 6 February 2017 22:49:23 UTC+1, Frank Engler wrote:
>
> Any clue what is going wrong? Why is only the Socket example working and 
> the 
> Syslog test isn't? 
>

This shows that the appender mechanism itself is working but that either 
the Syslog appender doesn't work or that you have configured it wrong.

Try starting with the absolute minimum configuration for the Syslog 
appender and add additional settings once this is working. For example, try 
using "127.0.0.1" in the "host" setting instead of "localhost" (which could 
resolve to any other IP address).

Cheers,
Jochen

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/b745808b-fa5c-4976-9d02-58e6bead126f%40googlegroups.com.


[graylog2] Re: help regex message

2017-02-07 Thread Jochen Schalanda
Hi Rafael,

you can use https://grokdebug.herokuapp.com/ to play around with and debug 
your Grok patterns.

FWIW, you're missing a backslash to escape the parenthesis after the 
timestamp.

This pattern is working:

^\[%{TIME}\.[0-9]{0,3}\]\s+\[%{WORD:loglevel}\].*



Cheers,
Jochen


On Monday, 6 February 2017 20:22:47 UTC+1, Rafael Pereira Silva wrote:
>
> Hello, I need help with a Logstash regex.
>
> I want to build a regex that matches this line:
>
> *[13:24:20.118] [ERROR] [qtp1817789863-23] 
> [c.c.c.v.h.ControllerExceptionHandler] : Uncaught Exception: {}*
>
> I tried use: 
>
>
> ^\[(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])]\s+(\[%{WORD:loglevel}\])
>
> However, I only captured *[13:24:20.118] [ERROR]*; please help me capture the 
> entire line.
>
>
>
> Thanks
>

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/d185bde0-e24e-4a0b-96d5-d04afebe190a%40googlegroups.com.


[graylog2] Re: buglet: broken link http://info.graylog.org/marketplace-requests

2017-02-06 Thread Jochen Schalanda
Hi Jason,

the link http://info.graylog.org/marketplace-requests shows a contact form for me:



Which browser are you using? Which extensions (possibly blocking content 
like Javascript) are you using?

Cheers,
Jochen


On Tuesday, 7 February 2017 05:59:37 UTC+1, Jason Haar wrote:
>
> Hi there
>
> I just did a search on the marketplace for Azure related plugins and found 
> nothing. There was a link saying
>
> "Sorry, nothing matches your query.
>
> Not found what you are looking for? Let us know what you'd like to see in 
> the Marketplace!"
>
> But the link goes nowhere
>
> http://info.graylog.org/marketplace-requests
>
> -- 
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/64e3af80-90ae-47ba-8858-606c0c9886c4%40googlegroups.com.


[graylog2] Re: Monitoring Windows DHCP Server Activity

2017-02-06 Thread Jochen Schalanda
Hi Rob,

this sounds like either there is simply no new content in the files you've 
configured nxlog to watch, or that the file pattern is wrong. Try using 
another File pattern in the nxlog im_file input or switch to Filebeat.

Cheers,
Jochen

On Monday, 6 February 2017 23:22:59 UTC+1, Rob Repp wrote:
>
> Okay, I did a packet capture that's showing traffic between the two boxes. 
> There seems to be the Graylog host sending a json of the nxlog.conf config 
> data to the DHCP server once every four seconds or so, and the DHCP server 
> sending back HTTP requests on port 9000. None of the exchanges look like 
> they contain data from the DHCP logs.
>
> On Monday, February 6, 2017 at 10:37:44 AM UTC-6, Jochen Schalanda wrote:
>>
>> Hi Rob,
>>
>> since the configuration doesn't show any obvious errors, please use 
>> Wireshark or a similar tool like tcpdump to check if the log messages from 
>> nxlog are sent to the correct host and if the UDP packets actually arrive 
>> at the Graylog GELF UDP input.
>>
>> Cheers,
>> Jochen
>>
>> On Monday, 6 February 2017 17:08:21 UTC+1, Rob Repp wrote:
>>>
>>> The traffic is not being blocked. There's no firewall on either machine, 
>>> and the network path is unobstructed. Further, the Collector status for 
>>> that Collector is showing green, with Backend "Nxlog: running." It looks 
>>> like it's connected and responsive. It's just that there never seem to be 
>>> any messages on the associated Input.
>>> Tks,
>>> R.
>>>
>>> On Saturday, February 4, 2017 at 3:30:18 AM UTC-6, Jochen Schalanda 
>>> wrote:
>>>>
>>>> Hi Rob,
>>>>
>>>> the configuration looks good so far. Make sure that the host 
>>>> "re.da.ct.ed" can be accessed by your Windows machine and that port 
>>>> 5441/udp is open and not blocked by a firewall.
>>>>
>>>> Cheers,
>>>> Jochen
>>>>
>>>> On Friday, 3 February 2017 23:10:50 UTC+1, Rob Repp wrote:
>>>>>
>>>>> Okay, in order:
>>>>>
>>>>> 1. I'm using the OVA VM image from Graylog, so most of the 
>>>>> configuration is already done. All I did was add a Connector with one 
>>>>> nxlog 
>>>>> input and one nxlog output, and then the GELF UDP input that the WinDHCP 
>>>>> json created.
>>>>>
>>>>> The WinDHCP input is configured like this:
>>>>>
>>>>> WinDHCPLogs-gelf GELF UDP RUNNING
>>>>> On node 771f3128 / graylog 
>>>>> <http://172.30.39.100/system/nodes/771f3128-a581-433b-a561-613c6bb8c5bf>
>>>>>
>>>>>- bind_address:
>>>>>0.0.0.0
>>>>>- decompress_size_limit:
>>>>>8388608
>>>>>- override_source:
>>>>>**
>>>>>- port:
>>>>>5441
>>>>>- recv_buffer_size:
>>>>>1048576
>>>>>
>>>>>
>>>>> 2. The nxlog.conf file is:
>>>>>
>>>>> define ROOT C:\Program Files (x86)\nxlog
>>>>>
>>>>> 
>>>>>   Module xm_gelf
>>>>> 
>>>>>
>>>>> Moduledir %ROOT%\modules
>>>>> CacheDir %ROOT%\data
>>>>> Pidfile %ROOT%\data\nxlog.pid
>>>>> SpoolDir %ROOT%\data
>>>>> LogFile %ROOT%\data\nxlog.log
>>>>> LogLevel INFO
>>>>>
>>>>> 
>>>>> Module  xm_fileop
>>>>> 
>>>>> When@daily
>>>>> Execfile_cycle('%ROOT%\data\nxlog.log', 7);
>>>>>  
>>>>> 
>>>>>
>>>>> 
>>>>> Module im_file
>>>>> File 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log'
>>>>> PollInterval 1
>>>>> SavePos True
>>>>> ReadFromLast True
>>>>> Recursive False
>>>>> RenameCheck True
>>>>> Exec $FileName = file_name(); # Send file name with each message
>>>>> 
>>>>>
>>>>> 
>>>>> Module om_udp
>>>>> Host re.da.ct.ed
>>>>> Port 5441
>>>>> OutputType  GELF
>>>>> Exec $short_message = $raw_event; # Avoids truncation of the 
>>>>> short_message field.
>>>>> Exec $gl2_source_collector = '9960a8cd-7abe-4
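
The tcpdump/Wireshark check tells you whether packets arrive; a second useful step is to take nxlog out of the picture and send one known-good GELF message to the input yourself. The following Python script is an added example (my own code, not from this thread, from nxlog or from Graylog). It builds a GELF 1.1 document, gzip-compresses it, splits it into GELF chunks when it exceeds one datagram, and sends it to the host and port given on the command line (the thread's "re.da.ct.ed" host and port 5441 are the obvious values). The 1420-byte chunk size is my assumption, and the reassemble() helper exists only to check the chunk framing offline.

```python
import gzip
import json
import os
import socket
import sys
import time

GELF_CHUNK_MAGIC = b"\x1e\x0f"   # chunked-GELF magic bytes
CHUNK_PAYLOAD = 1420             # bytes of GELF data per datagram (assumption; must fit the path MTU)
MAX_CHUNKS = 128                 # hard limit of the chunked GELF format


def build_gelf(short_message, host, extra=None, level=6, timestamp=None):
    """Return a GELF 1.1 document as UTF-8 JSON bytes. Extra fields get the mandatory '_' prefix."""
    doc = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time() if timestamp is None else timestamp,
        "level": level,
    }
    for key, value in (extra or {}).items():
        key = key.lstrip("_")
        if key == "id":
            raise ValueError("'_id' is reserved by Graylog and is rejected")
        doc["_" + key] = value
    return json.dumps(doc).encode("utf-8")


def chunk_payload(payload, chunk_size=CHUNK_PAYLOAD):
    """Split a (compressed) payload into chunked-GELF datagrams; small payloads are sent as-is."""
    if len(payload) <= chunk_size:
        return [payload]
    pieces = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError("payload needs %d chunks, GELF allows at most %d" % (len(pieces), MAX_CHUNKS))
    message_id = os.urandom(8)  # ties the chunks of one message together on the receiver
    # header: magic (2) + message id (8) + sequence number (1) + sequence count (1)
    return [GELF_CHUNK_MAGIC + message_id + bytes([seq, len(pieces)]) + piece
            for seq, piece in enumerate(pieces)]


def frame_gelf(document):
    """Everything that goes on the wire for one document: gzip, then chunk if necessary."""
    return chunk_payload(gzip.compress(document))


def reassemble(datagrams):
    """Inverse of chunk_payload, for checking the framing offline (not Graylog's implementation)."""
    if len(datagrams) == 1 and not datagrams[0].startswith(GELF_CHUNK_MAGIC):
        return datagrams[0]
    ids, parts, total = set(), {}, None
    for d in datagrams:
        if not d.startswith(GELF_CHUNK_MAGIC) or len(d) < 12:
            raise ValueError("not a GELF chunk")
        ids.add(d[2:10])
        parts[d[10]] = d[12:]
        total = d[11]
    if len(ids) != 1 or sorted(parts) != list(range(total)):
        raise ValueError("incomplete or mixed chunk set")
    return b"".join(parts[i] for i in range(total))


def decode_gelf(payload):
    """Decode what the input sees: transparently gunzip, then parse the JSON document."""
    if payload[:2] == b"\x1f\x8b":
        payload = gzip.decompress(payload)
    return json.loads(payload.decode("utf-8"))


def send_gelf_udp(host, port, document):
    """Send one GELF document as one or more UDP datagrams; returns the datagram count."""
    datagrams = frame_gelf(document)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for d in datagrams:
            sock.sendto(d, (host, port))
    return len(datagrams)


if __name__ == "__main__":
    target_host, target_port = sys.argv[1], int(sys.argv[2])   # e.g. re.da.ct.ed 5441
    probe = build_gelf("gelf-udp probe", socket.gethostname(), extra={"probe": "manual"})
    count = send_gelf_udp(target_host, target_port, probe)
    print("sent %d datagram(s) to %s:%d" % (count, target_host, target_port))
```

If the probe shows up on the input (Show received messages) while the nxlog messages do not, the network path and the input are fine and the problem is on the nxlog side: the File pattern, ReadFromLast True on files that never get new lines, or the saved position. If the probe does not show up either, the UDP packets are not reaching the input and the capture on the Graylog host is where to look.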

[graylog2] Re: Monitoring Windows DHCP Server Activity

2017-02-06 Thread Jochen Schalanda
Hi Rob,

since the configuration doesn't show any obvious errors, please use 
Wireshark or a similar tool like tcpdump to check if the log messages from 
nxlog are sent to the correct host and if the UDP packets actually arrive 
at the Graylog GELF UDP input.

Cheers,
Jochen

On Monday, 6 February 2017 17:08:21 UTC+1, Rob Repp wrote:
>
> The traffic is not being blocked. There's no firewall on either machine, 
> and the network path is unobstructed. Further, the Collector status for 
> that Collector is showing green, with Backend "Nxlog: running." It looks 
> like it's connected and responsive. It's just that there never seem to be 
> any messages on the associated Input.
> Tks,
> R.
>
> On Saturday, February 4, 2017 at 3:30:18 AM UTC-6, Jochen Schalanda wrote:
>>
>> Hi Rob,
>>
>> the configuration looks good so far. Make sure that the host 
>> "re.da.ct.ed" can be accessed by your Windows machine and that port 
>> 5441/udp is open and not blocked by a firewall.
>>
>> Cheers,
>> Jochen
>>
>> On Friday, 3 February 2017 23:10:50 UTC+1, Rob Repp wrote:
>>>
>>> Okay, in order:
>>>
>>> 1. I'm using the OVA VM image from Graylog, so most of the configuration 
>>> is already done. All I did was add a Connector with one nxlog input and one 
>>> nxlog output, and then the GELF UDP input that the WinDHCP json created.
>>>
>>> The WinDHCP input is configured like this:
>>>
>>> WinDHCPLogs-gelf GELF UDP RUNNING
>>> On node 771f3128 / graylog 
>>> <http://172.30.39.100/system/nodes/771f3128-a581-433b-a561-613c6bb8c5bf>
>>>
>>>- bind_address:
>>>0.0.0.0
>>>- decompress_size_limit:
>>>8388608
>>>- override_source:
>>>**
>>>- port:
>>>5441
>>>- recv_buffer_size:
>>>1048576
>>>
>>>
>>> 2. The nxlog.conf file is:
>>>
>>> define ROOT C:\Program Files (x86)\nxlog
>>>
>>> 
>>>   Module xm_gelf
>>> 
>>>
>>> Moduledir %ROOT%\modules
>>> CacheDir %ROOT%\data
>>> Pidfile %ROOT%\data\nxlog.pid
>>> SpoolDir %ROOT%\data
>>> LogFile %ROOT%\data\nxlog.log
>>> LogLevel INFO
>>>
>>> 
>>> Module  xm_fileop
>>> 
>>> When@daily
>>> Execfile_cycle('%ROOT%\data\nxlog.log', 7);
>>>  
>>> 
>>>
>>> 
>>> Module im_file
>>> File 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log'
>>> PollInterval 1
>>> SavePos True
>>> ReadFromLast True
>>> Recursive False
>>> RenameCheck True
>>> Exec $FileName = file_name(); # Send file name with each message
>>> 
>>>
>>> 
>>> Module om_udp
>>> Host re.da.ct.ed
>>> Port 5441
>>> OutputType  GELF
>>> Exec $short_message = $raw_event; # Avoids truncation of the 
>>> short_message field.
>>> Exec $gl2_source_collector = '9960a8cd-7abe-4021-939f-89b22909aa32';
>>> Exec $Hostname = hostname_fqdn();
>>> 
>>>
>>> 
>>>   Path 588bc33f682c990374bab049 => 588bc2db682c990374baafe0
>>> 
>>>
>>> 3. collector_sidecar.yml is this:
>>>
>>> server_url: http://re.da.ct.ed:9000/api 
>>> update_interval: 10
>>> tls_skip_verify: false
>>> send_status: true
>>> list_log_files:
>>> node_id: NS1
>>> collector_id: file:C:\Program 
>>> Files\graylog\collector-sidecar\collector-id
>>> cache_path: C:\Program Files\graylog\collector-sidecar\cache
>>> log_path: C:\Program Files\graylog\collector-sidecar\logs
>>> log_rotation_time: 86400
>>> log_max_age: 604800
>>> tags: dhcp
>>> backends:
>>> - name: nxlog
>>>   enabled: true
>>>   binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
>>>   configuration_path: C:\Program 
>>> Files\graylog\collector-sidecar\generated\nxlog.conf
>>> - name: winlogbeat
>>>   enabled: false
>>>   binary_path: C:\Program 
>>> Files\graylog\collector-sidecar\winlogbeat.exe
>>>   configuration_path: C:\Program 
>>> Files\graylog\collector-sidecar\generated\winlogbeat.yml
>>> - name: filebeat
>>>   enabled: false
>>>   binary_path: C:\Program 
>>> Files\graylog\collector-sidecar\filebeat.exe
>>>   configuration_path: C:\Program 
>>

[graylog2] Re: Graylog server always collect expired logs, these logs are generated long before , and now the switch has no such logs.

2017-02-06 Thread Jochen Schalanda
Hi,

On Monday, 6 February 2017 12:16:12 UTC+1, ql.w...@163.com wrote:
>
> I have stopped the input, so Graylog should not receive any logs, BUT the 
> abnormal messages are still received as before. 
>

Please verify with Wireshark or tcpdump, that these messages are indeed 
being received by Graylog or if they simply have a timestamp "in the 
future" so that they only show up now in a search query (try using an 
absolute search with its end some hours in the future).


Cheers,
Jochen

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/f90d31e2-ae47-45f2-a72c-d8bd80657b19%40googlegroups.com.


Re: [graylog2] Re: OutOfMemoryError for Beats plugin

2017-02-06 Thread Jochen Schalanda
Hi Richard,

depending on the number and size of messages, 512 MiB of heap memory might 
be too little for Graylog 2.1.x.

Please assign at least 1 GiB of heap memory using the -Xms and -Xmx JVM 
parameters.

On a side note, the OutOfMemoryError occurring in the code of the Beats 
plugin doesn't necessarily imply a problem there, but it was simply the 
place where the JVM memory was exhausted already.

Cheers,
Jochen

On Monday, 6 February 2017 12:32:36 UTC+1, Richard S. Westmoreland wrote:
>
> 2.1, it is the Beats Input that came with that version of GL, 2G ram 1 
> core, 512mb assigned to heap.
>

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/b87bb35b-decc-4b67-a17f-2be94a75ee05%40googlegroups.com.


[graylog2] Re: json array parsing issue with logstash

2017-02-06 Thread Jochen Schalanda
Hi Akshay,

I'd recommend starting over with a blank "filter" section in your Logstash 
configuration and build up on working blocks. For example your "gsub" 
filter looks just strange.

For further questions about Logstash, please post to 
https://discuss.elastic.co/c/logstash.

Cheers,
Jochen

On Monday, 6 February 2017 11:48:36 UTC+1, Akshay Agarwal wrote:
>
> Hi Jochen,
>
> I had gone through the link that you have provided.
>
> Previously, I have tried the configuration mentioned in that link.
>
> But in that as well I was getting the same issue.
>
>
> On Monday, February 6, 2017 at 3:08:27 PM UTC+5:30, Jochen Schalanda wrote:
>>
>> Hi Akshay,
>>
>> you can use the Logstash split filter to split your message into 
>> individual events by splitting by the "data" field.
>>
>> See 
>> https://www.elastic.co/guide/en/logstash/current/plugins-filters-split.html 
>> for details.
>>
>> If you need more help with Logstash, please post to 
>> https://discuss.elastic.co/c/logstash
>>
>> Cheers,
>> Jochen
>>
>> On Monday, 6 February 2017 07:27:45 UTC+1, Akshay Agarwal wrote:
>>>
>>> Hi All,
>>>
>>> I want to implement service request tracing using the Logstash http plugin, 
>>> with the data in JSON array format.
>>>
>>> Getting the following error when trying to parse the JSON array:
>>>
>>> error: 
>>>
>>> :message=>"gsub mutation is only applicable for Strings, skipping", 
>>> :field=>"message", :value=>nil, :level=>:debug, 
>>> :file=>"logstash/filters/mutate.rb", :line=>"322", :method=>"gsub"}
>>> :message=>"Exception in filterworker", 
>>> "exception"=>#>> are splittable. field:message is of type = NilClass>
>>>
>>>
>>>
>>> My json array is :
>>>
>>> {
>>> "data": [
>>> {
>>> "appName": "DemoApp",
>>> "appVersion": "1.1",
>>> "deviceId": "1234567",
>>> "deviceName": "moto e",
>>> "deviceOSVersion": "5.1",
>>> "packageName": "com.tcs.DemoApp",
>>> "message": "testing null pointer exception",
>>> "errorLog": "null pointer exception"
>>> },
>>> {
>>> "appName": "DemoApp",
>>> "appVersion": "1.1",
>>> "deviceId": "1234567",
>>> "deviceName": "moto e",
>>> "deviceOSVersion": "5.1",
>>> "packageName": "com.tcs.DemoApp",
>>> "message": "testing illegal state exception",
>>> "errorLog": "illegal state exception"
>>> }
>>> ]
>>> }
>>>
>>>
>>>
>>>
>>> my logstash config is :
>>>
>>> input {
>>> http {
>>> codec => "json"
>>> }
>>> }
>>> filter{
>>> json {
>>>   source => "message"
>>>  }
>>>mutate { gsub => [ "message", "},\r\n\r\n{", "}shr{" ] }
>>> split {
>>>   terminator => "shr"
>>>}
>>> }
>>> }
>>>
>>>
>>> output {
>>>  stdout { codec => "json" }
>>> gelf{
>>> host => localhost
>>> facility => "%{type}"
>>> level =>["%{SeverityLevel}", "INFO"]
>>> codec => "json"
>>> }
>>>file{
>>> path => "/chroot/result.log"
>>> }
>>> }
>>>
>>>
>>>
>>> Any help would be appreciated.
>>>
>>>

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/15c8c50b-b781-4a0b-b07b-4d710a4064df%40googlegroups.com.


[graylog2] Re: Graylog server always collect expired logs, these logs are generated long before , and now the switch has no such logs.

2017-02-06 Thread Jochen Schalanda
Hi,

are you sure that these messages are ingested right now and don't simply 
have a timestamp "in the future" (e. g. because of timezone issues) and 
have been ingested some hours ago?

Cheers,
Jochen

On Monday, 6 February 2017 11:17:19 UTC+1, ql.w...@163.com wrote:
>
> Hi,
> These messages show "received by deleted input on 0de4fb00 / Unknown", as 
> shown in the figure:
>
>
> <https://lh3.googleusercontent.com/-Bv2lPjtjiBI/WJhMKCO8wmI/AAc/O1DE3V7Itvo9RaYfO3FYkioGrNP-yRWDACLcB/s1600/QQ%25E6%2588%25AA%25E5%259B%25BE20170206181601.png>
>
> But the normal messages show "received by netsyslog on 0de4fb00 / 
> Unknown", as shown in the figure:
>
>
> <https://lh3.googleusercontent.com/-4pmWgp_vfz4/WJhM8w50ltI/AAk/J3VF__snTZs5jOwy8Z-GikbAtEE-rwwkACLcB/s1600/QQ%25E6%2588%25AA%25E5%259B%25BE20170206181912.png>
>
>
> On Monday, 6 February 2017 17:11:55 UTC+8, Jochen Schalanda wrote:
>>
>> Hi,
>>
>> when you click on one of these messages, you can see on which input they 
>> were received next to the "Received by" field.
>>
>> Once you have identified the input, you can use tools like Wireshark, 
>> tcpdump, or simply lsof to identify where these messages come from.
>>
>> Cheers,
>> Jochen
>>
>>
>> On Monday, 6 February 2017 04:06:00 UTC+1, ql.w...@163.com wrote:
>>>
>>> Hi,
>>>
>>> I deleted the command that sends logs to the Graylog server on the switch, 
>>> but Graylog still receives the logs of this switch as before. I don't know 
>>> where those logs received by the Graylog server come from.  
>>>
>>>
>>> <https://lh3.googleusercontent.com/-s1zELVGLS_4/WJfnIXR4eLI/AAM/JLr0beJpbmgyHv6RFo_8ZVuVDuW6WNxpgCLcB/s1600/QQ%25E6%2588%25AA%25E5%259B%25BE20170206110452.png>
>>>
>>>
>>> The switch does not send logs to Graylog, but Graylog still receives the 
>>> logs of this switch as before, as shown in the figure. 
>>>
>>>
>>>
>>> On Saturday, 4 February 2017 18:07:06 UTC+8, Jochen Schalanda wrote:
>>>>
>>>> Hi,
>>>>
>>>> please elaborate on your problem. I'm not sure what you're trying to 
>>>> say.
>>>>
>>>> What did you expect to happen or retrieve? What did actually happen?
>>>> As far as I see, the timestamps of the log messages are correct.
>>>>
>>>> Cheers,
>>>> Jochen
>>>>
>>>> On Saturday, 4 February 2017 10:48:25 UTC+1, ql.w...@163.com wrote:
>>>>>
>>>>> My Graylog server always collects expired logs; these logs were 
>>>>> generated long ago, and now the switch no longer has such logs.
>>>>> [image: image] 
>>>>> <https://www.google.com/url?q=https%3A%2F%2Fcloud.githubusercontent.com%2Fassets%2F24647716%2F22615473%2F4bef9a9a-ead0-11e6-9fc6-16e97d29dc70.png=D=1=AFQjCNHn4s-cddXkUqyzVtF1SmKgF5blNw>
>>>>>
>>>>> The current logs' source is 2017. The log whose source is 
>>>>> G1-K115-ACC-SW-48 is very old, but the server is collecting it now.
>>>>>
>>>>> This problem has troubled me for weeks. How to solve this problem?
>>>>>
>>>>

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/93a66e9b-0d7a-4290-8883-7b945b660925%40googlegroups.com.


[graylog2] Re: Problem Graylog upgrade from 2.1.2 to 2.1.3 - API

2017-02-06 Thread Jochen Schalanda
Hi Yiannis,

please make sure to clear your browser cache.

On Monday, 6 February 2017 11:00:17 UTC+1, Yiannis wrote:
>
> Where can i find a list of compatible plugins with graylog 2.1.3 ?
>

To be quite frank, there is none. You'll have to check that for every 
plugin yourself (and maybe share your findings).

Plugins distributed with Graylog itself, such as the Beats plugin or the 
Map widget plugin, are of course compatible with the Graylog version 
they've been distributed with.

Cheers,
Jochen 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/5d75931e-7e4d-49ff-a781-f79c2c73ed90%40googlegroups.com.


[graylog2] Re: Nodes with too long GC pauses

2017-02-06 Thread Jochen Schalanda
Hi Nitzan,

you've configured a very high number of processbuffer_processors and 
outputbuffer_processors in your Graylog configuration, which is usually 
counterproductive.

Please revert to the default values and only increase these values very 
conservatively.

Cheers,
Jochen

On Sunday, 5 February 2017 07:55:25 UTC+1, Nitzan Haimovich wrote:
>
> Hi Jochen,
>
> Thanks for your help. I attached one file of the configuration - The 
> configuration is the same in all 3 Graylog machines in our cluster (except 
> is_master parameter and the IP parameter).
> I also attached one file of the logs, again - same logs are all around the 
> cluster (except the master periodical duties).
>
> Our cluster:
> 3 Amazon instances, each one sized as m4.2xlarge - 8 cores and 32GB mem. 
> With Disks of 2.5TB.
>
> Let me know if you need anything else!
>
> Nitzan
>
> On Thursday, February 2, 2017 at 6:38:57 PM UTC+2, Jochen Schalanda wrote:
>>
>> Hi Nitzan,
>>
>> please post the configuration and logs of all Graylog nodes and a 
>> description of your hardware.
>>
>> Cheers,
>> Jochen
>>
>> On Thursday, 2 February 2017 17:18:12 UTC+1, Nitzan Haimovich wrote:
>>>
>>> Hi all,
>>>
>>> I'm getting this message (*Nodes with too long GC pauses*) on my 
>>> Graylog cluster. I saw many people were posting about it but not a single 
>>> thread with solutions for how to solve/fix/approach it.
>>> I would be glad for any help.
>>>
>>> My cluster - 3 Graylog instances, each one with 8 cores and 16GB memory 
>>> (heap size is configured to be : Xms - 1GB , Xmx - 8GB).
>>> If you need any more details please let me know.
>>>
>>> Thanks!!
>>>
>>> Nitzan
>>>
>>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/276bc8b7-10be-4388-9a5b-c2ae2cef7f99%40googlegroups.com.


[graylog2] Re: Field histogram query failed. Make sure that field [HTTP_CODE_V2] is a numeric type.

2017-02-06 Thread Jochen Schalanda
Hi Vojtech,

how exactly did you configure Graylog to extract the data you want from 
these messages?

Also make sure that there are no old messages in your query time range 
which have a non-numeric value in the relevant fields.

Cheers,
Jochen

On Sunday, 5 February 2017 16:40:19 UTC+1, Vojtech Vavra wrote:
>
> Hi All
>
> After a couple of hours without success I am writing to you about a question with 
> the error message above.
> I have created extractor for HTTP code from message:
> "|HTTP:200|Size:98|-|X-Forward:192.168.1.1.|X-Backend:web194|pass"
>
> output is always a number. But I have not created Generate chart with error 
> message about numeric type.
> So I have modified the extractor and added convert to number but still without 
> success :(
>
> Could you pls help me?
>
> Thank you
>
> Vojtech
>
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/5f86ec0b-65a5-44d2-b4e4-2a31be318693%40googlegroups.com.


[graylog2] Re: json array parsing issue with logstash

2017-02-06 Thread Jochen Schalanda
Hi Akshay,

you can use the Logstash split filter to split your message into individual 
events by splitting by the "data" field.

See https://www.elastic.co/guide/en/logstash/current/plugins-filters-split.html 
for details.

If you need more help with Logstash, please post 
to https://discuss.elastic.co/c/logstash

Cheers,
Jochen

On Monday, 6 February 2017 07:27:45 UTC+1, Akshay Agarwal wrote:
>
> Hi All,
>
> Want to implement service request trace using http plugin of logstash in 
> JSON Array format.
>
> Getting the following error when trying to parse the JSON array:
>
> error: 
>
> :message=>"gsub mutation is only applicable for Strings, skipping", 
> :field=>"message", :value=>nil, :level=>:debug, 
> :file=>"logstash/filters/mutate.rb", :line=>"322", :method=>"gsub"}
> :message=>"Exception in filterworker", 
> "exception"=># are splittable. field:message is of type = NilClass>
>
>
>
> My json array is :
>
> {
> "data": [
> {
> "appName": "DemoApp",
> "appVersion": "1.1",
> "deviceId": "1234567",
> "deviceName": "moto e",
> "deviceOSVersion": "5.1",
> "packageName": "com.tcs.DemoApp",
> "message": "testing null pointer exception",
> "errorLog": "null pointer exception"
> },
> {
> "appName": "DemoApp",
> "appVersion": "1.1",
> "deviceId": "1234567",
> "deviceName": "moto e",
> "deviceOSVersion": "5.1",
> "packageName": "com.tcs.DemoApp",
> "message": "testing illegal state exception",
> "errorLog": "illegal state exception"
> }
> ]
> }
>
>
>
>
> my logstash config is :
>
> input {
> http {
> codec => "json"
> }
> }
> filter{
> json {
>   source => "message"
>  }
>mutate { gsub => [ "message", "},\r\n\r\n{", "}shr{" ] }
> split {
>   terminator => "shr"
>}
> }
> }
>
>
> output {
>  stdout { codec => "json" }
> gelf{
> host => localhost
> facility => "%{type}"
> level =>["%{SeverityLevel}", "INFO"]
> codec => "json"
> }
>file{
> path => "/chroot/result.log"
> }
> }
>
>
>
> Any help would be appreciated.
>
>
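What the Logstash split filter Jochen points to does to this document, shown as an added Python example rather than a Logstash configuration (this is not Logstash's, Graylog's or the poster's code): the "data" array is fanned out into one event per element, with any top-level fields of the parent copied into each child. The sample body is the one quoted in the post; merging each element's keys into the top level is this example's own choice, so every resulting event carries the fields a GELF output would need directly, and an event without a list under the field is passed through rather than dropped.

```python
import json
from copy import deepcopy

# Constructed: the request body quoted in the post, one HTTP POST carrying two events.
SAMPLE_BODY = """{
  "data": [
    {"appName": "DemoApp", "appVersion": "1.1", "deviceId": "1234567",
     "deviceName": "moto e", "deviceOSVersion": "5.1", "packageName": "com.tcs.DemoApp",
     "message": "testing null pointer exception", "errorLog": "null pointer exception"},
    {"appName": "DemoApp", "appVersion": "1.1", "deviceId": "1234567",
     "deviceName": "moto e", "deviceOSVersion": "5.1", "packageName": "com.tcs.DemoApp",
     "message": "testing illegal state exception", "errorLog": "illegal state exception"}
  ]
}"""


def split_events(event, field="data"):
    """Fan one event whose `field` holds a list out into one event per element.

    Fields of the parent other than `field` are copied into every child. When the
    element is an object its keys are merged into the top level (the child wins on
    a clash); otherwise the element replaces `field`. An event without a list under
    `field` is returned unchanged, so a malformed post is not dropped silently.
    """
    value = event.get(field)
    if not isinstance(value, list):
        return [event]
    parent = {k: v for k, v in event.items() if k != field}
    children = []
    for element in value:
        child = deepcopy(parent)
        if isinstance(element, dict):
            child.update(element)
        else:
            child[field] = element
        children.append(child)
    return children


def parse_and_split(body, field="data"):
    """Parse a JSON request body and fan out the array under `field`."""
    return split_events(json.loads(body), field)


if __name__ == "__main__":
    for ev in parse_and_split(SAMPLE_BODY):
        print(json.dumps(ev))
```

Run as a script it prints the two flattened events, one per line, which is the shape each one would arrive in at a GELF output.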

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/59120b27-c002-4737-813f-5a6bec979c9e%40googlegroups.com.


[graylog2] Re: SysLog-udp traffic ignored from tomcat

2017-02-06 Thread Jochen Schalanda
Hi Alaa,


On Sunday, 5 February 2017 17:50:04 UTC+1, alaa barqawi wrote:
>
> i added SYSLOG appender in *logback.xml *
>

Just FYI, there are also GELF appenders for Logback which can be used to 
send messages directly to 
Graylog: https://marketplace.graylog.org/addons?tag=logback

 

> also if I test a simple message sent using syslog from any source machine 
> it's working fine and appears in the search, 
> like: nc -w0 -u 10.102.1.227 514 <<< "Test"
>
 
This is not a valid syslog message according to RFC 3164 or RFC 5424.


> is there any restriction on the graylog server to ignore the traffic?
>

Yes, messages have to conform to the syslog protocol, if you want to use a 
syslog input.


Cheers,
Jochen
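A way to see the difference Jochen is pointing at, as an added example that is not part of the thread or of Graylog's own code: this Python script builds RFC 5424 and RFC 3164 formatted messages, classifies a raw datagram against simplified patterns for both formats (the bare "Test" from the nc command matches neither), and can send the result over UDP to a syslog input. The host, tag and message values are constructed; the regular expressions are a simplified reading of the two RFCs for demonstration, not Graylog's parser.

```python
import re
import socket
from datetime import datetime, timezone

# Priority is facility * 8 + severity in both RFCs; 1 = user, 6 = informational.
FACILITY_USER = 1
SEVERITY_INFO = 6

# RFC 3164 (BSD syslog): "<PRI>Mmm dd hh:mm:ss HOST TAG: MSG"; the day is space-padded.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.+)$"
)

# RFC 5424: "<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]"
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d{0,2}) "
    r"(?P<ts>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>\S{1,255}) (?P<app>\S{1,48}) (?P<procid>\S{1,128}) (?P<msgid>\S{1,32}) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)


def priority(facility, severity):
    """PRI value; rejects values outside the ranges the RFCs define."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def format_rfc5424(host, app, msg, facility=FACILITY_USER, severity=SEVERITY_INFO, ts=None):
    """RFC 5424 line with NILVALUE for PROCID, MSGID and STRUCTURED-DATA."""
    ts = ts or datetime.now(timezone.utc)
    if ts.tzinfo is None:                       # the RFC requires a timezone
        ts = ts.replace(tzinfo=timezone.utc)
    stamp = ts.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return f"<{priority(facility, severity)}>1 {stamp} {host} {app} - - - {msg}"


def format_rfc3164(host, tag, msg, facility=FACILITY_USER, severity=SEVERITY_INFO, ts=None):
    """RFC 3164 line; note the two-character, space-padded day of month."""
    ts = ts or datetime.now()
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    return f"<{priority(facility, severity)}>{stamp} {host} {tag}: {msg}"


def classify(payload):
    """Return 'rfc5424', 'rfc3164' or None for the text of one UDP datagram."""
    line = payload.rstrip("\r\n")
    if RFC5424_RE.match(line):
        return "rfc5424"
    if RFC3164_RE.match(line):
        return "rfc3164"
    return None


def send_udp(payload, target_host, target_port):
    """Send one datagram to a syslog UDP input; returns bytes handed to the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload.encode("utf-8"), (target_host, target_port))


def demo_messages():
    """Two well-formed messages with a fixed, constructed timestamp."""
    fixed = datetime(2017, 2, 5, 16, 50, 4, tzinfo=timezone.utc)
    return (format_rfc5424("web01", "tomcat", "started", ts=fixed),
            format_rfc3164("web01", "tomcat", "started", ts=fixed.replace(tzinfo=None)))


if __name__ == "__main__":
    for sample in ("Test",) + demo_messages():   # "Test" is what the nc command sends
        print(f"{classify(sample)!s:8} {sample}")
```

Pointing `send_udp(demo_messages()[0], "<graylog-host>", 514)` at the input is the equivalent of the nc test with a payload the input can actually parse; if that message shows up in the search and the Logback appender's output does not, the difference lies in what the appender emits, not in the input.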

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/895f850f-7eb3-4405-911f-87a16fcbada0%40googlegroups.com.


[graylog2] Re: Graylog server always collect expired logs, these logs are generated long before , and now the switch has no such logs.

2017-02-06 Thread Jochen Schalanda
Hi,

when you click on one of these messages, you can see on which input they 
were received next to the "Received by" field.

Once you have identified the input, you can use tools like Wireshark, 
tcpdump, or simply lsof to identify where these messages come from.

Cheers,
Jochen


On Monday, 6 February 2017 04:06:00 UTC+1, ql.w...@163.com wrote:
>
> Hi,
>
> I deleted the command that sends logs to the graylog server in the switch, but 
> graylog still receives the logs of this switch as before. I don't know where 
> those logs received by the graylog server come from.  
>
>
> <https://lh3.googleusercontent.com/-s1zELVGLS_4/WJfnIXR4eLI/AAM/JLr0beJpbmgyHv6RFo_8ZVuVDuW6WNxpgCLcB/s1600/QQ%25E6%2588%25AA%25E5%259B%25BE20170206110452.png>
>
>
> The switch does not send logs to graylog, but graylog still receives the logs 
> of this switch as before, as shown in the figure. 
>
>
>
> On Saturday, 4 February 2017 18:07:06 UTC+8, Jochen Schalanda wrote:
>>
>> Hi,
>>
>> please elaborate on your problem. I'm not sure what you're trying to say.
>>
>> What did you expect to happen or retrieve? What did actually happen?
>> As far as I see, the timestamps of the log messages are correct.
>>
>> Cheers,
>> Jochen
>>
>> On Saturday, 4 February 2017 10:48:25 UTC+1, ql.w...@163.com wrote:
>>>
>>> My graylog server always collects expired logs; these logs were generated 
>>> long before, and now the switch has no such logs.
>>> [image: image] 
>>> <https://www.google.com/url?q=https%3A%2F%2Fcloud.githubusercontent.com%2Fassets%2F24647716%2F22615473%2F4bef9a9a-ead0-11e6-9fc6-16e97d29dc70.png=D=1=AFQjCNHn4s-cddXkUqyzVtF1SmKgF5blNw>
>>>
>>> The current log's source is 2017. The log whose source is 
>>> G1-K115-ACC-SW-48 is very early, but the server is collecting it now.
>>>
>>> This problem has troubled me for weeks. How to solve this problem?
>>>
>>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/56bc1f50-1b9f-4e52-ada3-c9dc92430280%40googlegroups.com.


[graylog2] Re: RDBMS plugin on marketplace

2017-02-06 Thread Jochen Schalanda
Hi Richard,

from looking at the plugin source code, it seems like it was written for 
Graylog 1.3.x, so it's not given that it will work with Graylog 2.x.

Have you considered opening a bug report at 
https://github.com/wizecore/graylog2-output-jdbc/issues?

Cheers,
Jochen

On Monday, 6 February 2017 07:01:07 UTC+1, Richard S. Westmoreland wrote:
>
> Hello,
>
> I'm trying to use this plugin on the graylog marketplace:
>
> https://marketplace.graylog.org/addons/9699f645-0d53-4654-864a-fbb08fb6d7ae
>
> I'm doing something wrong.  Here is my config:
>
> JDBC URL: jdbc:mysql://myhost.local:3306/graylog
> Driver to use:  mariadb-java-client-1.5.7.jar
>
> Originally I used jdbc:mariadb:// but it didn't work, and the driver was the full 
> path, which also didn't work.  Based on some other non-graylog mysql driver 
> questions I tried setting my CLASSPATH variable to include the full path to 
> the driver as well.  Still no good.
>
> I had setup a Stream that used this Output and I can see msg/s trickling 
> through.  But nothing ends up in my mariadb table, and a tcpdump shows no 
> packets hitting the port.  Yes mariadb is set to listen on 0.0.0.0 and the 
> user was updated to accept remote connections (as well as local).
>
> There is one step in the instructions that doesn't make any sense to me:
>
> Add following line to graylog2-output-jdbc.jar/META-INF/MANIFEST.MF
>
> What does this mean?
>
> thanks
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/80f06347-8060-47de-b252-566af2d887fd%40googlegroups.com.


[graylog2] Re: OutOfMemoryError for Beats plugin

2017-02-06 Thread Jochen Schalanda
Hi Richard,

Which version of the Graylog Beats plugin are you using?
Which version of Graylog are you using?
What are the hardware specs of the machine(s) running Graylog?

Cheers,
Jochen

On Monday, 6 February 2017 09:03:09 UTC+1, Richard S. Westmoreland wrote:
>
> I'm getting this error in my server.log:
>
> 2017-02-06T07:55:17.016Z ERROR [NettyTransport] Error in Input 
> [Beats/58785c6a57fe51420e73e1ea] (channel [id: 0x8183ee45, /
> 127.0.0.1:52554 :> /127.0.0.1:5051])
> *java.lang.OutOfMemoryError: Java heap space*
> at 
> org.graylog.plugins.beats.BeatsFrameDecoder.processCompressedFrame(BeatsFrameDecoder.java:201)
>  
> ~[?:?]
> at 
> org.graylog.plugins.beats.BeatsFrameDecoder.decode(BeatsFrameDecoder.java:120)
>  
> ~[?:?]
> at 
> org.graylog.plugins.beats.BeatsFrameDecoder.decode(BeatsFrameDecoder.java:49) 
> ~[?:?]
> at 
> org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:500)
>  
> ~[graylog.jar:?]
> at 
> org.jboss.netty.handler.codec.replay.ReplayingDecoder.cleanup(ReplayingDecoder.java:554)
>  
> ~[graylog.jar:?]
> at 
> org.jboss.netty.handler.codec.frame.FrameDecoder.channelDisconnected(FrameDecoder.java:365)
>  
> ~[graylog.jar:?]
> at 
> org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:102)
>  
> ~[graylog.jar:?]
> at 
> org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
>  
> ~[graylog.jar:?]
> at 
> org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
>  
> ~[graylog.ja
> r:?]
> ...etc...
>
> The thing is, my heap is fine when this happens.  I can watch it on the 
> Nodes page, and with a min and slightly higher max set, I never see it grow 
> beyond the original min.  Why would this happen?
>
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/d3e8440d-5ec0-4ea6-b937-589856664a57%40googlegroups.com.


[graylog2] Re: Monitoring Windows DHCP Server Activity

2017-02-04 Thread Jochen Schalanda
Hi Rob,

the configuration looks good so far. Make sure that the host "re.da.ct.ed" 
can be accessed by your Windows machine and that port 5441/udp is open and 
not blocked by a firewall.

Cheers,
Jochen

On Friday, 3 February 2017 23:10:50 UTC+1, Rob Repp wrote:
>
> Okay, in order:
>
> 1. I'm using the OVA VM image from Graylog, so most of the configuration 
> is already done. All I did was add a Connector with one nxlog input and one 
> nxlog output, and then the GELF UDP input that the WinDHCP json created.
>
> The WinDHCP input is configured like this:
>
> WinDHCPLogs-gelf GELF UDP RUNNING
> On node 771f3128 / graylog 
> <http://172.30.39.100/system/nodes/771f3128-a581-433b-a561-613c6bb8c5bf>
>
>- bind_address:
>0.0.0.0
>- decompress_size_limit:
>8388608
>- override_source:
>**
>- port:
>5441
>- recv_buffer_size:
>1048576
>
>
> 2. The nxlog.conf file is:
>
> define ROOT C:\Program Files (x86)\nxlog
>
> 
>   Module xm_gelf
> 
>
> Moduledir %ROOT%\modules
> CacheDir %ROOT%\data
> Pidfile %ROOT%\data\nxlog.pid
> SpoolDir %ROOT%\data
> LogFile %ROOT%\data\nxlog.log
> LogLevel INFO
>
> 
> Module  xm_fileop
> 
> When@daily
> Execfile_cycle('%ROOT%\data\nxlog.log', 7);
>  
> 
>
> 
> Module im_file
> File 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log'
> PollInterval 1
> SavePos True
> ReadFromLast True
> Recursive False
> RenameCheck True
> Exec $FileName = file_name(); # Send file name with each message
> 
>
> 
> Module om_udp
> Host re.da.ct.ed
> Port 5441
> OutputType  GELF
> Exec $short_message = $raw_event; # Avoids truncation of the short_message 
> field.
> Exec $gl2_source_collector = '9960a8cd-7abe-4021-939f-89b22909aa32';
> Exec $Hostname = hostname_fqdn();
> 
>
> 
>   Path 588bc33f682c990374bab049 => 588bc2db682c990374baafe0
> 
>
> 3. collector_sidecar.yml is this:
>
> server_url: http://re.da.ct.ed:9000/api 
> update_interval: 10
> tls_skip_verify: false
> send_status: true
> list_log_files:
> node_id: NS1
> collector_id: file:C:\Program Files\graylog\collector-sidecar\collector-id
> cache_path: C:\Program Files\graylog\collector-sidecar\cache
> log_path: C:\Program Files\graylog\collector-sidecar\logs
> log_rotation_time: 86400
> log_max_age: 604800
> tags: dhcp
> backends:
> - name: nxlog
>   enabled: true
>   binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
>   configuration_path: C:\Program 
> Files\graylog\collector-sidecar\generated\nxlog.conf
> - name: winlogbeat
>   enabled: false
>   binary_path: C:\Program 
> Files\graylog\collector-sidecar\winlogbeat.exe
>   configuration_path: C:\Program 
> Files\graylog\collector-sidecar\generated\winlogbeat.yml
> - name: filebeat
>   enabled: false
>   binary_path: C:\Program Files\graylog\collector-sidecar\filebeat.exe
>   configuration_path: C:\Program 
> Files\graylog\collector-sidecar\generated\filebeat.yml
>
>
>
>
>
> On Friday, February 3, 2017 at 3:21:21 AM UTC-6, Jochen Schalanda wrote:
>>
>> Hi Rob,
>>
>> How did you configure Graylog? Which inputs did you create and how did 
>> you configure them?
>> How did you configure the Graylog Collector Sidecar and what's the 
>> generated nxlog configuration?
>>
>> Cheers,
>> Jochen
>>
>> On Thursday, 2 February 2017 23:30:20 UTC+1, Rob Repp wrote:
>>>
>>> I set up a Graylog 2.1.2 server by deploying the downloadable OVA from 
>>> graylog.org. I'm trying to monitor a Windows 2008 R2 server with the 
>>> DHCP role installed. The DHCP server deposits activity data into log files 
>>> at C:\Windows\System32\dhcp\DhcpSrvLog-*.log. I have collector-sidecar and 
>>> nxlog installed on the Windows machine, and configured to send the log data 
>>> back to a collector input on the Graylog server.
>>>
>>> My configuration is based on the WindowsDHCP content pack available in 
>>> the Graylog marketplace. I imported the content pack json, 
>>> configured collector-sidecar on Windows and the Graylog collector starting 
>>> from the sample code at https://github.com/JulioQc/WinDHCP. 
>>> Unfortunately, when I do "show messages" for the collector, there's nothing 
>>> coming in.
>>>
>>> Has anyone had any success with this configuration? If not, is there a 
>>> better method for monitoring Windows DHCP activity with Graylog? Thanks!
>>>
>>
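As a connectivity check for the two conditions Jochen names (host reachable from the Windows machine, 5441/udp not blocked), an added Python example that is not part of the WinDHCP content pack, of nxlog or of Graylog: it builds a gzip-compressed GELF 1.1 datagram the way the om_udp output with OutputType GELF would, sends it over UDP, and decodes it back. Run from the Windows host against the Graylog address and the input's port, the probe message should then appear under the input's "Show received messages"; if it does not while the loopback round trip works, the path between the two hosts is what to look at. Host names, the file name and the message text are constructed, and GELF chunking for datagrams too large for one UDP packet is not implemented here.

```python
import gzip
import json
import socket
import time

GELF_VERSION = "1.1"
REQUIRED_FIELDS = ("version", "host", "short_message")


def build_gelf(host, short_message, level=6, timestamp=None, **extra):
    """Build a gzip-compressed GELF 1.1 datagram.

    Keyword arguments become additional fields and get the underscore prefix
    GELF requires; "id" is rejected because GELF reserves _id.
    """
    payload = {
        "version": GELF_VERSION,
        "host": host,
        "short_message": short_message,
        "timestamp": round(time.time(), 3) if timestamp is None else timestamp,
        "level": level,  # syslog severity, 6 = informational
    }
    for key, value in extra.items():
        name = key.lstrip("_")
        if name == "id":
            raise ValueError("_id is reserved by GELF and must not be sent")
        payload["_" + name] = value
    return gzip.compress(json.dumps(payload).encode("utf-8"))


def decode_gelf(datagram):
    """Receiver side: inflate if gzip-compressed, parse, insist on the mandatory fields."""
    if datagram[:2] == b"\x1f\x8b":  # gzip magic bytes
        datagram = gzip.decompress(datagram)
    message = json.loads(datagram.decode("utf-8"))
    missing = [k for k in REQUIRED_FIELDS if k not in message]
    if missing:
        raise ValueError(f"not a GELF message, missing {missing}")
    return message


def send_gelf_udp(datagram, target_host, target_port):
    """Send one datagram; returns the number of bytes handed to the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (target_host, target_port))


def loopback_roundtrip(datagram, timeout=2.0):
    """Receive our own datagram on a throwaway local UDP socket and decode it,
    proving the payload is well-formed before pointing the sender at a real input."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        send_gelf_udp(datagram, "127.0.0.1", rx.getsockname()[1])
        data, _ = rx.recvfrom(65535)
    return decode_gelf(data)


if __name__ == "__main__":
    import sys
    # Constructed values; the collector id is a placeholder, not the one from the thread.
    datagram = build_gelf("ns1.example.test",
                          "constructed DhcpSrvLog probe line",
                          file_name="DhcpSrvLog-Mon.log",
                          gl2_source_collector="PLACEHOLDER-COLLECTOR-ID")
    print("loopback:", loopback_roundtrip(datagram))
    if len(sys.argv) == 3:   # usage: gelf_probe.py <graylog-host> <gelf-udp-port>
        sent = send_gelf_udp(datagram, sys.argv[1], int(sys.argv[2]))
        print(f"sent {sent} bytes to {sys.argv[1]}:{sys.argv[2]}")
```

`sendto` succeeding only means the datagram left the socket; UDP gives no delivery signal, so the check that matters is whether the message shows up on the input, and a capture on the Graylog host (tcpdump on port 5441) tells the two failure cases apart.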

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/b5d0ddb0-009a-4f2a-8164-b3a3641f5acf%40googlegroups.com.


[graylog2] Re: View Dashboard Data

2017-02-04 Thread Jochen Schalanda
Hi Sridhar,

On Saturday, 4 February 2017 00:20:19 UTC+1, Sridhar wrote:
>
> My question is, if I click on a bar in the histogram, will that show me, in 
> some pop-up or any other way, what the logging messages associated 
> with that bar are?
>

No.

Cheers,
Jochen

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/fcc5b3c3-f0b9-4222-8fc3-9cdf6a674aee%40googlegroups.com.


Re: [graylog2] Graylog build and package

2017-02-04 Thread Jochen Schalanda
Hi Rayees,

the Graylog OS packages (DEB and RPM) are built from this 
repository: https://github.com/Graylog2/fpm-recipes/

Cheers,
Jochen

On Friday, 3 February 2017 20:46:26 UTC+1, Rayees Namathponnan wrote:
>
> I tried to create an rpm with > mvn rpm:rpm -X  but the build failed with the below 
> error
>
>
> I am not seeing any spec file and also no instruction to create an RPM in the main 
> POM.xml,  could someone please help me understand how the RPM works here 
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/4191adfd-e48c-4504-a330-f9b56ed9ef2e%40googlegroups.com.


[graylog2] Re: Problem Graylog upgrade from 2.1.2 to 2.1.3 - API

2017-02-03 Thread Jochen Schalanda
Hi César,

make sure to use only plugins in a compatible version.

For example the Threat Intelligence Plugin for Graylog is currently not 
compatible with Graylog 2.1.3.

Cheers,
Jochen

On Friday, 3 February 2017 18:08:43 UTC+1, CESAR Fabre wrote:
>
> Hi,
>
> I'm trying the upgrade from 2.1.2 to 2.1.3 on CentOS 7 but I had some 
> problems. Follows the popup that appears frequently after upgrade.
>
> Server currently unavailable
> We are experiencing problems connecting to the Graylog server running on 
> http://192.168.10.5:9000/api. Please verify that the server is healthy 
> and working correctly.
>
>
> PS: Graylog 2.1.2 is working very well. 
>
> My scenario is this:
>
> graylog-server-2.1.2-1.noarch
>
> elasticsearch-2.4.4-1.noarch
>
> mongodb-org-server-3.2.11-1.el7.x86_64
>
>
> I have some plugins as well:
>
> graylog-plugin-beats-1.1.3.jar
>
> graylog-plugin-collector-1.1.2.jar
>
> graylog-plugin-enterprise-integration-1.1.2.jar
>
> graylog-plugin-input-cef-1.1.1.jar
>
> graylog-plugin-map-widget-1.1.2.jar
>
> graylog-plugin-pipeline-processor-1.1.2.jar
>
> graylog-plugin-threatintel-0.9.0.jar
>
> usage-statistics-2.1.2.jar
>
>
> Can you help me?
>
>
> Thank you so much!!!
>
> César
>
>
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/1df53f9b-28a9-4acb-a894-7d9e6c8d68fe%40googlegroups.com.


[graylog2] Re: Quick Values not working

2017-02-03 Thread Jochen Schalanda
Hi Steve,

On Friday, 3 February 2017 18:05:26 UTC+1, Steve Kuntz wrote:
>
> There is an error in the graylog.log
>
> WARN  [SearchResource] Unable to execute search: [reduce]  
>

Is there more context around that warning message?

Cheers,
Jochen 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/790e896c-0f15-4e54-b9e8-2b12e3f7e05b%40googlegroups.com.


[graylog2] Re: Quick Values not working

2017-02-03 Thread Jochen Schalanda
Hi Steve,

the "quick values" functionality only works if the field is numeric in all 
messages of the queried time range. If there are some non-numeric values 
for that message field within the queried time range, you'll receive the 
error message you've already mentioned.

Cheers,
Jochen

On Friday, 3 February 2017 16:08:14 UTC+1, Steve Kuntz wrote:
>
> I'm having a new issue getting quick values since I modified some fields. 
> This is just to get the HTTP status codes but there is some issue. All 
> values are being converted to numeric but I'm getting an error. I've 
> attached the error and the stats to show what the data is.
>
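Both this thread and the "Field histogram query failed" thread above come down to the same check Jochen names: a value that is not numeric somewhere in the queried range. As an added Python example (not Graylog's extractor or search code), the block below mirrors a regex extractor with a numeric converter on the message format quoted in the earlier thread and audits a batch of messages for exactly that condition before trying to bucket the values, so the offending messages can be located instead of guessed at. The sample messages are constructed, including one with "5xx" in the code position and one where the field is absent.

```python
import re
from collections import Counter

# Constructed sample messages in the format quoted in the earlier thread.
SAMPLE_MESSAGES = [
    "|HTTP:200|Size:98|-|X-Forward:192.168.1.1.|X-Backend:web194|pass",
    "|HTTP:404|Size:0|-|X-Forward:10.0.0.7|X-Backend:web12|pass",
    "|HTTP:5xx|Size:0|-|X-Forward:10.0.0.9|X-Backend:web12|fail",  # constructed non-numeric value
    "|Size:12|-|X-Forward:10.0.0.3|X-Backend:web01|pass",           # constructed: field absent
]

# Equivalent of a regex extractor: capture whatever sits between "|HTTP:" and the next "|".
HTTP_CODE_RE = re.compile(r"\|HTTP:(?P<code>[^|]*)\|")


def extract_http_code(message):
    """Return (raw_value, numeric_value).

    raw is None when the field is absent from the message; numeric is None when
    the raw value does not convert, which is the case a numeric converter fails on.
    """
    m = HTTP_CODE_RE.search(message)
    if not m:
        return None, None
    raw = m.group("code")
    try:
        return raw, int(raw)
    except ValueError:
        return raw, None


def audit_field(messages):
    """Sort each message's HTTP code into numeric / non_numeric / missing,
    keeping the message index so offenders can be located in the time range."""
    report = {"numeric": [], "non_numeric": [], "missing": []}
    for i, msg in enumerate(messages):
        raw, num = extract_http_code(msg)
        if raw is None:
            report["missing"].append(i)
        elif num is None:
            report["non_numeric"].append((i, raw))
        else:
            report["numeric"].append((i, num))
    return report


def histogram_safe(messages):
    """True when every message that carries the field carries a numeric value."""
    return not audit_field(messages)["non_numeric"]


def value_counts(messages):
    """Bucket the numeric values, as a field histogram would; refuses to run while
    any message in the batch holds a non-numeric value, naming the offenders."""
    report = audit_field(messages)
    if report["non_numeric"]:
        offenders = ", ".join(f"message #{i} = {raw!r}" for i, raw in report["non_numeric"])
        raise ValueError(f"HTTP code is not numeric in all messages: {offenders}")
    return dict(Counter(num for _, num in report["numeric"]))


if __name__ == "__main__":
    print(audit_field(SAMPLE_MESSAGES))
    print("safe to chart:", histogram_safe(SAMPLE_MESSAGES))
    print(value_counts([m for m in SAMPLE_MESSAGES if "5xx" not in m]))
```

The same idea applied to a Graylog setup is a search over the queried range for messages whose field value does not look numeric; once those are found, the extractor's condition or the retention of the older messages is what to adjust.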

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/33c4642f-6ead-4b30-9e20-63b0e97ffead%40googlegroups.com.


[graylog2] Re: Indices and edit Extractor page timing out

2017-02-03 Thread Jochen Schalanda
Hi Steve,

On Friday, 3 February 2017 16:03:04 UTC+1, Steve Kuntz wrote:
>
> Thanks, I guess I'll wait until 2.2. I need 2 weeks of archive and my 
> settings are keeping about 2100 indices @20,000,000 messages per index, 
> which is about 2 weeks for me. 
>

Have you thought about using a time-based rotation/retention policy for 
your Graylog setup, e.g. 1 index every few hours?

Cheers,
Jochen

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/015368d0-0c8f-42bc-a7cb-754af44d81ee%40googlegroups.com.


[graylog2] Re: Custom GrayLog Web Plugin Error "Cannot read property 'call' of undefined"

2017-02-03 Thread Jochen Schalanda
Hi Bill,

On Friday, 3 February 2017 13:00:19 UTC+1, Bill Murrin wrote:
>
> Any assistance you can provide would be appreciated. Here is a link to the 
> plugin to see if you guys might be able to help me figure out what is 
> causing it. Once we figure this out, I plan on sharing the plugin on the 
> marketplace and my Github page.
>

Why not put it on GitHub now so we can see the code?

Cheers,
Jochen 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/9015b475-010a-4f55-97f3-bc8070b4817e%40googlegroups.com.


[graylog2] Re: Monitoring Windows DHCP Server Activity

2017-02-03 Thread Jochen Schalanda
Hi Rob,

How did you configure Graylog? Which inputs did you create and how did you 
configure them?
How did you configure the Graylog Collector Sidecar and what's the 
generated nxlog configuration?

Cheers,
Jochen

On Thursday, 2 February 2017 23:30:20 UTC+1, Rob Repp wrote:
>
> I set up a Graylog 2.1.2 server by deploying the downloadable OVA from 
> graylog.org. I'm trying to monitor a Windows 2008 R2 server with the DHCP 
> role installed. The DHCP server deposits activity data into log files 
> at C:\Windows\System32\dhcp\DhcpSrvLog-*.log. I have collector-sidecar and 
> nxlog installed on the Windows machine, and configured to send the log data 
> back to a collector input on the Graylog server.
>
> My configuration is based on the WindowsDHCP content pack available in the 
> Graylog marketplace. I imported the content pack json, 
> configured collector-sidecar on Windows and the Graylog collector starting 
> from the sample code at https://github.com/JulioQc/WinDHCP. 
> Unfortunately, when I do "show messages" for the collector, there's nothing 
> coming in.
>
> Has anyone had any success with this configuration? If not, is there a 
> better method for monitoring Windows DHCP activity with Graylog? Thanks!
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/556abf93-9eb8-4de3-bd37-209742509186%40googlegroups.com.


[graylog2] Re: Indices and edit Extractor page timing out

2017-02-03 Thread Jochen Schalanda
Hi Steve,

the issue with the extractor page might have been fixed in Graylog 2.2.0, 
see https://github.com/Graylog2/graylog2-server/issues/3366 for the related 
GitHub issue.

Cheers,
Jochen

On Thursday, 2 February 2017 21:56:32 UTC+1, Steve Kuntz wrote:
>
> Hi
>
> This is still a big issue for me. Is there anything I can do? Is there any 
> more information I can provide to get help?
>
> On Wednesday, December 14, 2016 at 10:46:36 AM UTC-5, Steve Kuntz wrote:
>>
>> Hi,
>>
>> Has anyone else seen this behavior? Everything works well until I hit the 
>> Indices page or the try to edit an extractor. After this sometimes I have 
>> to restart Graylog to get the interface to respond again. Could I have too 
>> many Indices and/or shards? I'm currently processing about 40,000 
>> messages/second. I have 1,700 indices, 24,500 shards and I've just lowered 
>> my shards from 8 primaries and 1 replica to 4 primaries and 1 replica. 
>> Currently my ES usage is ~40TB
>>
>> Thanks
>>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/80bf6344-c206-4895-9d78-f1cf2dbdd577%40googlegroups.com.


[graylog2] Re: Indices and edit Extractor page timing out

2017-02-03 Thread Jochen Schalanda
Hi Steve,

I haven't seen that behavior personally, but I wouldn't rule out that it 
can happen with a large number of indices.

Please think about reducing the number of open indices in your system, 
either by closing them (System / Indices page) or by archiving them, for 
example with the Graylog Archiving 
plugin: http://docs.graylog.org/en/2.1/pages/archiving.html

Cheers,
Jochen

On Thursday, 2 February 2017 21:56:32 UTC+1, Steve Kuntz wrote:
>
> Hi
>
> This is still a big issue for me. Is there anything I can do? Is there any 
> more information I can provide to get help?
>
> On Wednesday, December 14, 2016 at 10:46:36 AM UTC-5, Steve Kuntz wrote:
>>
>> Hi,
>>
>> Has anyone else seen this behavior? Everything works well until I hit the 
>> Indices page or the try to edit an extractor. After this sometimes I have 
>> to restart Graylog to get the interface to respond again. Could I have too 
>> many Indices and/or shards? I'm currently processing about 40,000 
>> messages/second. I have 1,700 indices, 24,500 shards and I've just lowered 
>> my shards from 8 primaries and 1 replica to 4 primaries and 1 replica. 
>> Currently my ES usage is ~40TB
>>
>> Thanks
>>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/ec88e254-b6c2-45e4-be8a-f3e497dda295%40googlegroups.com.


[graylog2] Re: javax.net.ssl.SSLPeerUnverifiedException: Hostname 10.22.5.24 not verified - https

2017-02-03 Thread Jochen Schalanda
Hi Giwenn,

On Friday, 3 February 2017 10:04:51 UTC+1, Giwenn Launay wrote:
>
> It's good?
>

As long as you're using serv-XXX-log-2.XXX.XXX.com in your 
rest_transport_uri setting, it should be fine.

Cheers,
Jochen 



[graylog2] Re: How to solve this alert? Notification condition [NO_MASTER] has been fixed.

2017-02-03 Thread Jochen Schalanda
Hi Aitor,

as I already mentioned, your ES cluster doesn't have enough hardware 
resources to keep up with the data ingestion from Graylog. Assign at least 
4 GiB of memory for each Elasticsearch node.

Cheers,
Jochen

On Friday, 3 February 2017 08:05:27 UTC+1, Aitor Mendoza wrote:
>
> Hello Jochen,
>
> But the disk space problem is from yesterday, because of a VMware datastore 
> problem that is already solved. But I want to solve the alert "NO MASTER 
> fixed" that has been appearing since the first day...
>
> Thanks
>
> On Thursday, 2 February 2017 15:22:58 UTC+1, Jochen Schalanda 
> wrote:
>>
>> Hi Aitor,
>>
>> these logs clearly show that your Elasticsearch cluster is not healthy: 
>> It ran out of disk space multiple times and it can't keep up with indexing 
>> messages sent by Graylog (full task queues etc.).
>>
>> You'll have to provide more hardware (esp. more memory, at least 4 GiB) 
>> to your Elasticsearch nodes.
>>
>> Cheers,
>> Jochen
>>
>



[graylog2] Re: Unable to connect elastic search

2017-02-03 Thread Jochen Schalanda
Hi Sridhar,

127.0.0.1 is the loopback address, which means that it's only accessible 
from the very same machine.

If you're trying to create an Elasticsearch cluster, you have to use a 
public IP address of all affected nodes.

See 
http://docs.graylog.org/en/2.1/pages/configuration/elasticsearch.html#configuration 
for details.

Cheers,
Jochen

On Thursday, 2 February 2017 19:42:58 UTC+1, Sridhar wrote:
>
> Hi,
>
> I am configuring Graylog on my PC, and I am unable to connect to the 
> Elasticsearch server from Graylog.
>
> Exception: 
>
> com.google.common.util.concurrent.UncheckedExecutionException: ClusterBlockException[blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];]
> at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2207) ~[graylog.jar:?]
> at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[graylog.jar:?]
> at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4790) ~[graylog.jar:?]
> at org.graylog2.rest.resources.sources.SourcesResource.list(SourcesResource.java:89) ~[graylog.jar:?]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_121]
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_121]
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_121]
> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_121]
> at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81) ~[graylog.jar:?]
> at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144) ~[graylog.jar:?]
> at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161) ~[graylog.jar:?]
> at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:205) ~[graylog.jar:?]
> at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99) ~[graylog.jar:?]
> at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389) ~[graylog.jar:?]
> at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347) ~[graylog.jar:?]
> at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102) ~[graylog.jar:?]
> at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326) [graylog.jar:?]
> at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [graylog.jar:?]
> at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [graylog.jar:?]
> at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [graylog.jar:?]
> at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [graylog.jar:?]
> at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [graylog.jar:?]
> at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [graylog.jar:?]
> at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [graylog.jar:?]
> at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [graylog.jar:?]
> at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [graylog.jar:?]
> at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [graylog.jar:?]
> at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_121]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_121]
> at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
> Caused by: org.elasticsearch.cluster.block.ClusterBlockException: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];
> at org.elasticsearch.cluster.block.ClusterBlocks.globalBlockedException(ClusterBlocks.java:158) ~[graylog.jar:?]
> at org.elasticsearch.cluster.block.ClusterBlocks.globalBlockedRaiseException(ClusterBlocks.java:144) ~[graylog.jar:?]
> at org.elasticsearch.action.search.AbstractSearchAsyncAction.<init>(AbstractSearchAsyncAction.java:94) ~[graylog.jar:?]
> at org.elasticsearch.action.search.SearchQueryThenFetchAsyncAction.<init>(SearchQueryThenFetchAsyncAction.java:53) ~[graylog.jar:?]
> at org.elasticsearch.action.search.TransportSearchAction.doExecute(TransportSearchAction.java:93) ~[graylog.jar:?]
> at 
> 

[graylog2] Re: Source Name is not displayed.

2017-02-02 Thread Jochen Schalanda
Hi Sridhar,

Which GELF appender are you using?
Did you configure a GELF UDP or a GELF TCP input in Graylog?
How did you configure these inputs?
Did you check your firewall rules to allow access on port 12201/tcp or 
12201/udp?

Cheers,
Jochen

On Thursday, 2 February 2017 16:21:08 UTC+1, Sridhar wrote:
>
> Hi,
>
> I am very new to Graylog. I am using the following configuration:
>
> Virtualbox version: Version 5.1.14 r112924 (Qt5.6.2)
> Graylog OVA file: graylog-2.1.3-1
>
> I am able to open the Graylog web interface without any issue and I am using 
> the following logging configuration for sending messages from my local Java 
> application to Graylog.
>
>
> [log4j XML configuration not preserved by the archive; only the fragment
> xmlns:log4j='http://jakarta.apache.org/log4j/'> survived]
>
>
> When I run the application, I can see the input message count coming from 
> my Java application in the top right corner of the web interface, but I am not 
> able to find the source name under the Top Sources section. Does anyone know 
> what the issue is here?
>
> Please find the attachment for more details; I have highlighted the input 
> and source sections in red.
>
> Your help is much appreciated.
>
> Thanks,
> Sridhar
>
>
>



[graylog2] Re: Nodes with too long GC pauses

2017-02-02 Thread Jochen Schalanda
Hi Nitzan,

please post the configuration and logs of all Graylog nodes and a 
description of your hardware.

Cheers,
Jochen

On Thursday, 2 February 2017 17:18:12 UTC+1, Nitzan Haimovich wrote:
>
> Hi all,
>
> I'm getting this message (*Nodes with too long GC pauses*) on my Graylog 
> cluster. I saw many people were posting about it but not a single thread 
> with solutions for how to solve/fix/approach it.
> I would be glad for any help.
>
> My cluster: 3 Graylog instances, each one with 8 cores and 16GB memory 
> (heap size is configured as Xms 1GB, Xmx 8GB).
> If you need any more details please let me know.
>
> Thanks!!
>
> Nitzan
>



[graylog2] Re: javax.net.ssl.SSLPeerUnverifiedException: Hostname 10.22.5.24 not verified - https

2017-02-02 Thread Jochen Schalanda
Hi Giwenn,

what are the attributes of your self-signed certificate, especially the 
CommonName (CN) and optionally the AltSubjName?

In your first message, it looks like it was CN=10.22.5.24:9000, which is 
wrong (it has to be the host name of the Graylog node, i.e. CN=10.22.5.24 
or CN=graylog.example.com).

Cheers,
Jochen

On Thursday, 2 February 2017 16:48:43 UTC+1, Giwenn Launay wrote:
>
> Hi Jochen,
>
>
> Here are the commands I run to put my Graylog server on HTTPS:
>
> 1- openssl req -x509 -days 7300 -nodes -newkey rsa:2048 -keyout graylogkey.pem -out graycert.pem
>
> 2- openssl pkcs8 -in graylogkey.pem -topk8 -nocrypt -out graykey.pem
>
> 3- configuration in server.conf:
>
> rest_enable_tls = true
> rest_tls_cert_file = /path/to/graycert.pem
> rest_tls_key_file = /path/to/graylog-key.pem
> web_enable_tls = true
> web_tls_cert_file = /path/to/graycert.pem
> web_tls_key_file = /path/to/graykey.pem
>
> I have not set a password for the keys yet.
>
> 4- keytool -importcert -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64-debug/jre/lib/security/cacerts -storepass changeit -alias graylog-self-signed -file graycert.pem
>
> 5- Verify that the certificate has been added:
>
> keytool -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64-debug/jre/lib/security/cacerts -storepass changeit -list | grep graylog-self-signed -A1
>
> answer: 
> graylog-self-signed, 2 févr. 2017, trustedCertEntry,
> Empreinte du certificat (SHA1) : 
> 78:1B:E5:57:92:7C:65:43:69:E2:4E:20:34:E3:BB:7D:F7:33:D8:08
>
> 6- Add the trust store instruction to the JVM options:
>
> GRAYLOG_SERVER_JAVA_OPTS="-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64-debug/jre/lib/security/cacerts"
>
> 7- restart the server
>
>
> The error message appears when connecting to the web page. The inputs and 
> outputs do not work; they are in the 'not running' state.
> Is my configuration good? 
>
> Thanks =)
>
>

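A check for the CN/SAN mistake Jochen points out, written as an added Python example that is not Graylog's own hostname verifier: it applies the RFC 2818 section 3.1 identity rules to the host part of the configured URI, which is why a CN carrying a port can never match, and it also shows that under those rules an IP literal needs an iPAddress SAN, which a plain `openssl req -x509` does not add. `CertIdentity`, its field names and the sample certificates are constructed for illustration, not read from a PEM file.

```python
"""Hostname check for a Graylog TLS certificate (added example, not Graylog code).

Models the RFC 2818 section 3.1 identity rules applied by Java/OkHttp-style
verifiers to the host in rest_transport_uri or web_endpoint_uri:
  * IP literal host -> an iPAddress SAN must match exactly
  * DNS name host   -> a dNSName SAN must match (one-label wildcard allowed);
                       the CN is consulted only when no dNSName SAN exists
The port is never part of the identity, so CN=10.22.5.24:9000 can never verify.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlsplit


@dataclass
class CertIdentity:
    """Identity fields of a certificate (constructed here, not parsed from PEM)."""
    common_name: str
    dns_sans: List[str] = field(default_factory=list)
    ip_sans: List[str] = field(default_factory=list)


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' may only be the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    labels = host.split(".")
    # the wildcard covers exactly one label and must not match a bare domain
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def verify_uri_host(uri: str, cert: CertIdentity) -> Tuple[bool, str]:
    """Return (ok, reason) for the host part of `uri` checked against `cert`."""
    host = urlsplit(uri).hostname  # scheme, port and path are dropped here
    if not host:
        return False, f"no host in URI {uri!r}"
    port_hint = (" (the CN contains a port; the identity is the host only)"
                 if ":" in cert.common_name else "")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        for san in cert.ip_sans:
            if ipaddress.ip_address(san) == ip:
                return True, f"iPAddress SAN {san} matches {host}"
        return False, (f"{host} is an IP literal and no iPAddress SAN matches; "
                       f"CN={cert.common_name!r} does not count{port_hint}")
    if cert.dns_sans:
        for san in cert.dns_sans:
            if _dns_match(san, host):
                return True, f"dNSName SAN {san} matches {host}"
        return False, f"no dNSName SAN in {cert.dns_sans} matches {host}"
    if _dns_match(cert.common_name, host):
        return True, f"CN {cert.common_name} matches {host} (no SAN present)"
    return False, f"CN {cert.common_name!r} does not match {host}{port_hint}"


if __name__ == "__main__":
    # the certificate from the thread: CN carries the port and there is no SAN
    bad = CertIdentity("10.22.5.24:9000")
    good = CertIdentity("10.22.5.24", ip_sans=["10.22.5.24"])
    for cert in (bad, good):
        print(verify_uri_host("https://10.22.5.24:9000/api/", cert))
```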


[graylog2] Re: How to solve this alert? Notification condition [NO_MASTER] has been fixed.

2017-02-02 Thread Jochen Schalanda
Hi Aitor,

these logs clearly show that your Elasticsearch cluster is not healthy: It 
ran out of disk space multiple times and it can't keep up with indexing 
messages sent by Graylog (full task queues etc.).

You'll have to provide more hardware (esp. more memory, at least 4 GiB) to 
your Elasticsearch nodes.

Cheers,
Jochen



Re: [graylog2] Re: Error on start

2017-02-02 Thread Jochen Schalanda
Hi Tzvi,


On Thursday, 2 February 2017 15:14:46 UTC+1, Tzvi Moshe Arnstein wrote:
>
> However I'm getting an error in the browser now: 
> https://gyazo.com/2398b5bd57aa1e860192ec445ae04ee6 the IP there is the 
> internal IP
>

Try setting web_endpoint_uri to http://104.196.203.4:9000/api/. This is the 
URI the Graylog web interface will use to communicate with the Graylog REST 
API.

Also make sure to read and understand 
http://docs.graylog.org/en/2.1/pages/configuration/web_interface.html 
before continuing.

Cheers,
Jochen




Re: [graylog2] Re: Error on start

2017-02-02 Thread Jochen Schalanda
Hi Tzvi,

On Thursday, 2 February 2017 14:40:13 UTC+1, Tzvi Moshe Arnstein wrote:
>
> I'm not sure what you mean? This is the instance running Graylog and this 
> is the assigned IP, unless I have to do additional configuration to make 
> this IP work?
>

The IP addresses set up on the machine are those which you have seen in the 
output of *ip addr show*. If you want or need to use other IP addresses, 
you need to set them up on your machine first.

FWIW, using 0.0.0.0 should just be fine.


Cheers,
Jochen




[graylog2] Re: You are running an outdated Graylog version even after upgrade from 2.1.x to 2.1.3

2017-02-02 Thread Jochen Schalanda
Hi Sinai,

are you running multiple Graylog nodes? Have all been updated? Did you 
restart all Graylog nodes after upgrading the files via the package 
management system of your operating system?

Cheers,
Jochen

On Thursday, 2 February 2017 13:03:15 UTC+1, Sinai Rijkov wrote:
>
> Hi,
> Yes, I know, but it's coming back. :)  
> Pretty annoying when all is "green" and OK. 
>
>
> On Wednesday, February 1, 2017 at 5:42:54 PM UTC+2, Jochen Schalanda wrote:
>>
>> Hi Sinai,
>>
>> you can close/delete that notification by clicking on the 'X' in the 
>> upper right corner of the notification in the Graylog web interface.
>>
>> Cheers,
>> Jochen
>>
>> On Wednesday, 1 February 2017 16:31:43 UTC+1, Sinai Rijkov wrote:
>>>
>>>
>>> Hi, guys! 
>>>
>>> Issue error from web interface - 
>>>
>>>
>>> You are running an outdated Graylog version. (triggered 5 hours ago)
>>> The most recent stable Graylog version is *2.1.3 (Smuttynose) released 
>>> at 2017-01-26T00:00:00.000Z*. Get it from https://www.graylog.org/.
>>>
>>>
>>>
>>>
>>> So I did the update through yum install before without updating the 
>>> repository first. 
>>> After reading the article I've checked this from my server and it looks 
>>> fine, but I still have the error that the server is outdated:
>>>  
>>>
>>> *1.* [root@graylog]# rpm -Uvh 
>>> https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.rpm
>>> Retrieving 
>>> https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.rpm
>>> Preparing...  # [100%]
>>> package graylog-2.1-repository-1-3.noarch is already installed
>>>
>>>
>>> *2.* [root@graylog]# yum install graylog-server
>>> Loaded plugins: fastestmirror, langpacks
>>> Loading mirror speeds from cached hostfile
>>>  * epel: mirror.nonstop.co.il
>>> Package graylog-server-2.1.3-1.noarch already installed and latest 
>>> version
>>> Nothing to do
>>>
>>>
>>> Some bug? (Any changes that I can do manually?)
>>>  
>>>
>>> Thank you.
>>>
>>



Re: [graylog2] Re: Error on start

2017-02-02 Thread Jochen Schalanda
Hi Tzvi,

you have to use an IP address or hostname in rest_listen_uri and 
web_listen_uri which has been set up *on the machine* running Graylog.

Cheers,
Jochen

On Thursday, 2 February 2017 14:19:05 UTC+1, Tzvi Moshe Arnstein wrote:
>
> Hi,
> That's the IP assigned to the instance in GCP
> When I run: host myip.opendns.com resolver1.opendns.com
> *This is the response*
> Using domain server:
> Name: resolver1.opendns.com
> Address: 208.67.222.222#53
> Aliases:
>
> myip.opendns.com has address 104.196.203.4
> Host myip.opendns.com not found: 3(NXDOMAIN)
> Host myip.opendns.com not found: 3(NXDOMAIN)
>

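An offline check that ties this thread to the earlier ones on rest_transport_uri and 127.0.0.1, added here as a Python example that is not part of Graylog: it reads the addresses from `ip addr show` output, flags a *_listen_uri whose address is not configured on the machine (0.0.0.0 stays fine, as Jochen says), and flags a rest_transport_uri or web_endpoint_uri that uses loopback or 0.0.0.0, which other nodes and browsers cannot reach. The `ip addr show` text and the server.conf fragment are constructed samples; 10.142.0.2 is a made-up internal address.

```python
"""Listen/transport URI sanity check for graylog server.conf (added example).

*_listen_uri must use an address configured on this machine (0.0.0.0 or ::
mean "all of them"); rest_transport_uri / web_endpoint_uri are what other
nodes and the browser connect to, so loopback or wildcard is useless there.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

LISTEN_KEYS = ("rest_listen_uri", "web_listen_uri")
REACHABLE_KEYS = ("rest_transport_uri", "web_endpoint_uri")

# constructed sample of `ip addr show`; 10.142.0.2 is a made-up internal address
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc pfifo_fast state UP
    inet 10.142.0.2/32 brd 10.142.0.2 scope global ens4
"""

# constructed server.conf fragment reproducing the mistakes from the threads
SAMPLE_CONF = """\
# 104.196.203.4 is the cloud-assigned public IP, not bound on the NIC
rest_listen_uri = http://104.196.203.4:9000/api/
web_listen_uri = http://0.0.0.0:9000/
rest_transport_uri = http://127.0.0.1:9000/api/
web_endpoint_uri = http://104.196.203.4:9000/api/
"""


def local_addresses(ip_addr_output: str) -> List[str]:
    """Extract every inet/inet6 address from `ip addr show` output."""
    return re.findall(r"^\s*inet6?\s+([0-9a-fA-F.:]+)/\d+", ip_addr_output, re.M)


def parse_server_conf(text: str) -> Dict[str, str]:
    """Minimal key = value parser; blank and comment lines are skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def check_uris(conf: Dict[str, str], addrs: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    local = {ipaddress.ip_address(a) for a in addrs}
    findings: List[str] = []
    for key in LISTEN_KEYS + REACHABLE_KEYS:
        host = urlsplit(conf.get(key, "")).hostname
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # unset, or a DNS name that cannot be judged offline
        if key in LISTEN_KEYS and not ip.is_unspecified and ip not in local:
            findings.append(f"{key}: {ip} is not configured on this machine, "
                            "so binding fails; use a local address or 0.0.0.0")
        elif key in REACHABLE_KEYS and (ip.is_unspecified or ip.is_loopback):
            findings.append(f"{key}: {ip} is unreachable from other hosts and "
                            "browsers; use a routable address or host name")
    return findings


if __name__ == "__main__":
    for finding in check_uris(parse_server_conf(SAMPLE_CONF),
                              local_addresses(SAMPLE_IP_ADDR)):
        print(finding)
```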


[graylog2] Re: How to solve this alert? Notification condition [NO_MASTER] has been fixed.

2017-02-02 Thread Jochen Schalanda
Hi Aitor,

On Thursday, 2 February 2017 14:06:55 UTC+1, Aitor Mendoza wrote:
>
> *For example: (/var/log/graylog/elasticsearch/graylog.log)*
>

Please post the *complete* logs of your Graylog and Elasticsearch nodes as 
text (for example as an attachment to this discussion).

Did you run out of disk space? There is at least 1 corrupted Elasticsearch 
index (graylog_58) according to your logs.

Cheers,
Jochen


