[graylog2] Syslog TCP throws exception with integer as first parsed character

2016-02-18 Thread thePretender
Hey,
Encountered a rather strange issue. If a number is the first character 
parsed by a syslog tcp input, the following exception is thrown. However, 
sending the same input to a syslog UDP input works fine.

2016-02-18 15:19:28,898 ERROR: org.graylog2.plugin.inputs.transports.NettyTransport - Error on Input [Syslog TCP/56c5c485c2dc44d0b90ad60c] (channel [id: 0xa83b6845, /10.0.xxx.xxx:44304 :> /10.0.xxx.xxx:5142])
java.lang.NumberFormatException: For input string: "1/1
yYb_yvcQTzqQzSDdeBAOqQ
default
{"_counter":1,"_type_str":"msg"
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) ~[?:1.8.0_71]
    at java.lang.Integer.parseInt(Integer.java:580) ~[?:1.8.0_71]
    at java.lang.Integer.parseInt(Integer.java:615) ~[?:1.8.0_71]
    at org.graylog2.inputs.syslog.tcp.SyslogOctetCountFrameDecoder.decode(SyslogOctetCountFrameDecoder.java:44) ~[graylog.jar:?]
    at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425) ~[graylog.jar:?]
    at org.jboss.netty.handler.codec.frame.FrameDecoder.cleanup(FrameDecoder.java:482) ~[graylog.jar:?]
    at org.jboss.netty.handler.codec.frame.FrameDecoder.channelDisconnected(FrameDecoder.java:365) ~[graylog.jar:?]
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:102) ~[graylog.jar:?]
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) [graylog.jar:?]
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) [graylog.jar:?]
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.channelDisconnected(SimpleChannelUpstreamHandler.java:208) [graylog.jar:?]
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:102) [graylog.jar:?]
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) [graylog.jar:?]
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) [graylog.jar:?]
    at org.jboss.netty.channel.SimpleChannelHandler.channelDisconnected(SimpleChannelHandler.java:199) [graylog.jar:?]
    at org.graylog2.plugin.inputs.util.ConnectionCounter.channelDisconnected(ConnectionCounter.java:55) [graylog.jar:?]
    at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:120) [graylog.jar:?]
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) [graylog.jar:?]
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) [graylog.jar:?]
    at org.jboss.netty.channel.SimpleChannelHandler.channelDisconnected(SimpleChannelHandler.java:199) [graylog.jar:?]
    at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:120) [graylog.jar:?]
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) [graylog.jar:?]
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) [graylog.jar:?]
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.channelDisconnected(SimpleChannelUpstreamHandler.java:208) [graylog.jar:?]
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:102) [graylog.jar:?]
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) [graylog.jar:?]
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) [graylog.jar:?]
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.channelDisconnected(SimpleChannelUpstreamHandler.java:208) [graylog.jar:?]
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:102) [graylog.jar:?]
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) [graylog.jar:?]
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) [graylog.jar:?]
    at org.jboss.netty.channel.Channels.fireChannelDisconnected(Channels.java:396) [graylog.jar:?]
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.close(AbstractNioWorker.java:360) [graylog.jar:?]
    at org.jboss.netty.channel.socket.nio.NioServerSocketPipelineSink.handleAcceptedSocket(NioServerSocketPipelineSink.java:81) [graylog.jar:?]
    at org.jboss.netty.channel.socket.nio.NioServerSocketPipelineSink.eventSunk(NioServerSocketPipelineSink.java:36) [graylog.jar:?]
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendDownstream(DefaultChannelPipeline.java:779) [graylog.jar:?]
    at org.jboss.netty.channel.SimpleChannelHandler.closeRequested(SimpleChannelHandler.java:334) [graylog.jar:?]
    at
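
The trace above is consistent with RFC 6587 framing on a TCP stream, where a leading digit is read as an octet-count header, while a UDP datagram needs no framing at all. As an added example (not part of the original post and not Graylog's code), this Python frame splitter accepts an octet count only when the header is well formed and otherwise falls back to LF-delimited framing; the function names, the size cap and the sample payload are assumptions constructed for illustration.

```python
import re

MAX_FRAME = 64 * 1024  # assumed cap on a single syslog message, in bytes
# RFC 6587 octet counting: MSG-LEN (non-zero digit, then digits), one space, message
_LEN_HEADER = re.compile(rb"([1-9][0-9]{0,8}) ")

# Constructed payload modelled on the input quoted in the exception above
SAMPLE = b'1/1\nyYb_yvcQTzqQzSDdeBAOqQ\ndefault\n{"_counter": 1, "_type_str": "msg"}\n'


def naive_length(buf: bytes) -> int:
    """Treat everything before the first space as the frame length, as a
    decoder that trusts a leading digit would. Raises ValueError on SAMPLE."""
    return int(buf[: buf.index(b" ")])


def split_frames(buf: bytes, max_frame: int = MAX_FRAME):
    """Return (frames, remainder) for the bytes received so far."""
    frames = []
    while buf:
        header = _LEN_HEADER.match(buf)
        if header and int(header.group(1)) <= max_frame:
            start, length = header.end(), int(header.group(1))
            if len(buf) - start < length:
                break  # octet-counted frame not complete yet
            frames.append(buf[start:start + length])
            buf = buf[start + length:]
            continue
        if re.fullmatch(rb"[0-9]{1,9}", buf):
            break  # only digits so far: may still become a length header
        # Not a valid length header: fall back to LF-delimited framing
        line, sep, rest = buf.partition(b"\n")
        if not sep:
            break  # no delimiter yet, keep the bytes for the next read
        if line:
            frames.append(line)
        buf = rest
    return frames, buf
```

An LF-delimited line that itself begins with digits and a space is still read as a length header; that ambiguity is inherent to mixing the two framings on one port, and the size cap only bounds how much gets buffered.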

Re: [graylog2] Importing content pack fails

2016-02-17 Thread thePretender
Thanks for your input, the problem was that extractor_type has changed to 
type, apparently. (sorry for hijacking the thread)

On Wednesday, February 17, 2016 at 3:29:43 PM UTC+1, Edmundo Alvarez wrote:
>
> Hi thePretender, 
>
> Thank you for testing the alphas! 
>
> If you are referring to the extractor's import/export pages, that is a 
> different issue I'm afraid. Could you please use alpha 2 and try again? 
>
> It would also be extremely helpful if you could try with your browser's 
> Javascript console open, and share any errors in the console and the 
> Graylog server logs with us. Regarding the errors exporting extractors, 
> please also share with us the resulting extractor for further analysis. 
>
> Regards, 
>
> Edmundo 
>
> > On 17 Feb 2016, at 14:56, thePretender <the.pre...@gmail.com 
> > wrote: 
> > 
> > Somewhat same problem when importing extractors on alpha 1, getting 
> > import errors but there is no error message containing additional 
> > information anywhere. Exporting a simple extractor results in lots of 
> > additional fields containing metrics information as well(?). Seems like 
> > extractors/content packs from graylog 1.x are incompatible with 2.x? 
> > 
> > -- 
> > You received this message because you are subscribed to the Google 
> Groups "Graylog Users" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an email to graylog2+u...@googlegroups.com . 
> > To view this discussion on the web visit 
> https://groups.google.com/d/msgid/graylog2/658f3e45-55be-43d5-a40f-0ed00828d960%40googlegroups.com.
>  
>
> > For more options, visit https://groups.google.com/d/optout. 
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/e5a448ae-a1e4-48eb-90e5-8a595c0a5414%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Re: Importing content pack fails

2016-02-17 Thread thePretender
Somewhat same problem when importing extractors on alpha 1, getting import 
errors but there is no error message containing additional information 
anywhere. Exporting a simple extractor results in lots of additional fields 
containing metrics information as well(?). Seems like extractors/content 
packs from graylog 1.x are incompatible with 2.x?



[graylog2] Re: rewrite incoming messages

2016-02-17 Thread thePretender
There is a built-in function which does exactly that. 
Inputs -> Manage extractors -> click on desired IP field -> copy input -> 
choose same name and add Anonymize IPv4 addresses as a converter. The IP 
should now be i.e. 192.168.1.xxx

On Wednesday, February 17, 2016 at 1:44:42 PM UTC+1, Stefan Krüger wrote:
>
> Hello,
>
> I would like to send apache-logs to graylog (at the moment I don't know 
> which variant I would choose). Is it possible to change the IP from the 
> access.log? For example, I would like to change the IP from 192.168.1.123 to 
> 192.168.x.x
>
> Thanks for help!
>
>



[graylog2] Graylog 2.0.0 alpha - can't log into web-gui

2016-02-08 Thread thePretender
Hi,

I'm messing around trying to get the alpha up and running, but I get this 
error when trying to log in to the gui:
Error - the server returned: undefined - Bad request
I can't seem to be able to find any corresponding errors in the log files, can 
someone point me in the right direction?

mongodb v3.0.9
elasticsearch v2.2.0 (cluster status green)



[graylog2] Re: Renaming fields

2016-02-01 Thread thePretender
Thanks, that seems to do the trick.



[graylog2] Renaming fields

2016-01-29 Thread thePretender
Hi,

For normalization purposes, I want to rename certain fields from a 
JSON-extracted message. I have tried using the copy input extractor and 
make it cut the field, and that seems to work. However, I am left with both 
the new field with the correct value, and the old field with the value 
"fullyCutByExtractor", why isn't this being removed? That seems rather 
ineffective.

regards,
thePretender



[graylog2] Re: Autostart with -Dhttps.port=443

2016-01-26 Thread thePretender
I believe the reason is that systemctl starts graylog-web as the user 
graylog-web, who is not allowed to bind anything to ports below 1024.
A dirty fix is to change user/group to root in the file 
graylog-web.service, I'm sure there are other best practice solutions.

On Tuesday, January 26, 2016 at 12:45:59 PM UTC+1, Xisco wrote:
>
> Sorry, but it was not the answer I want.
>
> I wanted to start the service with port 443 systemctl.
>
> in the end I created a script for this method.
>
> thx :)
>
> On Friday, January 22, 2016, 21:18:12 (UTC+1), Manu wrote:
>>
>> Hi,
>>
>> Is it possible to configure graylog-web for autostart with 
>> -Dhttps.port=443?
>>
>> I have debian 8 with last version graylog server and web.
>>
>> systemctl start graylog-web.service , only start at port 9000 and I can 
>> not find where to configure this option.
>>
>> Thx
>>
>



[graylog2] CEF parser

2016-01-22 Thread thePretender
Hi,

I would like to know if anyone here has been able to successfully parse 
logs in CEF (common event format) used by ArcSight?

Regards,
thePretender
