[graylog2] Incoming Gelf UDP messages not showing up

2017-02-08 Thread IJFK
Hi, New Graylog user here. Bit of a dilemma, been trying to figure this out for hours now without success, and about to give up. I'm using their appliance which I just downloaded yesterday. I'm sending Syslog packets in Gelf format (I successfully validated the Json), and no matter what I do,

[graylog2] Re: Graylog is ignoring some UDP packets sent by a particular host

2017-02-08 Thread IJFK
I'm having similar issues with GELF packets. They show up if I create a raw udp input, but they don't show up with a gelf input. It used to work, but suddenly stopped working. I also have no idea on how to debug this, there doesn't seem to be a place for parser errors. Increasing the debug

[graylog2] collect logs from remote machine

2017-02-08 Thread Wallace Turner
The graylog homepage states *"No more logging into multiple devices to parse plain text log files."* but I am yet unable to figure out how it does this. The docs located at http://docs.graylog.org/en/2.1/pages/sending_data.html# go through many steps but none in which the graylog server/process will

[graylog2] Re: Forward from One graylog to another

2017-02-08 Thread Tom Powers
Is there any good doc on setting up the TLS on the stream output and then the receiving side at the new graylog instance? Been combing through doc and posts for a couple hours and only have fragments of an idea on how to do this. Self-signed certs will be fine for this. All insight is

[graylog2] Re: Forward from One graylog to another

2017-02-08 Thread Jochen Schalanda
Hi Tom, On Wednesday, 8 February 2017 23:31:46 UTC+1, Tom Powers wrote: > > We are only tracking windows events here, so if I read this right, could I > set the stream output in Gelf format and send it to the Parent office > Graylog server (over TLS of course)? > Yes, that's pretty much it.

[graylog2] Forward from One graylog to another

2017-02-08 Thread Tom Powers
I have 2 sites. One office is the main office, the other is a branch office. I am wondering if this is possible. If I put a graylog server at each site in regular setup, I can collect the logs of that site. Simple enough so far. Now...the Streams I have setup on those 2 servers, which is

[graylog2] Re: Overwriting Timestamp field using Pipeline rules

2017-02-08 Thread Al Reynolds
I've noticed another error. The timestamp field is being replaced correctly, but the "gl2_processing_error" field is showing the following error (on all messages): For rule 'WO-CS-RAS': In call to function 'parse_date' at 8:15 an exception was thrown: Invalid format: "2017-02-08 15:05:59,170"

[graylog2] Re: Overwriting Timestamp field using Pipeline rules

2017-02-08 Thread Al Reynolds
Figured it out--parse_date needed the timestamp. New rule looks like this: rule "WO-CS-RAS" when contains(to_string($message.file),"centralserver\\ras-server\\log\\ras_cs_") then set_field("WO_Log_Source","RAS-CS"); let matches = grok(pattern: "%{WO_CS_RAS_CS_MESSAGE}", value:

[graylog2] Graylog is ignoring some UDP packets sent by a particular host

2017-02-08 Thread tomaszikasperczyk
Hello, I've recently set up a working Graylog server. It's collecting logs from many network switches and routers. One particular router (ironically, the most important one) doesn't appear in the Sources list though. Graylog keeps ignoring all packets coming from that host. Here's an example

Re: [graylog2] Re: Extractor and processing messages

2017-02-08 Thread Rayees Namathponnan
Got it. Thanks > On Feb 8, 2017, at 9:03 AM, Jochen Schalanda wrote: > > Hi Rayees, > > On Wednesday, 8 February 2017 18:00:05 UTC+1, Rayees Namathponnan wrote: > I am looking at the extractor configuration, there I am not seeing any way to define > the input, without this all

Re: [graylog2] Re: Extractor and processing messages

2017-02-08 Thread Jochen Schalanda
Hi Rayees, On Wednesday, 8 February 2017 18:00:05 UTC+1, Rayees Namathponnan wrote: > > I am looking at the extractor configuration, there I am not seeing any way to > define the input, without this all the messages that come to the system will go > through the extractor, right? Am I missing something? >

Re: [graylog2] Re: Extractor and processing messages

2017-02-08 Thread Rayees Namathponnan
Regarding your second point: I am looking at the extractor configuration, there I am not seeing any way to define the input, without this all the messages that come to the system will go through the extractor, right? Am I missing something? > On Feb 8, 2017, at 8:46 AM, Jochen Schalanda

