[graylog2] Re: Processing of stream failed to return within 2000ms.

2016-09-28 Thread julioqc47
So I moved to SSD and raised the journal to 10GB so the journal failures stopped when logs inputs are spiking. Great! However I'm still getting the paused stream issue during those spikes. I don't get why that stream can process those messages fine but falls behind during spikes. Any way to

[graylog2] Re: "Did not find meta info of this node. Re-registering." on single server setup

2016-09-28 Thread julioqc47
Really, no help on this one? :( On Monday, September 26, 2016 at 10:50:05 AM UTC-4, juli...@gmail.com wrote: > > Hello, > > My logs are filled with those since upgrading from 2.0.3 to 2.1.1 OVA > setup. > > > 2016-09-26 10:08:52,636 WARN : org.graylog2.periodical.NodePingThread - > Did not

[graylog2] Re: Processing of stream failed to return within 2000ms.

2016-09-27 Thread julioqc47
As you can see in the screenshot from this morning, Process and Output are full and Journal keeps growing accordingly. So process is when be when message is

[graylog2] Re: Processing of stream failed to return within 2000ms.

2016-09-27 Thread julioqc47
Thanks for the links but isn't the problem with the Kafka journal more than ES indexing really? And isn't lowering processors an issue considering the bottleneck? On Tuesday, 27 September 2016 10:20:47 UTC-4, Jochen Schalanda wrote: > > Hi, > > see >

[graylog2] Re: Processing of stream failed to return within 2000ms.

2016-09-27 Thread julioqc47
Hello Jochen, Ok I see what you are saying and I guess even if the stream processing is rather faster, having an average spike of 1000msg/sec is a huge load and will cause backlog. Inbound: 15 minute avg: 1,003.21 events/second. Outbound: 15 minute avg: 687.23 events/second. ProcessTime: Mean: 8,585μs

[graylog2] "Did not find meta info of this node. Re-registering." on single server setup

2016-09-26 Thread julioqc47
Hello, My logs are filled with those since upgrading from 2.0.3 to 2.1.1 OVA setup. 2016-09-26 10:08:52,636 WARN : org.graylog2.periodical.NodePingThread - Did not find meta info of this node. Re-registering. 2016-09-26 10:10:45,387 WARN : org.graylog2.periodical.NodePingThread - Did not find

[graylog2] Processing of stream failed to return within 2000ms.

2016-09-26 Thread julioqc47
Hello, So recently I've been getting those errors followed obviously by a disabling of the stream in question. I wouldn't however expect this to happen since the rules are rather simple (for WinEvents collected by sidecar): - *EventID* must match exactly *4656* - *SubjectUserName*

[graylog2] Re: Graylog not writing to elasticsearch after out of disk space, ES green but...

2016-08-26 Thread julioqc47
This is what I figured out to have it back on track: graylog-ctl stop rm -r /var/opt/graylog/data/journal/* graylog-ctl start Then cycle deflector (very important) and you should have it back on track. Unfortunately, you will lose all the journal messages. I tried deleting only parts of the

[graylog2] Re: CSV to field converter using whitespace delimiter

2016-08-24 Thread julioqc47
Oh I agree and have switched to Grok since I posted the original message. Yes those are IIS :) However, Grok patterns take much more time to configure where CSV literally takes 20 sec to set up. I'm just getting lazy I suppose haha Anyhow, CSV seems problematic for certain delimiters and

[graylog2] Re: No backlog for windows events logs?

2016-08-23 Thread julioqc47
Forgot to set in the trigger setting the number of backlog to include... my bad! On Wednesday, August 17, 2016 at 9:38:20 AM UTC-4, juli...@gmail.com wrote: > > Hi, > > So I have this stream to alert on specific event ID received. I do receive > the emails but it always shows instead of the

[graylog2] Re: Speed up the Web Interface

2016-08-17 Thread julioqc47
I had this issue at first and by adding RAM to the setup, the web interface started to react much faster. On Wednesday, August 17, 2016 at 8:55:46 AM UTC-4, Philipp J. wrote: > > Hello, > > is there a possibility to speed up the Web Interface? It reacts very slowly > but everything else

[graylog2] No backlog for windows events logs?

2016-08-17 Thread julioqc47
Hi, So I have this stream to alert on specific event ID received. I do receive the emails but it always shows instead of the last events. Example received email: ## > > Alert Description: Stream had 517 messages in the last 120 minutes with > trigger condition more than 3 messages.

[graylog2] Re: ERROR: org.glassfish.jersey.server.ServerRuntime$Responder - An I/O error has occurred while writing a response message entity to the container output stream.

