Ahh, if you want to go HA, you can use their tool to get estimates:
https://www.graylog.org/tools/sizing-estimator
On Friday, November 18, 2016 at 5:50:17 AM UTC+13, Joshua Waclawski wrote:
>
> As the title states, I'm pretty new to Graylog and Elasticsearch. I've
> read the documentation
Hi Joshua,
Hardware requirements:
It is obviously very difficult to give you exact numbers. The requirements
for 300 syslog messages vs 300 multi-line logs where one extracts 50 key
value pairs per entry will have different requirements. That said, 300
messages is trivial and you can get away
There are obviously a few options; the easiest at this stage will probably be
MetricBeat
On Tuesday, November 22, 2016 at 7:07:11 AM UTC+13, Mohit Mehral wrote:
>
> Please suggest how to push linux machine system level(lowdisk, high cpu,
> ram util, iostat) alerts to graylog2
>
> I don't want to use
Not 100% sure what you mean by a REM statement? I presume you mean you add a
hash/pound at the beginning of the line?
Also look in the nxlog log file for some tips on what the issue could be.
Maybe paste your non-starting config as well, but, as was mentioned, this
is not really the forum for
Hi,
We are running 3 Graylog nodes behind a round-robin load balancer that
balances all comms to Graylog over the three nodes.
I was curious how the metrics output plugin manages this. The output
plugin is set to send data every 60 seconds. Graphite storage schema is set
to 1 minute as well.
> Make sure to use the latest version of the plugin. If the problem still
> occurs, please open a new issue at https://github.com/
> Graylog2/graylog-plugin-metrics/issues/.
>
> Cheers,
> Jochen
>
> On Friday, 18 November 2016 03:47:25 UTC+1, Werner van der Merwe wrote:
Hi,
I am using MetricBeat to ship metrics from Windows boxes to Graylog, then
the Metrics plugin to get those in Graphite.
Unfortunately, Metricbeat ships the cpu percentages as the decimal value,
thus 10% is represented as 0.1
I assume the metrics plugin converts them to integer as all my
What stumps me more is that I have just added another host; in the Eventlog it
has a Destination Address IP, this is being updated and a _geolocation
field added.
Any idea why it would work on *some* fields and not others?
On Friday, November 4, 2016 at 8:55:03 AM UTC+13, Werner van der Merwe
Slightly stumped, followed the doco and some threads online of others
struggling.
Here's what I've done so far:
Download the MaxMind binary
from https://dev.maxmind.com/geoip/geoip2/geolite2/
In the "Message Processors Configuration", ensure GeoIP resolver is the
last step.
Under Plugins,
I am fairly sure I am missing something obvious here..
I've upgraded another site's Graylog instance, but having some issues with
mongodb:
grep mongo /etc/graylog/server/server.conf
mongo_uri = mongodb://127.0.0.1/graylog2
Yet none of my inputs / saved searches and dashboards appear:
Hi Kunal,
Kindly paste your configs, from what I can make out in the screenshot, your
newline identifier is not set correctly. The %{host} is more than likely
from incorrectly parsing the logs.
If you're willing to try NXLog, they have snippets for the config in their
doco:
Due to some legacy software still in process of being migrated, we have a
few Windows Server 2003 (i386) boxes about.
Installing sidecar goes without problem, but I am unable to start sidecar:
C:\Program Files\graylog\collector-sidecar>graylog-collector-sidecar.exe
-service
install
panic:
n centos/redhat
> machines.
>
> Out of curiosity, how many sidecars are you running in parallel?
>
> Cheers,
> Marius
>
> On 7 September 2016 at 06:08, Werner van der Merwe <
> wernervdme...@gmail.com
NXlog's User and Group is set to root as well
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on
Hi,
We've rolled sidecar out on most of our CentOS farm with huge success.
We're facing some uphill with a legacy app using Postgres 9.1 running on
Ubuntu 12.05.
==> /var/log/graylog/collector-sidecar/nxlog_stderr.log <==
2016-09-07 15:44:12 ERROR failed to open
Possible duplicate
of https://github.com/Graylog2/graylog2-server/issues/2742 ?
On Monday, August 29, 2016 at 11:30:28 AM UTC+12, Werner van der Merwe
wrote:
>
> Hi,
>
> It seems that if I create an extractor, I have to create an extractor for
> each field I want to store,
Hi,
It seems that if I create an extractor, I have to create an extractor for
each field I want to store, is this correct?
If so, what would be helpful (for me), and what I am using NXLog for at the
moment, is to have the option to extract and store multiple regex groups in
one extractor.
For
Currently in our setup we use a lot of Execs inside an input block.
Is the only way to have execs currently to rather create snippets?
Would it be possible to have a custom text block in the input section to add
some custom code per input to add any custom snippets inside a specific
input?
--
Hi, this confuses me a bit.
I understand a host can have multiple tags to combine multiple
configurations, for example an apache server can have tags linux and apache.
As I understand it, for this, two configurations will be created, one with
a tag called linux and one with a tag called
I am trying to add another graylog-server node in order to expand our
install from a single graylog server and a single ES server.
Looking at the ES logs both nodes join with their own hostnames.
Looking at the Graylog interface under System -> Nodes, the first node is
duplicated. Even the JVM
You are correct, it is not a huge setup, which acts in your favour.
If you want HA just for the data rather than the service, you can look at
having a single Graylog-server instance and rather have 2 or 3
Elasticsearch hosts.
The Graylog-server does not retain data, it routes all to the data
We are reaching resource capacity on the single graylog-server we have.