[graylog2] Re: Extractor and processing messages

2017-02-08 Thread Jochen Schalanda
Hi Rayees, On Wednesday, 8 February 2017 17:38:56 UTC+1, Rayees Namathponnan wrote: > > Suppose I have defined 10 extractors; if any message comes to graylog, > does it go through all 10 extractors? > This depends on your configuration and if the preconditions for these extractors have

[graylog2] Extractor and processing messages

2017-02-08 Thread Rayees Namathponnan
Hi All, Suppose I have defined 10 extractors; if any message comes to graylog, does it go through all 10 extractors? I am performing some tests in graylog to see how graylog behaves if I add more extractors, and want to check alert performance with respect to the number of extractors. Regards, Rayees

[graylog2] Re: Overwriting Timestamp field using Pipeline rules

2017-02-08 Thread Al Reynolds
That's what I get for typing it out...thank you for catching that! Unfortunately, even after correcting for the incorrect milliseconds value, it's still not replacing timestamp value. I sent the parsed date to a new field (in this case, "log_timestamp") to verify that the output data was in

[graylog2] Re: Overwriting Timestamp field using Pipeline rules

2017-02-08 Thread Jochen Schalanda
Hi Al, On Wednesday, 8 February 2017 15:11:34 UTC+1, Al Reynolds wrote: > > I was under the impression that using the "parse_date" function would > create a Date object? > It does, see http://docs.graylog.org/en/2.1/pages/pipelines/functions.html#parse-date for reference. But your date

[graylog2] Re: Overwriting Timestamp field using Pipeline rules

2017-02-08 Thread Al Reynolds
Jochen, Thanks for the reply! I'm guessing my problem is that the source field (in this case WO_Timestamp) is not a date object, as I'm not having any luck with your example either. I was under the impression that using the "parse_date" function would create a Date object? As for

[graylog2] Re: Graylog 2.2.0-rc.1 lags while editing inputs

2017-02-08 Thread 'Ha NN' via Graylog Users
Hmm, ok, I installed 2.2 rc1 from scratch and the problem seems to be gone. So I guess it has something to do with the upgrade from 2.1.3 to 2.2 rc1. On Wednesday, 8 February 2017 13:22:37 UTC+1, Ha NN wrote: > > JVM: > > GRAYLOG_SERVER_JAVA_OPTS="-Xms4g -Xmx4g -XX:NewRatio=1 -server >

[graylog2] Re: sidecar and nxlog collectors - query

2017-02-08 Thread Peter Dudas
Hi, Why don't you create inputs and outputs per channel? For me this is logical, as you can only select one channel per input. One for Security, one for Application, one for System and so on... We even have a different one for Network Policy Servers. In the collector configuration you can have

[graylog2] Re: Graylog 2.2.0-rc.1 lags while editing inputs

2017-02-08 Thread Jochen Schalanda
Hi, this is the start command for Elasticsearch, not Graylog. Please post the configuration of Graylog and the JVM settings for Graylog (see http://docs.graylog.org/en/2.1/pages/configuration/file_location.html for where to find them). Cheers, Jochen On Wednesday, 8 February 2017 12:14:41

[graylog2] Re: Graylog 2.2.0-rc.1 lags while editing inputs

2017-02-08 Thread 'Ha NN' via Graylog Users
It has 8 cores, 32 GB RAM. JVM: /usr/bin/java -Xms18g -Xmx18g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Djna.nosys=true

[graylog2] Re: Graylog 2.2.0-rc.1 lags while editing inputs

2017-02-08 Thread Jochen Schalanda
Hi, there are quite long GC pauses mentioned in your logs. What are the hardware specs of the machine(s) running Graylog and how did you configure Graylog (also how are the JVM settings)? Cheers, Jochen On Wednesday, 8 February 2017 11:43:27 UTC+1, Ha NN wrote: > > Hi, > > I am testing

[graylog2] Graylog 2.2.0-rc.1 lags while editing inputs

2017-02-08 Thread 'Ha NN' via Graylog Users
Hi, I am testing Graylog 2.2.0-rc.1 with a gelf udp input plugin. I send logs with rsyslog into it. I created some grok pattern extractors, mostly ones like ID=%{DATA:id}. Once created, when you want to edit them it takes a very long time to load the edit page and it seems graylog stops to