[graylog2] Re: Graylog2 Regex extractor help

2016-07-04 Thread kaiser
My test was done on my Graylog test server.

Which Graylog version do you have?

Which kind of input did you use? GELF (in that case maybe the (?mi) could 
solve the issue)?

I made the test with Graylog 2.0.3.

If it still doesn't work you should try the grok pattern.





-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/48594df8-bd66-4f5b-90b1-2ca46284bbbf%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Re: Graylog2 Regex extractor help

2016-07-04 Thread kaiser
Your regex is ok.

Worked for me.

You can otherwise try:

(?mi)Nom du compte :  ([a-zA-Z0-9.-]{1,50})

And for the second one you just need to capture Compte cible :D:

(?mi)Compte cible : .*Nom du compte :  ([a-zA-Z0-9.-]{1,50})

@peluche



On Monday 4 July 2016 11:52:03 UTC+2, Zoizo wrote:
>
> Hello,
>
> I have been looking for a solution to my problem for several hours, in vain, 
> so I'm posting here in the hope that you could help me.
>
> I have some logs which follow this scheme (they're in French):
>
>
>
> domain.name.com MSWinEventLog 1 Security 665240 Thu Jun 30 14:35:38 2016 
> 4724 Microsoft-Windows-Security-Auditing N/A N/A Success Audit 
> domain.name.com Gestion des comptes d’utilisateur Une tentative de 
> réinitialisation de mot de passe d’un compte a été effectuée. Sujet : ID de 
> sécurité : S-1-5-21-151410-1935793592-2975913076-1170 Nom du compte : 
> firstname.lastname Domaine du compte : DOMAIN123 ID d’ouverture de 
> session : 0x21CACB1 Compte cible : ID de sécurité : 
> S-1-5-21-151410-1935793592-2975913076-1650 Nom du compte : 
> firstname.lastname Domaine du compte : DOMAIN123 256107419
>
> I want to make a regex extractor that will return the value of 
> "firstname.lastname" after "Nom du compte :  ". Since there are two "Nom du 
> compte :  ", I will use a regex for each of them (and create two fields).
>
> I tried to extract the first one with this regex but it's not working 
> (regular expression did not match):
>
> Nom du compte :  ([a-zA-Z0-9.-]{1,50})
>
> This regex works in a regex tester so I'm kinda lost here... Could anyone 
> provide an answer to this please?
>
> Also, my second question is: if I want to extract the second 
> "firstname.lastname", how would I change my regex to do so?
>
> Would really appreciate some help.
>
> Thanks!
>

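Added example (not part of the thread): the two extractor regexes above applied in Python to the quoted event 4724 message. The sample is constructed from the message in the question, with the subject account renamed to `helpdesk.operator` so the two extracted fields can be told apart; the multi-line variant shows that `(?m)` does not let `.` cross a line break, so a message that keeps its line breaks also needs `(?s)`.

```python
import re

# Event 4724 (password reset attempt) as quoted in the thread, flattened to
# one line the way a syslog-style input delivers it. Constructed sample: the
# subject account was renamed so the two extracted values differ.
EVENT_4724 = (
    "domain.name.com MSWinEventLog 1 Security 665240 Thu Jun 30 14:35:38 2016 "
    "4724 Microsoft-Windows-Security-Auditing N/A N/A Success Audit "
    "domain.name.com Gestion des comptes d’utilisateur Une tentative de "
    "réinitialisation de mot de passe d’un compte a été effectuée. Sujet : "
    "ID de sécurité : S-1-5-21-151410-1935793592-2975913076-1170 "
    "Nom du compte :  helpdesk.operator Domaine du compte : DOMAIN123 "
    "ID d’ouverture de session : 0x21CACB1 Compte cible : ID de sécurité : "
    "S-1-5-21-151410-1935793592-2975913076-1650 Nom du compte :  "
    "firstname.lastname Domaine du compte : DOMAIN123 256107419"
)

# The same event with a line break kept, as a GELF input could deliver it.
EVENT_4724_MULTILINE = EVENT_4724.replace("Compte cible : ID", "Compte cible : \nID")

# The two extractor regexes from the thread: the first "Nom du compte" is the
# subject (who performed the reset), the second, reached by skipping past
# "Compte cible", is the target (whose password was reset).
SUBJECT_RE = re.compile(r"(?mi)Nom du compte :  ([a-zA-Z0-9.-]{1,50})")
TARGET_RE = re.compile(r"(?mi)Compte cible : .*Nom du compte :  ([a-zA-Z0-9.-]{1,50})")
# (?m) only changes ^ and $; it does not let '.' match a line break. For
# multi-line messages the target regex also needs (?s) (DOTALL).
TARGET_RE_DOTALL = re.compile(
    r"(?smi)Compte cible : .*Nom du compte :  ([a-zA-Z0-9.-]{1,50})"
)


def extract_accounts(message, dotall=False):
    """Return (subject_account, target_account); None where a regex fails."""
    target_re = TARGET_RE_DOTALL if dotall else TARGET_RE
    subject = SUBJECT_RE.search(message)
    target = target_re.search(message)
    return (subject.group(1) if subject else None,
            target.group(1) if target else None)


if __name__ == "__main__":
    print(extract_accounts(EVENT_4724))
    print(extract_accounts(EVENT_4724_MULTILINE))
    print(extract_accounts(EVENT_4724_MULTILINE, dotall=True))
```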


[graylog2] Re: help with Gork pattern

2016-07-01 Thread kaiser
NUMBER is based on the BASE10NUM variable,

so replace NUMBER with BASE10NUM.

The same for IP, which is based on IPV4 and IPV6.

If you only have IPv4, replace IP with IPV4.


On Friday 1 July 2016 15:05:38 UTC+2, Keamas M wrote:
>
> This looks good now:
>
> I added some additional fields:
>
>
> %{GREEDYDATA:UNWANTED}.*srcIP=%{IP:srcip}\|srcPort=%{NUMBER:srcport}\|srcMAC=%{COMMONMAC:srcmac}\|dstIP=%{IP:dstcip}
>
> This is my output now:
>
> BASE10NUM 52064
> IPV4 10.244.134.247
> dstcip 10.244.134.247
> srcip 10.244.120.16
> srcmac 44:1e:a1:44:f7:c8
> srcport 52064
>
> Is it also possible to remove the first entry?
> I don't know why I get this:
>
> BASE10NUM 52064
>
>
> On Thursday, 30 June 2016 07:18:30 UTC+2 Keamas M wrote:
>>
>> Hey,
>>
>> I log my firewall logs into Graylog.
>>
>> The log File looks like this:
>>
>>
>> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW 
>> Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|
>> srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|
>> dstService=|dstIF=port7.910|rule=|info=Normal Operation|
>> srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|
>> receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=n600771|
>> protocol=HTTP direct|application=Web browsing|target=steiermark.orf.at|
>> content=|urlcat=Search Engines/Portals
>>
>>
>> I tried to extract the fields with grok patterns, I tried it like this:
>>
>>
>>
>> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>>
>> But it does not work; I can only extract the first field. How can I create 
>> a pattern that lets me use all the fields?
>> Does anyone have an example of how I can use grok patterns to extract this?
>>
>> Or is there any other extraction mechanism which is better to use to 
>> extract this kind of data?
>>
>>
>>



[graylog2] Re: help with Gork pattern

2016-07-01 Thread kaiser
Would you try the correct command please?

You tried with /| instead of \|

%{GREEDYDATA:UNWANTED}srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}

OR

%{GREEDYDATA:UNWANTED}.*srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}



[graylog2] Re: help with Gork pattern

2016-07-01 Thread kaiser
Can you try:

srcIP=%{IP:srcip} 

then 

scrPort=%{NUMBER:srcport}

Is there any error on those patterns?

If no errors are displayed, can you try:
%{GREEDYDATA:UNWANTED}srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}



On Friday 1 July 2016 09:19:53 UTC+2, Keamas M wrote:
>
> I also tried to escape it with \ and / and so on... but it does not 
> work.
> I always get this message when I press try:
>
> Attention
> We were not able to run the grok extraction. Please check your parameters.
>
> See the screenshot in the attachment.
>
>
>
>
>
> On Thursday, 30 June 2016 09:23:11 UTC+2 kaiser wrote:
>>
>> '|' stands for a logical OR so you have to escape it with '\|'.
>>
>>
>> srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}\|dstIP=%{IP:
>> dstip}\|dstPort=%{NUMBER:dstport}
>>
>> On Thursday 30 June 2016 07:18:30 UTC+2, Keamas M wrote:
>>>
>>> Hey,
>>>
>>> I log my firewall logs into Graylog.
>>>
>>> The log File looks like this:
>>>
>>>
>>> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info 
>>> C-WN02-FW Detect: type=FWD|proto=TCP|srcIF=port7.101|
>>> srcIP=10.244.130.143|srcPort=52365|srcMAC=00:00:00:00:00:00|
>>> dstIP=194.232.104.167|dstPort=80|dstService=|dstIF=port7.910|rule=|
>>> info=Normal Operation|srcNAT=80.120.132.156|dstNAT=194.232.154.127|
>>> duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|
>>> sentPackets=0|user=n600771|protocol=HTTP direct|application=Web browsing
>>> |target=steiermark.orf.at|content=|urlcat=Search Engines/Portals
>>>
>>>
>>> I tried to extract the fields with grok patterns, I tried it like this:
>>>
>>>
>>>
>>> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>>>
>>> But it does not work; I can only extract the first field. How can I 
>>> create a pattern that lets me use all the fields?
>>> Does anyone have an example of how I can use grok patterns to extract this?
>>>
>>> Or is there any other extraction mechanism which is better to use to 
>>> extract this kind of data?
>>>
>>>
>>>
> <https://lh3.googleusercontent.com/-Ltf_0gQsscU/V3YZbc1LTpI/AP4/NKiARLA1CI82O_DEue824Hz1dMl9hGFSACLcB/s1600/graylog1.JPG>
>



[graylog2] Re: help with Gork pattern

2016-06-30 Thread kaiser
'|' stands for a logical OR so you have to escape it with '\|'.


srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}\|dstIP=%{IP:
dstip}\|dstPort=%{NUMBER:dstport}

On Thursday 30 June 2016 07:18:30 UTC+2, Keamas M wrote:
>
> Hey,
>
> I log my firewall logs into Graylog.
>
> The log File looks like this:
>
>
> <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW 
> Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|
> srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|
> dstService=|dstIF=port7.910|rule=|info=Normal Operation|
> srcNAT=80.120.132.156|dstNAT=194.232.154.127|duration=0|count=1|
> receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=n600771|
> protocol=HTTP direct|application=Web browsing|target=steiermark.orf.at|
> content=|urlcat=Search Engines/Portals
>
>
> I tried to extract the fields with grok patterns, I tried it like this:
>
>
>
> srcIP=%{IP:srcip}|scrPort=%{NUMBER:srcport}|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}
>
> But it does not work; I can only extract the first field. How can I create 
> a pattern that lets me use all the fields?
> Does anyone have an example of how I can use grok patterns to extract this?
>
> Or is there any other extraction mechanism which is better to use to 
> extract this kind of data?
>
>
>

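Added example (not Graylog's code): a small Python model of grok expansion that reproduces the three things seen across this thread: an unescaped `|` turning the pattern into an alternation that captures only the first field, `\|` matching the literal separator, and `%{NUMBER}`/`%{IP}` surfacing extra `BASE10NUM`/`IPV4` fields because they are defined through unnamed sub-patterns, which `%{BASE10NUM}`/`%{IPV4}` avoid. The base patterns are simplified stand-ins for the logstash definitions, the sample is the firewall line quoted above, and `srcPort` is spelled as in that line.

```python
import re

# Simplified stand-ins for the logstash/Graylog base patterns named in the
# thread. Constructed for this example (the real IP also covers IPv6); what
# matters is the structure: NUMBER and IP are built from unnamed sub-patterns.
BASE_PATTERNS = {
    "BASE10NUM": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "NUMBER": r"(?:%{BASE10NUM})",
    "IPV4": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "IP": r"(?:%{IPV4})",
    "COMMONMAC": r"(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}",
    "GREEDYDATA": r".*",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern, defs=BASE_PATTERNS):
    """Expand %{NAME:field} references into a regex with named groups.

    As in the extractor output quoted in the thread, every referenced
    sub-pattern gets a capture group, even when no field name is given:
    those values surface under the pattern's own name (BASE10NUM, IPV4, ...).
    """
    fields = {}  # regex group name -> field name reported to the user

    def expand(text):
        def repl(m):
            name, field = m.group(1), m.group(2)
            if name not in defs:
                raise ValueError(f"unknown grok pattern {name}")
            group = f"g{len(fields)}"
            fields[group] = field or name
            return f"(?P<{group}>{expand(defs[name])})"
        return GROK_REF.sub(repl, text)

    return re.compile(expand(pattern)), fields


def grok_match(pattern, line):
    """Fields the pattern extracts from one line, or None if it does not match.

    When a sub-pattern name repeats, the last value wins, which is the
    destination IP shown as IPV4 in the thread's output.
    """
    regex, fields = compile_grok(pattern)
    m = regex.search(line)
    if m is None:
        return None
    return {field: m.group(group) for group, field in fields.items()
            if m.group(group) is not None}


# First part of the firewall line quoted in the thread.
FIREWALL_LINE = (
    "<14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW "
    "Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143|"
    "srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80|"
    "dstService=|dstIF=port7.910|rule=|info=Normal Operation"
)

# Unescaped '|' is regex alternation: this reads "srcIP=... OR srcPort=...
# OR ...", and only the alternative found first (srcIP) is captured.
UNESCAPED = (r"srcIP=%{IP:srcip}|srcPort=%{NUMBER:srcport}"
             r"|dstIP=%{IP:dstip}|dstPort=%{NUMBER:dstport}")

# '\|' is a literal pipe, so every field is captured, along with the IPV4 and
# BASE10NUM fields the original poster did not ask for.
ESCAPED = (r"%{GREEDYDATA:UNWANTED}srcIP=%{IP:srcip}\|srcPort=%{NUMBER:srcport}"
           r"\|srcMAC=%{COMMONMAC:srcmac}\|dstIP=%{IP:dstip}\|dstPort=%{NUMBER:dstport}")

# Referencing the leaf patterns directly, as suggested in the thread, leaves
# only the fields that were named.
LEAF_ONLY = (r"%{GREEDYDATA:UNWANTED}srcIP=%{IPV4:srcip}\|srcPort=%{BASE10NUM:srcport}"
             r"\|srcMAC=%{COMMONMAC:srcmac}\|dstIP=%{IPV4:dstip}\|dstPort=%{BASE10NUM:dstport}")

if __name__ == "__main__":
    for label, pattern in (("unescaped", UNESCAPED), ("escaped", ESCAPED),
                           ("leaf only", LEAF_ONLY)):
        print(label, grok_match(pattern, FIREWALL_LINE))
```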


[graylog2] Re: How to setup tls security?

2016-06-09 Thread kaiser
Maybe you can give it a try:

http://www.pc-freak.net/blog/auto-insert-password-for-a-trusted-ssl-certificate-automatically-enter-password-for-an-ssl-certificate-during-apache-startup-on-debian-lenny/



[graylog2] Re: How to setup tls security?

2016-06-07 Thread kaiser
If you access Graylog by IP you will have to add an exception each time.

You have to access Graylog with https://.:9000 or 
https://.:12900

because you created the certificate with the hostname, not the IP address.

You have to set the https link with the hostname in your server config file.

Cheers

On Tuesday 7 June 2016 10:35:15 UTC+2, Earest wrote:
>
> It works, thanks for the help! But I don't understand why I need to add an 
> exception in my browser for the cert on ports 9000 and 12900. (I added it to 
> the trusted certs for Java :s). Maybe 'cause it's a self-signed one and my 
> browser doesn't know it has to trust it ^^
>



[graylog2] Re: How to setup tls security?

2016-06-07 Thread kaiser


keytool -genkey -alias buildforge -keyalg RSA -keysize 2048 -validity 5475 
-dname "CN=.domain>" -keystore buildForgeKeyStore.p12 -storepass 
PASS -storetype pkcs12 -alias graylog2

keytool -importkeystore -deststorepass "***PASS***" -destkeypass 
"***PASS***" -destkeystore graylog.keystore -srckeystore 
/tmp/buildForgeKeyStore.p12 -srcstoretype PKCS12 -srcstorepass "***PASS***" 
-alias graylog2


openssl req -x509 -days 365 -nodes -newkey rsa:2048 -keyout pkcs5-plain.pem 
-out cert.pem


openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem


openssl pkcs8 -in pkcs5-plain.pem -topk8 -v2 des3 -out pkcs8-encrypted.pem 
-passout pass:secret


keytool -list -v -keystore graylog.keystore -alias graylog2


keytool -importkeystore -srckeystore  graylog.keystore  -destkeystore 
keystore.p12 -deststoretype PKCS12


openssl pkcs12 -in keystore.p12 -nokeys -out graylog-certificate.pem


openssl pkcs12 -in keystore.p12 -nocerts -out graylog-pkcs5.pem


openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem


head graylog-key.pem graylog-certificate.pem


If you have errors with ProxiedResource, maybe you should ask your company 
for a wildcard certificate and do the following:


keytool -import -trustcacerts -file company-certificate.cer -alias company \
  -keystore $JAVA_HOME/jre/lib/security/cacerts



[graylog2] Re: How to setup tls security?

2016-06-06 Thread kaiser
 

I have created my keystore like this:


keytool -genkey -alias buildforge -keyalg RSA -keysize 2048 -validity 5475 
-dname "CN=.domain>" -keystore buildForgeKeyStore.p12 -storepass 
PASS -storetype pkcs12 -alias graylog2

keytool -importkeystore -deststorepass "***PASS***" -destkeypass 
"***PASS***" -destkeystore graylog.keystore -srckeystore 
/tmp/buildForgeKeyStore.p12 -srcstoretype PKCS12 -srcstorepass "***PASS***" 
-alias graylog2







[graylog2] Re: How to setup tls security?

2016-06-06 Thread kaiser
Are you working in a company?

In that case you should ask for your enterprise certificate (with the 
passphrase for Graylog) and do the following:

http://mikepilat.com/2011/05/adding-a-certificate-authority-to-the-java-runtime.html


On Monday 9 May 2016 11:24:09 UTC+2, Earest wrote:
>
> Hello,
>
> After some hours trying to configure TLS encryption without success, I 
> come here to ask for some help.
>
> *Server configuration :*
>
> Debian 8
> Graylog 2.0.0
> Mongodb 2.4.10
> Java 8u92+8u91
> Elasticsearch 2.3.2
>
>
> *Graylog tls options *:
>
> rest_enable_tls = true
>> rest_tls_cert_file = /etc/ssl/temp/graylog.pem
>> rest_tls_key_file = /etc/ssl/temp/key_pk8.pem
>> rest_tls_key_password =
>> web_enable_tls = true
>> web_tls_cert_file = /etc/ssl/temp/graylog.pem
>> web_tls_key_file = /etc/ssl/temp/key_pk8.pem
>> web_tls_key_password =
>
>
>
> *Now my tls configuration step by step :*
>
>
> #cert and key creation (-x509 and pkcs10)
>
>> sudo openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout 
>> key.pem -out graylog.pem
>
>
> #converting to pkcs8 as indicated in the conf file
>
>> sudo openssl pkcs8 -nocrypt -topk8 -in key.pem -out key_pk8.pem
>>
>
> #adding cert to keystore
>
>> sudo $JAVA_HOME/bin/keytool -import -alias gray_key -file 
>> /etc/ssl/temp/graylog.pem -keystore /etc/ssl/graylog.jks
>>
>
> #adding keystore to java truststore with the following shell script :
>>
>> #!/bin/bash
>> export JAVA_OPTIONS="-Djavax.net.ssl.trustStore=/etc/ssl/graylog.jks 
>> -Djavax.net.ssl.trustStorePassword=mypassword"
>
>
> After that i restart my graylog server and get some warn in my log 
> (looping without interruption):
>
> 2016-05-09T11:09:48.176+02:00 WARN  [ProxiedResource] Unable to call 
>> https://serverIp:12900/system/metrics/multiple on node 
>> , caught exception: 
>> sun.security.validator.ValidatorException: PKIX path building failed: 
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
>> valid certification path to requested target (class 
>> javax.net.ssl.SSLHandshakeException)
>> 2016-05-09T11:09:48.178+02:00 WARN  [ProxiedResource] Unable to call 
>> https://serverIp:12900/system/inputstates on node 
>> , caught exception: 
>> sun.security.validator.ValidatorException: PKIX path building failed: 
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
>> valid certification path to requested target (class 
>> javax.net.ssl.SSLHandshakeException)
>
>
> If I connect to the web page of Graylog all my inputs are stopped and I 
> can't start them:
>
> I got the following error on the web page (pop-up message):
>
>> Input 'Input_name' could not be started
>> Request to start input 'Input_name' failed. Check your Graylog logs for 
>> more information.
>
>
> And here is the associated log:
>
>> 2016-05-09T11:15:28.122+02:00 WARN  [ProxiedResource] Unable to call 
>> https://serverIp:12900/system/inputstates/5727554fe4b0c113c6180c6e on 
>> node , caught exception: 
>> sun.security.validator.ValidatorException: PKIX path building failed: 
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
>> valid certification path to requested target (class 
>> javax.net.ssl.SSLHandshakeException)
>
>
> PS: After adding an exception for the login page https://serverIp:9000/ I 
> need to add one for https://serverIp:12900/system/cluster/node or I get 
> this error:
>
> We are experiencing problems connecting to the Graylog server running on 
> *https://serverIp:12900// 
>> *. Please verify that the server is healthy 
>> and working correctly.
>>
>> You will be automatically redirected to the previous page once we can 
>> connect to the server.
>>
>> Do you need a hand? We can help you 
>> .
>>
>> --
>>
>>> This is the last response we received from the server:
>>> Error message
>>> Bad request
>>> Original Request
>>> GET https://serverIp:12900/system/cluster/node
>>> Status code
>>> undefined
>>> Full error message
>>> Error: Request has been terminated Possible causes: the network is 
>>> offline, Origin is not allowed by Access-Control-Allow-Origin, the page is 
>>> being unloaded, etc.
>>> Possible causes: the network is offline, Origin is not allowed by 
>>> Access-Control-Allow-Origin, the page is being unloaded, etc.
>>
>>  
> If you have any questions, I remain at your disposal.
>
> Earest
>



[graylog2] [Disable TLS REST only]

2016-06-06 Thread kaiser
Hello,

Is there a way to enable TLS for the web interface only and disable TLS for the REST API?

Regards.




[graylog2] Re: How to setup tls security?

2016-05-27 Thread kaiser
Hi Earest,

did you manage to resolve your problem?

Regards.

On Monday 9 May 2016 11:24:09 UTC+2, Earest wrote:
>
> Hello,
>
> After some hours trying to configure TLS encryption without success, I 
> come here to ask for some help.
>
> *Server configuration :*
>
> Debian 8
> Graylog 2.0.0
> Mongodb 2.4.10
> Java 8u92+8u91
> Elasticsearch 2.3.2
>
>
> *Graylog tls options *:
>
> rest_enable_tls = true
>> rest_tls_cert_file = /etc/ssl/temp/graylog.pem
>> rest_tls_key_file = /etc/ssl/temp/key_pk8.pem
>> rest_tls_key_password =
>> web_enable_tls = true
>> web_tls_cert_file = /etc/ssl/temp/graylog.pem
>> web_tls_key_file = /etc/ssl/temp/key_pk8.pem
>> web_tls_key_password =
>
>
>
> *Now my tls configuration step by step :*
>
>
> #cert and key creation (-x509 and pkcs10)
>
>> sudo openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout 
>> key.pem -out graylog.pem
>
>
> #converting to pkcs8 as indicated in the conf file
>
>> sudo openssl pkcs8 -nocrypt -topk8 -in key.pem -out key_pk8.pem
>>
>
> #adding cert to keystore
>
>> sudo $JAVA_HOME/bin/keytool -import -alias gray_key -file 
>> /etc/ssl/temp/graylog.pem -keystore /etc/ssl/graylog.jks
>>
>
> #adding keystore to java truststore with the following shell script :
>>
>> #!/bin/bash
>> export JAVA_OPTIONS="-Djavax.net.ssl.trustStore=/etc/ssl/graylog.jks 
>> -Djavax.net.ssl.trustStorePassword=mypassword"
>
>
> After that i restart my graylog server and get some warn in my log 
> (looping without interruption):
>
> 2016-05-09T11:09:48.176+02:00 WARN  [ProxiedResource] Unable to call 
>> https://serverIp:12900/system/metrics/multiple on node 
>> , caught exception: 
>> sun.security.validator.ValidatorException: PKIX path building failed: 
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
>> valid certification path to requested target (class 
>> javax.net.ssl.SSLHandshakeException)
>> 2016-05-09T11:09:48.178+02:00 WARN  [ProxiedResource] Unable to call 
>> https://serverIp:12900/system/inputstates on node 
>> , caught exception: 
>> sun.security.validator.ValidatorException: PKIX path building failed: 
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
>> valid certification path to requested target (class 
>> javax.net.ssl.SSLHandshakeException)
>
>
> If I connect to the web page of Graylog all my inputs are stopped and I 
> can't start them:
>
> I got the following error on the web page (pop-up message):
>
>> Input 'Input_name' could not be started
>> Request to start input 'Input_name' failed. Check your Graylog logs for 
>> more information.
>
>
> And here is the associated log:
>
>> 2016-05-09T11:15:28.122+02:00 WARN  [ProxiedResource] Unable to call 
>> https://serverIp:12900/system/inputstates/5727554fe4b0c113c6180c6e on 
>> node , caught exception: 
>> sun.security.validator.ValidatorException: PKIX path building failed: 
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
>> valid certification path to requested target (class 
>> javax.net.ssl.SSLHandshakeException)
>
>
> PS: After adding an exception for the login page https://serverIp:9000/ I 
> need to add one for https://serverIp:12900/system/cluster/node or I get 
> this error:
>
> We are experiencing problems connecting to the Graylog server running on 
> *https://serverIp:12900// 
>> *. Please verify that the server is healthy 
>> and working correctly.
>>
>> You will be automatically redirected to the previous page once we can 
>> connect to the server.
>>
>> Do you need a hand? We can help you 
>> .
>>
>> --
>>
>>> This is the last response we received from the server:
>>> Error message
>>> Bad request
>>> Original Request
>>> GET https://serverIp:12900/system/cluster/node
>>> Status code
>>> undefined
>>> Full error message
>>> Error: Request has been terminated Possible causes: the network is 
>>> offline, Origin is not allowed by Access-Control-Allow-Origin, the page is 
>>> being unloaded, etc.
>>> Possible causes: the network is offline, Origin is not allowed by 
>>> Access-Control-Allow-Origin, the page is being unloaded, etc.
>>
>>  
> If you have any questions, I remain at your disposal.
>
> Earest
>



[graylog2] Re: [Graylog WEB TLS] proxiedresource error

2016-05-27 Thread kaiser
Here is the issue: https://github.com/Graylog2/graylog2-server/issues/2193

"The remaining error (sun.security.validator.ValidatorException: PKIX path 
building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target (class 
javax.net.ssl.SSLHandshakeException)) means that your Graylog server does 
not trust the certificate of the Graylog server it connects to (even if it 
connects back to itself). Therefore make sure you have added the *correct* 
certificate (preferably the CA cert) to the *correct* keystore used by the 
Graylog server"

What does it mean when it's saying "make sure you have added the *correct* 
certificate (preferably the CA cert) to the *correct* keystore used by the 
Graylog server"?

How do you do that?

Regards



[graylog2] Re: [Graylog WEB TLS] proxiedresource error

2016-05-27 Thread kaiser
Hello 

I have got the message that the issuer certificate CN is invalid.

On Thursday 26 May 2016 15:55:13 UTC+2, kaiser wrote:
>
> Hello,
>
> I tried to setup the tls security for web and rest api.
>
> Everything is OK; I managed to access the Graylog web interface but none of 
> the inputs are running.
>
> In my logs  I have the following type of logs:
>
> 2016-05-05T13:38:03.685Z WARN  [ProxiedResource] Unable to call 
> http://10.0.26.10:12900/system/metrics/multiple on node 
> , caught exception: unexpected end of 
> stream on okhttp3.Address@2b5fd040 (class java.io.IOException)
> 2016-05-05T13:38:04.836Z WARN  [ProxiedResource] Unable to call 
> http://10.0.26.10:12900/system/me
>
>
> Does someone know how to resolve this issue?
>
> regards.
>



[graylog2] [Graylog WEB TLS] proxiedresource error

2016-05-26 Thread kaiser
Hello,

I tried to setup the tls security for web and rest api.

Everything is OK; I managed to access the Graylog web interface but none of 
the inputs are running.

In my logs  I have the following type of logs:

2016-05-05T13:38:03.685Z WARN  [ProxiedResource] Unable to call 
http://10.0.26.10:12900/system/metrics/multiple on node 
, caught exception: unexpected end of 
stream on okhttp3.Address@2b5fd040 (class java.io.IOException)
2016-05-05T13:38:04.836Z WARN  [ProxiedResource] Unable to call 
http://10.0.26.10:12900/system/me


Does someone know how to resolve this issue?

regards.



[graylog2] Re: load balancer

2016-05-25 Thread kaiser
hello,

Does someone have a clue on this subject?

Thank you :)



[graylog2] Re: [Pipeline] verifying dropped messages

2016-05-25 Thread kaiser
Hi Jochen,

Great answer :D

Thank you very much.

Regards



[graylog2] [Pipeline] verifying dropped messages

2016-05-25 Thread kaiser
Hello,

I have created a pipeline rule so that some messages are dropped.

Does someone know how to check that the message has been dropped?

Regards.



[graylog2] [Source] doesn't display the servers

2016-05-25 Thread kaiser
Hello,

With graylog 2.0 when I try to display sources, no servers are shown if I 
select last hour or last day.

Nevertheless the servers are displayed if I select last week.

How can I display the servers for the last hour or last day?

Regards



[graylog2] Re: load balancer

2016-05-23 Thread kaiser

Hello,

When setting up multiple nodes, is it possible to set one node as the web 
server only and the other nodes as data servers only?

Regards.



[graylog2] Re: How to setup tls security?

2016-05-20 Thread kaiser

I solved my problem using my keystore file located in 
/opt/graylog-key/graylog.keystore 

regards



[graylog2] Re: How to setup tls security?

2016-05-20 Thread kaiser
Hello,

I am trying to set tls security from graylog 2.0 documentation.

When trying to generate graylog-key.pem and graylog-pkcs5.pem

the two files are empty:

-rw-r--r--  1 root root    0 20 mai   11:55 graylog-key.pem
-rw-r--r--  1 root root    0 20 mai   11:56 graylog-pkcs5.pem


Someone knows how to resolve this?

Regards.



[graylog2] Re: How to setup tls security?

2016-05-20 Thread kaiser
Hello,

I am trying to set tls security from graylog 2.0 documentation.

I have the following issue when following the instructions:
read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY

My two following files are empty:

-rw-r--r--  1 root root    0 20 mai   11:55 graylog-key.pem
-rw-r--r--  1 root root    0 20 mai   11:56 graylog-pkcs5.pem


Someone knows how to resolve this?

Regards.

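The three "How to setup tls security?" messages above describe the same symptom: the two PEM files come out empty and OpenSSL then refuses the key with "no start line ... Expecting: ANY PRIVATE KEY". That error is OpenSSL's way of saying the input has no "-----BEGIN ... PRIVATE KEY-----" line, which is exactly what a 0-byte graylog-key.pem looks like, so the step that wrote the file is the one to rerun. The following pre-flight check is an added example, not code from Graylog or from the poster; it reads a PEM file and reports whether it is empty, has no PEM block at all, is a certificate rather than a key, or holds a key and in which format. It assumes, from my reading of the Graylog 2.0 TLS documentation (not quoted on the page), that graylog-server wants the PKCS#8 form produced by `openssl pkcs8 -topk8`. The sample inputs are constructed and their base64 bodies are placeholder text, not key material.

```python
"""Pre-flight check of the PEM files a Graylog 2.0 TLS setup consumes.

Added example; not code from Graylog or from the poster. It classifies a
PEM file so that the cause of "no start line ... Expecting: ANY PRIVATE
KEY" (an empty or header-less file) is visible before openssl is run.
"""
import base64
import binascii
import re
from typing import Dict

# One PEM block: header, base64 body (possibly line-wrapped), matching footer.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)"
    r"-----END (?P=label)-----"
)

# Header labels that denote a private key and the format they announce.
# Assumption (from the Graylog 2.0 TLS docs, not quoted on the page):
# graylog-server wants the PKCS#8 form written by "openssl pkcs8 -topk8".
PRIVATE_KEY_FORMATS = {
    "PRIVATE KEY": "pkcs8",
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
    "RSA PRIVATE KEY": "pkcs1-rsa",
    "EC PRIVATE KEY": "sec1-ec",
}


def inspect_pem(data: bytes) -> Dict[str, object]:
    """Classify the bytes of a PEM file and say what to do next."""
    if not data.strip():
        return {"status": "empty",
                "hint": "0-byte file: the command meant to write it failed; rerun it and read its error output"}
    text = data.decode("ascii", errors="replace")
    match = PEM_BLOCK_RE.search(text)
    if match is None:
        return {"status": "no-pem-block",
                "hint": "no BEGIN/END pair; OpenSSL reports this as 'no start line'"}
    label = match.group("label")
    body = "".join(match.group("body").split())
    try:
        if not body:
            raise binascii.Error("empty body")
        base64.b64decode(body, validate=True)
    except binascii.Error:
        return {"status": "corrupt-body", "label": label,
                "hint": "header present but the base64 body does not decode"}
    if label == "CERTIFICATE":
        return {"status": "certificate", "label": label,
                "hint": "this is the certificate, not the private key"}
    fmt = PRIVATE_KEY_FORMATS.get(label)
    if fmt is None:
        return {"status": "unknown-label", "label": label, "hint": "not a private key block"}
    if fmt == "pkcs8":
        hint = "unencrypted PKCS#8: usable by graylog-server as is"
    elif fmt == "pkcs8-encrypted":
        hint = "encrypted PKCS#8: the key password must be configured in server.conf"
    else:
        hint = "convert with: openssl pkcs8 -topk8 -in <key.pem> -out <key-pkcs8.pem>"
    return {"status": "private-key", "label": label, "format": fmt,
            "pkcs8": fmt.startswith("pkcs8"), "hint": hint}


def inspect_pem_file(path: str) -> Dict[str, object]:
    """Same check for a file on disk, e.g. graylog-key.pem."""
    with open(path, "rb") as handle:
        return inspect_pem(handle.read())


# Constructed samples: the base64 body is placeholder text, not key material.
_FAKE_BODY = base64.b64encode(b"constructed placeholder, not a real key").decode()
SAMPLE_EMPTY = b""
SAMPLE_PKCS8 = f"-----BEGIN PRIVATE KEY-----\n{_FAKE_BODY}\n-----END PRIVATE KEY-----\n".encode()
SAMPLE_PKCS1 = f"-----BEGIN RSA PRIVATE KEY-----\n{_FAKE_BODY}\n-----END RSA PRIVATE KEY-----\n".encode()
SAMPLE_CERT = f"-----BEGIN CERTIFICATE-----\n{_FAKE_BODY}\n-----END CERTIFICATE-----\n".encode()
# An OpenSSL error message that ended up in the output file instead of a key.
SAMPLE_STDERR = b"unable to load Private Key\n"

if __name__ == "__main__":
    for name, sample in [("empty", SAMPLE_EMPTY), ("pkcs8", SAMPLE_PKCS8),
                         ("pkcs1", SAMPLE_PKCS1), ("cert", SAMPLE_CERT),
                         ("stderr", SAMPLE_STDERR)]:
        print(name, inspect_pem(sample))
```

Run `inspect_pem_file("/path/to/graylog-key.pem")` after each openssl step; an "empty" or "no-pem-block" result means the previous command failed and its own error output, not the later "no start line", is what to read.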


[graylog2] Re: load balancer

2016-05-20 Thread kaiser
Thank you very much Jochen.



[graylog2] Re: Graylog indicies

2016-05-19 Thread kaiser
The same here, the other solutions don't work

Le mardi 17 mai 2016 02:59:49 UTC+2, Mark Moorcroft a écrit :
>
>
> Personally I changed all the references to graylog in the conf files back 
> to graylog2, and so far no issues with that stuff. All my indices came back 
> as expected.
>
> On Thursday, May 12, 2016 at 11:52:22 PM UTC-7, kaiser wrote:
>>
>> Hello,
>>
>> I have updated graylog with current version 2.0
>>
>> After the update new indices are prefixed with graylog.
>>
>> My indices prefixed by graylog2 from graylog 1.3.4 are not displayed in 
>> graylog.
>>
>> Is there a way to add them?
>>
>> regards.
>>
>



[graylog2] Re: load balancer

2016-05-18 Thread kaiser
Hi Jochen 

Is load balancer mandatory to use multiple graylog nodes?

Regards



[graylog2] load balancer

2016-05-14 Thread kaiser
Hello,

I would like to create 2 graylog nodes.

I have 3 servers:

What is the best load balancer?

Is there a free load balancer?

Is there some specific hardware to buy to use a load balancer?

Regards



[graylog2] Re: Graylog indicies

2016-05-13 Thread kaiser
Ok thank you for your help



[graylog2] Re: [Graylog2.0] experiencing

2016-05-13 Thread kaiser
Hello Jochen,

Thank you for your reply.

I have managed to install graylog successfully and make it work.

I will post details on how to upgrade on CentOS 6; I think it could be 
useful for someone else.

Regards,




[graylog2] [Graylog2.0] experiencing

2016-05-12 Thread kaiser
Hello,

I have installed graylog 2.0 on centos6

I have access to the web interface.

Nevertheless I have the following issue:

1=> When making a search, I have got a prompt telling "...service 
unavailable, we are experiencing problem connecting to http://10.X.X.X:12900"


curl -XGET 'http://10.X.X.X:12900/'
returns: {"type":"ApiError","message":"HTTP 404 Not Found"}


Thank you for your help!



Re: [graylog2] [Graylog 2.0] Web interface

2016-05-12 Thread kaiser
Hi Jochen,

I managed to access graylog web interface.

Nevertheless I obtain graylog interface with empty inputs, empty streams, 
empty dashboard.

I have followed the instructions on elasticsearch website and the graylog 
documentation ...



[graylog2] Re: [Graylog multi node]

2016-05-12 Thread kaiser
Hi guys,

Could someone help me on this subject please?

regards.


Le lundi 9 mai 2016 15:16:05 UTC+2, kaiser a écrit :
>
> Hello,
>
> Is there some documents talking about how to install graylog multi nodes, 
> how to install load balancer, what to replicate, 
> which log to put in which node, ...
>
> I already read the official graylog document but it's very light on this 
> subject.
>
> Regards. 
>



Re: [graylog2] [Graylog 2.0] Web interface

2016-05-11 Thread kaiser
Hello Edmundo,

my graylog server is on a specific machine.

I am trying to access the web page from my local computer.

In the previous graylog version the configuration was set to 127.0.0.1

I have tried with the network ip address instead but it doesn't work. 



[graylog2] Re: [Graylog 2.0] Web interface

2016-05-11 Thread kaiser
here is my log:

2016-05-11T10:18:28.909+02:00 INFO  [AbstractJerseyService] Enabling CORS 
for HTTP endpoint
2016-05-11T10:18:31.209+02:00 INFO  [NetworkListener] Started listener 
bound to [127.0.0.1:9000]
2016-05-11T10:18:31.211+02:00 INFO  [HttpServer] [HttpServer] Started.
2016-05-11T10:18:31.211+02:00 INFO  [WebInterfaceService] Started Web 
Interface at 
2016-05-11T10:18:31.740+02:00 WARN  [discovery] 
[graylog-f0f25e13-bf2d-4eeb-9c34-c95ad2c40dbf] waited for 3s and no initial 
state was set by the discovery
2016-05-11T10:18:31.740+02:00 INFO  [node] 
[graylog-f0f25e13-bf2d-4eeb-9c34-c95ad2c40dbf] started
2016-05-11T10:18:31.825+02:00 INFO  [service] [graylog-f0f25e13-bf2d-4eeb-9c34-c95ad2c40dbf] detected_master {Scarlet Spiders}{uhh_FksXRYWVTomjmPAifA}{127.0.0.1}{127.0.0.1:9300}, added {{Scarlet Spiders}{uhh_FksXRYWVTomjmPAifA}{127.0.0.1}{127.0.0.1:9300},}, reason: zen-disco-receive(from master [{Scarlet Spiders}{uhh_FksXRYWVTomjmPAifA}{127.0.0.1}{127.0.0.1:9300}])
2016-05-11T10:18:31.828+02:00 INFO  [decider] 
[graylog-f0f25e13-bf2d-4eeb-9c34-c95ad2c40dbf] updating 
[cluster.routing.allocation.enable] from [ALL] to [NONE]
2016-05-11T10:18:31.829+02:00 INFO  [decider] 
[graylog-f0f25e13-bf2d-4eeb-9c34-c95ad2c40dbf] updating 
[cluster.routing.allocation.disk.watermark.low] to [92%]
2016-05-11T10:18:31.829+02:00 INFO  [decider] 
[graylog-f0f25e13-bf2d-4eeb-9c34-c95ad2c40dbf] updating 
[cluster.routing.allocation.disk.watermark.high] to [99%]
2016-05-11T10:18:33.747+02:00 INFO  [NetworkListener] Started listener 
bound to [127.0.0.1:12900]
2016-05-11T10:18:33.748+02:00 INFO  [HttpServer] [HttpServer-1] Started.
2016-05-11T10:18:33.749+02:00 INFO  [RestApiService] Started REST API at 

2016-05-11T10:18:33.750+02:00 INFO  [ServerBootstrap] Services started, startup times in ms: {KafkaJournal [RUNNING]=9, JournalReader [RUNNING]=68, InputSetupService [RUNNING]=72, OutputSetupService [RUNNING]=89, MetricsReporterService [RUNNING]=96, BufferSynchronizerService [RUNNING]=98, PeriodicalsService [RUNNING]=209, WebInterfaceService [RUNNING]=2795, IndexerSetupService [RUNNING]=3439, RestApiService [RUNNING]=5341}
2016-05-11T10:18:33.752+02:00 INFO  [ServiceManagerListener] Services are 
healthy
2016-05-11T10:18:33.754+02:00 INFO  [ServerBootstrap] Graylog server up and 
running.
2016-05-11T10:18:33.758+02:00 INFO  [InputSetupService] Triggering 
launching persisted inputs, node transitioned from Uninitialized [LB:DEAD] 
to Running [LB:ALIVE]

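The two "[Graylog 2.0] Web interface" messages above fit together: the poster cannot reach the web interface from another computer, and the startup log shows why, because both listeners report `Started listener bound to [127.0.0.1:9000]` and `[127.0.0.1:12900]`, i.e. the web interface and the REST API only answer on the server itself. The script below is an added example, not Graylog's code or the poster's; it parses those startup lines (the sample is the posted log, kept with the line wraps the archive introduced), pairs each bind with the service announced right after it, and classifies the bind address with the standard `ipaddress` module. Nothing on the page names the configuration keys involved, so the script only reports what the log proves: which services are loopback-only.

```python
"""Which Graylog 2.0 listeners are reachable from another host?

Added example, not Graylog's own code. In the posted startup log a
"Started listener bound to [host:port]" line is followed by a
"Started Web Interface at" or "Started REST API at" line; a loopback
bind explains why a browser on another machine gets nothing.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Sample input: the listener lines from the posted log, with the line
# wraps the mailing-list archive introduced (the URLs after "at" were
# already missing in the archive).
SAMPLE_LOG = """\
2016-05-11T10:18:31.209+02:00 INFO  [NetworkListener] Started listener
bound to [127.0.0.1:9000]
2016-05-11T10:18:31.211+02:00 INFO  [HttpServer] [HttpServer] Started.
2016-05-11T10:18:31.211+02:00 INFO  [WebInterfaceService] Started Web
Interface at
2016-05-11T10:18:33.747+02:00 INFO  [NetworkListener] Started listener
bound to [127.0.0.1:12900]
2016-05-11T10:18:33.748+02:00 INFO  [HttpServer] [HttpServer-1] Started.
2016-05-11T10:18:33.749+02:00 INFO  [RestApiService] Started REST API at
"""

# One pattern for both event kinds; \s+ also spans an archive line wrap.
# Hosts are IPv4 here, as in the posted log.
EVENT_RE = re.compile(
    r"Started listener\s+bound to \[(?P<host>.+?):(?P<port>\d+)\]"
    r"|Started (?P<service>Web\s+Interface|REST\s+API) at"
)


def classify_bind(host: str) -> Dict[str, object]:
    """Say whether a bind address can be reached from another machine.

    scope is 'loopback', 'all interfaces', 'specific interface' or
    'hostname'; remote_reachable is None for a hostname, which would
    have to be resolved first.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return {"scope": "hostname", "remote_reachable": None}
    if addr.is_loopback:
        return {"scope": "loopback", "remote_reachable": False}
    if addr.is_unspecified:
        return {"scope": "all interfaces", "remote_reachable": True}
    return {"scope": "specific interface", "remote_reachable": True}


def parse_listeners(log_text: str) -> List[Dict[str, object]]:
    """Pair every listener bind with the service announced after it."""
    findings: List[Dict[str, object]] = []
    pending: Optional[Dict[str, object]] = None
    for match in EVENT_RE.finditer(log_text):
        if match.group("host") is not None:
            pending = {
                "host": match.group("host"),
                "port": int(match.group("port")),
                "service": "unknown",
            }
            pending.update(classify_bind(match.group("host")))
            findings.append(pending)
        elif pending is not None:
            # Collapse the archive line wrap inside "Web\nInterface".
            pending["service"] = " ".join(match.group("service").split())
            pending = None
    return findings


def loopback_only_services(log_text: str) -> List[str]:
    """Names of the services that only answer on the server itself."""
    return [
        f"{f['service']} ({f['host']}:{f['port']})"
        for f in parse_listeners(log_text)
        if f["scope"] == "loopback"
    ]


if __name__ == "__main__":
    for finding in parse_listeners(SAMPLE_LOG):
        print(finding)
    print("Not reachable from another host:", loopback_only_services(SAMPLE_LOG))
```

Feed it the real server.log instead of `SAMPLE_LOG` to see the same classification for your own node; a `specific interface` bind answers only on that address, so a browser on another machine must use that address, not the server's other ones.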


[graylog2] [Graylog 2.0] Web interface

2016-05-11 Thread kaiser
Hello,

I have installed graylog 2.0 with elasticsearch 2.3.2 on centos 6

I started graylog-server but I can't get any web interface

Any idea?

regards.



[graylog2] [Graylog multi node]

2016-05-09 Thread kaiser
Hello,

Is there some documents talking about how to install graylog multi nodes, 
how to install load balancer, what to replicate, 
which log to put in which node, ...

I already read the official graylog document but it's very light on this 
subject.

Regards. 



[graylog2] Re: [Upgrade] 1.3.4 to 2.0

2016-04-28 Thread kaiser
Ok Thank you Jochen




[graylog2] Re: [Upgrade] 1.3.4 to 2.0

2016-04-28 Thread kaiser
My system is centos 6

Le jeudi 28 avril 2016 11:35:50 UTC+2, kaiser a écrit :
>
> Hello,
>
> Is there a method to upgrade from 1.3.4 to 2.0 please?
>
> regards.
>
>



[graylog2] [Upgrade] 1.3.4 to 2.0

2016-04-28 Thread kaiser
Hello,

Is there a method to upgrade from 1.3.4 to 2.0 please?

regards.



[graylog2] Drools and Graylog

2016-04-25 Thread kaiser
Hello,

I would like to use Drools with graylog.

Do I need to install some Drools plugin so that I can write some Drools rules?

Regards.



[graylog2] Re: [CSV separator]

2016-03-22 Thread kaiser
Ok Jochen,

Do I have to add a csv converter for each extractor of each input to have 
the separator ";" each time?

Regards.



[graylog2] Re: [CSV separator]

2016-03-21 Thread kaiser

Hi Jochen,

thank you for your answer.

Graylog converter is a graylog plugin?

regards.



[graylog2] [CSV separator]

2016-03-21 Thread kaiser
Hello,

is it possible to config graylog so that the csv separator field is ";" 
instead of ","?

regards.



Re: [graylog2] Re: [Disk Journal] Deletion

2016-03-21 Thread kaiser
Hello Joi,

I'll make a try.

Thx.

Regards.



[graylog2] Re: [Export CSV] full_message field

2016-03-21 Thread kaiser
Hello Jochen,

The full_message field is present in my logs.

I have filtered on the full_message field on my query search.

For me to make it work I have to modify the export csv url with 
full_message field.

regards,



[graylog2] Re: [Disk Journal] Deletion

2016-03-20 Thread kaiser
Ok thank you Jochen.

if I delete some events in the journal files by filtering only on a 
specific host, would it be safe?

Regards.



[graylog2] [Disk Journal] Deletion

2016-03-19 Thread kaiser
Hello,

One of my server had a script generating a lot of errors:

5 million logs in ten minutes

As a consequence, my graylog process buffer is used at 100%

The disk journal utilization is at 70% with millions of unprocessed 
messages.

Is it possible to delete the unprocessed messages because I don't need to 
get those logs?

Regards.



[graylog2] Re: Truncated message field

2016-03-15 Thread kaiser
Thank you very much.

regards.



[graylog2] Re: Truncated message field

2016-03-15 Thread kaiser
Ok thank you Jochen.

The problem is that the message field doesn't contain all the information 
given in the full_message.

How does graylog process to create the message field?

Regards.



[graylog2] Re: Truncated message field

2016-03-15 Thread kaiser

Hello Jochen,

I am using graylog 1.3.3
I have an input for cisco with udp protocol.
full_message is set in the input

Here is an example:


application_name
[user:

facility
syslogd

full_message
<45>36551: Feb 5 23:45:44: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: 
_user1] [Source: X.X.X.X] [localport: 22] at 23:45:44 TZ Fri Feb 5 2016

gl2_remote_ip
X.X.X.X

gl2_remote_port
1069

level
5

message
[Source: X.X.X.X] [localport: 22] at 23:45:44 TZ Fri Feb 5 2016

cheers.



[graylog2] Truncated message field

2016-03-15 Thread kaiser
Hello,

I have activated the full message field on some input.

Nevertheless sometimes the message field is truncated.

How is the message field computed?

How can I avoid the message field being truncated?

Regards.



[graylog2] Re: [Indicies retention]

2016-03-07 Thread kaiser
Hello,

Thank you for your answer.

When is an index reopened?

Regards.



[graylog2] [Indicies retention]

2016-03-01 Thread kaiser
Hello,

I have reached my indices retention number: 20

I have now a new index.

What I see is that the oldest index is reopened.

Why is it reopened?

How much time does it take to delete the oldest index?

Regards.



[graylog2] [Email alert] Issue

2016-02-19 Thread kaiser
Hello,

I have set a lot of alert conditions in one stream.

I have set an email alert call back.

I am not receiving all the alerts by mail; just some of them.

Can you tell me how to verify if there is a problem when sending the email 
alert call back?

Regards. 



[graylog2] [Email alert]

2016-02-17 Thread kaiser
Hello,

I have some questions about email alert.

[Email alert conditions]

--One can use regex in alert conditions. Is there a way to specify that the 
string match is not case sensitive?
For instance, will the condition "*hello*" match the string "HeLlO"?

--Will it be possible to add to email alert conditions an option to exclude 
some string matches, as in stream rules?

--How can one easily test whether the alert condition is correct without waiting 
for the event to occur?

Regards.



[graylog2] Re: [Graylog] Mysql

2016-02-08 Thread kaiser
Thank you Jochen, I'll give it a try.



[graylog2] [Wrong Timestamp] in alert email callback

2016-02-04 Thread kaiser
Hi,

I have configured a set of alert email callback.

The alert is configured with the date value:

Date: ${check_result.triggeredAt}

I have configured graylog-web, graylog-server, node server with UTC+1

On graylog web interface the time information is set to UTC+1

When receiving the mail, the value of the date is set to UTC timezone 
instead of UTC+1

Any clue on this problem?

Regards



[graylog2] Re: Email notifications using extractors

2016-01-27 Thread kaiser
Documentation is not specifying the way you access specific fields.

Assuming Ip and Command are specific fields you extracted,

Just try:

${foreach backlog message}${message.fields.Ip} ${message.fields.Command} - my 
version ${end}





[graylog2] Re: Email notifications using extractors

2016-01-27 Thread kaiser
Hi Stan

This should work:

${foreach backlog message}${message.fields.Ip} ${message.fields.Command} - my 
version ${end}



[graylog2] Re: Intermittent Stream Throughput Display Errors

2016-01-20 Thread kaiser
Hello,

Same problem on 1.3.0

Did you figure out how to solve this problem?

Regards.



[graylog2] Re: Upgrade

2016-01-11 Thread kaiser
Hi,

Did you try this?

http://docs.graylog.org/en/1.3/pages/installation/operating_system_packages.html

Le lundi 11 janvier 2016 20:33:25 UTC+1, Phil Bailey a écrit :
>
> Hi Everyone 
>
> Very new to both Ubuntu and Graylog, was wondering if somebody could help 
> me, I have followed this guide 
> 
>  for 
> installing and setting up Graylog, but just noticed it's a very old version.
>
> After getting everything up and running, I tried to just install the 
> latest version but had all sorts of problems with both the web and server 
> not connecting.
>
> Assuming I had done something wrong I have started again, but I don't want 
> to make the same mistake.
>
> I would be very grateful if somebody could give me an idiot's guide to 
> upgrading Graylog2 V0.20.2 to the latest install.
>
> Thanks guys.
>
> Phil
>



[graylog2] [Email callback] Variables issue

2016-01-11 Thread kaiser
Hello,

I try to add some fields variables in the subject field of my email alert 
callback.

When trying  subject:${message.source}

it only returns subject:

Is it possible to use variables in subject email field?

Regards.



[graylog2] Re: Alert email Callback link returns no result

2016-01-08 Thread kaiser
I have to recalculate indices each time to access the alert email link.

Any clue?

Regards.

On Thursday, 7 January 2016 12:27:37 UTC+1, kaiser wrote:
>
> Hello,
>
> I have set some email alert callback in graylog.
>
> When the email is received there is a link referring to the event in the 
> related stream.
>
> When I click on this link it returns no results.
>
> Nevertheless when manually searching on the stream the event can be found.
>
> Any idea on this problem?
>
> I have no errors on indexes and shards
>
> Regards
>



[graylog2] Alert email Callback link returns no result

2016-01-07 Thread kaiser
Hello,

I have set some email alert callback in graylog.

When the email is received there is a link referring to the event in the 
related stream.

When I click on this link it returns no results.

Nevertheless when manually searching on the stream the event can be found.

Any idea on this problem?

I have no errors on indexes and shards

Regards



[graylog2] Re: Concatenating Fields or Charting two fields

2016-01-07 Thread kaiser
Hello,

To do that I guess I would first make a copy of the log into another field.
Then I would use several replace extractors to replace "user:" with an empty 
string, ",Machine:" with "|" and ",VirusFound:(true|false)" with an empty 
string.
I would also add the condition that the log must contain user, machine and 
VirusFound.

regards

On Wednesday, 30 December 2015 10:36:07 UTC+1, Arik Nachmias wrote:
>
> Hello Everyone !
>
> I have been using graylog for a while now, I know my way in Regex / Grok 
> and everything (but not so on Drools).
> Is there a way you can think of which will allow me to concatenate two 
> fields? I would like to do statistics on Users/Machines (from a log I 
> have). The only implementation I saw was using Drools - but not so sure it 
> works (I can post my rule).
>
> Is there a way to do it via Extractor ?
>
> I.E - Log Example :
>
> User:Arik,Machine:Pork,VirusFound:Yes
>
> Would like to have one field which will be 
>
> Arik|Pork 
> So I can do a stacked chart on it - if there was a way to do a chart on 
> two fields instead of one, that would solve the problem as well.
>
> Thanks!
>
>
>



[graylog2] Re: Concatenating Fields or Charting two fields

2016-01-07 Thread kaiser
When selecting the field of your message, choose create extractor for field 
message -> replace with regular expression.

In regular expression you can for instance try User:  or something like  
(User:|,VirusFound:(Yes|No))
and in replacement ""

only attempt if field matches regular expression:
User*Machine*VirusFound  something like that


On Wednesday, 30 December 2015 10:36:07 UTC+1, Arik Nachmias wrote:
>
> Hello Everyone !
>
> I have been using graylog for a while now, I know my way in Regex / Grok 
> and everything (but not so on Drools).
> Is there a way you can think of which will allow me to concatenate two 
> fields? I would like to do statistics on Users/Machines (from a log I 
> have). The only implementation I saw was using Drools - but not so sure it 
> works (I can post my rule).
>
> Is there a way to do it via Extractor ?
>
> I.E - Log Example :
>
> User:Arik,Machine:Pork,VirusFound:Yes
>
> Would like to have one field which will be 
>
> Arik|Pork 
> So I can do a stacked chart on it - if there was a way to do a chart on 
> two fields instead of one, that would solve the problem as well.
>
> Thanks!
>
>
>

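The replace-extractor chain described in the two replies above, simulated with Python's re module so it can be checked before it is configured in Graylog (an added example, not code from the thread; Graylog uses Java's regex engine, but these patterns behave identically). The condition regex is my assumption, since the "only attempt if field matches" setting takes a regex rather than a shell-style wildcard, and the VirusFound alternation merges the (true|false) and (Yes|No) variants from the two replies.

```python
import re

# Constructed sample, modelled on the line quoted in the thread.
SAMPLE = "User:Arik,Machine:Pork,VirusFound:Yes"

# "Only attempt extraction if field matches regular expression": this takes a
# regex, not a shell glob, so the wildcard sketch from the reply is written
# with ".*" here (assumption on my part).
CONDITION = re.compile(r"User:.*Machine:.*VirusFound:")

# One tuple per "replace with regular expression" extractor, in the order the
# extractors would run on the copied field. The VirusFound alternation merges
# the (true|false) and (Yes|No) variants from the two replies.
STEPS = [
    (re.compile(r"(User:|,VirusFound:(true|false|Yes|No))"), ""),  # strip prefix and flag
    (re.compile(r",Machine:"), "|"),                                # separator becomes '|'
]


def concat_user_machine(message):
    """Return the 'user|machine' value the extractor chain produces, or None
    when the condition fails and the extractors would not run at all."""
    if not CONDITION.search(message):
        return None
    value = message
    for pattern, replacement in STEPS:
        value = pattern.sub(replacement, value)
    return value


if __name__ == "__main__":
    print(concat_user_machine(SAMPLE))                              # Arik|Pork
    print(concat_user_machine("Scan finished, nothing to report"))  # None
```

A VirusFound value outside the alternation (for example "Maybe") is left attached to the result, so the chain only yields a clean user|machine pair for the values the regex actually names.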


[graylog2] Re: Cant find Regex command for extractor

2016-01-07 Thread kaiser


you can try:
categoryname="[a-zA-Z \/]+"
or
(?m)categoryname="([a-zA-Z \/]+)"

regards

On Thursday, 7 January 2016 14:59:45 UTC+1, toni.fro...@scaltel.de wrote:
>
> Hello!
>
> We are new to Graylog and would like to discover several functionalities of 
> it; for that reason we have to extract specific fields from our logs.
>
>
> This is an example of our log:
>
> <30>2016:01:07-10:26:09 sophos_utm_9 httpproxy[5403]: id="0001" 
> severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" 
> method="GET" srcip="10.10.70.48" dstip="92.123.194.105" user="" 
> ad_domain="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile 
> (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction 
> (Default content filter action)" size="0" request="0xd4df9800" url="
> http://wetter.bild.de/img/icons/svg/Schneefall.svg; referer="
> http://wetter.bild.de/web2014/wetterwidget.html?ifw=110=61=no=bild.de;
>  
> error="" authtime="0" dnstime="73332" cattime="630" avscantime="0" 
> fullreqtime="107258" device="0" auth="0" ua="Mozilla/5.0 (X11; Ubuntu; 
> Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0" exceptions="" 
> category="108" reputation="neutral" *categoryname=**"Public Information"* 
> country="Europe" application="bildde" app-id="625"
>
> Our goal is to extract the value of the field "categoryname"; this field 
> could be at several positions and can contain several values like 
> "Internet Services"
> "Software/Hardware"
> "Online Shopping"
>
> and so on...
>
> We are not very familiar with regex commands and try to extract this field 
> with commands like: ^*categoryname=".*" without success.
>
> Could somebody help and explain to us how this works with the right command?
>
> Thanks in advance,
>
> Greetings
> Toni 
>



[graylog2] Re: Cant find Regex command for extractor

2016-01-07 Thread kaiser
Hello,

I hope this message is displayed correctly :]

You can try : categoryname="[a-zA-Z \/]+"

or

(?m)categoryname="([a-zA-Z \/]+)"

regards

On Thursday, 7 January 2016 14:59:45 UTC+1, toni.fro...@scaltel.de wrote:
>
> Hello!
>
> We are new to Graylog and would like to discover several functionalities of 
> it; for that reason we have to extract specific fields from our logs.
>
>
> This is an example of our log:
>
> <30>2016:01:07-10:26:09 sophos_utm_9 httpproxy[5403]: id="0001" 
> severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" 
> method="GET" srcip="10.10.70.48" dstip="92.123.194.105" user="" 
> ad_domain="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile 
> (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction 
> (Default content filter action)" size="0" request="0xd4df9800" url="
> http://wetter.bild.de/img/icons/svg/Schneefall.svg; referer="
> http://wetter.bild.de/web2014/wetterwidget.html?ifw=110=61=no=bild.de;
>  
> error="" authtime="0" dnstime="73332" cattime="630" avscantime="0" 
> fullreqtime="107258" device="0" auth="0" ua="Mozilla/5.0 (X11; Ubuntu; 
> Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0" exceptions="" 
> category="108" reputation="neutral" *categoryname=**"Public Information"* 
> country="Europe" application="bildde" app-id="625"
>
> Our goal is to extract the value of the field "categoryname"; this field 
> could be at several positions and can contain several values like 
> "Internet Services"
> "Software/Hardware"
> "Online Shopping"
>
> and so on...
>
> We are not very familiar with regex commands and try to extract this field 
> with commands like: ^*categoryname=".*" without success.
>
> Could somebody help and explain to us how this works with the right command?
>
> Thanks in advance,
>
> Greetings
> Toni 
>

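The two patterns from kaiser's replies, run with Python's re module over a constructed line adapted from Toni's Sophos UTM log (an added example, not code from the thread; Graylog uses Java's regex engine, but these patterns behave the same). For comparison it also shows why the greedy `^*categoryname=".*"` attempt from the question over-matches, and a `[^"]*` variant (my generalisation, not from the thread) that accepts category names containing digits or punctuation.

```python
import re

# Constructed sample line, adapted from the Sophos UTM httpproxy log quoted in
# the thread (emphasis markers removed, some key=value pairs dropped for length).
LOG = (
    '<30>2016:01:07-10:26:09 sophos_utm_9 httpproxy[5403]: id="0001" '
    'severity="info" sys="SecureWeb" sub="http" name="http access" '
    'action="pass" method="GET" srcip="10.10.70.48" user="" '
    'url="http://wetter.bild.de/img/icons/svg/Schneefall.svg" '
    'ua="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0)" '
    'category="108" reputation="neutral" categoryname="Public Information" '
    'country="Europe" application="bildde" app-id="625"'
)

# Pattern from the reply: the single capturing group is what Graylog stores
# in the new field; the bounded character class stops at the closing quote.
CATEGORY_RE = re.compile(r'(?m)categoryname="([a-zA-Z \/]+)"')

# Pattern from the question: the greedy .* runs on to the LAST quote on the
# line, so the match is the rest of the record, not just the category.
GREEDY_RE = re.compile(r'categoryname=".*"')

# Generalisation (assumption, not from the thread): accept any quoted value,
# so names with digits, '&' or '-' are extracted instead of silently dropped.
ANY_QUOTED_RE = re.compile(r'categoryname="([^"]*)"')


def extract_categoryname(message, pattern=CATEGORY_RE):
    """Return capture group 1 of the first match (what a Graylog regex
    extractor writes to the target field), or None when nothing matches."""
    match = pattern.search(message)
    return match.group(1) if match else None


def greedy_match(message):
    """Return the whole text the greedy pattern from the question matches."""
    match = GREEDY_RE.search(message)
    return match.group(0) if match else None


if __name__ == "__main__":
    for name in ("Public Information", "Software/Hardware", "Web 2.0"):
        line = LOG.replace("Public Information", name)
        print(f"{name!r}: bounded={extract_categoryname(line)!r} "
              f"any={extract_categoryname(line, ANY_QUOTED_RE)!r}")
    print("greedy:", greedy_match(LOG))
```

A category name the letter-only class cannot match yields no field at all rather than a wrong value, which is worth checking against the full list of names the proxy can emit before relying on the field in a dashboard.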


[graylog2] Re: Update Graylog 1.2 -> 1.3 via repositories

2015-12-11 Thread kaiser
Hi,

I have upgraded graylog from 1.2.1 to 1.3 by:

/etc/init.d/mongod stop
/etc/init.d/elasticsearch stop
/etc/init.d/graylog-server stop
/etc/init.d/graylog-web stop

wget 
https://packages.graylog2.org/el/6/1.3/x86_64/graylog-web-1.3.0-3.noarch.rpm
wget 
https://packages.graylog2.org/repo/el/6/1.3/x86_64/graylog-server-1.3.0-3.noarch.rpm

yum upgrade graylog-server-1.3.0-3.noarch.rpm
yum upgrade graylog-web-1.3.0-3.noarch.rpm

yum info graylog-server
yum info graylog-web

/etc/init.d/mongod start
/etc/init.d/elasticsearch start
/etc/init.d/graylog-server start
/etc/init.d/graylog-web start

everything worked without problem and without any side effects.

On Thursday, 10 December 2015 18:15:13 UTC+1, Emerson Coimbra wrote:
>
> Hi,
>
> I have a Graylog 1.2 server running on a CentOS 7. The installation is 
> done with yum in the official Graylog repositories.
>
> I would like to upgrade to 1.3, but I found no information on updating in 
> the official documentation and I think: 
>
> And if I change the /etc/yum.repos.d/graylog.repo file for the version, point 
> to version 1.3 and then run yum update - this surely will upgrade to 
> version 1.3, but will it have any side effects?
>
> I looked at the new graylog-server.conf file and there are a few new 
> entries. Is there any major change in the core Graylog to prevent an update 
> over the old version?
>
>
> Thanks,
> Emerson
>



[graylog2] Re: How to make a version check on Graylog2 server and web interface

2015-12-11 Thread kaiser

yum info graylog-server


On Monday, 29 September 2014 16:12:06 UTC+2, Spirit wrote:
>
> Where can I find the current version of my Graylog server and web 
> interface?
>
> Just out of curiosity..
>
>
>



[graylog2] Re: Upgrade from 1.2 to 1.3 yum

2015-12-11 Thread kaiser

Hi,

I have upgraded graylog from 1.2.1 to 1.3 by:

/etc/init.d/mongod stop
/etc/init.d/elasticsearch stop
/etc/init.d/graylog-server stop
/etc/init.d/graylog-web stop

Choose your distrib from https://packages.graylog2.org 


wget 
https://packages.graylog2.org/el/6/1.3/x86_64/graylog-web-1.3.0-3.noarch.rpm
wget 
https://packages.graylog2.org/repo/el/6/1.3/x86_64/graylog-server-1.3.0-3.noarch.rpm

yum upgrade graylog-server-1.3.0-3.noarch.rpm
yum upgrade graylog-web-1.3.0-3.noarch.rpm

yum info graylog-server
yum info graylog-web

/etc/init.d/mongod start
/etc/init.d/elasticsearch start
/etc/init.d/graylog-server start
/etc/init.d/graylog-web start

everything worked without problem and without any side effects.



[graylog2] Re: importing old logs from syslog server

2015-12-11 Thread kaiser
Hello,

in the graylog doc:

they're saying:

Reading from files 

Graylog is currently not providing an out-of-the-box way to read log 
messages from files. We do however recommend two fantastic tools to do that 
job for you. Both come with native Graylog (GELF) outputs:


   - fluentd 
   - logstash 


Has anyone ever tried this?



[graylog2] [Saved_searches] execute saved search from any stream

2015-11-20 Thread kaiser
Hi guys,

Need some help on save_search.

I have two streams:

stream1
stream2

I have built two saved_searches

save_search_on_stream1
save_search_on_stream2


-- When I am on the stream1 page, the execution of save_search_on_stream1 
returns the wanted result.
-- When I am on the stream2 page, the execution of save_search_on_stream1 
doesn't return anything.

==> Is it possible to make save_search work whenever I am on stream1, 
stream2, streamX?
Because I have to go to the search panel each time I want to use a saved search.

Regards.



[graylog2] Key=value pairs of field

2015-10-30 Thread kaiser
Hi,

Could you explain to me how the converter "key=value pairs of field" works?

Do you have an example?

Regards.



[graylog2] Re: Hash and split conversion examples

2015-10-27 Thread kaiser
Hello,

Thank you for the answer.

Oh I thought hash was standing for hashtable key value :D

Regards.

On Monday, 26 October 2015 23:33:48 UTC+1, Jochen Schalanda wrote:
>
> Hi,
>
> what exactly do you need to know?
>
> Converters can be applied to the result of an extractor and can be used to 
> transform the input (the result of an extractor) in an arbitrary way.
>
> The Hash converter simply calculates the MD5 hash of the input and 
> replaces the respective field with this hash.
> The Split & Count converter splits the input according to a given 
> delimiter and replaces the value with the number of elements in the input 
> value (e. g. "one, two, three" with delimiter "," would result in 3).
>
>
> Cheers,
> Jochen
>
> On Monday, 26 October 2015 21:23:20 UTC+1, kaiser wrote:
>>
>> Hi,
>>
>> Does anybody have some examples on how hash and split conversion are 
>> working?
>>
>> Didn't find any example on graylog documentation.
>>
>> Thanx a lot!
>>
>



[graylog2] Hash and split conversion examples

2015-10-26 Thread kaiser
Hi,

Does anybody have some examples on how hash and split conversion are 
working?

Didn't find any example on graylog documentation.

Thanx a lot!



[graylog2] Graylog: set default value with GROK

2015-10-14 Thread kaiser
Hello,

I would like to generate charts from string value: "AUDIT_SUCCESS"

I can't do that with strings.

As a consequence, is there a way to set a default value for the string 
AUDIT_SUCCESS to 1 with a grok pattern?

Regards.



[graylog2] Re: Graylog: set default value with GROK

2015-10-14 Thread kaiser
Hi,

thank you for your answer.

Nevertheless this method will not allow me to generate charts and, for instance, 
merge two graphs for AUDIT_SUCCESS and AUDIT_FAILURE.

Regards

On Wednesday, 14 October 2015 11:46:16 UTC+2, Jochen Schalanda wrote:
>
> Hi,
>
> you could extract that string into a dedicated message field and then use 
> quick values to come up with a pie chart (and data table) for that field.
>
>
> Cheers,
> Jochen
>
> On Wednesday, 14 October 2015 09:49:19 UTC+2, kaiser wrote:
>>
>> Hello,
>>
>> I would like to generate charts from string value: "AUDIT_SUCCESS"
>>
>> I can't do that with strings.
>>
>> As a consequence, is there a way to set a default value for the string 
>> AUDIT_SUCCESS to 1 with a grok pattern?
>>
>> Regards.
>>
>



[graylog2] Delete Saved Queries With No Results

2015-10-13 Thread kaiser
Hello,

does someone know how to delete saved search queries in graylog web?

Saved search queries with results can be deleted,

but saved search queries with no results can't be deleted from the 
graylog-web interface.

Any ideas?

Regards.



[graylog2] Graylog GROK and INPUTS

2015-10-13 Thread kaiser
Hello,

could you please tell me in which file GROK patterns and INPUT 
configuration are stored?

Regards,

Kaiser.



[graylog2] Re: Graylog GROK and INPUTS

2015-10-13 Thread kaiser
Thanx a lot :)

On Tuesday, 13 October 2015 22:30:58 UTC+2, Jochen Schalanda wrote:
>
> Hi,
>
> the configuration of inputs and grok patterns is stored in MongoDB in the 
> inputs and grok_patterns collections.
>
>
> Cheers,
> Jochen
>
> On Tuesday, 13 October 2015 21:24:40 UTC+2, kaiser wrote:
>>
>> Hello,
>>
>> could you please tell me in which file GROK patterns and INPUT 
>> configuration are stored?
>>
>> Regards,
>>
>> Kaiser.
>>
>
