[graylog2] Re: Troubleshooting logs
I've found this article on the right place to put the certs... but not sure what format or how to get them out of the master server: http://docs.graylog.org/en/2.0/pages/faq.html#i-have-configured-an-smtp-server-or-an-output-with-tls-connection-and-receive-handshake-errors-what-should-i-do

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/5b469fe8-40d1-4a2f-856c-53cbce58f870%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: Troubleshooting logs
That's the problem then. What files need to move from the Server 2 to the Server 1 machines? Getting to find doc on that, but it's sparse.

Thanks
Tp
[graylog2] Re: Troubleshooting logs
OK... so here's the scoop. All Graylog servers in use are built from the OVA... all version 2.13.

Graylog Server 1 - Sits at our remote office. Collects Windows events for the site. It has a series of streams set up. Each stream is using a GELF TCP port 12203 output to my main office.

Graylog Server 2 - Sits at the main office. It has a GELF TCP input for 12203 to receive streams from the remote office. Trying to send the stream through the internet over TLS. My firewall at the main office has 12203 open and pointing to Graylog Server 2.

Issue: If I leave TLS off, then the system works great. If I turn TLS on for the input side (Server 2), and click the "Verify TLS" on the client side (Server 1) (like I have done in my test lab), then Server 2 doesn't receive anything on the input. I see traffic in the firewall over 12203. Logs on the servers are showing no errors (though admittedly... I may not be looking in the right area).

I assume I have not set up TLS correctly and the docs are a bit vague on that. Any insight is appreciated.

Thanks
TP

On Wednesday, February 15, 2017 at 4:00:28 PM UTC-6, Tom Powers wrote:
> Hello,
>
> If I'm trying to troubleshoot why an output from a stream, being forwarded to another Graylog server, and the stream populates but the receiving server shows nothing, which logs on the Graylog boxes would I check to see if I have an output or an input problem?
>
> Thanks
>
> TP
[graylog2] Troubleshooting logs
Hello,

If I'm trying to troubleshoot why an output from a stream, being forwarded to another Graylog server, and the stream populates but the receiving server shows nothing, which logs on the Graylog boxes would I check to see if I have an output or an input problem?

Thanks
TP
[graylog2] Re: Regex Question
I got closer. In further investigation, it tags if the case is the same, but not if it comes in all lower case, for example.

On Friday, February 10, 2017 at 3:54:01 PM UTC-6, Tom Powers wrote:
> Looking to do a regex for a string in full_message.
>
> I have the first stream rule tagging EventID:4688 (works great).
>
> Trying to then do a second rule where it will match any .exe that ran out of any user AppData folder.
>
> For example... (AppData\\Local\\Temp\\.+.exe) works for my PowerShell queries but not for Graylog.
>
> What am I missing here? I have other regexes working fine, searching for different keywords, but this one eludes me.
>
> The goal is to tag into the stream any Event 4688 with any exe that ran out of any user's appdata\local\temp folder.
>
> All insight is appreciated.
>
> Thanks
> TP
[graylog2] Regex Question
Looking to do a regex for a string in full_message.

I have the first stream rule tagging EventID:4688 (works great).

Trying to then do a second rule where it will match any .exe that ran out of any user AppData folder.

For example... (AppData\\Local\\Temp\\.+.exe) works for my PowerShell queries but not for Graylog.

What am I missing here? I have other regexes working fine, searching for different keywords, but this one eludes me.

The goal is to tag into the stream any Event 4688 with any exe that ran out of any user's appdata\local\temp folder.

All insight is appreciated.

Thanks
TP
[graylog2] Re: Forward from One graylog to another
Is there any good doc on setting up the TLS on the stream output and then the receiving side at the new Graylog instance? Been combing through doc and posts for a couple hours and only have fragments of an idea on how to do this. Self-signed certs will be fine for this.

All insight is appreciated.

Tp
[graylog2] Forward from One graylog to another
I have 2 sites. One office is the main office, the other is a branch office. I am wondering if this is possible.

If I put a Graylog server at each site in a regular setup, I can collect the logs of that site. Simple enough so far. Now... the streams I have set up on those 2 servers, which are polling the events I really care about: is there any way to get the streams to forward those matching events to a 3rd Graylog server at our parent office? That way, the parent office only sees the info that the streams grabbed and nothing else.

We are only tracking Windows events here, so if I read this right, could I set the stream output in GELF format and send it to the parent office Graylog server (over TLS of course)?

All insight is appreciated.

Thanks
TP
[graylog2] Changing timestamps?
OK... an interesting issue here. We have 3 inputs running into Graylog 2.12:

Input 1: GELF UDP port 12202 - for Windows machines (sending with nxlog)
Input 2: Syslog UDP 514 - Novell SUSE Linux sending via syslog-ng
Input 3: Syslog UDP 15514 - ASA firewall sending via Cisco IOS syslogging

My issue is with the time stamps of the syslog messages coming in. All of our devices have the same local time zone and are all set to NTP so that their times are correct across the board. We are in Central time, so UTC is 6 hours ahead (future devices will be in other time zones).

Graylog is set to UTC, and Windows events and ASA events are coming in just fine and are showing up in real time, so if it's noon here... the UTC time stamp for Input 1 and 3 devices says 1800, which is good.

Input 2 is coming in as Central Time Zone... so the Novell SUSE syslog timestamps are showing up as 1200 in the Graylog system, even though they are coming in at the right time and in line with inputs 1 and 3. The net result is that Graylog is showing the Novell events happening 6 hours earlier than they actually did.

We cannot mess with the time zones of the Novell systems because of what they all integrate to. So... how can one alter the timestamps, either through Novell SUSE Linux syslog, or by some sort of conversion inside of Graylog, so that all times are reflected in UTC?

All insight is appreciated.

Thanks
TP
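The post above describes the classic RFC 3164 problem: the BSD syslog header carries neither a year nor a time zone, so whoever receives it has to assume one, and the Novell boxes are sending local (Central) wall-clock time. The block below is an added example, not code from the thread or from the Graylog project. It parses constructed RFC 3164 lines, interprets them in the senders' zone (assumed here to be America/Chicago, falling back to a fixed UTC-6 if the system has no tzdata), infers the year from the receive time, and re-emits each line as RFC 5424 with an explicit "Z" timestamp, so the receiver no longer has to guess. The sample lines, host name and receive times are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Local zone of the SUSE boxes (assumption: America/Chicago, i.e. the post's "Central").
# With tzdata available, DST is handled; without it we fall back to a fixed -6 offset,
# which is wrong during CDT. The fallback exists so the example runs anywhere.
try:
    from zoneinfo import ZoneInfo
    LOCAL_TZ = ZoneInfo("America/Chicago")
except Exception:
    LOCAL_TZ = timezone(timedelta(hours=-6), "CST")

UTC = timezone.utc
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# RFC 3164 ("BSD syslog") line: <PRI>Mmm dd hh:mm:ss host rest. No year, no zone;
# the day is space-padded to two characters.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "
    r"(?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# "program[pid]: message" prefix most daemons put in front of the message.
TAG = re.compile(r"^(?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

# Constructed sample lines as a syslog-ng box in Central time would send them.
SAMPLE_LINES = [
    "<14>Feb 15 12:00:28 oes-fs1 sshd[2112]: Accepted publickey for tp from 10.0.5.21 port 51234 ssh2",
    "<13>Jul  4 09:15:00 oes-fs1 ndsd[880]: NDS login for cn=tp,o=ssi",
    "<30>Dec 31 23:30:00 oes-fs1 cron[4410]: (root) CMD (/usr/local/bin/backup)",
]
# Constructed receive times (aware, UTC) used to infer the missing year.
RECEIVED_AT = datetime(2017, 2, 16, 0, 0, tzinfo=UTC)
SUMMER_RECEIVE = datetime(2017, 7, 4, 15, 0, tzinfo=UTC)
NEW_YEAR_RECEIVE = datetime(2018, 1, 1, 6, 0, tzinfo=UTC)


def parse_rfc3164(line, now=None, local_tz=LOCAL_TZ):
    """Parse one RFC 3164 line whose timestamp is wall-clock time in local_tz.

    Returns (timestamp converted to UTC, pri, host, rest).
    """
    m = RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    now = (now or datetime.now(UTC)).astimezone(local_tz)
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    local = datetime(now.year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss,
                     tzinfo=local_tz)
    # A December line received in early January belongs to the previous year.
    if local > now + timedelta(days=1):
        local = local.replace(year=local.year - 1)
    return local.astimezone(UTC), int(m["pri"]), m["host"], m["rest"]


def to_rfc5424(line, now=None, local_tz=LOCAL_TZ):
    """Re-emit the line as RFC 5424 with an explicit UTC ("Z") timestamp.

    Layout: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG,
    with MSGID and STRUCTURED-DATA left as "-".
    """
    ts, pri, host, rest = parse_rfc3164(line, now, local_tz)
    t = TAG.match(rest)
    app, pid, msg = (t["app"], t["pid"] or "-", t["msg"]) if t else ("-", "-", rest)
    return "<%d>1 %s %s %s %s - - %s" % (
        pri, ts.strftime("%Y-%m-%dT%H:%M:%SZ"), host, app, pid, msg)


if __name__ == "__main__":
    for line, received in zip(SAMPLE_LINES, (RECEIVED_AT, SUMMER_RECEIVE, NEW_YEAR_RECEIVE)):
        print(to_rfc5424(line, received))
```

The same conversion can be done at either end: syslog-ng destinations accept ts-format(iso) and time-zone() options so the sender states the zone itself, and Graylog's pipeline processor has a parse_date function that takes a timezone argument for fixing it on the receiving side. Whichever end does it, the zone has to be stated explicitly somewhere; a timestamp without one is ambiguous twice a year around the DST change as well as every day by six hours.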
[graylog2] Re: Complex Search in a Stream
Gotcha... I was hoping that some of the more complex searches that one can write and save could simply be called and used by a stream. I'll dig into what pipelines can give me in that case.

Thanks
Tp
[graylog2] Re: Complex Search in a Stream
Oh... OK, so I have a couple of ways to try out. What is the syntax to use a saved search in a stream? That is eluding me right now.

Thanks
TP

On Monday, January 23, 2017 at 5:37:17 PM UTC-6, Tom Powers wrote:
> OK... streams and alerts for them are very cool... but it seems I can do much more in the search field than the stream field.
>
> For example, if I want (EventID:4688 AND ((cscript OR wscript))) the search is pretty straightforward.
>
> How can I do that in a stream? If I set the EventID field AND cscript match (with 2 rules), then how do I get the OR wscript match?
>
> Seems like it's almost there... but just not quite. The search works great, but if I want to alert off this, then I'm forced into 2 streams? EventID:4688 AND cscript and the other EventID:4688 AND wscript; this would seem cumbersome at best.
>
> Where am I going off the rails here?
>
> Thanks
>
> TP
[graylog2] Re: Complex Search in a Stream
I may have the terms off here. In the stream rules, I can select a field... Event ID for example... select the operator... "match exactly" for example, and then the field of what I want it to match... 4688 for example.

The rule only seems to give me the one category/operator/criteria choice per rule. So in the search above... what would the rule structure look like to get the same result?

Thanks for bearing with my noob-ness.

Tp
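Two threads above run into the same pair of stream-rule facts: in "Regex Question" the pattern stops matching when the path comes in lower case, and in "Complex Search in a Stream" the rules of a stream are ANDed, so an OR has to be expressed inside a single rule. The block below is an added example, not code from either thread or from the Graylog project. It runs the pattern as posted and a hardened version over constructed 4688 events, and models a stream as a list of ANDed rules where the OR (cscript OR wscript) is one regex rule using alternation. The assumptions: Graylog's "match regular expression" rule uses Java's java.util.regex as an unanchored search, which honours the inline (?i) flag; and the event field names and paths are made up for this example.

```python
import re

# Constructed sample events, shaped loosely like nxlog-forwarded Windows 4688 records.
# Field names, user names and paths are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4688, "full_message": r"A new process has been created. New Process Name: C:\Users\tp\AppData\Local\Temp\update.exe"},
    {"EventID": 4688, "full_message": r"A new process has been created. New Process Name: c:\users\tp\appdata\local\temp\payload.exe"},
    {"EventID": 4688, "full_message": r"A new process has been created. New Process Name: C:\Windows\System32\wscript.exe"},
    {"EventID": 4688, "full_message": r"A new process has been created. New Process Name: C:\Users\tp\AppData\Local\Temp\notes.txt"},
    {"EventID": 4624, "full_message": r"An account was successfully logged on. Process Name: C:\Users\tp\AppData\Local\Temp\CSCRIPT.EXE"},
]

# The pattern as posted. "\\" is one literal backslash in both PowerShell -match and
# Java regex, so the doubling is fine. The problems are (a) case sensitivity, and
# (b) the unescaped "." before "exe", which matches any character at all.
AS_POSTED = r"AppData\\Local\\Temp\\.+.exe"

# Hardened: (?i) makes the whole pattern case-insensitive (Java regex honours the inline
# flag, so this goes straight into a stream rule); [^\s]+ keeps the match inside one
# path token; \.exe\b requires a real .exe extension rather than "exe" anywhere.
TEMP_EXE = r"(?i)AppData\\Local\\Temp\\[^\s]+\.exe\b"

# The OR from the other thread (cscript OR wscript) as a single rule via alternation.
SCRIPT_HOSTS = r"(?i)\\(cscript|wscript)\.exe\b"


def regex_rule(field, pattern):
    """Stream rule 'field matches regular expression' (unanchored search)."""
    compiled = re.compile(pattern)
    return lambda event: field in event and compiled.search(str(event[field])) is not None


def exact_rule(field, value):
    """Stream rule 'field matches exactly'."""
    return lambda event: field in event and str(event[field]) == str(value)


def stream_matches(event, rules):
    """Graylog ANDs every rule of a stream; an OR therefore has to live inside one rule."""
    return all(rule(event) for rule in rules)


def matching_indexes(events, rules):
    """Indexes of the events a rule set would route into a stream."""
    return [i for i, e in enumerate(events) if stream_matches(e, rules)]


def route(events, streams):
    """Return {stream name: [indexes of events routed into it]}."""
    return {name: matching_indexes(events, rules) for name, rules in streams.items()}


STREAMS = {
    "4688 exe from %TEMP%": [exact_rule("EventID", 4688), regex_rule("full_message", TEMP_EXE)],
    "4688 script host": [exact_rule("EventID", 4688), regex_rule("full_message", SCRIPT_HOSTS)],
}

if __name__ == "__main__":
    print("as posted  :", matching_indexes(SAMPLE_EVENTS, [regex_rule("full_message", AS_POSTED)]))
    print("hardened   :", matching_indexes(SAMPLE_EVENTS, [regex_rule("full_message", TEMP_EXE)]))
    print("routed     :", route(SAMPLE_EVENTS, STREAMS))
```

As posted, the pattern hits only the mixed-case path (index 0); the hardened pattern also catches the all-lower-case and all-upper-case paths, and the EventID rule then drops the 4624 logon event that happened to mention the same path. The alternation form is the answer to the "two streams" worry: one stream, two rules, with the OR inside the regex.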
Re: [graylog2] Can you import Exchange 2013 Audit logs into Graylog?
I got farther on this today... you did say you wanted XML format?

TP

On Monday, January 23, 2017 at 5:51:58 AM UTC-6, Wil Hutchins wrote:
> Hey Tom,
>
> Message tracking logs primarily.
>
> Sent from my iPhone
>
> > On 23 Jan 2017, at 12:14 pm, Tom Powers <thomas.p...@gmail.com> wrote:
> >
> > Have you tried PowerShell? As I recall... there's a Get-Auditlog cmdlet... my syntax may be off. But... if you could grab it that way, even in a scheduled task... you could use export-csv syntax to get it to output.
> >
> > I can turn it in at my office and figure it out... what info do you want out of it?
> >
> > Tp
[graylog2] Can you import Exchange 2013 Audit logs into Graylog?
Have you tried PowerShell? As I recall... there's a Get-Auditlog cmdlet... my syntax may be off. But... if you could grab it that way, even in a scheduled task... you could use export-csv syntax to get it to output.

I can turn it in at my office and figure it out... what info do you want out of it?

Tp
[graylog2] Good list of rules?
GL2 is an incredible tool... and I'm learning more and more each day. I've been through the docs and asked through the groups here... great info.

Just a question... the more rules I build, the more I wonder what I'm missing. Are there any good places to go for rules creation? I work on Windows networks primarily.

All insight is appreciated.

Tp
[graylog2] I know Reports don't Exist in GL2
What are some of you using to pull reports from Graylog... if anything? The doc refers to calling the REST API, so there's got to be some sort of reporting tools out there.

Thoughts? All insight is appreciated.

Thanks
TP
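The post above asks what people use to pull reports via the REST API. The block below is an added example of the minimal approach, not code from the thread or from the Graylog project: it builds a request against the Graylog 2.x search endpoint (/api/search/universal/relative, which takes query, range, limit and fields parameters), authenticates with HTTP Basic, and flattens the "messages" list of the JSON response into CSV. The base URL, user name and the sample response are constructed; only the endpoint path, its parameters and the response shape are taken from the 2.x API. The network call is separated into its own function so the rest runs offline on the sample response.

```python
import base64
import csv
import io
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def build_search_request(base_url, user, password, query, range_seconds, fields, limit=1000):
    """GET /api/search/universal/relative (Graylog 2.x) with HTTP Basic auth.

    For a scheduled job, create an access token for a Reader-role user and pass the
    token as `user` with the literal password "token" instead of a real password.
    """
    params = {"query": query, "range": range_seconds, "limit": limit, "fields": ",".join(fields)}
    url = "%s/api/search/universal/relative?%s" % (base_url.rstrip("/"), urlencode(params))
    cred = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return Request(url, headers={"Authorization": "Basic " + cred, "Accept": "application/json"})


def run_search(req, timeout=30):
    """Perform the request and decode the JSON body (needs a reachable server)."""
    with urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def defuse(value):
    """Spreadsheets treat cells starting with = + - @ as formulas (CSV injection).
    Log content is attacker-influenced (a process command line, a user agent), so
    prefix such cells with an apostrophe. Negative numbers get the prefix too;
    relax this for columns you know are numeric."""
    s = "" if value is None else str(value)
    return "'" + s if s.startswith(("=", "+", "-", "@")) else s


def messages_to_csv(result, fields):
    """Flatten the 'messages' list of a search response into CSV text."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for hit in result.get("messages", []):
        msg = hit.get("message", {})
        writer.writerow({f: defuse(msg.get(f, "")) for f in fields})
    return out.getvalue()


REPORT_FIELDS = ["timestamp", "source", "EventID", "message"]

# Constructed response in the shape the 2.x endpoint returns (surrounding fields trimmed).
SAMPLE_RESPONSE = {
    "query": "EventID:4688",
    "total_results": 2,
    "messages": [
        {"index": "graylog_0", "message": {
            "timestamp": "2017-02-15T18:00:28.000Z", "source": "tp2015.ssi.private",
            "EventID": 4688, "message": "A new process has been created"}},
        {"index": "graylog_0", "message": {
            "timestamp": "2017-02-15T18:00:29.000Z", "source": "tp2015.ssi.private",
            "EventID": 4688, "message": "=2+2"}},
    ],
}


def daily_4688_report(base_url="https://graylog.example:9000", user="reporter", password="token"):
    """Last 24 hours of 4688 events as CSV (hypothetical host and user; performs a network call)."""
    req = build_search_request(base_url, user, password, "EventID:4688", 86400, REPORT_FIELDS)
    return messages_to_csv(run_search(req), REPORT_FIELDS)


if __name__ == "__main__":
    print(messages_to_csv(SAMPLE_RESPONSE, REPORT_FIELDS))
```

Two practical notes: the limit parameter caps a single response, so a large report needs paging with the offset parameter or several narrower queries; and the account used for reporting should be a read-only user with a token, never the admin account whose password then ends up in a cron job.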
[graylog2] Re: Simple Stream question
Actually... I found it... Source was capitalized and in the regular search it is not. I see that this is extremely case sensitive.

Thanks
TP

On Friday, January 20, 2017 at 3:44:54 PM UTC-6, Tom Powers wrote:
> Hello Everyone!!
>
> Total noob to Graylog... but I have read the docs and have scoured the net for this.
>
> Brand new Graylog 2.1 from OVA.
>
> Sending data into it from Windows event logs via nxlog.
>
> Everything works great... I can get searches on EventIDs, create streams and dashboards.
>
> Here's the question:
>
> If I do a simple search from the main screen like source:tp2015.ssi.private I get all the messages from the node with that name.
>
> If I go to make a stream for this... and select the source match exactly tp2015.ssi.private as the only rule... I get nothing.
>
> What am I missing or not understanding here?
>
> All insight is appreciated.
>
> Thanks
>
> TP
[graylog2] Simple Stream question
Hello Everyone!!

Total noob to Graylog... but I have read the docs and have scoured the net for this.

Brand new Graylog 2.1 from OVA.

Sending data into it from Windows event logs via nxlog.

Everything works great... I can get searches on EventIDs, create streams and dashboards.

Here's the question:

If I do a simple search from the main screen like source:tp2015.ssi.private I get all the messages from the node with that name.

If I go to make a stream for this... and select the source match exactly tp2015.ssi.private as the only rule... I get nothing.

What am I missing or not understanding here?

All insight is appreciated.

Thanks
TP