[graylog2] I want to use kibana with graylog2

2016-05-12 Thread Rock Chakraborty

Is it possible to use Kibana with Graylog2?

If yes, then which version do I need to choose for Kibana and Graylog2?

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/b682881d-00f6-4321-b65f-50d51ce132a6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Re: Unable to start graylog web interface

2016-05-12 Thread Vegesna Narasimha Raju
 

root@raju-test-ES:~# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1048/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1180/master
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      11565/mongod
tcp6       0      0 :::22                   :::*                    LISTEN      1048/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1180/master
tcp6       0      0 127.0.0.1:12900         :::*                    LISTEN      12656/java
tcp6       0      0 127.0.0.1:9350          :::*                    LISTEN      12656/java
tcp6       0      0 ::1:9350                :::*                    LISTEN      12656/java
tcp6       0      0 127.0.0.1:9000          :::*                    LISTEN      12656/java
tcp6       0      0 :::9200                 :::*                    LISTEN      11486/java
tcp6       0      0 :::9300                 :::*                    LISTEN      11486/java

On Friday, May 13, 2016 at 10:11:13 AM UTC+5:30, Vegesna Narasimha Raju 
wrote:
>
> Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
> Play server process ID is 23707
> [debug] application - Loading timeout value into cache from configuration for key DEFAULT: Not configured, falling back to default.
> [debug] application - Loading timeout value into cache from configuration for key node_refresh: Not configured, falling back to default.
> [info] play - Application started (Prod)
> Oops, cannot start the server.
> org.jboss.netty.channel.ChannelException: Failed to bind to: /0.0.0.0:9000
>     at org.jboss.netty.bootstrap.ServerBootstrap.bind(ServerBootstrap.java:272)
>     at play.core.server.NettyServer$$anonfun$10.apply(NettyServer.scala:134)
>     at play.core.server.NettyServer$$anonfun$10.apply(NettyServer.scala:131)
>     at scala.Option.map(Option.scala:145)
>     at play.core.server.NettyServer.(NettyServer.scala:131)
>     at play.core.server.NettyServer$.createServer(NettyServer.scala:242)
>     at play.core.server.NettyServer$$anonfun$main$3.apply(NettyServer.scala:279)
>     at play.core.server.NettyServer$$anonfun$main$3.apply(NettyServer.scala:274)
>     at scala.Option.map(Option.scala:145)
>     at play.core.server.NettyServer$.main(NettyServer.scala:274)
>     at play.core.server.NettyServer.main(NettyServer.scala)
> Caused by: java.net.BindException: Address already in use
>     at sun.nio.ch.Net.bind0(Native Method)
>     at sun.nio.ch.Net.bind(Net.java:433)
>     at sun.nio.ch.Net.bind(Net.java:425)
>     at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:223)
>     at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
>     at org.jboss.netty.channel.socket.nio.NioServerBoss$RegisterTask.run(NioServerBoss.java:193)
>     at org.jboss.netty.channel.socket.nio.AbstractNioSelector.processTaskQueue(AbstractNioSelector.java:366)
>     at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:290)
>     at org.jboss.netty.channel.socket.nio.NioServerBoss.run(NioServerBoss.java:42)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)



[graylog2] Unable to start graylog web interface

2016-05-12 Thread Vegesna Narasimha Raju
 

Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
Play server process ID is 23707
[debug] application - Loading timeout value into cache from configuration for key DEFAULT: Not configured, falling back to default.
[debug] application - Loading timeout value into cache from configuration for key node_refresh: Not configured, falling back to default.
[info] play - Application started (Prod)
Oops, cannot start the server.
org.jboss.netty.channel.ChannelException: Failed to bind to: /0.0.0.0:9000
    at org.jboss.netty.bootstrap.ServerBootstrap.bind(ServerBootstrap.java:272)
    at play.core.server.NettyServer$$anonfun$10.apply(NettyServer.scala:134)
    at play.core.server.NettyServer$$anonfun$10.apply(NettyServer.scala:131)
    at scala.Option.map(Option.scala:145)
    at play.core.server.NettyServer.(NettyServer.scala:131)
    at play.core.server.NettyServer$.createServer(NettyServer.scala:242)
    at play.core.server.NettyServer$$anonfun$main$3.apply(NettyServer.scala:279)
    at play.core.server.NettyServer$$anonfun$main$3.apply(NettyServer.scala:274)
    at scala.Option.map(Option.scala:145)
    at play.core.server.NettyServer$.main(NettyServer.scala:274)
    at play.core.server.NettyServer.main(NettyServer.scala)
Caused by: java.net.BindException: Address already in use
    at sun.nio.ch.Net.bind0(Native Method)
    at sun.nio.ch.Net.bind(Net.java:433)
    at sun.nio.ch.Net.bind(Net.java:425)
    at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:223)
    at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
    at org.jboss.netty.channel.socket.nio.NioServerBoss$RegisterTask.run(NioServerBoss.java:193)
    at org.jboss.netty.channel.socket.nio.AbstractNioSelector.processTaskQueue(AbstractNioSelector.java:366)
    at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:290)
    at org.jboss.netty.channel.socket.nio.NioServerBoss.run(NioServerBoss.java:42)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)



[graylog2] Re: Graylog nodes unable to communicate with each other

2016-05-12 Thread Mark Moorcroft

I now have both servers using the same mongo, and as far as I can tell 
everything works. But I'm back to the same problem with an admin logged 
into the slave having the ability to accidentally or intentionally delete 
indices.  The reader account is pretty much useless. I realize it's 
possible to create dashboards and streams to return some functionality. Up 
to now I had no reason or desire to do so. I have no reason to limit anyone 
from what they can search, and I want them to see the sources and stats. I 
would much prefer an account that looks almost identical to admin, but 
prevents one from changing various inputs/settings or deleting indices. I 
think we need a third superuser account type. I have seen similar feedback 
from others here.

What to do?


On Thursday, May 12, 2016 at 3:50:28 PM UTC-7, Mark Moorcroft wrote:
>
>
> I'm having a similar issue. I have things to a point where neither 
> instance sees more than one "node". Both are seeing the elasticsearch 
> indices (one local, one not). The master node seems mostly operational. I 
> set up a "slave" node for only one reason. The Graylog user levels made it 
> necessary to add another instance so users have full search capability but 
> no way to delete an index by mistake. It appears things have changed and 
> that strategy won't work anymore. The only step you mention that I haven't 
> done is clone the mongo. Right now my slave instance sees the indices, but 
> none of the searches ever load, and I see errors that no master is 
> selected, along with can't retrieve retention or rotation config. I presume 
> I'm reaching elasticsearch, but not the master graylog? I see no connection 
> errors in either mongo log.
>



[graylog2] Re: Graylog nodes unable to communicate with each other

2016-05-12 Thread Mark Moorcroft

I'm having a similar issue. I have things to a point where neither instance 
sees more than one "node". Both are seeing the elasticsearch indices (one 
local, one not). The master node seems mostly operational. I set up a 
"slave" node for only one reason. The Graylog user levels made it necessary 
to add another instance so users have full search capability but no way to 
delete an index by mistake. It appears things have changed and that 
strategy won't work anymore. The only step you mention that I haven't done 
is clone the mongo. Right now my slave instance sees the indices, but none 
of the searches ever load, and I see errors that no master is selected, 
along with can't retrieve retention or rotation config. I presume I'm 
reaching elasticsearch, but not the master graylog? I see no connection 
errors in either mongo log.

On Wednesday, May 11, 2016 at 12:32:27 AM UTC-7, Jochen Schalanda wrote:
>
> Hi Ross,
>
> make sure that elasticsearch_network_host (see 
> https://github.com/Graylog2/graylog2-server/blob/2.0.0/misc/graylog.conf#L187-L194 
> and http://docs.graylog.org/en/2.0/pages/upgrade.html#default-network-host) 
> is set to an IP address (or host name) which the other Elasticsearch and 
> Graylog nodes can access.
>
> Additionally make sure that the two Graylog nodes are using the same 
> MongoDB database and the same password_secret (see 
> https://github.com/Graylog2/graylog2-server/blob/2.0.0/misc/graylog.conf#L9-L11).
>
> Cheers,
> Jochen

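A way to check the points raised in this thread across the graylog.conf of every node: the shared MongoDB database and password_secret Jochen names, a reachable (non-loopback) elasticsearch_network_host, and exactly one is_master=true node, which is what the "no master is selected" error points at. This is an added example, not Graylog's code; the two configs and their secrets are constructed, and mongodb_uri and rest_transport_uri are assumed to be the keys naming the database and the node's advertised REST address.

```python
"""Cross-check the graylog.conf of several nodes for the mismatches that stop
them from forming one cluster. Constructed example, not Graylog's own code."""
import ipaddress
from typing import Dict, List

# Keys that must be identical on every node of one cluster: the reply above
# names the MongoDB database and password_secret; mongodb_uri is assumed to be
# the key that names the database.
SHARED_KEYS = ("password_secret", "mongodb_uri", "elasticsearch_cluster_name")
# Keys that must name an address the other nodes can reach; a loopback or
# empty value leaves this node invisible to its peers.
REACHABLE_KEYS = ("elasticsearch_network_host", "rest_transport_uri")


def parse_graylog_conf(text: str) -> Dict[str, str]:
    """Parse the 'key = value' format of graylog.conf; '#' starts a comment."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_loopback(value: str) -> bool:
    """True if a host, host:port or URI points only at the local machine."""
    host = value.split("://", 1)[-1].split("/", 1)[0]
    if host.startswith("["):                 # [::1]:9000
        host = host[1:host.index("]")]
    elif host.count(":") == 1:               # host:port (IPv4 or a name)
        host = host.rsplit(":", 1)[0]
    if host in ("", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                       # a host name: assume reachable
        return False


def check_cluster(nodes: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings for {node_name: parsed_conf}; secret values are never echoed."""
    findings: List[str] = []
    for key in SHARED_KEYS:
        if len({conf.get(key, "") for conf in nodes.values()}) > 1:
            findings.append(f"{key} differs between nodes {', '.join(sorted(nodes))}")
    masters = [n for n, c in nodes.items() if c.get("is_master", "").lower() == "true"]
    if len(masters) != 1:
        findings.append(f"expected exactly one is_master=true node, found {masters}")
    for name, conf in nodes.items():
        for key in REACHABLE_KEYS:
            value = conf.get(key, "")
            if not value:
                findings.append(f"{name}: {key} is not set")
            elif is_loopback(value):
                findings.append(f"{name}: {key}={value} is loopback; peers cannot reach it")
    return findings


# Constructed configs for two nodes (placeholder secrets, documentation IPs).
NODE_CONFS = {
    "gray00": """
is_master = true
password_secret = EXAMPLE_SECRET_SHARED_BY_ALL_NODES
mongodb_uri = mongodb://gray00.example.com:27017/graylog
elasticsearch_cluster_name = graylog
rest_listen_uri = http://192.0.2.10:12900/
rest_transport_uri = http://192.0.2.10:12900/
elasticsearch_network_host = gray00.example.com
""",
    "gray01": """
is_master = true
password_secret = EXAMPLE_SECRET_TYPED_DIFFERENTLY
mongodb_uri = mongodb://gray00.example.com:27017/graylog
elasticsearch_cluster_name = graylog
rest_listen_uri = http://127.0.0.1:12900/
rest_transport_uri = http://127.0.0.1:12900/
elasticsearch_network_host =
""",
}


def audit(confs: Dict[str, str] = NODE_CONFS) -> List[str]:
    """Parse every node's file and run the cluster checks."""
    return check_cluster({name: parse_graylog_conf(text) for name, text in confs.items()})


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```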


[graylog2] Graylog Web - Unable to Add Nodes

2016-05-12 Thread bbrazell
I just set up my first Graylog server.  After getting the config files right 
(or what I think is right) I'm able to log into the web interface.  The 
problem is that when I select System/Nodes -> Nodes, I get this error:

(You caused a org.graylog2.restclient.lib.APIException. API call failed GET 
http://@127.0.0.1:12900/system/radios returned 404 Not Found body: 
{"type":"ApiError","message":"HTTP 404 Not Found"})

I am starting the Graylog web interface on port 8443.  All other ports are 
default.  I verified that the Graylog REST API is responding by issuing 
this command:

curl -v -u admin:password http://localhost:12900/users

It knows how to find the /users directory.  It also finds the /system 
directory.  I get a 404 when it tries to load /system/radios every time.

Does anyone know what's wrong and how to get it working?  I've Googled the 
problem to death.

Thanks!

Bill



[graylog2] 'did not find meta info for this node' error, but not timesync related?

2016-05-12 Thread Jeff McCombs


Hi gang,


  I'm running into a strange problem where my graylog nodes are complaining 
about not being able to find their meta info:


2016-05-12T11:50:09.691-07:00 WARN  [NodePingThread] Did not find meta info of this node. Re-registering.
2016-05-12T11:50:12.878-07:00 WARN  [NodePingThread] Did not find meta info of this node. Re-registering.
2016-05-12T11:50:13.417-07:00 WARN  [ProxiedResource] Node <00ac0ad1-b96f-46c0-a2bc-bc9e7a90777f> not found while trying to call org.graylog2.shared.rest.resources.system.RemoteMetricsResource on it.
2016-05-12T11:50:15.808-07:00 WARN  [NodePingThread] Did not find meta info of this node. Re-registering.
2016-05-12T11:50:19.175-07:00 WARN  [NodePingThread] Did not find meta info of this node. Re-registering.
2016-05-12T11:50:24.767-07:00 WARN  [NodePingThread] Did not find meta info of this node. Re-registering.
2016-05-12T11:50:28.020-07:00 WARN  [NodePingThread] Did not find meta info of this node. Re-registering.
2016-05-12T11:50:37.849-07:00 WARN  [NodePingThread] Did not find meta info of this node. Re-registering.
2016-05-12T11:50:40.978-07:00 WARN  [NodePingThread] Did not find meta info of this node. Re-registering.
2016-05-12T11:50:41.904-07:00 WARN  [ProxiedResource] Node <00ac0ad1-b96f-46c0-a2bc-bc9e7a90777f> not found while trying to call org.graylog2.shared.rest.resources.system.RemoteMetricsResource on it.
2016-05-12T11:50:47.400-07:00 WARN  [NodePingThread] Did not find meta info of this node. Re-registering.
2016-05-12T11:50:50.670-07:00 WARN  [NodePingThread] Did not find meta info of this node. Re-registering.


In addition to the log entries above, I see occasional timeouts and errors 
in the web UI about master nodes no longer being available, or the web UI 
just disappears for a few seconds and comes back. I've also seen nodes 
drop in/out of the web UI. I'm assuming these are related.


Doing some basic Google searches on this, the only thing I've seen on the 
log entries is that the time for the nodes may be out of sync. I've 
checked this and that's not the case here. All three nodes are running NTP 
and chiming off the local NTP server on the network:


[root@gray00 /data]# ntpdate -q ntp0
server 10.201.136.38, stratum 3, offset -0.000653, delay 0.02576
12 May 12:29:33 ntpdate[317]: adjust time server 10.201.136.38 offset -0.000653 sec
[root@gray00 /data]# date
Thu May 12 12:30:31 PDT 2016

[root@gray01 graylog]# ntpdate -q ntp0
server 10.201.136.38, stratum 3, offset -0.000568, delay 0.02576
12 May 12:29:22 ntpdate[31508]: adjust time server 10.201.136.38 offset -0.000568 sec
[root@gray01 graylog]# date
Thu May 12 12:30:31 PDT 2016

[root@gray02 /data]# ntpdate -q ntp0
server 10.201.136.38, stratum 3, offset -0.55, delay 0.02580
12 May 12:29:21 ntpdate[535]: adjust time server 10.201.136.38 offset -0.55 sec
[root@gray02 /data]# date
Thu May 12 12:30:32 PDT 2016


So what am I doing wrong here? Is there some additional troubleshooting I 
can perform to try and pinpoint the issue? Strangely, everything is fine for 
about 5-10 minutes after I restart the graylog instances, then these log 
entries start popping back up.


Here's some deets on how I have things configured:


3x nodes - RHEL6 x64 (gray00, gray01, gray02). Installation via the repos 
for mongo, elasticsearch, and graylog.

All three nodes run:
   elasticsearch
   mongo
   graylog

In front is an F5 LTM; the Virtual IP on the F5 is known as "graylog". 
Service ports: 9000 and 12900. Sticky sessions enabled on both.


Configuration data for graylog below. All nodes have the same core config 
except for "is_master=false" and IP address changes:

is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = WQBdx6xgWTTykN9LHJhEGxfiSJbeYdaZhHhKEwbvAKQEWkVrl8lgTLvDDkfUtwhe7jgdFDFCBqpmVvY4aea1GyrbQ791UOCv
root_password_sha2 = e3ed009797ada49a3fd38a04069b13d5a7f62001a153ed4d9a3da22fa7a75c7b
plugin_dir = /usr/share/graylog-server/plugin
rest_listen_uri = http://10.201.137.208:12900/
rest_transport_uri = http://graylog.somewhere.com:12900/
rest_enable_gzip = true
web_listen_uri = http://10.201.137.208:9000/
web_enable_gzip = true
rotation_strategy = count
elasticsearch_max_docs_per_index = 2000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 1
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_cluster_name = graylog
elasticsearch_node_name_prefix = graylog-
elasticsearch_discovery_zen_ping_unicast_hosts = gray00.somewhere.com:9300, gray01.somewhere.com:9300, gray02.somewhere.com:9300, gray00.somewhere.com:9350, gray01.somewhere.com:9350, gray02.somewhere.com:9350
elasticsearch_transport_tcp_port = 9350
elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_network_host = gray00.somewhere.com
elasticsearch_network_bind_host = 

[graylog2] graylog_alert timestamp mismatch and alert failure

2016-05-12 Thread chromesysnc

*2016-05-12 14:19:48.000* 
May 12 15:19:48 localhost sshd[25142]: pam_unix(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.4.10 user=root
*2016-05-12 14:03:12.000* 
May 12 15:03:12 localhost sshd[24470]: pam_unix(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.4.10 user=root
*2016-05-12 14:03:03.000* 
May 12 15:03:03 localhost sshd[24468]: pam_unix(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.4.10 user=root
*2016-05-12 13:55:46.000* 
May 12 14:55:46 localhost sshd[1737]: pam_unix(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.4.10 user=root


Here are my current configuration timings:

Time configuration

Dealing with timezones can be confusing. Here you can see the timezone 
applied to different components of your system. You can check timezone 
settings of specific graylog-server nodes on their respective detail page. 
User admin: 2016-05-12 15:30:22.375 +00:00
Your web browser: 2016-05-12 15:30:22.830 +00:00
Web interface default JDK/JRE: 2016-05-12 15:30:22.375 +00:00
Web interface configuration: 2016-05-12 15:30:22.375 +00:00
Graylog master server: 2016-05-12 15:30:22.375 +00:00


Time difference is about 2 hours; I don't know what is happening here.


The alert condition that I am running is the Field content value condition: 
"Alert is triggered when messages matching  are 
received. Grace period: 0 minutes. Including last message in alert 
notification."


If the alert condition is set to the Message count condition 
("Alert is triggered when there is more than 1 message in the last 120 
minutes. Grace period: 0 minutes. Including last message in alert 
notification."), it will work, but I get 10-12 emails of the same alert.


Can anyone help me with this?

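One way to tell a timezone mismatch from ordinary ingest lag is to compare, per message, the timestamp Graylog stored with the timestamp embedded in the syslog line itself: a constant whole-hour offset on every message is a zone problem, a varying one is delay. This is an added example, not code from the post; the four stored/raw pairs are the ones quoted above, and the year is supplied by the caller because classic syslog lines omit it.

```python
"""Compare the timestamp Graylog stored for a message with the timestamp inside
the syslog line itself, to tell a timezone mismatch from ordinary ingest lag.
Constructed example, not Graylog code."""
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Stored-timestamp / raw-message pairs as the web interface shows them; these
# are the four quoted in the post above.
SAMPLE = """\
*2016-05-12 14:19:48.000*
May 12 15:19:48 localhost sshd[25142]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.4.10 user=root
*2016-05-12 14:03:12.000*
May 12 15:03:12 localhost sshd[24470]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.4.10 user=root
*2016-05-12 14:03:03.000*
May 12 15:03:03 localhost sshd[24468]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.4.10 user=root
*2016-05-12 13:55:46.000*
May 12 14:55:46 localhost sshd[1737]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.4.10 user=root
"""

GRAYLOG_TS = re.compile(r"^\*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d{3}\*\s*$")
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")


def parse_pairs(text: str, year: int) -> List[Tuple[datetime, datetime]]:
    """Return (stored, embedded) datetime pairs. Classic syslog lines carry no
    year, so the caller supplies it."""
    pairs: List[Tuple[datetime, datetime]] = []
    pending: Optional[datetime] = None
    for line in text.splitlines():
        m = GRAYLOG_TS.match(line)
        if m:
            pending = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            continue
        m = SYSLOG_TS.match(line)
        if m and pending is not None:
            stamp = f"{year} {m.group(1)} {m.group(2)} {m.group(3)}"
            pairs.append((pending, datetime.strptime(stamp, "%Y %b %d %H:%M:%S")))
            pending = None
    return pairs


def diagnose(pairs: List[Tuple[datetime, datetime]]) -> str:
    """Classify the stored-vs-embedded difference: a constant whole-hour offset
    on every message is a timezone mismatch between sender/input and Graylog,
    a constant odd offset is an unsynchronised sender clock, and varying
    offsets are delivery delay."""
    offsets = sorted({embedded - stored for stored, embedded in pairs})
    if not offsets:
        return "no timestamp pairs found"
    if len(offsets) > 1:
        return f"offsets vary by up to {offsets[-1] - offsets[0]}: delivery delay or drifting clocks"
    seconds = offsets[0].total_seconds()
    if seconds == 0:
        return "stored and embedded timestamps agree"
    if seconds % 3600 == 0:
        return f"constant {seconds / 3600:+.0f}h offset: timezone mismatch between sender and Graylog"
    return f"constant {offsets[0]} offset: sender clock not synchronised"


if __name__ == "__main__":
    print(diagnose(parse_pairs(SAMPLE, 2016)))
```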


[graylog2] [Graylog2.0] experiencing

2016-05-12 Thread kaiser
Hello,

I have installed Graylog 2.0 on CentOS 6.

I have access to the web interface.

Nevertheless I have the following issue:

1) When making a search, I get a prompt telling me "...service 
unavailable, we are experiencing problem connecting to http://10.X.X.X:12900"


 curl -XGET 'http://10.X.X.X:12900/'
returns: {"type":"ApiError","message":"HTTP 404 Not Found"}


Thank you for your help!



Re: [graylog2] [Graylog 2.0] Web interface

2016-05-12 Thread kaiser
Hi Jochen,

I managed to access graylog web interface.

Nevertheless I get the Graylog interface with empty inputs, empty streams 
and an empty dashboard.

I have followed the instructions on elasticsearch website and the graylog 
documentation ...



[graylog2] Trying to upgrade Graylog from 1.3 to 2.0 facing issues

2016-05-12 Thread Utkarsh Sharma
Hi team,

I am trying to upgrade Graylog from version 1.3 to 2.0 
but am facing some issues. Please help me with this.

ERROR:

[2016-05-12T01:16:48-07:00] FATAL: Can not reach master server, make sure 127.0.0.1 is reachable and 'etcd' service is running properly.

  Recipe Compile Error in /opt/graylog/embedded/cookbooks/graylog/recipes/default.rb

  SystemExit
  --
  exit

  Cookbook Trace:
  ---
  /opt/graylog/embedded/cookbooks/graylog/libraries/graylog.rb:165:in `rescue in generate_settings'
  /opt/graylog/embedded/cookbooks/graylog/libraries/graylog.rb:160:in `generate_settings'
  /opt/graylog/embedded/cookbooks/graylog/libraries/graylog.rb:224:in `generate_config'
  /opt/graylog/embedded/cookbooks/graylog/recipes/default.rb:13:in `from_file'

  Relevant File Content:
  --
  /opt/graylog/embedded/cookbooks/graylog/libraries/graylog.rb:

  158:  if Graylog['current_address'] != Graylog['last_address']
  159:    Chef::Log.warn("IP change detected!")
  160:    begin
  161:      client = Etcd.client(host: Graylog['master_node'], port: 4001)
  162:      client.delete("/servers/#{Graylog['last_address']}") if client.exists?("/servers/#{Graylog['last_address']}")
  163:      client.delete("/elasticsearch/#{Graylog['last_address']}") if client.exists?("/elasticsearch/#{Graylog['last_address']}")
  164:    rescue Exception => e
  165>>     Chef::Application.fatal!("Can not reach master server, make sure #{Graylog['master_node']} is reachable and 'etcd' service is running properly.")
  166:    end
  167:    Graylog['last_address'] = Graylog['current_address']
  168:  end
  169:
  170:  if File.directory?("/etc/graylog")
  171:    File.open("/etc/graylog/graylog-settings.json", "w") do |f|
  172:      f.puts(
  173:        Chef::JSONCompat.to_json_pretty({
  174:          'timezone' => Graylog['timezone'],

  Running handlers:
[2016-05-12T01:16:48-07:00] ERROR: Running exception handlers
  Running handlers complete
[2016-05-12T01:16:48-07:00] ERROR: Exception handlers complete
  Chef Client failed. 0 resources updated in 00 seconds
[2016-05-12T01:16:48-07:00] FATAL: Stacktrace dumped to /opt/graylog/embedded/cookbooks/cache/chef-stacktrace.out
[2016-05-12T01:16:48-07:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-05-12T01:16:48-07:00] ERROR: exit
[2016-05-12T01:16:48-07:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)


Thanks in advance





[graylog2] Re: Unable to Upgrade Graylog from 1.3 to 2.0 Lauched from Readymade AMI

2016-05-12 Thread Utkarsh Sharma
 

Hi Jochen,


I have gone through the doc but am getting this error:

[2016-05-12T01:16:48-07:00] FATAL: Can not reach master server, make sure 127.0.0.1 is reachable and 'etcd' service is running properly.

  Recipe Compile Error in /opt/graylog/embedded/cookbooks/graylog/recipes/default.rb

  SystemExit
  --
  exit

  Cookbook Trace:
  ---
  /opt/graylog/embedded/cookbooks/graylog/libraries/graylog.rb:165:in `rescue in generate_settings'
  /opt/graylog/embedded/cookbooks/graylog/libraries/graylog.rb:160:in `generate_settings'
  /opt/graylog/embedded/cookbooks/graylog/libraries/graylog.rb:224:in `generate_config'
  /opt/graylog/embedded/cookbooks/graylog/recipes/default.rb:13:in `from_file'

  Relevant File Content:
  --
  /opt/graylog/embedded/cookbooks/graylog/libraries/graylog.rb:

  158:  if Graylog['current_address'] != Graylog['last_address']
  159:    Chef::Log.warn("IP change detected!")
  160:    begin
  161:      client = Etcd.client(host: Graylog['master_node'], port: 4001)
  162:      client.delete("/servers/#{Graylog['last_address']}") if client.exists?("/servers/#{Graylog['last_address']}")
  163:      client.delete("/elasticsearch/#{Graylog['last_address']}") if client.exists?("/elasticsearch/#{Graylog['last_address']}")
  164:    rescue Exception => e
  165>>     Chef::Application.fatal!("Can not reach master server, make sure #{Graylog['master_node']} is reachable and 'etcd' service is running properly.")
  166:    end
  167:    Graylog['last_address'] = Graylog['current_address']
  168:  end
  169:
  170:  if File.directory?("/etc/graylog")
  171:    File.open("/etc/graylog/graylog-settings.json", "w") do |f|
  172:      f.puts(
  173:        Chef::JSONCompat.to_json_pretty({
  174:          'timezone' => Graylog['timezone'],

  Running handlers:
[2016-05-12T01:16:48-07:00] ERROR: Running exception handlers
  Running handlers complete
[2016-05-12T01:16:48-07:00] ERROR: Exception handlers complete
  Chef Client failed. 0 resources updated in 00 seconds
[2016-05-12T01:16:48-07:00] FATAL: Stacktrace dumped to /opt/graylog/embedded/cookbooks/cache/chef-stacktrace.out
[2016-05-12T01:16:48-07:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-05-12T01:16:48-07:00] ERROR: exit
[2016-05-12T01:16:48-07:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

On Tuesday, May 10, 2016 at 4:55:16 PM UTC+5:30, Utkarsh Sharma wrote:
>
> Hi Team,
>
> We have set up Graylog 1.3 using the readymade AWS EC2 AMI. Now we are planning 
> to upgrade that to 2.0, but unfortunately we are unable to upgrade it. Please 
> help us get it resolved.
>
> I have used the commands below to upgrade Graylog.
>
> wget https://packages.graylog2.org/releases/graylog-omnibus/ubuntu/graylog_latest.deb
> sudo graylog-ctl stop
> sudo dpkg -G -i graylog_latest.deb
> sudo graylog-ctl reconfigure
>
> Output:
>
> Reading database ... 91745 files and directories currently installed.)
> Preparing to unpack graylog_latest.deb ...
> This is not a drop-in replacement. Please consult the updating guide!
> dpkg: error processing archive graylog_latest.deb (--install):
>  subprocess new pre-installation script returned error exit status 1
> Graylog has been uninstalled!
> By installing this package, you accept the terms of the Oracle Binary Code 
> License Agreement for the Java SE Platform Products and JavaFX, which can be 
> found at http://www.oracle.com/technetwork/java/javase/terms/license/index.html
>
> Thank you for installing Graylog!
> The next step in the install process is to run:
>
> sudo graylog-ctl reconfigure
> Errors were encountered while processing:
>
> Thanks in advance,
>
> Regards,
> Utkarsh Sharma
> DevOps Engineer
> CloudCover Consultancy Pvt. Ltd.
> Phone: +91 91-68615342 | Skype: utkarshsharma021 |
> Email : utka...@cloudcover.in | www.cloudcover.in



[graylog2] Re: Amazon AWS CloudTrail plugin - error

2016-05-12 Thread Anant Sawant
Hi Everyone!!,

The plugin is still not reading the 

On Friday, 6 May 2016 16:32:38 UTC+5:30, Anant Sawant wrote:
>
> Hi Everyone!!,
>
> I went through the documentation for setting up the Cloudtrail plugin for 
> US-WEST-1, but I am getting the following error.
> I have done all the AWS settings/configuration as described at 
> "https://marketplace.graylog.org/addons/3f132fab-50f0-4c88-b63d-9ac99aa6c20e", 
> the only difference is I have set the Queue name to fluidcm-notifiaction 
> instead of cloudtrail-notification.
>
>
> 2016-04-16 21:11:25,899 ERROR: com.graylog2.input.cloudtrail.CloudTrailSubscriber - Could not read messages from SNS. This is most likely a misconfiguration of the plugin. Going into sleep loop and retrying.
> java.lang.RuntimeException: Could not parse SNS notification: hi
>     at com.graylog2.input.cloudtrail.notifications.CloudtrailSNSNotificationParser.parse(CloudtrailSNSNotificationParser.java:36)
>     at com.graylog2.input.cloudtrail.notifications.CloudtrailSQSClient.getNotifications(CloudtrailSQSClient.java:48)
>     at com.graylog2.input.cloudtrail.CloudTrailSubscriber.run(CloudTrailSubscriber.java:80)
> Caused by: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'hi': was expecting ('true', 'false' or 'null')
>  at [Source: hi; line: 1, column: 5]
>     at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1487)
>     at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:518)
>     at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._reportInvalidToken(ReaderBasedJsonParser.java:2299)
>     at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._handleOddValue(ReaderBasedJsonParser.java:1458)
>     at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:683)
>     at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3602)
>     at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3547)
>     at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2578)
>     at com.graylog2.input.cloudtrail.notifications.CloudtrailSNSNotificationParser.parse(CloudtrailSNSNotificationParser.java:24)
> ... 2 more
>
> I'm not that knowledgeable about AWS, but I can't see how it's not 
> working. It's dumping to the S3 bucket correctly within the AWS console. I 
> have given full access to the user.
> Can anyone please tell me what wrong I have done?
>



[graylog2] Re: Amazon AWS CloudTrail plugin - error

2016-05-12 Thread Anant Sawant
Hi Jochen,

The AWS plugin is not reading any logs, though it is reaching AWS 
CloudTrail successfully. I am sharing a sample payload and the 
configuration I have done in both Graylog and AWS. Please tell me if I 
have done anything wrong.

This is one of the values that message.body() from 
"CloudtrailSNSNotificationParser" is returning: 
{"s3Bucket":"fluidcmlogs","s3ObjectKey":["fluidcm/AWSLogs/924399563845/CloudTrail/us-west-1/2016/05/11/924399563845_CloudTrail_us-west-1_20160511T0715Z_FCFmYjMFmTZFthnu.json.gz"]}
 
This exists in AWS.

Following is the content I got after manually extracting the above-mentioned 
924399563845_CloudTrail_us-west-1_20160511T0715Z_FCFmYjMFmTZFthnu.json.gz:

{
  "Records": [
    {
      "eventVersion": "1.03",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAIZDWJD4XSD7OPQYUW",
        "arn": "arn:aws:iam::924399563845:user/nileshk",
        "accountId": "924399563845",
        "userName": "nileshk",
        "sessionContext": {
          "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2016-05-11T07:11:24Z"
          }
        },
        "invokedBy": "signin.amazonaws.com"
      },
      "eventTime": "2016-05-11T07:12:45Z",
      "eventSource": "s3.amazonaws.com",
      "eventName": "GetBucketVersioning",
      "awsRegion": "us-west-1",
      "sourceIPAddress": "14.140.226.238",
      "userAgent": "signin.amazonaws.com",
      "requestParameters": {"bucketName": "fluidcmlogs"},
      "responseElements": null,
      "requestID": "66745CC932793217",
      "eventID": "08f194cd-52c8-41eb-9619-beee1af30074",
      "eventType": "AwsApiCall",
      "recipientAccountId": "924399563845"
    },
    {
      "eventVersion": "1.03",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAIZDWJD4XSD7OPQYUW",
        "arn": "arn:aws:iam::924399563845:user/nileshk",
        "accountId": "924399563845",
        "userName": "nileshk",
        "sessionContext": {
          "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2016-05-11T07:11:24Z"
          }
        },
        "invokedBy": "signin.amazonaws.com"
      },
      "eventTime": "2016-05-11T07:12:46Z",
      "eventSource": "s3.amazonaws.com",
      "eventName": "GetBucketVersioning",
      "awsRegion": "us-west-1",
      "sourceIPAddress": "14.140.226.238",
      "userAgent": "signin.amazonaws.com",
      "requestParameters": {"bucketName": "fluidcmlogs"},
      "responseElements": null,
      "requestID": "E1360FC36112F5A8",
      "eventID": "cab707ed-f20b-40ea-ac3f-6e208fc6eb4a",
      "eventType": "AwsApiCall",
      "recipientAccountId": "924399563845"
    }
  ]
}

Settings/configuration at the AWS account (to do this I followed 
"https://marketplace.graylog.org/addons/3f132fab-50f0-4c88-b63d-9ac99aa6c20e").


Step 1: Enabling CloudTrail for an AWS region

Trail name:Fluidcm-CloudTrail
S3 bucket: fluidcmlogs 
Log file prefix: fluidcm
SNS notification for every log file delivery: Yes
SNS topic:cloudtrail-log-write

Step 2: Set up SQS for CloudTrail write notifications

Queue Name: fluidcm-notifications
Kept Default setting as it is..

Step 3: Created an AWS policy for the S3 bucket and SQS for a full-access user.

The region where your new queue will be created:US West (N. California)

Settings/configuration at Graylog:

Title: Aws CloudTrail
AWS Region: US_WEST_1
AWS access key: auto generated
SQS queue name: fluidcm-notifications
AWS secret key: auto generated

On Wednesday, 11 May 2016 11:32:07 UTC+5:30, Anant Sawant wrote:
>
> Hi Jochen,
>
> Thanks for the reply. The error has been resolved. The plugin is able to 
> connect to AWS and also get the message body as per the 
> "CloudtrailSNSNotificationParser" class from the plugin, but no logs are 
> visible in Graylog. I inserted my own logs to see if the plugin is reading 
> events from AWS or not, and found that it is receiving the message's body; 
> the "message.getBody()" method is returning the following:
>
>
> {"s3Bucket":"fluidcmlogs","s3ObjectKey":["fluidcm/AWSLogs/924399563845/CloudTrail/us-west-1/2016/05/10/924399563845_CloudTrail_us-west-1_20160510T1220Z_Dd8u8fCREYcu0Bd8.json.gz"]}
>
> {"s3Bucket":"fluidcmlogs","s3ObjectKey":["fluidcm/AWSLogs/924399563845/CloudTrail/us-west-1/2016/05/10/924399563845_CloudTrail_us-west-1_20160510T1750Z_ePOdk3E0lg1KL5vt.json.gz"]}
>
> {"s3Bucket":"fluidcmlogs","s3ObjectKey":["fluidcm/AWSLogs/924399563845/CloudTrail/ap-northeast-1/2016/05/06/924399563845_CloudTrail_ap-northeast-1_20160506T1010Z_LE3fKktT1wVK1vA5.json.gz"]}
>
> {"s3Bucket":"fluidcmlogs","s3ObjectKey":["fluidcm/AWSLogs/924399563845/CloudTrail/us-west-1/2016/05/10/924399563845_CloudTrail_us-west-1_20160510T1315Z_aKJCNFF9np7FC0Gg.json.gz"]}
>
> {"s3Bucket":"fluidcmlogs","s3ObjectKey":["fluidcm/AWSLogs/924399563845/CloudTrail/us-west-1/2016/05/10/924399563845_CloudTrail_us-west-1_20160510T2250Z_a2TsampYHKq5baC8.json.gz"]}
>
> {"s3Bucket":"fluidcmlogs","s3ObjectKey":["fluidcm/AWSLogs/924399563845/CloudTrail/ap-northeast-2/2016/05/06/924399563845_CloudTrail_ap-northeast-2_20160506T0935Z_g7rcYdIFmA4ymndh.json.gz"]}
>
> {"s3Bucket":"fluidcmlogs","s3ObjectKey":["fluidcm/AWSLogs/924399563845/CloudTrail/us-west-1/2016/05/06/924399563845_CloudTrail_us-west-1_20160506T1010Z_IzqYaYzIcsBdcOBu.json.gz"]}
>
> 
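The path the two posts above describe (CloudTrail writes a gzipped log file to S3, SNS publishes a delivery notice, SQS holds it, the input reads the body, fetches the object and turns each record into a message), written out as an added offline example in Python. It is not code from this thread or from the Graylog CloudTrail plugin. The sample notification and the gzipped log file are constructed inline from the values quoted in the posts, fetch_sample_object stands in for an S3 GetObject call (a real run would use boto3), SAMPLE_ENVELOPE assumes the SNS-to-SQS subscription has raw message delivery disabled (the default, in which case SQS receives the notice wrapped in an SNS envelope), and the "hi" body reproduces the non-JSON message from the earlier stack trace, which here is rejected and skipped instead of stalling the poll loop.

```python
import gzip
import json

# Constructed sample inputs, not data pulled from AWS: the SQS body shape the
# post shows, the same body inside the SNS envelope SQS gets when raw message
# delivery is off, and a CloudTrail log file gzipped in memory as the S3 object.
SAMPLE_BUCKET = "fluidcmlogs"
SAMPLE_KEY = ("fluidcm/AWSLogs/924399563845/CloudTrail/us-west-1/2016/05/11/"
              "924399563845_CloudTrail_us-west-1_20160511T0715Z_FCFmYjMFmTZFthnu.json.gz")
SAMPLE_NOTIFICATION = json.dumps({"s3Bucket": SAMPLE_BUCKET, "s3ObjectKey": [SAMPLE_KEY]})
SAMPLE_ENVELOPE = json.dumps({"Type": "Notification", "Message": SAMPLE_NOTIFICATION})


def _record(event_time, request_id, event_id):
    # One CloudTrail record with the fields present in the extracted file.
    return {
        "eventVersion": "1.03",
        "userIdentity": {
            "type": "IAMUser", "principalId": "AIDAIZDWJD4XSD7OPQYUW",
            "arn": "arn:aws:iam::924399563845:user/nileshk",
            "accountId": "924399563845", "userName": "nileshk",
            "sessionContext": {"attributes": {"mfaAuthenticated": "false",
                                              "creationDate": "2016-05-11T07:11:24Z"}},
            "invokedBy": "signin.amazonaws.com",
        },
        "eventTime": event_time, "eventSource": "s3.amazonaws.com",
        "eventName": "GetBucketVersioning", "awsRegion": "us-west-1",
        "sourceIPAddress": "14.140.226.238", "userAgent": "signin.amazonaws.com",
        "requestParameters": {"bucketName": "fluidcmlogs"}, "responseElements": None,
        "requestID": request_id, "eventID": event_id,
        "eventType": "AwsApiCall", "recipientAccountId": "924399563845",
    }


SAMPLE_OBJECTS = {(SAMPLE_BUCKET, SAMPLE_KEY): gzip.compress(json.dumps({"Records": [
    _record("2016-05-11T07:12:45Z", "66745CC932793217", "08f194cd-52c8-41eb-9619-beee1af30074"),
    _record("2016-05-11T07:12:46Z", "E1360FC36112F5A8", "cab707ed-f20b-40ea-ac3f-6e208fc6eb4a"),
]}).encode("utf-8"))}


def fetch_sample_object(bucket, key):
    """Stand-in for an S3 GetObject call (a real run would use boto3 here)."""
    return SAMPLE_OBJECTS[(bucket, key)]


def parse_notification(body):
    """Return (bucket, [keys]) from one SQS body; ValueError if it is not a
    CloudTrail delivery notice (the "Could not parse SNS notification: hi" case)."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise ValueError("body is not JSON: %r" % body[:40]) from exc
    # Unwrap the SNS envelope when the subscription does not use raw delivery.
    if isinstance(doc, dict) and doc.get("Type") == "Notification" and "Message" in doc:
        doc = json.loads(doc["Message"])
    if not isinstance(doc, dict) or "s3Bucket" not in doc or "s3ObjectKey" not in doc:
        raise ValueError("not a CloudTrail delivery notice: %r" % body[:40])
    keys = doc["s3ObjectKey"]
    return doc["s3Bucket"], [keys] if isinstance(keys, str) else list(keys)


def read_cloudtrail_object(blob):
    """Gunzip one CloudTrail log file and return its Records list."""
    return json.loads(gzip.decompress(blob).decode("utf-8"))["Records"]


def record_to_message(rec):
    """Flatten one record into the fields a SIEM search would key on."""
    ident = rec.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    return {
        "timestamp": rec.get("eventTime"),
        "event_source": rec.get("eventSource"),
        "event_name": rec.get("eventName"),
        "region": rec.get("awsRegion"),
        "user_arn": ident.get("arn"),
        "source_ip": rec.get("sourceIPAddress"),
        # CloudTrail writes this as the string "true"/"false", not a boolean.
        "mfa_authenticated": attrs.get("mfaAuthenticated") == "true",
        "event_id": rec.get("eventID"),
    }


def process_queue(bodies, fetch_object):
    """Drain a batch of SQS bodies; return (messages, rejected_bodies)."""
    messages, rejected = [], []
    for body in bodies:
        try:
            bucket, keys = parse_notification(body)
        except ValueError:
            rejected.append(body)   # skip the bad body, keep the loop alive
            continue
        for key in keys:
            for rec in read_cloudtrail_object(fetch_object(bucket, key)):
                messages.append(record_to_message(rec))
    return messages, rejected


if __name__ == "__main__":
    msgs, bad = process_queue([SAMPLE_NOTIFICATION, "hi"], fetch_sample_object)
    for m in msgs:
        print(m["timestamp"], m["event_name"], m["user_arn"], "mfa=%s" % m["mfa_authenticated"])
    print("rejected bodies:", bad)
```

Two things worth checking against a real queue with this skeleton: whether the bodies arriving in SQS are the bare {"s3Bucket":...} document or the SNS envelope (parse_notification accepts both, but a parser that expects only the bare form will reject every envelope), and that the credentials used for the fetch can actually GetObject on the listed key, since a notice that parses fine but points at an object the input cannot read produces exactly the "reaches AWS, shows no logs" symptom.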

[graylog2] Re: [Graylog multi node]

2016-05-12 Thread kaiser
Hi guys,

Could someone help me on this subject please?

regards.


On Monday, 9 May 2016 15:16:05 UTC+2, kaiser wrote:
>
> Hello,
>
> Are there any documents about how to install Graylog multi-node, 
> how to install a load balancer, what to replicate, 
> which log to put in which node, ...
>
> I have already read the official Graylog document but it's very light on this 
> subject.
>
> Regards. 
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/2a9bd68a-f8f1-4b98-ba18-ee981b23da8d%40googlegroups.com.