2016-08-17 Thread julioqc47
Alright, if you say so! Thanks On Wednesday, August 17, 2016 at 6:29:43 AM UTC-4, Jochen Schalanda wrote: > > Hi Julio, > > some HTTP client cut off the connection to the Graylog REST API before the > complete response could be sent. Nothing to worry about. > > Cheers, > Jochen > > On Tuesday,

[graylog2] ERROR: org.glassfish.jersey.server.ServerRuntime$Responder - An I/O error has occurred while writing a response message entity to the container output stream.

2016-08-16 Thread julioqc47
So what is this and what caused this?? My guess is something to do with gunzip 2016-08-16 16:18:38,605 ERROR: org.glassfish.jersey.server.ServerRuntime$Responder - An I/O error has occurred while writing a response message entity to the container output stream.

[graylog2] CSV to field converter using whitespace delimiter

2016-08-16 Thread julioqc47
Hi, So it seems the CSV to field converter doesn't work with whitespace delimiters? Sample log: 2016-08-16 15:14:20 192.168.20.100 POST /Clients - 80 DOMAIN\user 192.168.30.171 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/52.0.2743.116+Safari/537.36

[graylog2] Re: /var/log/graylog/graylog.log

2016-08-10 Thread julioqc47
Alright that's pretty clear :) The doc could use some clarification about all of this structure but overall it was fairly simple to configure once you know what configures what! Thank you all for the assistance On Wednesday, August 10, 2016 at 2:56:58 PM UTC-4, Jochen Schalanda wrote: > > Hi

[graylog2] Re: /var/log/graylog/graylog.log

2016-08-10 Thread julioqc47
Ok yes I found the logging.yml and the config matches with the output. I'm getting confused now... So what is the point of the log4j2.xml file then if logs are configured with svlogd (on the OVA image at least)? What log does it create? From what I read here

[graylog2] Re: /var/log/graylog/graylog.log

2016-08-10 Thread julioqc47
Ok ty! I guess log4j2.xml is for that log file settings and svlogd.conf is for other internal logs. On Wednesday, August 10, 2016 at 6:25:40 AM UTC-4, Jochen Schalanda wrote: > > Hi Julio, > > the file you've mentioned is being generated by Elasticsearch and can be > configured in its logging

[graylog2] /var/log/graylog/graylog.log

2016-08-09 Thread julioqc47
Hello, Can someone tell me how to configure this internal log file? (/var/log/graylog/elasticsearch/graylog.log) All the "current" logs (/var/log/graylog/*/current) I configure with svlogd settings. That graylog.log can get inflated real bad in case of problems so I want to tweak it better. So

[graylog2] Re: Graylog not writing to elasticsearch after out of disk space, ES green but...

2016-08-04 Thread julioqc47
Ok so what are those commands?? Can you provide a link or something? Googling what you mention isn't very explicit and results aren't helpful. Thx On Tuesday, 5 April 2016 04:02:08 UTC-4, Jochen Schalanda wrote: > > Hi, > > it looks like your journal is corrupted. You can either try to recover

[graylog2] Re: IF ELSE replace for Extractors

2016-07-21 Thread julioqc47
Ok thank you for the info! Made multiple replace with regex extractors for now. Works well but kinda tedious to do. Will likely make a content pack to save others the trouble ;) On Thursday, 21 July 2016 18:12:40 UTC-4, Jochen Schalanda wrote: > > Hi Julio, > > you'll have to create multiple

[graylog2] Re: IF ELSE replace for Extractors

2016-07-21 Thread julioqc47
Did come out with this:

rule "Add ID Meaning"
when
  has_field("ID") && contains(to_string($message.ID), "11")
then
  set_field("ID_Description", "A lease was renewed by a client.");
end

Can I have multiple when/then clauses in the same rule?

[graylog2] Re: IF ELSE replace for Extractors

2016-07-21 Thread julioqc47
That sounds interesting but for the moment, can I read and write from and to a message field? On Thursday, 21 July 2016 11:43:30 UTC-4, Jochen Schalanda wrote: > > Hi Julio, > > currently that's not easily possible but we plan to introduce functions > for lookups in dictionaries or external

[graylog2] IF ELSE replace for Extractors

2016-07-21 Thread julioqc47
I'm trying to parse a field for my DHCP logs and I'm wondering if I can make an extractor which will do some sort of if else statement to fill a new field with a value depending on the content of another field. 00 The log was started. 01 The log was stopped. 02 The log was temporarily paused

[graylog2] Dashboard widget cannot be dragged

2016-06-29 Thread julioqc47
Hello, I can't seem to be able to drag widgets on any dashboard I made (in edit/unlock mode). I can edit or delete them fine but no option or cursor to drag them. Am I missing something? Or is it still in development? Replicated using latest Chrome and IE on both a lab and production Graylog