Currently I have one machine running mongodb and graylog-server and another
server running ES. This has been working like a charm, but I am now hitting
CPU starvation on the graylog-servers two or three times a day during
To my knowledge no, as the stream identifier would still be enforced in the
search bar.
IMHO, if one changes that behaviour, one will run into issues with people
having more than one saved search related to a selected stream, or, what if
you have the same criteria that you want to select over
If I understand correctly, you have one Graylog server receiving
everything, but you want specific data to go to another Graylog server?
If that is the case, you can look at setting up a stream rule for those
logs and have the stream output to a GELP output pointing to the other
Graylog server.
Do make sure it is not a timestamp parsing issue; are you able to look at
messages from the beginning of time that have that source and maybe input
type to narrow it down?
I fell victim to a funny timezone issue, which caused my logs to all be 13h
behind and on a previous occasion importing with
I faced a similar issue once and the only way I could 'fix' it was by
deleting the journal from disk and restarting Graylog-server.
That will destroy your backlog though.
I was wondering if there was a way to use the plugin to send counters per
metric to graphite.
Seems that I have to create a stream and an output per code, e.g.
200, 500, 401, 402, etc.?
The other option would be to create a dashboard widget and query the widget
via the API, but using a stream would
be honest, my question is a little contrived
> and our actual use-case data is considerably more complex. I am right in
> saying that this type of pivot is just not possible in graylog-web at the
> moment?
>
> P.
>
> On 16 November 2015 at 10:28, Werner van der Mer
Think I've answered part of my question: m1_rate is not representing the
count of logs over the last minute, but the mean rate of logs over the last
minute.
So if we get 10 log/sec, the m1_rate will still be 10, regardless of the
fact that we received 600 logs.
In this case using 10*60
Marius, you've been a great help so far - hopefully you would permit me one
more question.
I am a little stumped on how to get total messages in a stream for the
period.
For example, using a 1 minute search (2015-11-02 19:59:00 +13:00 to
2015-11-02 20:00:00 +13:00) in Graylog, returns 1757
Mmmm... that is weird... If you restart graylog-server, any detail in the
logs that could point to the issue?
Also, is Graylog operational apart from not being able to see the
notification?
>
> Interesting - that ratio seems a little out of balance. 15M for ES for 13
> servers sounds quite light.
>
You can maybe get some more info on what is using space in Mongo by doing the
following:
On the server hosting mongodb:
mongo (This will enter the
This is working perfectly!
Thanks a ton - been mailing all our chief IT folk blasting the trumpet of
Graylog's support. (We are predominantly a Microsoft house using Splunk, so
I am hard at work proving Graylog is better!)
If I may be as bold/opportunistic for one more question...
It seems I
Apologies, should have mentioned I only have one numeric field which I am
using in the histogram and it seems I can't re-use the field for another
function.
, 2015 at 9:11 PM, Dennis Brouwer <den...@tamtam.nl> wrote:
> No, it just keeps loading :(
>
> *--*
> *Tam Tam*
> Dennis Brouwer
> 06 21 86 90 88
>
> On Wed, Nov 4, 2015 at 10:04 PM, Werner van der Merwe <
> wernervdme...@gmail.com> wrote:
>
Thanks to the great help from this forum, I have now submitted our
production dashboard to upper management.
I do have one question - during a peak period, messages may be buffered and
processed when the server has resources.
How would streams and the graphite plugin send those messages?
In
The ova is certainly the easiest way to get started.
We had a requirement of having to run RedHat, so I went with the puppet
manifests, which is also fairly easy with some reading required.
Using the manifests will effectively install the product via apt-get.
Partitioning is up to you, if you
I am not 100% sure what you mean, but there are two ways to generate detail
graphs:
Both:
Filter the logs until you only see the logs you are interested in using
search.
Option 1:
On the left, select the blue triangle to expand the ID field, then select
Quick Values. That will give you a pie
Hi,
I have two streams:
LDAP Results and LDAP Searches.
Each goes to a separate Graphite Output.
The first stream, indicating results, works correctly and is configured as
such:
- prefix:
org.graylog.ldap.prod.results
- url:
graphite://XX:2003
- fields:
First option will be to ensure processing is not paused in System/Nodes =>
Nodes, click on the Node name. Make sure the top right is not saying that
it is not processing any messages - click resume processing if this is the
case. If this was paused, give it some time to recover.
If you click System/Overview and select Overview, can you then see the
notification?
It did indeed!
Thanks very much
On Wednesday, September 2, 2015 at 1:31:19 PM UTC+12, Drew Miranda wrote:
>
> Does running "Recalculate Index Ranges" (System -> Indices -> Maintenance)
> help?
>
> On Sunday, August 30, 2015 at 6:43:00 PM UTC-5, Werner van der Mer
Another update - doing the same absolute search via Kibana, 2015-08-31
00:00:00 to 2015-08-31 10:00:00, gets 2.4M hits, so I am thinking it is a
timezone interpretation of graylog-web maybe?
Hopefully someone can shed some light on this.
Messages are displayed in the histogram and the Messages section in the
correct datetime.
Use case:
The histogram reports 800k messages in an hourly bucket of 31-Aug 00:00:00.
Using the drag and select feature in the histogram to select 31-Aug
Seems like this is quite a hot topic, but unfortunately I am still a little
lost.
I am sending logs to Graylog via nxlog; all dates seem correct apart from
the Timestamp and thus Histogram.
In Timezone configuration, all zones are set to local time (GMT +12)
The timestamp variable is set