[graylog2] Re: Is it possible to setup a stream to alert if number of messages from a single source exceeds a count?

2016-09-08 Thread ironmanmk42
Thanks. Looks promising for many things. I think this can do what I'm 
looking for since it is aggregating by source:
  - Name: TooManyMessagesFromOneSource
  - Stream: syslog
  - Query: *
  - Field : message
  - Matches : more or equal
  - Number: 100,000 
  - Interval: 60min
  - Email receivers:  some...@somewhere.com

The current version 0.0.11 requires graylog 2.0+. 
Since my Prod one is still 1.3.2, I'm checking if their prior versions like 
0.0.7 have it... I've built a 2.0.2 version but I have problems with getting 
SSL to work with a load balancer in front (with SSL passthru). I'll try 
rebuilding it all with 2.1 and see if that works better. I also had issues 
with the elasticsearch index directory disappearing each time graylog did the 
rotating... not sure if it's a graylog issue or an es issue or something else. 

Thanks, 

On Thursday, September 8, 2016 at 8:07:00 AM UTC-4, Ben Scott wrote:
>
> Have you had a look at this plugin? 
>
> https://marketplace.graylog.org/addons/0d01a899-138a-4f77-a9e7-04be4cc5e190
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/1d5e2836-4e22-4b59-89c1-c2da8a92ea51%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Is it possible to setup a stream to alert if number of messages from a single source exceeds a count?

2016-09-07 Thread ironmanmk42
Graylog 1.3.2 (for now, and looking to implement graylog 2.1)

Is it possible to setup a stream to alert if the number of messages from a 
single source exceeds a count?
I have some misbehaving apps on hosts which suddenly send over a million 
syslogs in say an hour or two because of a faulty app. 
It would be great to have a stream which can alert with the source and 
message count over the last 1 hour if say > 1 million. 

Thanks,

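The per-source count-over-interval check this thread asks for, as an added example that is not part of the original posts or of the plugin: it replays constructed syslog-style lines and reports each source the moment it reaches the threshold within a sliding window. Threshold and interval are parameters (the values from the reply above would be 100,000 and 60 minutes); the line format and host names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: ISO timestamp, source host, then the message.
SAMPLE_LINES = [
    "2016-09-08T10:00:00 app01 sshd[100]: session opened",
    "2016-09-08T10:00:05 app02 faultyapp[7]: retrying",
    "2016-09-08T10:00:06 app02 faultyapp[7]: retrying",
    "2016-09-08T10:00:07 app02 faultyapp[7]: retrying",
    "2016-09-08T10:00:08 app02 faultyapp[7]: retrying",
    "2016-09-08T10:30:00 app01 cron[200]: job done",
    "2016-09-08T11:15:00 app02 faultyapp[7]: retrying",
    "2016-09-08T11:15:01 app02 faultyapp[7]: retrying",
]


def parse_line(line):
    """Split a line into (timestamp, source, message); source is the field aggregated on."""
    ts, source, message = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), source, message


def sources_over_threshold(lines, threshold, interval_minutes):
    """Replay lines in order; return {source: first time it reached the threshold}.

    Mirrors the alert condition in the thread ("more or equal" than N messages
    from one source within the interval) with a sliding window per source.
    """
    window = timedelta(minutes=interval_minutes)
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    alerted = {}
    for line in lines:
        ts, source, _ = parse_line(line)
        q = recent[source]
        q.append(ts)
        while q and ts - q[0] >= window:   # evict events older than the window
            q.popleft()
        if len(q) >= threshold and source not in alerted:
            alerted[source] = ts
    return alerted


if __name__ == "__main__":
    # With a low threshold for the sample data; production would use 100000 / 60.
    for src, when in sources_over_threshold(SAMPLE_LINES, 4, 60).items():
        print(f"ALERT: {src} reached 4 messages in 60 min at {when.isoformat()}")
```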


[graylog2] Re: Requesting help with setting up ssl with graylog 2.0.2. Error in getting pkcs5.pem key properly

2016-07-28 Thread ironmanmk42
So I managed to resolve the issue with the private key in step 7 of my first 
post, proceeded and completed step 9 above, and imported the self-signed 
cert into the copied cacerts.jks. (I cannot query the new cacerts.jks though, 
as it gives this error:
keytool -keystore ./cacerts.jks -list |grep graylog-self-signed
keytool error: java.security.cert.CertificateParsingException: 
java.io.IOException: RFC822Name may not be null or empty 
Since I get the same error when querying the main 
/usr/java/jdk1.8/.../cacerts.jks I decided to proceed.) 

However restarting graylog-server doesn't work still as I keep getting this 
error -
Server currently unavailable

We are experiencing problems connecting to the Graylog server running on 
https://graylog-web01:12900/

Please verify that the server is healthy and working correctly.

You will be automatically redirected to the previous page once we can 
connect to the server.



Also, I switched to using just one graylog-server which is the simplest 
case - 1 graylog server with https setup,  to see if just https works and 
I'm seeing another weird behavior - 

in graylog-server/server.conf I set 

rest_listen_uri = https://graylog-web01

web_listen_uri = https://graylog-web01

rest_enable_tls = true
web_enable_tls = true

(I left the is_master=true in there)

I didn't point it to my self signed cert as the doc says it will generate 
its own which it did checking the browser presented cert. 

However, when connecting to https://graylog-web01:9000 I get the same 
Server Unavailable error. 

What's interesting is More Details shows 

Error message

Bad request
Original Request: GET https://graylog-web01:12900/system/sessions
Status code: undefined
Full error message: Error: Request has been terminated
Possible causes: the network is offline, Origin is not allowed by 
Access-Control-Allow-Origin, the page is being unloaded, etc.


But if I open a new tab and go to https://graylog-web01:12900/system/sessions, 
then I get "{"is_valid":false}" in that tab.

And the other tab with the main graylog web interface then starts working for 
most part. 

System -> Logging or System -> Nodes fails with a picture of a monkey with a 
banana hat (!?) when querying the node. 
Logs show
2016-07-28T09:34:46.954-04:00 WARN  [ProxiedResource] Unable to call 
https://graylog-web01:12900/system/metrics/multiple on node 
<90a4086e-d119-...>, caught exception: java.security.cert.CertificateException: 
No X509TrustManager implementation available (class 
javax.net.ssl.SSLHandshakeException)

What is going wrong here and what is the fix and proper way to get https going 
with graylog 2.0.2? Also, has anyone else managed to get it working behind a 
load balancer like haproxy (with ssl passthrough or ssl termination)?

Note that without ssl, everything works well via haproxy load_balancer to 2 
graylog-web app clusters and 3 backend ES nodes and mongodb on 2 graylog-app 
cluster + 1 mongod arbiter on load_balancer node. 

Thanks, 




[graylog2] Re: Requesting help with setting up ssl with graylog 2.0.2. Error in getting pkcs5.pem key properly

2016-07-27 Thread ironmanmk42
Hello, 

Can someone who's familiar with the https setup for graylog please assist 
with the above. The error is in step 07 above, getting the private key. 

Thanks, 



[graylog2] Requesting help with setting up ssl with graylog 2.0.2. Error in getting pkcs5.pem key properly

2016-07-25 Thread ironmanmk42
Env: 
graylog 2.0.2  / elasticsearch 2.3.2 
RHEL 6.8

So I have followed the graylog https setup  here 
http://docs.graylog.org/en/latest/pages/configuration/https.html and 
followed along to create a keystore, creating a self-signed cert and 
converting it to PKCS5 and exporting it out to a cert and key in use for 
graylog-server.

However, the issue faced is that the final key step is generating a file 
which looks invalid, presumably because the interim pkcs5 key step is not 
working. Can someone point me to what mistake I'm making and how to fix it? 

On a side topic, I'm using the haproxy load balancer with ssl pass through. 
(Using it with ssl termination on the load balancer failed as Firefox, Chrome 
etc. all complain about mixed content and I get the "Server currently 
unavailable / We are experiencing problems connecting to the Graylog server 
running on..." error. So I think I can only get proper ssl working if I do 
ssl end to end via ssl passthrough on the load balancer.)


Here's the log of steps followed - 

create keystore for graylog - gen key and import into a new keystore
01. keytool -genkey -alias graylog-web01 -keyalg RSA -keysize 2048 
-validity 1000 -dname "CN=graylog-web01" -keystore 
graylog-web01KeyStore.p12 -storepass  -storetype pkcs12 

02. keytool -importkeystore -deststorepass "" -destkeypass "" 
-destkeystore graylog.keystore -srckeystore graylog-web01KeyStore.p12 
-srcstoretype PKCS12 -srcstorepass "" -alias graylog-web01


create a self-signed cert
03. openssl req -x509 -days 365 -nodes -newkey rsa:2048 -keyout 
pkcs5-plain.pem -out cert.pem

  convert key to pkcs8 format 
04. openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem

  convert keystore above to PKCS12 format so openssl can work with it
05. keytool -importkeystore -srckeystore  graylog-web01.keystore 
-destkeystore keystore.p12 -deststoretype PKCS12

get the cert to use
06. openssl pkcs12 -in keystore.p12 -nokeys -out graylog-certificate.pem

cat graylog-certificate.pem 
Bag Attributes
friendlyName: CN=graylog-web01
localKeyID: 54 69 6E 66 20 31 34 36 39 34 36 37 35 37 39 33 32 30 
subject=/CN=graylog-web01
issuer=/CN=graylog-web01
-BEGIN CERTIFICATE-

  get the key to use
07. openssl pkcs12 -in keystore.p12 -nocerts -out graylog-pkcs5.pem

This is where the issue is - the pkcs5 key file doesn't seem to contain 
the actual key. I was expecting to see a "BEGIN PRIVATE KEY" line in 
the file below: 

cat graylog-pkcs5.pem

Bag Attributes
friendlyName: graylog2
localKeyID: 54 69 6E 66 20 31 34 36 39 34 36 38 35 35 32 30 33 36 
Key Attributes: 

but the file ends right there above at "Key Attributes" line. 

 
08. Consequently, this fails - 
openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem
unable to load key
140626096863048:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pem_lib.c:703:Expecting: ANY PRIVATE KEY

09. I understand that after step 08 above works I still need to 

cp -a "${JAVA_HOME}/jre/lib/security/cacerts" /path/to/cacerts.jks
keytool -importcert -keystore /path/to/cacerts.jks -storepass changeit -alias 
graylog-self-signed -file cert.pem

to import this into the local JVM Trust store and point to it by adding these 
to the graylog-server GRAYLOG_SERVER_ARGS in /etc/sysconfig/graylog-server
(or JAVA_OPTS in /etc/init.d/graylog-server)

GRAYLOG_SERVER_ARGS="-Djavax.net.ssl.trustStore=/path/to/cacerts.jks 
-Djavax.net.ssl.trustStorePassword=secret"

and then restart graylog-server and it will be SSL ready. 


Where is the error happening? Does anyone have a straightforward list of 
steps to follow to get this working?

I have 2 graylog-web front ends in a cluster so I'm assuming in step 09 
above I need to add the cert from both graylog-web servers. 

Thanks, 

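An added check for the step 07 output, not part of the original post or of the Graylog docs: it inspects a PEM file and tells apart the "Bag Attributes"-only file shown above (which is why step 08 reports "no start line"), a PKCS#1 "RSA PRIVATE KEY" that still needs `openssl pkcs8 -topk8`, an encrypted PKCS#8 block, and the plain PKCS#8 "PRIVATE KEY" block step 08 expects. The sample inputs are constructed and the DER body is a placeholder SEQUENCE, not a real key.

```python
import base64
import re

# Constructed sample of what step 07 in the post produced: PKCS#12 bag
# headers with nothing after the "Key Attributes:" line.
BROKEN_STEP07_OUTPUT = """Bag Attributes
    friendlyName: graylog2
    localKeyID: 54 69 6E 66 20 31 34 36 39 34 36 38 35 35 32 30 33 36
Key Attributes:
"""

# Constructed well-formed PKCS#8 file; the body is a minimal DER SEQUENCE
# used as a placeholder, not real key material.
PKCS8_SAMPLE = ("-----BEGIN PRIVATE KEY-----\n"
                + base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
                + "\n-----END PRIVATE KEY-----\n")

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

KEY_LABELS = {
    "PRIVATE KEY": "pkcs8-plain",                # what step 08 consumes directly
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",  # needs the passphrase later
    "RSA PRIVATE KEY": "pkcs1",                  # convert with openssl pkcs8 -topk8
}


def inspect_key_pem(text):
    """Return (status, detail) describing the private-key content of a PEM file."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        # The step 07 failure: bag headers were written but no key block,
        # so 'openssl pkcs8' later fails with "no start line".
        if "Bag Attributes" in text:
            return ("no-key", "bag attributes present but no PEM block; re-run step 07")
        return ("no-key", "no PEM block found")
    for label, body in blocks:
        if label not in KEY_LABELS:
            continue
        try:
            der = base64.b64decode(body.replace("\n", ""), validate=True)
        except ValueError:
            return ("corrupt", "base64 body does not decode")
        if not der or der[0] != 0x30:
            return ("corrupt", "decoded body is not a DER SEQUENCE")
        return (KEY_LABELS[label], f"{label} block, {len(der)} DER bytes")
    return ("no-key", "PEM blocks present but none is a private key: "
            + ", ".join(label for label, _ in blocks))
```

Run it against the real step 07 output with `inspect_key_pem(open("graylog-pkcs5.pem").read())`; anything other than a `pkcs8-` status means step 08 will fail.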


[graylog2] Re: Graylog 2.0.2 fails to connect to Elasticsearch 2.3.3

2016-06-21 Thread ironmanmk42
Perfect. 

That worked. Graylog-server connected now properly to the elasticsearch. 

For the record: I set the following in my graylog-server/server.conf 

elasticsearch_network_host = 

Thanks much,



[graylog2] Graylog 2.0.2 fails to connect to Elasticsearch 2.3.3

2016-06-21 Thread ironmanmk42
I am testing out graylog 2.0.2 with elasticsearch 2.3.3 (with 2 nodes for 
now for elasticsearch, which will become 3 to avoid split-brain) and mongodb 
2.4.14 (in a 3-way replica set running on 2 graylog nodes and 1 mongo arbiter 
on the loadbalancer in front of graylog). 

However, I'm constantly encountering an error where graylog-server is 
unable to connect to Elasticsearch and I'm not sure why it is not 
working. I had tested with the 2.0-Beta before and that worked without 
issues. 

Details : 

---
Elasticsearch -

rpm version: elasticsearch-2.3.3-1.noarch

config:

cluster.name: graylognew
node.name: graylog-es01
path.data: /elasticsearch
network.host: 10.30.20.58
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["10.30.20.58:9300","10.30.20.59:9300"]

log:

[2016-06-21 09:33:08,599][WARN ][bootstrap] unable to 
install syscall filter: seccomp unavailable: CONFIG_SECCOMP not compiled 
into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed
[2016-06-21 09:33:08,697][INFO ][node ] [graylog-es01] 
version[2.3.3], pid[3850], build[218bdf1/2016-05-17T15:40:04Z]
[2016-06-21 09:33:08,697][INFO ][node ] [graylog-es01] 
initializing ...
[2016-06-21 09:33:09,034][INFO ][plugins  ] [graylog-es01] 
modules [reindex, lang-expression, lang-groovy], plugins [], sites []
[2016-06-21 09:33:09,048][INFO ][env  ] [graylog-es01] 
using [1] data paths, mounts [[/elasticsearch (/dev/md2)]], net 
usable_space [733.1gb], net total_space [733.2gb], spins? [possibly], types 
[ext4]
[2016-06-21 09:33:09,048][INFO ][env  ] [graylog-es01] 
heap size [31.8gb], compressed ordinary object pointers [false]
[2016-06-21 09:33:09,048][WARN ][env  ] [graylog-es01] 
max file descriptors [65535] for elasticsearch process likely too low, 
consider increasing to at least [65536]
[2016-06-21 09:33:09,999][INFO ][node ] [graylog-es01] 
initialized
[2016-06-21 09:33:09,999][INFO ][node ] [graylog-es01] 
starting ...
[2016-06-21 09:33:10,141][INFO ][transport] [graylog-es01] 
publish_address {10.30.20.58:9300}, bound_addresses {10.30.20.58:9300}
[2016-06-21 09:33:10,144][INFO ][discovery] [graylog-es01] 
graylognew/aFMNHpUWScWRtr6AmpMa0Q
[2016-06-21 09:33:13,193][INFO ][cluster.service  ] [graylog-es01] 
new_master 
{graylog-es01}{aFMNHpUWScWRtr6AmpMa0Q}{10.30.20.58}{10.30.20.58:9300}, 
reason: zen-disco-join(elected_as_master, [0] joins received)
[2016-06-21 09:33:13,208][INFO ][http ] [graylog-es01] 
publish_address {10.30.20.58:9200}, bound_addresses {10.30.20.58:9200}
[2016-06-21 09:33:13,208][INFO ][node ] [graylog-es01] 
started
[2016-06-21 09:33:13,223][INFO ][gateway  ] [graylog-es01] 
recovered [0] indices into cluster_state
[2016-06-21 09:34:25,603][INFO ][cluster.service  ] [graylog-es01] 
added 
{{graylog-es02}{2Ty5iLUTSbWe5QznunoHkA}{10.30.20.59}{10.30.20.59:9300},}, 
reason: zen-disco-join(join from 
node[{graylog-es02}{2Ty5iLUTSbWe5QznunoHkA}{10.30.20.59}{10.30.20.59:9300}])

<-- nothing else seen after this, was expecting to see graylog2 server 
connect to elasticsearch 


{
  "cluster_name" : "graylognew",
  "nodes" : {
"2Ty5iLUTSbWe5QznunoHkA" : {
  "name" : "graylog-es02",
  "transport_address" : "10.30.20.59:9300",
  "host" : "10.30.20.59",
  "ip" : "10.30.20.59",
  "version" : "2.3.3",
  "build" : "218bdf1",
  "http_address" : "10.30.20.59:9200",
  "process" : {
"refresh_interval_in_millis" : 1000,
"id" : 3267,
"mlockall" : false
  }
},
"aFMNHpUWScWRtr6AmpMa0Q" : {
  "name" : "graylog-es01",
  "transport_address" : "10.30.20.58:9300",
  "host" : "10.30.20.58",
  "ip" : "10.30.20.58",
  "version" : "2.3.3",
  "build" : "218bdf1",
  "http_address" : "10.30.20.58:9200",
  "process" : {
"refresh_interval_in_millis" : 1000,
"id" : 3850,
"mlockall" : false
  }
}
  }
}

graylog-es02:/var/log/elasticsearch# curl 
http://10.30.20.58:9200/_cluster/health?pretty
{
  "cluster_name" : "graylognew",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 2,
  "number_of_data_nodes" : 2,
  "active_primary_shards" : 0,
  "active_shards" : 0,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}


---

Graylog

rpmversion : graylog-server-2.0.2-1.noarch

config :
is_master = true
node_id_file =