[graylog2] Re: Graylog is not processing Messages from one input anymore

Hey, here are the details of the system: I installes de dpkg files like in here on the Ubuntu 16.04 LTS http://docs.graylog.org/en/2.0/pages/installation/os/ubuntu.html Everything is running on one single VM Graylog and Elasticsearch. VMware 1 Virtual Socket 2 Cores Memory: 8GB RAM HDD 800

[graylog2] Re: Graylog is not processing Messages from one input anymore

Hey, here are the details of the system: I installes de dpkg files like in here on the Ubuntu 16.04 LTS http://docs.graylog.org/en/2.0/pages/installation/os/ubuntu.html VMware 1 Virtual Socket 2 Cores Memory: 8GB RAM HDD 800 GB root@ATLOG001:/home/ladmin# uname -a Linux ATLOG001 4.4.0-28-g

[graylog2] Graylog is not processing Messages from one input anymore

Hey my Graylog just stoped processing messages from one input. But the other Input is still working. Everything looks finde for me: I rebooted the Linux machine, Start Stop of the Input and so on. But without success. root@ATLOG001:/var/log/graylog-server# top top - 08:14:49 up 16 min, 1 user,

[graylog2] Re: Graylog search and sum fields

Or if you have multiple message like this: Actionnum 0 Content_Length 1436 Content_Type application/x-compress Destination_IP 104.96.91.41 facility local4 level 4 message 1467954342 1 10.244.130.157 104.96.91.41 application/x-compress 10.244.130.157 http://update.nai.com/Products/CommonUpdater/C

[graylog2] Graylog search and sum fields

Hey, if I have multiple logs like this: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.102|srcPort=54610|srcMAC=00:00:00:00:00:00|dstIP=104.96.151.235|dstPort=80|dstService=|dstIF=port7.910|rule=|info=Normal Operation|srcNAT=80.120.142.196|dstNAT=104.96.151.235|duration=0|count=1|receivedB

[graylog2] Re: help with Gork pattern

:c8srcport52064 Is is also possible to remove the first entry? I don't know why I get this: BASE10NUM52064 Am Donnerstag, 30. Juni 2016 07:18:30 UTC+2 schrieb Keamas M: > > Hey, > > I log my firewall logs into Graylog. > > The log File looks like this: > > > <

[graylog2] Re: help with Gork pattern

chrieb kaiser: >> >> Can you try: >> >> srcIP=%{IP:srcip} >> >> then >> >> scrPort=%{NUMBER:srcport} >> >> Is there any error on those patterns? >> >> If no errors are displayed can you try: >> %{GREEDYDATA:UNWANTED}srcIP=

[graylog2] Re: help with Gork pattern

P=%{IP:srcip}\|scrPort=%{NUMBER:srcport} > > > > Le vendredi 1 juillet 2016 09:19:53 UTC+2, Keamas M a écrit : >> >> I also tried it to escape it with the \ and / ans so on... but it does >> not work. >> I always geht this message when I press try: >> >>

[graylog2] Re: help with Gork pattern

UTC+2 schrieb kaiser: > > '|' stands for a logic OR so you have to escape it with '\|'. > > > srcIP=%{IP:srcip}\|scrPort=%{NUMBER:srcport}\|dstIP=%{IP: > dstip}\|dstPort=%{NUMBER:dstport} > > Le jeudi 30 juin 2016 07:18:30 UTC+2, Keamas M a écrit : >>

[graylog2] help with Gork pattern

Hey, I log my firewall logs into Graylog. The log File looks like this: <14>Jun 27 12:27:30 FW-02 2/C1/WN02/box_Firewall_Activity: Info C-WN02-FW Detect: type=FWD|proto=TCP|srcIF=port7.101|srcIP=10.244.130.143| srcPort=52365|srcMAC=00:00:00:00:00:00|dstIP=194.232.104.167|dstPort=80| dstServi

[graylog2] Syslog messages look different between Splunk and Graylog

Hello, I am new to graylog. I used Splunk before but I reached the space limit of splunk. Thats why I installed Graylog. I want to log firewall Logs and create reports and graphs out of this Logs. - how similar is the Search syntax between Splunk and Graylog? Is it complicated to migrate t