[graylog2] converters in grok pattern

2016-06-23 Thread Андрей Грошев
Hello people! Again a stupid question :)
I am trying to process a syslog message through a grok pattern.
I get all the required fields.
But all of them have string type.
And, for example, the request http_code:<204 didn't work.
I found an example that defines the pattern as %{INT:http_code;int} (a semicolon, not a
colon as in elastic)
And it worked; the index is mapped in elastic as:

  "http_code": {
    "type": "long"
  }

Where is there a manual on the right way to use grok patterns in Graylog with converters?

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/e8629948-9a5c-4f9e-bdc1-88761e45a70a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
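
The converter syntax from the message above, shown as an added example (not part of the original post and not Graylog's own grok engine): a minimal grok-style extractor in which the `;int` suffix decides whether `http_code` comes out as text or as a number. The pattern table, function names and sample lines are assumptions made for this illustration; only `%{INT:http_code;int}` comes from the thread.

```python
import re

# Subset of grok base patterns, enough for the constructed sample lines below.
BASE_PATTERNS = {
    "INT": r"[+-]?[0-9]+",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
}

# Converter suffixes understood by this sketch. Only ";int" is taken from the
# thread; the table itself is an assumption of the example.
CONVERTERS = {"int": int, "float": float, "string": str}

# Matches %{PATTERN}, %{PATTERN:field} and %{PATTERN:field;converter}.
TOKEN = re.compile(
    r"%\{(?P<pat>[A-Z0-9_]+)"
    r"(?::(?P<name>[A-Za-z_]\w*)(?:;(?P<conv>[a-z]+))?)?\}"
)


def compile_grok(expr):
    """Translate a grok expression into (compiled regex, {field: converter})."""
    parts, converters, pos = [], {}, 0
    for m in TOKEN.finditer(expr):
        parts.append(re.escape(expr[pos:m.start()]))  # literal text between tokens
        pat, name, conv = m.group("pat"), m.group("name"), m.group("conv")
        if pat not in BASE_PATTERNS:
            raise ValueError("unknown pattern: " + pat)
        if conv is not None and conv not in CONVERTERS:
            raise ValueError("unknown converter: " + conv)
        body = BASE_PATTERNS[pat]
        if name:
            parts.append("(?P<%s>%s)" % (name, body))
            if conv:
                converters[name] = CONVERTERS[conv]
        else:
            parts.append("(?:%s)" % body)
        pos = m.end()
    parts.append(re.escape(expr[pos:]))
    return re.compile("".join(parts)), converters


def extract(expr, line):
    """Return the extracted fields, converted where a ';type' suffix was given."""
    regex, converters = compile_grok(expr)
    m = regex.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for name, conv in converters.items():
        fields[name] = conv(fields[name])
    return fields


# Constructed sample lines (not from the thread).
SAMPLE_LINES = [
    "10.0.0.5 GET /health 200 512",
    "10.0.0.9 POST /login 401 87",
    "10.0.0.7 DELETE /items/4 204 0",
    "10.0.0.5 GET /missing 404 1200",
]

UNTYPED = "%{IP:client} %{WORD:verb} %{NOTSPACE:path} %{INT:http_code} %{INT:bytes}"
TYPED = "%{IP:client} %{WORD:verb} %{NOTSPACE:path} %{INT:http_code;int} %{INT:bytes;int}"


def run(expr):
    """Apply one grok expression to every sample line."""
    return [extract(expr, line) for line in SAMPLE_LINES]


def below(events, field, bound):
    """Numeric range filter in the spirit of http_code:<204.

    Only events whose field is already numeric can be compared; fields that
    were extracted as text are skipped.
    """
    return [e for e in events
            if isinstance(e[field], (int, float)) and e[field] < bound]


if __name__ == "__main__":
    print(type(run(UNTYPED)[0]["http_code"]).__name__)   # field stays text
    print(type(run(TYPED)[0]["http_code"]).__name__)     # field is numeric
    print(below(run(TYPED), "http_code", 204))
```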


[graylog2] NXlog and Graylog Collector Sidecar on SUSE Linux Server

2016-06-23 Thread sailing-lin
I am trying to install NXlog and Graylog Collector Sidecar on my SUSE Linux 
Server Enterprise 11. But there is no rpm package for SUSE; does anyone 
know how to use these two packages on SUSE?



Re: [graylog2] NXlog and Graylog Collector Sidecar on SUSE Linux Server

2016-06-23 Thread Jan Doberstein
Hi,

On 23 June 2016 at 11:16:16, sailing-lin (saito...@gmail.com) wrote:
> I am trying to install NXlog and Graylog Collector Sidecar on my SUSE Linux
> Server Enterprise 11. But there is no rpm package for SUSE; does anyone
> know how to use these two packages on SUSE?

just install the present rpms or use the .tgz

with kind regards
Jan



[graylog2] Re: RPM update from 2.0.2 to 2.0.3 breaks Graylog

2016-06-23 Thread Marius Sturm
Hi,
looks like you're receiving some binary data on a plain text Gelf input. Did 
you switch to TLS encryption or something like that after the update? Could 
you please post the generated configuration of NXlog?

Cheers,
Marius

On Wednesday, 22 June 2016 16:27:41 UTC+2, Shon Nixon wrote:
>
> Built a Graylog 2.0 cluster two weeks ago with three servers running 2.0.2 
> behind a HAProxy server. Server accepts logs from all Windows boxes using 
> Graylog Sidecar and Nxlog. Was working perfectly until I upgraded the 
> server to 2.0.3 (yum upgrade). Restarted the services and now I get a 
> constant flow of the log info below. Also can no longer access *System/Inputs 
> -> Configurations* page. Just shows blank. I do have another two box 
> cluster I built yesterday that started with 2.0.3 and has no issues at all 
> getting data from the HAProxy box. I would rather not rebuild this cluster 
> if possible...
>
>
> Reoccurring logging on all three boxes:
>
>
> 2016-06-22T10:15:13.732-04:00 ERROR [GelfCodec] Could not parse JSON, 
> first 400 characters: ���vb�  wxz�Tv��<�Q���u]?�I��z��
> com.fasterxml.jackson.core.JsonParseException: Unexpected character ('�' 
> (code 65533 / 0xfffd)): expected a valid value (number, String, array, 
> object, 'true', 'false' or 'null')
>  at [Source: ���vb�   wxz�Tv��<�Q���u]?�I�  �z��; line: 1, column: 2]
> at 
> com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1581) 
> ~[graylog.jar:?]
> at 
> com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:533)
>  
> ~[graylog.jar:?]
> at 
> com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:462)
>  
> ~[graylog.jar:?]
> at 
> com.fasterxml.jackson.core.json.ReaderBasedJsonParser._handleOddValue(ReaderBasedJsonParser.java:1624)
>  
> ~[graylog.jar:?]
> at 
> com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:689)
>  
> ~[graylog.jar:?]
> at 
> com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3771)
>  
> ~[graylog.jar:?]
> at 
> com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3716)
>  
> ~[graylog.jar:?]
> at 
> com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:2272) 
> ~[graylog.jar:?]
> at org.graylog2.inputs.codecs.GelfCodec.decode(GelfCodec.java:115) 
> [graylog.jar:?]
> at 
> org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:136)
>  
> [graylog.jar:?]
> at 
> org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:82)
>  
> [graylog.jar:?]
> at 
> org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:58)
>  
> [graylog.jar:?]
> at 
> org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35)
>  
> [graylog.jar:?]
> at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:139) 
> [graylog.jar:?]
> at 
> com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66)
>  
> [graylog.jar:?]
> at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
> 2016-06-22T10:15:13.732-04:00 ERROR [DecodingProcessor] Unable to decode 
> raw message bc89d68a-3883-11e6-a89e-005056934db8 (journal offset 56420554) 
> encoded as gelf received from /10.100.150.89:41076.
> 2016-06-22T10:15:13.732-04:00 ERROR [DecodingProcessor] Error processing 
> message RawMessage{id=bc89d68a-3883-11e6-a89e-005056934db8, 
> journalOffset=56420554, codec=gelf, payloadSize=41, 
> timestamp=2016-06-22T14:15:13.640Z, remoteAddress=/10.100.150.89:41076}
> com.fasterxml.jackson.core.JsonParseException: Unexpected character ('�' 
> (code 65533 / 0xfffd)): expected a valid value (number, String, array, 
> object, 'true', 'false' or 'null')
>  at [Source: ���vb�   wxz�Tv��<�Q���u]?�I�  �z��; line: 1, column: 2]
> at 
> com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1581) 
> ~[graylog.jar:?]
> at 
> com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:533)
>  
> ~[graylog.jar:?]
> at 
> com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:462)
>  
> ~[graylog.jar:?]
> at 
> com.fasterxml.jackson.core.json.ReaderBasedJsonParser._handleOddValue(ReaderBasedJsonParser.java:1624)
>  
> ~[graylog.jar:?]
> at 
> com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:689)
>  
> ~[graylog.jar:?]
> at 
> com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3771)
>  
> ~[graylog.jar:?]
> at 
> com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3716)
>  
> ~[graylog.jar:?]
> at 
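
A triage helper for the question raised in the reply above (is a plain-text GELF input receiving TLS or other binary data?), added here as an example that is not part of the original thread or of Graylog. It classifies a captured payload by its leading bytes; the function names and the sample payloads are constructed for the illustration. The replacement characters printed in the logged error no longer carry the original bytes, so the check has to run on a packet capture.

```python
import gzip
import json
import zlib

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}

HINTS = {
    "json": "plain GELF JSON, what a plain-text TCP input expects",
    "tls-record": "sender speaks TLS to an input that does not",
    "gzip": "gzip-compressed GELF, used with UDP rather than null-delimited TCP",
    "zlib": "zlib-compressed GELF, used with UDP rather than null-delimited TCP",
    "gelf-chunk": "chunked GELF, a UDP-only framing",
    "malformed-json": "starts like JSON but does not parse",
    "unknown-binary": "binary data of no recognised kind",
    "empty": "no data",
}


def classify_payload(data: bytes) -> str:
    """Guess what arrived on a GELF input from the first bytes of the payload."""
    if not data:
        return "empty"
    # TLS record header: content type, then protocol version 3.x
    if (len(data) >= 3 and data[0] in TLS_CONTENT_TYPES
            and data[1] == 0x03 and data[2] <= 0x04):
        return "tls-record"
    if data[:2] == b"\x1f\x8b":          # gzip magic
        return "gzip"
    if data[:2] == b"\x1e\x0f":          # GELF chunk magic
        return "gelf-chunk"
    # zlib header: deflate method (low nibble 8), 16-bit header divisible by 31
    if len(data) >= 2 and data[0] & 0x0F == 8 and ((data[0] << 8) | data[1]) % 31 == 0:
        return "zlib"
    text = data.rstrip(b"\x00").strip()  # GELF over TCP ends frames with a null byte
    if text.startswith(b"{"):
        try:
            json.loads(text.decode("utf-8"))
            return "json"
        except (UnicodeDecodeError, ValueError):
            return "malformed-json"
    return "unknown-binary"


def decode_if_possible(data: bytes):
    """Return the GELF message as a dict when the payload can be decoded, else None."""
    kind = classify_payload(data)
    try:
        if kind == "gzip":
            raw = gzip.decompress(data)
        elif kind == "zlib":
            raw = zlib.decompress(data)
        elif kind == "json":
            raw = data.rstrip(b"\x00")
        else:
            return None
        return json.loads(raw.decode("utf-8"))
    except (OSError, EOFError, zlib.error, UnicodeDecodeError, ValueError):
        return None


def triage(data: bytes):
    """Return (kind, hint) for one captured payload."""
    kind = classify_payload(data)
    return kind, HINTS[kind]


# Constructed sample payloads (not taken from the thread).
SAMPLE_MESSAGE = json.dumps(
    {"version": "1.1", "host": "win01", "short_message": "constructed sample"}
).encode("utf-8")

SAMPLES = {
    "plain": SAMPLE_MESSAGE + b"\x00",
    "zlib": zlib.compress(SAMPLE_MESSAGE),
    "gzip": gzip.compress(SAMPLE_MESSAGE),
    "tls": bytes.fromhex("16030100c8010000c40303"),   # start of a TLS handshake record
    "chunk": b"\x1e\x0f" + bytes(8) + b"\x00\x02" + b"partial",
    "noise": b"\xef\xbf\xbdvb\xef\xbf\xbd",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, triage(payload))
```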

Re: [graylog2] converters in grok pattern

2016-06-23 Thread Jan Doberstein
Hej,



On 23 June 2016 at 09:22:40, Андрей Грошев (greenx...@gmail.com) wrote:

> And, for example, the request http_code:<204 didn't work.
> I found an example that defines the pattern as %{INT:http_code;int} (a semicolon, not a
> colon as in elastic)
> And it worked; the index is mapped in elastic as:
>
> "http_code": {
>   "type": "long"
> }

> Where is there a manual on the right way to use grok patterns in Graylog with converters?

I guess you are asking for this documentation link:

http://docs.graylog.org/en/2.0/pages/extractors.html?highlight=grok#using-grok-patterns-to-extract-data

with kind regards
Jan



Re: [graylog2] Exception in thread "elasticsearch[graylog2-server][generic][T#1]"

2016-06-23 Thread Jan Doberstein
Hej Anant,


On 23 June 2016 at 09:40:05, Anant Sawant (sawantanan...@gmail.com) wrote:
> Graylog server is throwing the following error. Exception in thread


> Exception: java.lang.OutOfMemoryError thrown from the
> UncaughtExceptionHandler in thread
> "elasticsearch[graylog2-server][generic][T#10]"
> Exception in thread "eventbus-handler-8" Exception in thread
> "restapi-boss-0" Exception in thread "eventbus-handler-9"
> Exception: java.lang.OutOfMemoryError thrown from the
> UncaughtExceptionHandler in thread "eventbus-handler-8"
>
> Exception: java.lang.OutOfMemoryError thrown from the
> UncaughtExceptionHandler in thread "restapi-boss-0"


Does this happen from one day to the other? Did you check your memory
usage and the heap of the Graylog server?

Would it be possible for you to update to the latest 1.3.5 release or
update to the most current 2.0.3 version?


> Is the issue related to the Graylog server or elasticsearch??
>
> Using Graylog 1.1.6 and elasticsearch 1.7.2 on CentOS release 6.7.

This is related to Graylog - as you can see it gives an out-of-memory error

with kind regards
Jan



Re: [graylog2] converters in grok pattern

2016-06-23 Thread Андрей Грошев


On Thursday, 23 June 2016, 12:43:21 UTC+3, Jan Doberstein wrote:
>
> Hej,
>
> On 23 June 2016 at 09:22:40, Андрей Грошев (gree...@gmail.com) wrote:
>
> > And, for example, the request http_code:<204 didn't work.
> > I found an example that defines the pattern as %{INT:http_code;int} (a semicolon, not a
> > colon as in elastic)
> > And it worked; the index is mapped in elastic as:
> >
> > "http_code": {
> >   "type": "long"
> > }
>
> > Where is there a manual on the right way to use grok patterns in Graylog with converters?
>
> I guess you are asking for this documentation link:
>
> http://docs.graylog.org/en/2.0/pages/extractors.html?highlight=grok#using-grok-patterns-to-extract-data
>

Damn, I never read this page to the end. :D Thank you!

> with kind regards
> Jan



[graylog2] Re: Alerts not getting triggered Graylog v2.0.1

2016-06-23 Thread Justin Hildreth
Ah, bummer that it came to that. I suppose that works though. :) Thanks for 
the update!

On Thursday, June 23, 2016 at 9:15:24 AM UTC-4, Rakesh R wrote:
>
> I could not find any solution for this. So I have created a job that 
> restarts graylog server every one hour
>
> On Monday, May 30, 2016 at 2:12:44 PM UTC+5:30, Rakesh R wrote:
>>
>> Hi, 
>>
>>   Graylog is setup properly and there seems to be some issue with the 
>> alerts being triggered. Test mails are working fine. The alerts are 
>> triggered from the streams when the server is restarted and after some time 
>> the alerts are not triggered. I have checked the configuration and 
>> everything is fine. Can some one help me. 
>>
>



Re: [graylog2] what is the best way of creating fields in graylog?

2016-06-23 Thread Jason Haar
On Thu, Jun 23, 2016 at 6:00 AM, Jan Doberstein  wrote:

> Pipeline is stored in the MongoDB and shared with all Servers.
> As this (pipelines) is the future and extractors will become part of
> the pipeline you should look into them.
>

OK, so to restore existing pipeline configs after a reinstall, would that
just be restoring pipeline_processor_pipelines* from backup, or would more
mongodb fiddling be required?


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



[graylog2] Re: Alerts not getting triggered Graylog v2.0.1

2016-06-23 Thread Rakesh R
I could not find any solution for this. So I have created a job that 
restarts graylog server every one hour

On Monday, May 30, 2016 at 2:12:44 PM UTC+5:30, Rakesh R wrote:
>
> Hi, 
>
>   Graylog is setup properly and there seems to be some issue with the 
> alerts being triggered. Test mails are working fine. The alerts are 
> triggered from the streams when the server is restarted and after some time 
> the alerts are not triggered. I have checked the configuration and 
> everything is fine. Can some one help me. 
>



Re: [graylog2] Re: server not running even though graylog-ctl says it is

2016-06-23 Thread Marius Sturm
Thanks for investigating this; please open a new issue here:
https://github.com/Graylog2/omnibus-graylog2
This is not a server issue per se.

Thanks,
Marius

On 23 June 2016 at 16:06, 123Dev  wrote:

> Found the offending code.
>
> /opt/graylog/service/graylog-server/run
>
> Hardcoded mongodb to be localhost, even though graylog.conf has it set to
> the primary mongodb.
>
> #!/bin/sh
> exec 2>&1
>
> umask 077
>
> if [ -f "/opt/graylog/embedded/share/graylog/installation-source.sh" ];
> then
> . "/opt/graylog/embedded/share/graylog/installation-source.sh"
> fi
>
> export JAVA_HOME=/opt/graylog/embedded/jre
> export GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1500m -XX:NewRatio=1 -server
> -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled
> -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC
> -XX:-OmitStackTraceInFastThrow"
>
> # check if mongodb is up
> timeout 600 bash -c "until curl -s http://*127.0.0.1*:27017; do sleep 1;
> done"
> exec chpst -P -U graylog -u graylog /opt/graylog/embedded/bin/authbind
> $JAVA_HOME/bin/java $GRAYLOG_SERVER_JAVA_OPTS -jar -Dlog4j.
> configurationFile=file:///opt/graylog/conf/log4j2.xml
> -Djava.library.path=/opt/graylog/server/lib/sigar/
> -Dgraylog2.installation_source=${GRAYLOG_INSTALLATION_SOURCE:=unknown}
> /opt/graylog/server/graylog.jar server -f /opt/graylog/conf/graylog.conf
>
>
>
> I changed 127.0.0.1 to 10.20.1.229 (address of mongodb) and the server is
> running fine
>
> I would consider this an oversight and suggest to reopen
> https://github.com/Graylog2/graylog2-server/issues/2370
>
> I'll update that ticket with this info.
>
> Thanks for helping to narrow it down.
>



-- 
Developer

Tel.: +49 (0)40 609 452 077
Fax.: +49 (0)40 609 452 078

TORCH GmbH - A Graylog Company
Poolstraße 21
20335 Hamburg
Germany

https://www.graylog.com 

Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Geschäftsführer: Lennart Koopmann (CEO)



[graylog2] Re: server not running even though graylog-ctl says it is

2016-06-23 Thread 123Dev
Found the offending code.

/opt/graylog/service/graylog-server/run

Hardcoded mongodb to be localhost, even though graylog.conf has it set to 
the primary mongodb.

#!/bin/sh
exec 2>&1

umask 077

if [ -f "/opt/graylog/embedded/share/graylog/installation-source.sh" ]; then
    . "/opt/graylog/embedded/share/graylog/installation-source.sh"
fi

export JAVA_HOME=/opt/graylog/embedded/jre
export GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1500m -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow"

# check if mongodb is up
timeout 600 bash -c "until curl -s http://127.0.0.1:27017; do sleep 1; done"
exec chpst -P -U graylog -u graylog /opt/graylog/embedded/bin/authbind $JAVA_HOME/bin/java $GRAYLOG_SERVER_JAVA_OPTS -jar -Dlog4j.configurationFile=file:///opt/graylog/conf/log4j2.xml -Djava.library.path=/opt/graylog/server/lib/sigar/ -Dgraylog2.installation_source=${GRAYLOG_INSTALLATION_SOURCE:=unknown} /opt/graylog/server/graylog.jar server -f /opt/graylog/conf/graylog.conf



I changed 127.0.0.1 to 10.20.1.229 (address of mongodb) and the server is 
running fine

I would consider this an oversight and suggest to reopen
https://github.com/Graylog2/graylog2-server/issues/2370

I'll update that ticket with this info.

Thanks for helping to narrow it down.




Re: [graylog2] NXlog and Graylog Collector Sidecar on SUSE Linux Server

2016-06-23 Thread Darin Perusich
A bunch of openSUSE/SUSE collaborators and I are working on providing
rpm packages for various logging utilities via the openSUSE Build
Service, project link below. NXlog is currently not building on SLE_11
and I haven't had the opportunity to dig into it, and it wasn't a
priority since I'm running SLE_12, and Graylog Collector Sidecar
hasn't been packaged yet and I won't have an opportunity to look into
it for a few weeks. If you're interested in contributing we'd
appreciate the effort!

https://build.opensuse.org/project/show/security:logging

--
Later,
Darin


On Thu, Jun 23, 2016 at 5:16 AM, sailing-lin  wrote:
> I am trying to install NXlog and Graylog Collector Sidecar on my SUSE Linux Server
> Enterprise 11. But there is no rpm package for SUSE; does anyone know how to
> use these two packages on SUSE?



[graylog2] Re: RPM update from 2.0.2 to 2.0.3 breaks Graylog

2016-06-23 Thread Shon Nixon
Thanks Marius,

No, all I did was perform the upgrade of Graylog, nothing more. I always 
check log files to make sure the new upgrade took and that's when this 
started happening--immediately. Nxlog config is pretty vanilla and on all 
servers that report to this stack:


define ROOT C:\Program Files (x86)\nxlog

Module xm_gelf

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_gelf

Module im_msvistalog

Module om_tcp
Host
Port 12201
OutputType GELF

Path in => out


Thanks - Shon



Re: [graylog2] Exception in thread "elasticsearch[graylog2-server][generic][T#1]"

2016-06-23 Thread Anant Sawant
Hi Jan!

Thanks for the reply.
This is the first time this issue has occurred. Could you please tell me 
how can I check and increase heap size for graylog server, I searched but 
got nothing for graylog server about how to increase the heap size. 

On Thursday, 23 June 2016 15:10:41 UTC+5:30, Jan Doberstein wrote:
>
> Hej Anant, 
>
>
> On 23 June 2016 at 09:40:05, Anant Sawant (sawant...@gmail.com) wrote:
> > Graylog server is throwing the following error. Exception in thread
>
>
> > Exception: java.lang.OutOfMemoryError thrown from the
> > UncaughtExceptionHandler in thread
> > "elasticsearch[graylog2-server][generic][T#10]"
> > Exception in thread "eventbus-handler-8" Exception in thread
> > "restapi-boss-0" Exception in thread "eventbus-handler-9"
> > Exception: java.lang.OutOfMemoryError thrown from the
> > UncaughtExceptionHandler in thread "eventbus-handler-8"
> >
> > Exception: java.lang.OutOfMemoryError thrown from the
> > UncaughtExceptionHandler in thread "restapi-boss-0"
>
>
> Does this happen from one day to the other? Did you check your memory
> usage and the heap of the Graylog server?
>
> Would it be possible for you to update to the latest 1.3.5 release or
> update to the most current 2.0.3 version?
>
>
> > Is the issue related to the Graylog server or elasticsearch??
> >
> > Using Graylog 1.1.6 and elasticsearch 1.7.2 on CentOS release 6.7.
>
> This is related to Graylog - as you can see it gives an
> out-of-memory error
>
> with kind regards 
> Jan 
>



[graylog2] Re: RPM update from 2.0.2 to 2.0.3 breaks Graylog

2016-06-23 Thread Shon Nixon
It would appear that Graylog is adding additional lines in the NXlog file. 
My snippet is:

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules 
CacheDir %ROOT%\data 
Pidfile %ROOT%\data\nxlog.pid 
SpoolDir %ROOT%\data 
LogFile %ROOT%\data\nxlog.log 

 
 Module xm_gelf 
 

 
 Module im_msvistalog 
 

 
 Module om_tcp
 Host  10.100.150.89
 Port  12201
 OutputType GELF 


 
 Path  in => out



Graylog is adding:

define ROOT C:\Program Files (x86)\nxlog



Module xm_gelf




to the top of every Nxlog file.


Many Thanks - Shon




[graylog2] Re: RPM update from 2.0.2 to 2.0.3 breaks Graylog

2016-06-23 Thread Shon Nixon
All my NXlog files look like:

define ROOT C:\Program Files (x86)\nxlog

Module xm_gelf

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_gelf

Module im_msvistalog

Module om_tcp
Host
Port 12201
OutputType GELF

Path in => out

All I did was perform the upgrade of Graylog, nothing more. I always check 
log files to make sure the new upgrade took and that's when this started 
happening--immediately.




Thanks - Shon



On Thursday, June 23, 2016 at 11:05:56 AM UTC-4, Shon Nixon wrote:

> It would appear that Graylog is adding additional lines in the NXlog file. 
> My snippet is:
>
> define ROOT C:\Program Files (x86)\nxlog
> Moduledir %ROOT%\modules 
> CacheDir %ROOT%\data 
> Pidfile %ROOT%\data\nxlog.pid 
> SpoolDir %ROOT%\data 
> LogFile %ROOT%\data\nxlog.log 
>
>  
>  Module xm_gelf 
>  
>
>  
>  Module im_msvistalog 
>  
>
>  
>  Module om_tcp
>  Host  10.100.150.89
>  Port  12201
>  OutputType GELF 
> 
>
>  
>  Path  in => out
> 
>
>
> Graylog is adding:
>
> define ROOT C:\Program Files (x86)\nxlog
>
> 
>
> Module xm_gelf
>
> 
>
>
> to the top of every Nxlog file.
>
>
> Many Thanks - Shon
>
>
>
> On Thursday, June 23, 2016 at 6:05:55 AM UTC-4, Marius Sturm wrote:
>
>> Hi,
>> looks like you're receiving some binary data on a plain text Gelf input. 
>> Did you switch to TLS encryption or something like that after the update? 
>> Could you please post the generated configuration of NXlog?
>>
>> Cheers,
>> Marius
>>
>> On Wednesday, 22 June 2016 16:27:41 UTC+2, Shon Nixon wrote:
>>>
>>> Built a Graylog 2.0 cluster two weeks ago with three servers running 
>>> 2.0.2 behind a HAProxy server. Server accepts logs from all Windows boxes 
>>> using Graylog Sidecar and Nxlog. Was working perfectly until I upgraded the 
>>> server to 2.0.3 (yum upgrade). Restarted the services and now I get a 
>>> constant flow of the log info below. Also can no longer access 
>>> *System/Inputs 
>>> -> Configurations* page. Just shows blank. I do have another two box 
>>> cluster I built yesterday that started with 2.0.3 and has no issues at all 
>>> getting data from the HAProxy box. I would rather not rebuild this cluster 
>>> if possible...
>>>
>>>
>>> Reoccurring logging on all three boxes:
>>>
>>>

[graylog2] Additional DateTime column sourced as epoch time

2016-06-23 Thread craig . hancock
I am trying to get Graylog to interpret a field I am sending over, a field 
that I would like to interpret as a timestamp; however, the issue that I am 
having is that it is coming across as UNIX epoch.

1) Is there an operation I can do on the Graylog side to convert this to a 
datetimestamp?
2) Once converted, is there a way to have this data searchable as a 
datetimestamp just like the current timestamp variable?



Re: [graylog2] Exception in thread "elasticsearch[graylog2-server][generic][T#1]"

2016-06-23 Thread Jan Doberstein
Hej Anant,


On 23. Juni 2016 at 16:34:21, Anant Sawant (sawantanan...@gmail.com) wrote:
> This is the first time this issue has occurred. Could you please tell me
> how can I check and increase heap size for graylog server, I searched but
> got nothing for graylog server about how to increase the heap size.

It depends on how you installed Graylog. In your startup script you
can place additional Java opts, and you need to raise the heap at this
location.

/jd



Re: [graylog2] Re: RPM update from 2.0.2 to 2.0.3 breaks Graylog

2016-06-23 Thread Jan Doberstein
Hej Shon,

everything you describe looks like a bug. Can you please open a ticket at
https://github.com/Graylog2/graylog2-server/issues so that the issue can
be fixed?

thank you
Jan



[graylog2] Re: RPM update from 2.0.2 to 2.0.3 breaks Graylog

2016-06-23 Thread Shon Nixon
Decided to run nxlog solo with the correct information and still get the 
same problem:


2016-06-23T12:58:18.248-04:00 ERROR [GelfCodec] Could not parse JSON, first 
400 characters: `�)�V���C�

  
�a?�n
�n�r��埯o}ۍvdY>_"~g��rgИ:�
com.fasterxml.jackson.core.JsonParseException: Unexpected character ('`' 
(code 96)): expected a valid value (number, String, array, object, 'true', 
'false' or 'null')
 at [Source: `�)�V���C�
   �a?�n
�n�r��埯o}ۍvdY>_"~g��rgИ:�; line: 1, column: 2]
at 
com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1581) 
~[graylog.jar:?]
at 
com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:533)
 
~[graylog.jar:?]
at 
com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:462)
 
~[graylog.jar:?]
at 
com.fasterxml.jackson.core.json.ReaderBasedJsonParser._handleOddValue(ReaderBasedJsonParser.java:1624)
 
~[graylog.jar:?]
at 
com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:689)
 
~[graylog.jar:?]
at 
com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3771)
 
~[graylog.jar:?]
at 
com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3716)
 
~[graylog.jar:?]
at 
com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:2272) 
~[graylog.jar:?]
at org.graylog2.inputs.codecs.GelfCodec.decode(GelfCodec.java:115) 
[graylog.jar:?]
at 
org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:136)
 
[graylog.jar:?]
at 
org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:82)
 
[graylog.jar:?]
at 
org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:58)
 
[graylog.jar:?]
at 
org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35)
 
[graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:139) 
[graylog.jar:?]
at 
com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66)
 
[graylog.jar:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
2016-06-23T12:58:18.253-04:00 ERROR [DecodingProcessor] Unable to decode 
raw message af0450e2-3963-11e6-ae65-005056937893 (journal offset 84466333) 
encoded as gelf received from /10.100.150.89:34338.



Then took HAProxy out of the picture and pushed to one of the servers 
directly and STILL get the same problem: 


2016-06-23T13:01:41.359-04:00 ERROR [GelfCodec] Could not parse JSON, first 
400 characters: �p]3
b�Q��F!��0�и
i�D��
com.fasterxml.jackson.core.JsonParseException: Unexpected character ('�' 
(code 65533 / 0xfffd)): expected a valid value (number, String, array, 
object, 'true', 'false' or 'null')
 at [Source: �p]3
b�Q��F!��0�и
i�D��; line: 1, column: 2]
at 
com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1581) 
~[graylog.jar:?]
at 
com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:533)
 
~[graylog.jar:?]
at 
com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:462)
 
~[graylog.jar:?]
at 
com.fasterxml.jackson.core.json.ReaderBasedJsonParser._handleOddValue(ReaderBasedJsonParser.java:1624)
 
~[graylog.jar:?]
at 
com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:689)
 
~[graylog.jar:?]
at 
com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3771)
 
~[graylog.jar:?]
at 
com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3716)
 
~[graylog.jar:?]
at 
com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:2272) 
~[graylog.jar:?]
at org.graylog2.inputs.codecs.GelfCodec.decode(GelfCodec.java:115) 
[graylog.jar:?]
at 
org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:136)
 
[graylog.jar:?]
at 
org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:82)
 
[graylog.jar:?]
at 
org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:58)
 
[graylog.jar:?]
at 
org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35)
 
[graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:139) 
[graylog.jar:?]
at 
com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66)
 
[graylog.jar:?]
at java.lang.Thread.run(Thread.java:745) 
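
A triage sketch for the `Could not parse JSON` errors in the post above, following the reply earlier in the thread that binary data appears to be arriving on a plain-text GELF input. It is an added example, not code from Graylog or from anyone in the thread: `classify_payload`, `failing_senders`, `HINTS` and `SAMPLE_LOG` are hypothetical names, the third sample log line is constructed, and the payload bytes are assumed to come from a packet capture, because the excerpt Graylog logs has already replaced undecodable bytes with U+FFFD.

```python
import re
from collections import Counter


def classify_payload(data: bytes) -> str:
    """Label the first bytes a sender wrote to a GELF TCP input."""
    if not data:
        return "empty"
    if data.lstrip(b" \t\r\n")[:1] == b"{":
        return "json"            # what a plain GELF TCP input expects
    # TLS record header: content type 20-23, then protocol version 3.x
    if len(data) >= 3 and 0x14 <= data[0] <= 0x17 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-record"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:2] == b"\x1e\x0f":
        return "gelf-chunk"      # chunked GELF magic bytes
    # zlib header: deflate method in the low nibble, 16-bit header divisible by 31
    if len(data) >= 2 and data[0] & 0x0F == 8 and ((data[0] << 8) | data[1]) % 31 == 0:
        return "zlib"
    return "unknown-binary"


# What each label suggests checking first (assumptions, not Graylog output).
HINTS = {
    "json": "payload is plain JSON; inspect the JSON document itself",
    "tls-record": "sender speaks TLS; compare TLS settings on sender and input",
    "gzip": "sender compresses; GELF over TCP is uncompressed, null-delimited JSON",
    "zlib": "sender compresses; GELF over TCP is uncompressed, null-delimited JSON",
    "gelf-chunk": "sender chunks as for GELF UDP; chunking is not used over TCP",
    "unknown-binary": "not GELF; check what is really connected to this port",
    "empty": "nothing captured",
}

# Matches the DecodingProcessor error shown in the thread.
DECODE_ERROR = re.compile(
    r"ERROR \[DecodingProcessor\] Unable to decode raw message "
    r"(?P<id>[0-9a-f-]{36}) \(journal offset (?P<offset>\d+)\) "
    r"encoded as (?P<codec>\w+) received from /(?P<ip>[\d.]+):(?P<port>\d+)\."
)


def failing_senders(log_text: str) -> Counter:
    """Count undecodable messages per remote address in a server log."""
    # Collapse whitespace first so entries re-wrapped by a mail client still match.
    flat = re.sub(r"\s+", " ", log_text)
    return Counter(m.group("ip") for m in DECODE_ERROR.finditer(flat))


# First two entries use the values quoted in the thread; the third is constructed.
SAMPLE_LOG = """\
2016-06-22T10:15:13.732-04:00 ERROR [DecodingProcessor] Unable to decode
raw message bc89d68a-3883-11e6-a89e-005056934db8 (journal offset 56420554)
encoded as gelf received from /10.100.150.89:41076.
2016-06-23T12:58:18.253-04:00 ERROR [DecodingProcessor] Unable to decode raw message af0450e2-3963-11e6-ae65-005056937893 (journal offset 84466333) encoded as gelf received from /10.100.150.89:34338.
2016-06-23T13:02:00.000-04:00 ERROR [DecodingProcessor] Unable to decode raw message 00000000-0000-0000-0000-000000000000 (journal offset 1) encoded as gelf received from /192.0.2.10:50000.
"""

if __name__ == "__main__":
    for ip, count in failing_senders(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} undecodable message(s)")
    # Constructed capture: the first bytes of a TLS handshake record.
    label = classify_payload(bytes.fromhex("1603010200010001fc0303"))
    print(label, "->", HINTS[label])
```

Grouping failures by sender shows whether every client is affected or only the one hop in front of the input, and the label on a captured frame narrows down which side changed its framing.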

Re: [graylog2] Re: RPM update from 2.0.2 to 2.0.3 breaks Graylog

2016-06-23 Thread Shon Nixon
Done - Two tickets created.

On Thursday, June 23, 2016 at 2:26:47 PM UTC-4, Jan Doberstein wrote:
>
> Hej SHon, 
>
> all what you describe looks like a bug, can you please open a ticket 
> https://github.com/Graylog2/graylog2-server/issues that the issue can 
> be fixed. 
>
> thank you 
> Jan 

[graylog2] Having some difficulties with 3 node graylog cluster

2016-06-23 Thread Yiannis
Hi all,
I've installed and configured a 3 node graylog (2.0.3) "cluster" on 3 
R610 (16 cores total) servers with 72GB of RAM (every node has mongo, 
elastic and graylog installed),
using nginx as a udp load balancer and haproxy as a tcp balancer for the web 
interface in front of them (2 more hosts).

I'm running the web interface on just one of them to avoid extra complexity, 
but I have to admit that the web interface is slower than 1.3.4.

My 2 biggest problems are:

1) Most of the time when I press the search button (and only the search 
button displayed in the image)
it seems to me that my browser goes through the login screen again (to send 
the user credentials again) before rendering the results.

2) Every now and then, I get a strange error (mostly when using 
Firefox) from the web interface API server like the following 
(no errors are shown in the graylog server logs).

P.S. I do not have any CPU or RAM utilization problems.
P.S. The problem is not in the haproxy setup (the same problems apply when 
reaching the server directly).


Any suggestions are more than welcome
Regards
Yiannis



Re: [graylog2] Additional DateTime column sourced as epoch time

2016-06-23 Thread Jan Doberstein
On 23. Juni 2016 at 19:48:30, craig.hanc...@uptake.com
(craig.hanc...@uptake.com) wrote:
> I am trying to get Graylog to interpret a field I am sending over, a field
> that I would like to interpret as a timestamp; however, the issue that I am
> having is that it is coming across as UNIX epoch.
>
> 1) Is there an operation I can do on the Graylog side to convert this to a
> datetimestamp?
> 2) Once converted, is there a way to have this data searchable as a
> datetimestamp just like the current timestamp variable?


I'm just copying over the conversation we had in IRC about this:

[19:40:18]  hello all
[19:41:24]  I am trying to get graylog to interrupt a field I
am sending over a field that I would like to interpret as a timestamp
however the issue that I am having is that it is coming across as UNIX
epoch
[19:41:49]  1) Is there an operation I can do on the graylog
to convert this as a datetimestamp
[19:42:18]  2) Once converted is there a way to have this
data searchable as a datetimestamp just like the current timestamp
variable
[19:52:08]  ghanima: yes and yes
[19:52:49]  jalogisch: I am all ears on how to approach this
but I am not sure where to start
[19:53:14]  How can I convert the epoch to a datetime within graylog
[19:53:40]  how does a log that contains this look like?
[19:54:30]  jalogisch: the entries are being pulled from a file
[19:54:34]  sample entry looks like this
[19:54:35]  16/06/20 22:30:56 WARN InfluxDBQuarantineHandler:
Message quarantined! Reason: Invalid - reading time ahead of current
clock time, Msg:
47314fd5-5468-4d9e-b051-30015a474916.fb55df42de304c6a57421da3218a7c54-CAT.03f72667-15dd-4587-a180-c248a06bde4e.02ed558e-73ab-4807-876c-d0b69b255645
1466490475000 171984.0
[19:54:43]  first option, extract via grok
http://docs.graylog.org/en/2.0/pages/extractors.html?highlight=grok#using-grok-patterns-to-extract-data
and create a new field that gets converted into a timestamp
[19:55:22]  in the format you like to have
[19:55:40]  I have configured on the graylog side a grok
filter %{DATESTAMP:insertdate} %{WORD:logstatus} %{WORD:influx}:
(?[a-zA-Z]*\s[a-zA-Z]*)! (?.*), Msg:
(?\w*-\w*-\w*-\w*-\w*).(?\w*-CAT).(?\w*-\w*-\w*-\w*-\w*).(?\w*-\w*-\w*-\w*-\w*)
%{NUMBER:metrictimestamp} (?.*)
[19:56:26]  I want this field 1466490475000 which is the 3rd
to last be converted to MM/DD/YY hh:mm:ss Z
[19:58:09]  jalogisch: does that make sense
[19:58:50]  second option is to use the
http://docs.graylog.org/en/2.0/pages/extractors.html?highlight=grok#the-standard-date-converter
date converter after extraction
[20:00:01]  looks  valid
[20:03:02]  replace %{NUMBER:..} with
%{NUMBER:metrictimestamp:timestamp;date;dd/MMM/:HH:mm:ss Z}
[20:03:31]  that should do the trick - as written a few
lines above 
http://docs.graylog.org/en/2.0/pages/extractors.html?highlight=grok#using-the-json-extractor
[20:03:53]  means you need to scroll up a few lines to have
this information
[20:04:55]  jalogisch: what about all the data that has been
index is there a way to re-process that data
[20:05:21]  not within graylog
[20:05:50]  you would need to modify direct in
elasticsearch or export the data and send it again to graylog
[20:07:26]  jalogisch: in my grok pattern %{DATESTAMP:insertdate}
[20:07:52]  can I trust that this will store this data as a
date timestamp and its searchable as such or is there another
conversion that needs to be done
[20:09:14]  read the docs - it is explained. for date you
can grep, store in a new field and convert with one grok
[20:09:33]  but you need to specific the format you like to
have as a result
[20:15:37]  jalogisch: so unless I misread you posted this is
what happens
[20:15:41]  when I apply this grok
%{NUMBER:metrictimestamp;date;/dd/:HH:mm:ss Z}
[20:15:46]  I get this error
[20:16:05]  java.text.ParseException: Unparseable date: "146621064"
[20:17:01]  jalogisch: I tried both NUMBER and DATA
[20:22:25]  i see - and checked the configuration
[20:22:45]  SimpleDateFormat is the range for this conversion
[20:23:01]  and that does not see epoch as a valid date format
[20:23:37]  can you please fill an issue
https://github.com/Graylog2/graylog2-server/issues that this get
corrected
[20:26:11]  and to solve your issue you will need to try
the Flexibly parse date extractor with a copy input extractor that
contains the data



Re: [graylog2] Re: server not running even though graylog-ctl says it is

2016-06-23 Thread 123Dev
Thanks
Done 

On Thursday, June 23, 2016 at 11:17:24 AM UTC-4, Marius Sturm wrote:
>
> Thanks for investigating in this, please open a new issue here: 
> https://github.com/Graylog2/omnibus-graylog2
> This is not a server issue per se.
>
> Thanks,
> Marius
>
> On 23 June 2016 at 16:06, 123Dev  
> wrote:
>
>> Found the offending code.
>>
>> /opt/graylog/service/graylog-server/run
>>
>> Hardcoded mongodb to be localhost, even though graylog.conf has it set to 
>> the primary mongodb.
>>
>> #!/bin/sh
>> exec 2>&1
>>
>> umask 077
>>
>> if [ -f "/opt/graylog/embedded/share/graylog/installation-source.sh" ]; 
>> then
>> . "/opt/graylog/embedded/share/graylog/installation-source.sh"
>> fi
>>
>> export JAVA_HOME=/opt/graylog/embedded/jre
>> export GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1500m -XX:NewRatio=1 -server 
>> -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled 
>> -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC 
>> -XX:-OmitStackTraceInFastThrow"
>>
>> # check if mongodb is up
>> timeout 600 bash -c "until curl -s http://*127.0.0.1*:27017; do sleep 1; 
>> done"
>> exec chpst -P -U graylog -u graylog /opt/graylog/embedded/bin/authbind 
>> $JAVA_HOME/bin/java $GRAYLOG_SERVER_JAVA_OPTS -jar -Dlog4j.
>> configurationFile=file:///opt/graylog/conf/log4j2.xml 
>> -Djava.library.path=/opt/graylog/server/lib/sigar/ 
>> -Dgraylog2.installation_source=${GRAYLOG_INSTALLATION_SOURCE:=unknown} 
>> /opt/graylog/server/graylog.jar server -f /opt/graylog/conf/graylog.conf
>>
>>
>>
>> I changed 127.0.0.1 to 10.20.1.229 (address of mongodb) and the server is 
>> running fine
>>
>> I would consider this an oversight and suggest to reopen
>> https://github.com/Graylog2/graylog2-server/issues/2370
>>
>> I'll update that ticket with this info.
>>
>> Thanks for helping to narrow it down.
>>
>>
>
>
>
> -- 
> Developer
>
> Tel.: +49 (0)40 609 452 077
> Fax.: +49 (0)40 609 452 078
>
> TORCH GmbH - A Graylog Company
> Poolstraße 21
> 20335 Hamburg
> Germany
>
> https://www.graylog.com 
>
> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
> Geschäftsführer: Lennart Koopmann (CEO)
>
