[graylog2] Graylog - Edit extractor - Slow

2016-12-28 Thread Drew Miranda
What version are you running? I believe there was a bug with the gzip compression 
used in the REST API output which has since been resolved in the current 
version.

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/5bbfd801-775b-46fe-90ec-4912770005cb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Search in Graylog always returns 0 hit

2016-12-28 Thread Drew Miranda
Can you verify the time is synced on any Graylog nodes (via NTP)? Does changing 
the time range work (e.g. all messages)? Is it a relative or absolute time 
range that is empty?



Re: [graylog2] Pipeline arithmetic (in the then statement) OR datediff ?

2016-11-15 Thread Drew Miranda
Thanks!

On Tuesday, November 15, 2016 at 3:25:15 AM UTC-6, Jan Doberstein wrote:
>
> Hej Drew,
>
> we have this feature issue in the pipeline repository: 
> https://github.com/Graylog2/graylog-plugin-pipeline-processor/issues/91 
>
> the answer is - not yet but will be.
>
> with kind regards
> Jan
>
> 2016-11-14 16:11 GMT+01:00 Drew Miranda <gee...@gmail.com >:
>
>> Hi All,
>> Is it possible to do date comparisons in the pipeline rules "then" 
>> section? I see we can do comparisons in the "WHEN" section. I can't seem to 
>> find a way to do date diffing though. Also, arithmetic doesn't seem to work 
>> either. Any ideas?
>>
>> The reason I'm interested in doing this is writing rules to trigger 
>> alerts when two datetime values in the message are different by more than 5 
>> minutes. For example, the windows event log writes an event every time its 
>> system time changes, almost always because of Active Directory [server] 
>> time sync. It has a field for old and new times. Differences of greater 
>> than 300 seconds are super important to catch due to issues they can cause. 
>> Currently I've had to export the messages in CSV and use Excel to compute 
>> this.
>>
>> Thanks!
>>



[graylog2] Pipeline arithmetic (in the then statement) OR datediff ?

2016-11-14 Thread Drew Miranda
Hi All,
Is it possible to do date comparisons in the pipeline rules "then" section? 
I see we can do comparisons in the "WHEN" section. I can't seem to find a 
way to do date diffing though. Also, arithmetic doesn't seem to work 
either. Any ideas?

The reason I'm interested in doing this is writing rules to trigger alerts 
when two datetime values in the message are different by more than 5 
minutes. For example, the windows event log writes an event every time its 
system time changes, almost always because of Active Directory [server] 
time sync. It has a field for old and new times. Differences of greater 
than 300 seconds are super important to catch due to issues they can cause. 
Currently I've had to export the messages in CSV and use Excel to compute 
this.

Thanks!

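The check described in the post above (raise an alert when the old and new system time carried by a Windows time-change event differ by more than 300 seconds), done in plain Python as an added example; it is not from the thread and not Graylog pipeline code. It assumes the two times have already been extracted into fields named previous_time and new_time (constructed names) and that the values use the Windows SystemTime layout (seven fractional digits, trailing Z); the sample messages are constructed. It goes a little beyond the post by flagging shifts in either direction and by reporting messages whose fields cannot be parsed, so a broken extractor does not silently hide a clock jump.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample messages (not from the thread). The field names
# previous_time / new_time are an assumption about how an extractor would
# name the old and new system time values from the Windows event.
SAMPLE_MESSAGES = [
    {"_id": "m1", "source": "dc01",
     "previous_time": "2016-11-14T15:11:02.1234567Z", "new_time": "2016-11-14T15:11:03.0000000Z"},
    {"_id": "m2", "source": "srv02",
     "previous_time": "2016-11-14T15:11:02Z", "new_time": "2016-11-14T15:31:02Z"},  # +20 min
    {"_id": "m3", "source": "srv03",
     "previous_time": "2016-11-14T15:11:02Z", "new_time": "2016-11-14T15:01:02Z"},  # -10 min
    {"_id": "m4", "source": "srv04",
     "previous_time": "2016-11-14T15:11:02Z", "new_time": "not a date"},          # broken field
]

# date-time, optional fraction of any length, optional zone (Z or +hh:mm)
_ISO_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:?\d{2})?$")


def parse_windows_time(value):
    """Parse a Windows SystemTime-style stamp into an aware UTC datetime.

    Windows writes seven fractional digits and a trailing Z; strptime takes
    at most six, so the fraction is truncated and the zone normalised."""
    m = _ISO_RE.match(value.strip())
    if not m:
        raise ValueError(f"unparseable timestamp: {value!r}")
    base, frac, zone = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro)
    if zone is None or zone == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if zone[0] == "+" else -1
        offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[-2:]))
    return dt.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def time_shift_seconds(msg):
    """Signed difference new_time - previous_time in seconds, or None when
    either field is missing or unparseable."""
    try:
        old = parse_windows_time(msg["previous_time"])
        new = parse_windows_time(msg["new_time"])
    except (KeyError, ValueError):
        return None
    return (new - old).total_seconds()


def find_large_time_changes(messages, threshold_seconds=300):
    """(message id, source, shift) for every message whose clock jumped by
    more than the threshold in either direction."""
    hits = []
    for msg in messages:
        shift = time_shift_seconds(msg)
        if shift is not None and abs(shift) > threshold_seconds:
            hits.append((msg["_id"], msg["source"], shift))
    return hits


def unparseable_messages(messages):
    """Ids of messages the check could not evaluate; these deserve a look too."""
    return [msg["_id"] for msg in messages if time_shift_seconds(msg) is None]


if __name__ == "__main__":
    for msg_id, source, shift in find_large_time_changes(SAMPLE_MESSAGES):
        print(f"ALERT {source} ({msg_id}): system time moved by {shift:+.0f} s")
    for msg_id in unparseable_messages(SAMPLE_MESSAGES):
        print(f"WARN could not evaluate message {msg_id}")
```

Run against the constructed sample, m2 (+1200 s) and m3 (-600 s) are reported and m4 is listed as not evaluable; m1 is a sub-second adjustment and stays quiet. Treating a negative jump as just as interesting as a positive one matters for log integrity: a clock set backwards can make later events sort before earlier ones.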


[graylog2] new cluster install failing

2016-05-19 Thread Drew Miranda
Is your MongoDB on a different host? You may need to edit the MongoDB config. By 
default it only binds to 127.0.0.1 and isn't reachable from external hosts.



[graylog2] Is there a way to directly generate count chart based on non-numeric values?

2016-05-19 Thread Drew Miranda
Something I've done as a neat workaround is run the query to get a normal 
histogram, and then show the hidden field timestamp which exists on all 
messages. I then generate a chart using that field and change the type from mean to 
sum. It will then give you a chart matching the histogram above. You can then 
repeat the process for other search terms and stack the charts.



Re: [graylog2] Re: Graylog Web - Unable to Add Nodes

2016-05-14 Thread Drew Miranda
They added the web interface as part of the graylog server. It can be 
enabled/disabled via config file. 

See http://docs.graylog.org/en/2.0/pages/configuring_webif.html



[graylog2] How to Install Graylog 2.0 on CentOS 7 and Collect Windows Logs

2016-05-14 Thread Drew Miranda
Check out the virtual machine image and the documentation

http://docs.graylog.org/en/2.0/pages/installation/virtual_machine_appliances.html

You'll need to install something on the Windows box to "ship" logs to Graylog. 
Google "nxlog Windows event logs" and you'll get some examples.

Summary
1. Download and install the Graylog VM image
2. Configure it, create a GELF UDP input
3. Install and configure nxlog and point it to your newly created input



[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-28 Thread Drew Miranda
It looks like v2 is now fully released. Any idea on how I can get this 
working? Is it a bug?

On Friday, April 15, 2016 at 7:43:32 AM UTC-5, Drew Miranda wrote:
>
> I tested removing the extra characters before BEGIN
>
> This STILL did not help. I'm at a loss.
>



[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-15 Thread Drew Miranda
I tested removing the extra characters before BEGIN

This STILL did not help. I'm at a loss.



[graylog2] Need help in scaling up my Graylog-elasticsearch-logstash setup

2016-04-14 Thread Drew Miranda
You are going to want to have a good bit more RAM for a large amount of log 
processing. Ideally you will want to set up multiple VMs to each handle a role 
as well (e.g. a VM or two for Elasticsearch, a VM or two for Graylog nodes).

I have 2 Elasticsearch nodes with 12GB RAM each and I still feel like it 
isn't adequate memory-wise. 

My two Graylog nodes also have 4GB each with r CPUs. 

Generally you will want to throw as much RAM as you can at Elasticsearch 
because there is a steep performance hit with its disk operations. Unless you 
have all flash disks, maybe.

As far as CPU, you will want to throw as much CPU as you can at the Graylog 
server nodes. It eats up A LOT of CPU to process stream and extractor rules.

Disk space is only something to consider based on how many messages you want to 
store at any given time and for how long. The more disk space the better.

Hope that helps!



[graylog2] Graylog System Sizing Problem?

2016-04-14 Thread Drew Miranda
I don't believe there is any relation between hard disk space and available CPU 
for Graylog.

To understand what your requirements are for hardware we need to answer two 
questions:

1. How many messages per second do you want to process? Depending on the 
message size and complexity of stream and extractor rules, a few CPUs (e.g. 4) 
can process a thousand or so messages a second. This does vary by CPU type, sure, 
but I'm basing this off of a virtual machine on a shared host.

2. How long do we want to retain processed messages? This also somewhat 
depends on your messages per second count. I don't think 20GB is much space 
considering how cheap storage is. I recommend a few hundred GB if you can spare 
it. I find it helpful to be able to search back easily through historical logs.

Hope that helps! If you have any specific questions I'll be happy to try and 
answer them.



[graylog2] Graylog 1.3.4 elasticsearch cluster red / unassigned shards

2016-04-14 Thread Drew Miranda
What version of Elasticsearch and how many data nodes? Do you have replicas 
enabled/how many?

The error says "not allowed, reason: [NO(shard cannot be allocated on same node 
[mB5gKQroSu6XQNzNkeHzxQ] it already exists on)]"

Are there any errors in the Elasticsearch logs?

I found this which may be relevant
https://groups.google.com/forum/m/#!msg/elasticsearch/sztApzHmTjY/Nbr0N3EtfhMJ

And maybe

http://stackoverflow.com/questions/34619265/elasticsearch-unassigned-shards-with-two-nodes-different-machines-1-master-bo



[graylog2] Graylog collector

2016-04-14 Thread Drew Miranda
Check out the collector documentation page here

http://docs.graylog.org/en/1.3/pages/collector.html


You can define what log files to ship to Graylog in the collector configuration 
file.

Configuring stream rules is done via the Graylog web interface. Hope that helps.



[graylog2] [ANNOUNCE] Graylog v2.0.0-beta.3 has been released

2016-04-14 Thread Drew Miranda
I just want to say, thank you for making such an incredible and valuable 
product. 



[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-14 Thread Drew Miranda
Okay, quick update, I did some quick searching and found this, 
https://community.oracle.com/thread/1534464?start=0 which sounds exactly like 
the issue. My cert chain file does have extra characters in it. I'll test this 
tomorrow.



[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-14 Thread Drew Miranda
Thanks for that command. So I'm able to extract my private key from the 
original Java keystore (because this is where the original private key was 
created) and convert it to p12 and then pkcs8. I can verify the key is ASCII 
readable and is encoded and passes checks when viewing via openssl.

However, I'm still confused about the public cert. I think the documentation is 
saying I need an x.509 pkcs8 cert but there seems to be a contradiction. 
Anything that I can find and all commands that generate a valid pkcs8 cert only 
seem to contain the private key.

If I just output an ASCII-readable PEM of the base64 certificate chain, to me, 
that appears to be the closest I can get. 

So anyways, this is all to say I have what I think are the correct cert and key 
yet I'm still getting that same error. I've probably spent about 4 hours 
testing and reading up on x.509. Any help?



[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-12 Thread Drew Miranda
Any quick tips on the command to use with openssl to output the correct format? 
I found enough documentation to interchange formats but am unclear on the exact 
switches.



[graylog2] Web Interface Certificate differences from v1 and v2

2016-04-12 Thread Drew Miranda
Hi all, has anyone had any success converting their TLS certificates for 
Graylog web from version 1 (e.g. 1.3.x) to version 2 of Graylog?

Maybe I'm just not getting it, but I'm having trouble figuring out EXACTLY 
what file format the certificate needs to be in.

Previously the v1.x web interface used a Java keystore. HOWEVER, this is 
no longer in use and the upgrade path is not clear.

I found some documentation that talks about exporting keys from the 
keystore but the terminology is very inconsistent depending on the 
webpage/documentation.

I got as far as exporting the "private key" (no clue if this is the correct format):

keytool -importkeystore -srckeystore graylog2.keystore -destkeystore new-store.p12 -deststoretype PKCS12
openssl pkcs12 -info -in new-store.p12
openssl pkcs12 -in new-store.p12 -nocerts -out gl2web_privateKey.pem

to produce supposedly what the documentation for graylog claims it needs.

I do something similar for the public key:

keytool -export -keystore graylog2.keystore -alias graylog2key -file Example.cer
openssl x509 -in Example.cer -inform der -text -noout
openssl x509 -inform der -in Example.cer -out gl2web_publickey.pem

I get this error

I end up with this error which is vague, but I think tells me my 
certificate configuration is useless.

2016-04-12 10:06:27,503 ERROR: com.google.common.util.concurrent.ServiceManager - Service WebInterfaceService [FAILED] has failed in the STARTING state.
java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
    at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) ~[?:1.8.0_77]
    at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) ~[?:1.8.0_77]
    at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_77]
    at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_77]
    at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_77]
    at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_77]
    at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_77]
    at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_77]
    at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
    at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96) ~[graylog.jar:?]
    at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:185) ~[graylog.jar:?]
    at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:156) ~[graylog.jar:?]
    at org.graylog2.initializers.WebInterfaceService.startUp(WebInterfaceService.java:46) ~[graylog.jar:?]
    at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
    at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
    at java.lang.Thread.run(Thread.java:745) [?:1.8.0_77]

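A small diagnostic for the two things this thread keeps circling: whether there is stray text before the BEGIN line of a PEM file (the "extra characters" mentioned in the later replies), and what kind of object the key block actually holds. This is an added example written for this page, not code from the thread or from Graylog, and it uses only the Python standard library. The trace above fails inside EncryptedPrivateKeyInfo, i.e. the key was being decoded as an encrypted PKCS#8 blob, and "tag = 48" is 0x30, the DER SEQUENCE tag, so the reader met a SEQUENCE where it expected an OID; the checker below reports the PEM label, whether the block is an encrypted PKCS#8 (EncryptedPrivateKeyInfo), an unencrypted PKCS#8 (PrivateKeyInfo) or a traditional key, and the outer DER tag. The sample PEM files are constructed: their DER bodies are hand-built minimal structures with the right outer shape, not usable keys, and the "Bag Attributes" preamble imitates what openssl pkcs12 writes before BEGIN.

```python
import base64
import re


def _der(tag, body):
    """Encode one DER TLV with a short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _pem(label, der, preamble=""):
    """Wrap DER bytes in PEM armour, optionally with text before BEGIN."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{preamble}-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# TLV-encoded OIDs: rsaEncryption (1.2.840.113549.1.1.1) and PBES2 (1.2.840.113549.1.5.13)
RSA_OID = bytes.fromhex("06092a864886f70d010101")
PBES2_OID = bytes.fromhex("06092a864886f70d01050d")
NULL = b"\x05\x00"

# Constructed sample files (not the thread author's real files; not usable keys).
# PrivateKeyInfo ::= SEQUENCE { version INTEGER, AlgorithmIdentifier, OCTET STRING }
UNENCRYPTED_PKCS8 = _pem("PRIVATE KEY", _der(0x30,
    _der(0x02, b"\x00") + _der(0x30, RSA_OID + NULL) + _der(0x04, b"\x00" * 16)))
# EncryptedPrivateKeyInfo ::= SEQUENCE { AlgorithmIdentifier (PBES2 + params), OCTET STRING }
ENCRYPTED_PKCS8 = _pem("ENCRYPTED PRIVATE KEY", _der(0x30,
    _der(0x30, PBES2_OID + _der(0x30, b"")) + _der(0x04, b"\x00" * 16)),
    preamble="Bag Attributes\n    friendlyName: graylog2key\nKey Attributes: <No Attributes>\n")

_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
_TAG_NAMES = {0x02: "INTEGER", 0x04: "OCTET STRING", 0x05: "NULL",
              0x06: "OBJECT IDENTIFIER", 0x30: "SEQUENCE"}


def _content_offset(der):
    """Offset of the first byte inside the outer TLV (short or long length form)."""
    return 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)


def _classify(label, der):
    if label == "ENCRYPTED PRIVATE KEY":
        return "encrypted PKCS#8 (EncryptedPrivateKeyInfo)"
    if label == "PRIVATE KEY":
        # A PrivateKeyInfo opens with SEQUENCE { INTEGER version ... }
        if len(der) > 2 and der[0] == 0x30 and der[_content_offset(der):][:1] == b"\x02":
            return "unencrypted PKCS#8 (PrivateKeyInfo)"
        return "PRIVATE KEY label but body is not a PrivateKeyInfo"
    if label.endswith(" PRIVATE KEY"):
        return "traditional (non-PKCS#8) private key"
    if label == "CERTIFICATE":
        return "X.509 certificate"
    return "unrecognised block"


def inspect_pem(text):
    """Describe the first PEM block in text: label, whether anything precedes
    BEGIN, the outer DER tag (as Java prints it, in decimal) and the kind."""
    m = _BLOCK.search(text)
    if not m:
        return {"error": "no complete BEGIN/END block found"}
    label, body = m.group(1), "".join(m.group(2).split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return {"error": "body is not valid base64", "label": label}
    if not der:
        return {"error": "empty body", "label": label}
    return {
        "label": label,
        "leading_text": bool(text[:m.start()].strip()),
        "der_tag": der[0],
        "der_tag_name": _TAG_NAMES.get(der[0], "unknown"),
        "kind": _classify(label, der),
    }


def clean_pem(text):
    """Keep only the BEGIN/END blocks, dropping Bag Attributes and any other
    text around them."""
    return "".join(m.group(0) + "\n" for m in _BLOCK.finditer(text))


if __name__ == "__main__":
    for name, pem in (("unencrypted", UNENCRYPTED_PKCS8), ("encrypted", ENCRYPTED_PKCS8)):
        print(name, inspect_pem(pem))
    print(clean_pem(ENCRYPTED_PKCS8))
```

Pointed at a real file (`inspect_pem(open("gl2web_privateKey.pem").read())`) it tells you in one line which of the three key shapes you are holding before you touch the server config. Two openssl facts that are not from the thread but help interpret the result: `openssl pkcs12 -nocerts` without `-nodes` writes an ENCRYPTED PRIVATE KEY block, and `openssl pkcs8 -topk8 -nocrypt` rewrites a key as an unencrypted PRIVATE KEY block; whichever form you settle on should match what the Graylog version in use documents for its key file, and keep the unencrypted file readable only by the Graylog service user.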


[graylog2] graylog 1.3 and ldap (again ?)

2016-02-24 Thread Drew Miranda
Are there any errors in the Graylog server and web interface logs?



[graylog2] Re: Graylog-server REST API returning incorrect results for /search/universal/keyword

2015-12-10 Thread Drew Miranda
NEVERMIND! I had to use -H 'Accept:application/json' instead

On Thursday, December 10, 2015 at 10:41:04 AM UTC-6, Drew Miranda wrote:
>
> I should note, accessing directly from rest API page does work correctly, 
> but curl does not.
>
> On Thursday, December 10, 2015 at 10:40:22 AM UTC-6, Drew Miranda wrote:
>>
>> I'm using /search/universal/keyword to check if the last 10 minutes 
>> contain any indexed messages for absolute time ranges. Before upgrading to 
>> 1.3.0 (on 1.2.2) this returned the JSON object which does not require 
>> specifying return fields.
>>
>> However, after upgrading to 1.3.0 it ONLY returns the CSV output and will 
>> not return the json output. I even specified the header in curl -H 
>> 'Content-Type: application/json'
>>
>> Is there any way to return the COUNT of message for a query now? Let me 
>> know if I should submit a bug report!
>>
>



[graylog2] Graylog-server REST API returning incorrect results for /search/universal/keyword

2015-12-10 Thread Drew Miranda
I'm using /search/universal/keyword to check if the last 10 minutes contain 
any indexed messages for absolute time ranges. Before upgrading to 1.3.0 
(on 1.2.2) this returned the JSON object which does not require specifying 
return fields.

However, after upgrading to 1.3.0 it ONLY returns the CSV output and will 
not return the json output. I even specified the header in curl -H 
'Content-Type: application/json'

Is there any way to return the COUNT of message for a query now? Let me 
know if I should submit a bug report!



[graylog2] Re: Graylog-server REST API returning incorrect results for /search/universal/keyword

2015-12-10 Thread Drew Miranda
I should note, accessing directly from rest API page does work correctly, 
but curl does not.

On Thursday, December 10, 2015 at 10:40:22 AM UTC-6, Drew Miranda wrote:
>
> I'm using /search/universal/keyword to check if the last 10 minutes 
> contain any indexed messages for absolute time ranges. Before upgrading to 
> 1.3.0 (on 1.2.2) this returned the JSON object which does not require 
> specifying return fields.
>
> However, after upgrading to 1.3.0 it ONLY returns the CSV output and will 
> not return the json output. I even specified the header in curl -H 
> 'Content-Type: application/json'
>
> Is there any way to return the COUNT of message for a query now? Let me 
> know if I should submit a bug report!
>



[graylog2] Hostnames not working

2015-12-02 Thread Drew Miranda
I don't think Graylog does any reverse DNS. How are you sending logs to 
Graylog? 



[graylog2] importing old logs from syslog server

2015-12-02 Thread Drew Miranda
I did something similar as a proof of concept but it was far from elegant.

In short:

1. Use nxlog to listen to a file and configure a rule that uses the date of the 
log message and not the current date (which it would do if we don't create this 
rule)
2. Use something that reads your log file(s) one line at a time and appends 
each line to the file being monitored by nxlog

* In some cases the date/time format is not directly parseable by nxlog and a 
script is required to parse it into the correct format.

https://nxlog.org/node/295#idp9098336

Sorry this is so convoluted. This is a feature that has been requested so it is 
possible we may see a native way to do this in the future.

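A script for the footnote to step 2 above (old log timestamps that nxlog cannot parse as written), added here as an example and not taken from the thread or from nxlog: it rewrites classic BSD syslog stamps, which carry no year, into ISO 8601 with an explicit year, so the message keeps its original date when nxlog picks it up from the monitored file. The sample lines are constructed; the start year is supplied by whoever runs the import, and the script advances the year whenever the month goes backwards, so a file spanning New Year is dated correctly. Lines it cannot date are kept and marked rather than dropped or stamped with today's date.

```python
import re
from datetime import datetime

# Constructed sample lines in classic BSD syslog (RFC 3164) format, which has
# no year field. They are not from the original thread.
OLD_LOG_LINES = [
    "Dec 30 23:59:58 fw01 kernel: link up on eth0",
    "Dec 31 00:00:01 fw01 sshd[412]: Accepted publickey for ops from 10.0.0.5",
    "Jan  1 00:00:07 fw01 cron[88]: (root) CMD (run-parts /etc/cron.hourly)",
    "Feb 30 10:00:00 fw01 junk: impossible date",
    "this line has no timestamp at all",
]

# "Mon dd HH:MM:SS rest"; the day is space-padded, so allow one or two spaces.
_BSD_RE = re.compile(r"^([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}:\d{2}:\d{2}) (.*)$")


def convert_lines(lines, start_year):
    """Rewrite BSD syslog timestamps to ISO 8601 with an explicit year.

    start_year is the year of the first line. Because the format has no
    year, it is advanced whenever the month goes backwards (Dec -> Jan),
    so a file spanning New Year stays in order. Lines without a usable
    stamp are returned with an UNPARSED prefix instead of being dropped,
    so a bad import is visible rather than silently mis-dated."""
    out, year, last_month = [], start_year, None
    for line in lines:
        m = _BSD_RE.match(line)
        if not m:
            out.append("UNPARSED " + line)
            continue
        mon, day, clock, rest = m.groups()
        try:
            month = datetime.strptime(mon, "%b").month
            candidate_year = year + 1 if last_month is not None and month < last_month else year
            stamp = datetime.strptime(f"{mon} {day} {clock} {candidate_year}", "%b %d %H:%M:%S %Y")
        except ValueError:  # unknown month name or an impossible day such as Feb 30
            out.append("UNPARSED " + line)
            continue
        year, last_month = candidate_year, month
        out.append(f"{stamp.isoformat()} {rest}")
    return out


def append_to_spool(lines, spool_path, start_year):
    """Append the datable lines to the file nxlog is tailing; returns how many
    were written. Unparseable lines are left out here so the caller can deal
    with them separately."""
    converted = [l for l in convert_lines(lines, start_year) if not l.startswith("UNPARSED ")]
    with open(spool_path, "a", encoding="utf-8") as fh:
        for l in converted:
            fh.write(l + "\n")
    return len(converted)


if __name__ == "__main__":
    for line in convert_lines(OLD_LOG_LINES, 2015):
        print(line)
```

Feed the converted lines slowly enough for nxlog to keep up (step 2 in the post reads one line at a time for that reason), and check the UNPARSED lines by hand before the import rather than after: a historical message that lands with the wrong date is worse for an investigation than one that is missing.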


[graylog2] Rewrite log with extractor

2015-12-02 Thread Drew Miranda
I believe something like this should be possible with drools rules

http://docs.graylog.org/en/1.2/pages/drools.html



[graylog2] Disk at 100% (linux newbie)

2015-09-28 Thread Drew Miranda
This is actually something I'm somewhat wondering myself. My instinct says to 
use something like logrotate but I haven't tested. So far what I did that is 
working is to put the log on a different volume so it can't fill up the volume 
with the graylog message journal.



[graylog2] Elasticsearch cluster is red.

2015-09-17 Thread Drew Miranda
Are you able to do a cat on your Elasticsearch via the API?
https://www.elastic.co/guide/en/elasticsearch/reference/current/cat.html

Do you just have one ES node? Do the logs for Elasticsearch have any errors?



[graylog2] Re: Search Issue ...

2015-09-16 Thread Drew Miranda
Are you using the prebuilt filter via this method? Also, are you using a 
relative or absolute time range search?

1. Find a message that contains the field you want to filter by
2. Expand the message by clicking (to show all fields with the magnifying glass icon)
3. Click on the magnifying glass icon for the field you want to filter; it will add 
that criteria to the search box

Does this filter differ from what you had already typed?

Also, if you click on the "arrow pointing downward" next to that same field and 
select "show terms of..." does it show the words contained in the filename path?



[graylog2] Re: Filter or Drop messages from a specific source

2015-09-15 Thread Drew Miranda
Are there any errors or related log messages in the graylog server log? 



Re: [graylog2] Re: upgrading graylog-server from 1.16 to 1.2rc4 totally broke all LDAP access

2015-09-09 Thread Drew Miranda
Not sure if this helps but...

Search Base DN should be the OU parent where you want any valid users to be 
found for login
OU=User Accounts,DC=ochsner,DC=org

User Search Pattern should match the username users will input to login
(&(objectClass=user)(sAMAccountName={0}))

Group Search Base DN can be similar to your user search base DN. The OU where 
your groups live.
OU=Groups Live Here,DC=ochsner,DC=org

Group Object Class should just be:
group

Group Name Attribute should just be:
cn

The example text in red is usually helpful. If you've already got those fields 
set appropriately, disregard!

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/914efb85-a462-48b0-9c0f-e74657d6e18a%40googlegroups.com.
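As an added example (not Graylog's own code, and not part of the post above) of what the "{0}" placeholder in the User Search Pattern stands for: the login name typed at the login form is substituted into that filter before it is sent to the directory. LDAP filter syntax (RFC 4515) gives "*", "(", ")", "\" and NUL a special meaning, so the name has to be escaped before substitution so that it is compared as a value instead of being parsed as filter structure. The pattern is the one from the post; the login names and function names are constructed for the example.

```python
# Added example (not Graylog's code): filling the "{0}" placeholder of an LDAP
# user search pattern safely. Any character that is special in LDAP filter
# syntax (RFC 4515) is replaced by a backslash and its two-digit hex code, so
# parentheses or wildcards in a login name cannot alter the filter structure.

_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def validate_search_pattern(pattern: str) -> None:
    """Sanity checks on the admin-supplied pattern: balanced parentheses and
    exactly one {0} placeholder for the login name."""
    if pattern.count("{0}") != 1:
        raise ValueError("pattern must contain exactly one {0} placeholder")
    depth = 0
    for ch in pattern:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if depth < 0:
            raise ValueError("unbalanced parentheses in pattern")
    if depth != 0:
        raise ValueError("unbalanced parentheses in pattern")


def build_user_filter(pattern: str, username: str) -> str:
    """Expand {0} with the escaped login name, giving the filter sent to LDAP."""
    validate_search_pattern(pattern)
    return pattern.replace("{0}", escape_filter_value(username))


# Pattern from the post above; the login names below are constructed examples.
USER_SEARCH_PATTERN = "(&(objectClass=user)(sAMAccountName={0}))"

if __name__ == "__main__":
    for name in ["jdoe", "j.doe*", "doe(j)"]:
        print(build_user_filter(USER_SEARCH_PATTERN, name))
```

The same escaping applies to the group lookups: the Group Name Attribute value ("cn") is only a comparison target, but any value spliced into a filter at search time goes through escape_filter_value first.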


[graylog2] Re: Extractors: Add field with static content

2015-09-08 Thread Drew Miranda
I believe a static field can be configured per input. I don't have the web 
interface in front of me to verify. A static field configured on an input will 
be set for every message and can't be filtered with extractor rules.

A more flexible alternative may be to use drools rules to add static fields by 
using filters. Check the documentation on configuring your drl file.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/c1d7de7b-ade6-4f3d-b3b0-e367ba45d8a5%40googlegroups.com.


[graylog2] Re: ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY when using HTTPS for web interface

2015-09-08 Thread Drew Miranda
Thanks as well! Took a bit of fiddling before I checked here.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/a1b7b221-f8a8-434b-9992-6c1ca58df14c%40googlegroups.com.


[graylog2] Re: upgrading graylog-server from 1.16 to 1.2rc4 totally broke all LDAP access

2015-09-08 Thread Drew Miranda
I just upgraded to 1.2 rc2 so I'll check my configuration tomorrow and see if 
it is helpful to you. For what it's worth, the upgrade worked and LDAP login and 
group mappings worked.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/a279bcf6-8a28-474b-b14c-0752d04b0d13%40googlegroups.com.


[graylog2] Re: Selecting range via histogram returns zero results (More Timezone woes?)

2015-09-02 Thread Drew Miranda
I've been suffering from this myself. There have been numerous issues 
opened on the issue tracker and they have addressed this in the 1.2 release (I 
still haven't tested it yet).

On Tuesday, September 1, 2015 at 9:01:57 PM UTC-5, Werner van der Merwe 
wrote:
>
> It did indeed!
> Thanks very much
>
> On Wednesday, September 2, 2015 at 1:31:19 PM UTC+12, Drew Miranda wrote:
>>
>> Does running "Recalculate Index Ranges" (System -> Indices -> 
>> Maintenance) help?
>>
>> On Sunday, August 30, 2015 at 6:43:00 PM UTC-5, Werner van der Merwe 
>> wrote:
>>>
>>> Further Updates:
>>> A relative search works 100%
>>> Doing the same absolute search via Kibana, 2015-08-31 00:00:00 to 
>>> 2015-08-31 10:00:00, gets 2.4M hits
>>>
>>> Doing an absolute search from 2015-08-29 21:05:54.000 +12:00 to 
>>> 2015-08-31 11:07:00.000 +12:00 returns values with timestamps between 
>>> 2015-08-29 21:05:57.000 and 2015-08-31 11:07:00.000, as expected.
>>> Changing that down to 2015-08-30 21:05:54.000 +12:00 to 2015-08-31 
>>> 11:07:00.000 +12:00 returns zero values.  (?!?!?)
>>>
>>>
>>>>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/b6c2b2c0-de9f-4a42-a4d8-0e556eef538d%40googlegroups.com.


[graylog2] Re: Graylog dashboard showing no messages for last 5 mins

2015-09-02 Thread Drew Miranda
Can you elaborate on your configuration?


   1. Is the dashboard using a query from a stream or global search?
   2. If you use the "play" button icon to replace the search are any 
   results present?
   3. When you do use the search and if the relative time frame is empty, 
   does an absolute search for the same range show any results?


On Wednesday, September 2, 2015 at 5:59:59 AM UTC-5, Sriranga Kulkarni 
wrote:
>
> I tried Recalculate index but still the same.
>
> I had a disk space issue so stopped the graylog and increased my disk and 
> restarted the graylog. This was the only issue I faced. Moreover I have 
> time-based retention of indices.
>
>
>
> On Wednesday, September 2, 2015 at 6:58:14 AM UTC+5:30, Drew Miranda wrote:
>>
>> Do you have your indices rollover due to retention policies where older 
>> indices are deleted? Also does running "Recalculate Index Ranges" (System 
>> -> Indices -> Maintenance) help?
>>
>>
>> On Tuesday, September 1, 2015 at 8:32:43 AM UTC-5, Sriranga Kulkarni 
>> wrote:
>>>
>>> Need help: graylog dashboard not showing any messages for last 5 mins, 
>>> whereas I am able to see messages for last 15 mins. I used to get messages 
>>> for 5 mins before but dunno what happened. 
>>>
>>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/c77f6ad7-5dfd-491b-8af0-d33ebaa8ac51%40googlegroups.com.


[graylog2] Re: Autologin for Graylog Dashboard?

2015-09-01 Thread Drew Miranda
Hi Niklas,
You can configure the session timeout per user (e.g. never timeout) via 
System -> Users -> Timeout if that is of use to you.

Otherwise I think you would have to write a piece of code or script that 
could send the username/password as POST data, but I'm not certain and 
haven't tested this.

If you think functionality should be added to address this, you can submit an 
idea on the idea portal here: https://www.graylog.org/product-ideas/

Hope that helps.

--Drew

On Tuesday, September 1, 2015 at 8:53:28 AM UTC-5, Niklas'ThYpHoOn' Grebe 
wrote:
>
> Hi,
>
> I was wondering if it would be possible to get rid of re-entering the 
> username/password credentials on our Graylog Dashboard after the session 
> got invalidated. Is there a way to put the username/password in the url to 
> automate this process? I don’t want to install a whole password manager just 
> for this.
>
>
>
> Greetings
>
> --
>
> *Niklas Grebe*
> *Backend Developer*
>
> *InnoGames GmbH*
>
> Friesenstraße 13 - 20097 Hamburg - Germany
> Tel +49 40 7889335-0
> Fax +49 40 7889335-200
>
> Managing Directors: Hendrik Klindworth, Eike Klindworth, Michael Zillmer
> VAT-ID: DE264068907 Amtsgericht Hamburg, HRB 108973
>
> *http://www.innogames.com *
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/c5703885-4eec-4709-b091-ec15ca579946%40googlegroups.com.


[graylog2] Re: Graylog dashboard showing no messages for last 5 mins

2015-09-01 Thread Drew Miranda
Do you have your indices rollover due to retention policies where older 
indices are deleted? Also does running "Recalculate Index Ranges" (System 
-> Indices -> Maintenance) help?


On Tuesday, September 1, 2015 at 8:32:43 AM UTC-5, Sriranga Kulkarni wrote:
>
> Need help graylog dashboard not showing any messages for last 5 mins where 
> as i am able to see messages for last 15 mins. I used to get messages for 5 
> mins before but donno what happened. 
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/64a1926d-dbc4-405b-b2d8-65611abba370%40googlegroups.com.


[graylog2] Re: Define full_message extractor only when source=X

2015-09-01 Thread Drew Miranda
Looks like this is an idea submitted here:
https://graylog.ideas.aha.io/ideas/GL2E-I-436


On Thursday, August 13, 2015 at 12:16:27 PM UTC-5, Jesse Skrivseth wrote:
>
> Perhaps I'll need drools rules for this, but I want to run a key=value 
> tokenizer extractor on messages from a source matching a regex. Is this 
> possible? It seems in the UI the only option is extracting when the field 
> you are extracting from matches something. 
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/a9d9354a-d7ac-4c7a-b97b-e6a7e186e1ef%40googlegroups.com.


[graylog2] Re: Service graylog2-server shuts down after start of CentOS

2015-08-29 Thread Drew Miranda
What are the errors in the graylog server application log? The log is pretty 
good about indicating why it won't start or why it starts and stops. Reasons 
why it won't start range greatly (e.g. Elasticsearch connectivity, binding to 
ports, MongoDB connectivity, configuration error).

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/5c05ff6b-6473-4514-9d6e-5571680dab24%40googlegroups.com.


[graylog2] Re: Graylog On Apache

2015-08-29 Thread Drew Miranda
The graylog server nodes are all accessed via their REST API (e.g. 
server:12900/api-browser). The Graylog web interface is configured to point to 
exactly this same port and server name. The example graylog web interface 
configuration file should have an example.

A basic overview of the components is here:
http://docs.graylog.org/en/1.1/pages/architecture.html

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/2fcb11c3-7d83-4f18-ad59-57d03e5f5b67%40googlegroups.com.


[graylog2] Re: Graylog Collector Not working

2015-08-29 Thread Drew Miranda
What does your collector configuration look like (ports etc) and what does your 
input configuration look like on your graylog node?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/841458d5-c074-4463-b031-b519f04497f8%40googlegroups.com.


[graylog2] Re: Anyone successfully using a load balancer to round robin each message sent to graylog?

2015-08-27 Thread Drew Miranda
It is possibly a configuration issue on our side, but we have a content 
switch load balancer set up to round robin between two graylog nodes. What 
I'm seeing is that the load balancer is only distributing the number of 
endpoints sending logs to each graylog node and not truly round-robining 
the messages. This makes the graylog cluster unable to handle excessive 
load.

The load balancer also does not properly detect dead/alive nodes and 
continues to send messages to offline graylog nodes (this is likely a load 
balancer configuration issue).

I'm curious what graylog recommends as far as making this work as intended.

On Wednesday, August 26, 2015 at 3:40:27 AM UTC-5, Jochen Schalanda wrote:
>
> Hi Drew,
>
> I know of several installations of Graylog which use load balancers in 
> front of a Graylog cluster. Are there any specific problems you've 
> encountered in regard to Graylog's part in this setup?
>
> Just one remark: Load balancing GELF messages sent via UDP (Graylog's GELF 
> UDP input) might cause some problems due to the chunking feature which 
> requires all chunks of a GELF message being sent to the same Graylog server 
> node. Also take a look at 
> http://docs.graylog.org/en/1.1/pages/load_balancers.html for some hints 
> how to configure a highly available Graylog setup.
>
> Cheers,
> Jochen
>
> On Wednesday, 26 August 2015 05:28:17 UTC+2, Drew Miranda wrote:
>>
>> I'm working with our network guys to set up a load balancer configuration. 
>> It does work, but it does not alternate which graylog node it sends 
>> messages to.
>>
>> An example of what I'd like to happen: each graylog node currently only 
>> effectively processes up to 1000 messages per second. Server A may send a 
>> surge of 10,000 messages in one second and fill up a single graylog node 
>> until the journal is fully processed. If messages are alternated via the 
>> load balancer, multiple graylog nodes can share the load and process 
>> messages more quickly.
>>


To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/188b41c3-3898-4c48-886b-b7bfc473a7c1%40googlegroups.com.


[graylog2] Anyone successfully using a load balancer to round robin each message sent to graylog?

2015-08-25 Thread Drew Miranda
I'm working with our network guys to set up a load balancer configuration. It 
does work, but it does not alternate which graylog node it sends messages to.

An example of what I'd like to happen: each graylog node currently only 
effectively processes up to 1000 messages per second. Server A may send a surge 
of 10,000 messages in one second and fill up a single graylog node until the 
journal is fully processed. If messages are alternated via the load balancer, 
multiple graylog nodes can share the load and process messages more quickly.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/00b3f13f-b73d-4249-9fde-6b59c84e8d69%40googlegroups.com.
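An added simulation (not from this thread and not Graylog code) of the two load balancer behaviours discussed in it: per-source distribution, where every message from one sender lands on the same node (what the poster observed, with the load balancer spreading endpoints rather than messages), versus per-message round robin. The per-node rate of 1000 msg/s and the 10,000-message burst are the figures quoted above; the traffic, node names and function names are constructed. Chunked GELF UDP messages are modelled as several datagrams that only reassemble when all of them reach the same node, which is the caveat raised in the reply.

```python
from collections import defaultdict
from itertools import cycle

# Added simulation (not Graylog code): how a per-source versus a per-message
# load balancer policy changes the backlog on each Graylog node, and what it
# does to chunked GELF UDP messages. Figures are the thread's estimates;
# the traffic below is constructed.

NODE_CAPACITY_PER_SEC = 1000   # per-node throughput assumed in the thread
NODES = ["graylog-1", "graylog-2"]


def constructed_traffic():
    """One second of traffic: a 10,000-message burst from server A, 500 steady
    messages from server B, and 100 GELF messages from server C split into
    3 chunks each (chunk_of = (message id, chunk index, chunk count))."""
    msgs = [{"source": "server-a", "body": f"burst {i}"} for i in range(10_000)]
    msgs += [{"source": "server-b", "body": f"steady {i}"} for i in range(500)]
    for mid in range(100):
        for idx in range(3):
            msgs.append({"source": "server-c", "chunk_of": (mid, idx, 3)})
    return msgs


def distribute_per_source(messages, nodes):
    """Sticky distribution: each new source is assigned the next node in turn,
    after which all of its messages go there."""
    assignment, next_node = {}, cycle(nodes)
    by_node = {n: [] for n in nodes}
    for msg in messages:
        src = msg["source"]
        if src not in assignment:
            assignment[src] = next(next_node)
        by_node[assignment[src]].append(msg)
    return by_node


def distribute_per_message(messages, nodes):
    """Strict round robin: consecutive messages alternate between nodes."""
    next_node = cycle(nodes)
    by_node = {n: [] for n in nodes}
    for msg in messages:
        by_node[next(next_node)].append(msg)
    return by_node


def seconds_to_drain(by_node, capacity=NODE_CAPACITY_PER_SEC):
    """Time until the busiest node has worked through its journal."""
    return max(len(queue) for queue in by_node.values()) / capacity


def reassembled_gelf_messages(by_node):
    """Number of chunked messages whose chunks all arrived at a single node."""
    chunks_seen = defaultdict(lambda: defaultdict(int))  # mid -> node -> count
    chunk_total = {}
    for node, msgs in by_node.items():
        for msg in msgs:
            if "chunk_of" in msg:
                mid, _idx, count = msg["chunk_of"]
                chunk_total[mid] = count
                chunks_seen[mid][node] += 1
    return sum(
        1 for mid, per_node in chunks_seen.items()
        if max(per_node.values()) == chunk_total[mid]
    )


def compare(nodes=NODES):
    """Drain time and GELF reassembly under both distribution policies."""
    msgs = constructed_traffic()
    per_source = distribute_per_source(msgs, nodes)
    per_message = distribute_per_message(msgs, nodes)
    return {
        "per_source_drain_s": seconds_to_drain(per_source),
        "per_message_drain_s": seconds_to_drain(per_message),
        "per_source_reassembled": reassembled_gelf_messages(per_source),
        "per_message_reassembled": reassembled_gelf_messages(per_message),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With this traffic the per-source policy leaves one node with a 10.3 s backlog while the other idles, and per-message round robin halves that to 5.4 s; but round robin also splits every 3-chunk GELF message across both nodes, so none of them reassemble. Per-message distribution is therefore only safe for inputs whose messages are never chunked.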


[graylog2] Graylog On Apache

2015-08-25 Thread Drew Miranda
Apache is a web server so you wouldn't install graylog on it. You can set it up 
on a server that apache is running on, although I don't recommend it.

What you may want is log collection. It is a piece of software to read the 
apache logs in real time and forward to graylog. Check out the documentation 
pages in the graylog collector section.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/39fc91b7-df5f-4c7d-9ecd-bb91380c693a%40googlegroups.com.


[graylog2] graylog newbie questions

2015-08-25 Thread Drew Miranda
There is a lot more to graylog than alerting, although that is a very helpful 
feature. Graylog allows you to view and search log messages, view trends in 
data, and look at groupings in the data (e.g. what the HTTP return codes were 
and the counts for each), all in one place. 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/ae340f4f-0e5c-4095-976a-dbb4b5342f0e%40googlegroups.com.


[graylog2] Graylog Mysql

2015-08-25 Thread Drew Miranda
Not natively. You will need to use a log collection agent. I believe nxlog can 
listen to MySQL. If the transaction log is text, you can also collect it and 
send it to Graylog. Generally this only works for new messages and not existing 
or historical data.

I believe an upcoming version of the official graylog collector will support 
importing existing logs. Hope this helps.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/6478ec16-8e28-4e57-bdad-b7809b788020%40googlegroups.com.


[graylog2] Porting Grok patterns to Graylog

2015-08-25 Thread Drew Miranda
Currently extractor rules are bound to a single field, meaning that both the 
condition of extraction and the extraction itself must be on the same field.

Also extractors can be created using plain regex if you only want something 
specific extracted. Multiple extractors can be used to create each new 
extracted field.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/a2f55510-2026-4063-9a2f-4c754f09f9be%40googlegroups.com.


[graylog2] Re: Drools rule example in graylog documentation does not work

2015-07-29 Thread Drew Miranda
I meant to reply here earlier. For some reason drools didn't like the 
syntax of the REGEX string I was using. I spun up a test environment so I 
could rapidly stop/start graylog and test the rules.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/59a2eb44-71e8-4229-8330-1aaf233c0c6f%40googlegroups.com.


[graylog2] Drools rule example in graylog documentation does not work

2015-07-21 Thread Drew Miranda
I'm attempting to DROP or filter out specific messages using a drools rule.

I followed the example 
here http://docs.graylog.org/en/latest/pages/drools.html but I get errors 
saying the rule is invalid. Any ideas?


Rules file
import org.graylog2.plugin.Message
import java.util.regex.Matcher
import java.util.regex.Pattern

rule "Drop Netscaler SESSION_UPDATE"
when
    m : Message( getField("full_message") matches "^\s?\d+\/\d+\/\d+:\d+:\d+:\d+\s+[\w\-]+\s.*?:\s+\w+\s+SESSION_UPDATE" )
then
    m.setFilterOut(true);
    System.out.println("[Drop Netscaler SESSION_UPDATE] : " + m.toString() );
end

2015-07-21 13:17:19,411 ERROR: 
org.drools.compiler.kie.builder.impl.AbstractKieModule - Unable to build 
KieBaseModel:defaultKieBase
[11,63]: [ERR 101] Line 11:63 no viable alternative at input ''
[16,0]: [ERR 102] Line 16:0 mismatched input ''
[11,63]: [ERR 101] Line 11:63 no viable alternative at input '/' in rule 
Drop Netscaler SESSION_UPDATE
[0,0]: Parser returned a null Package

2015-07-21 13:17:19,412 WARN : org.graylog2.rules.DroolsEngine - Unable to 
add rules due to compilation errors.
org.graylog2.rules.RulesCompilationException: Message [id=1, level=ERROR, 
path=r1.drl, line=11, column=0
   text=[ERR 101] Line 11:63 no viable alternative at input '']
Message [id=2, level=ERROR, path=r1.drl, line=16, column=0
   text=[ERR 102] Line 16:0 mismatched input '']
Message [id=3, level=ERROR, path=r1.drl, line=11, column=0
   text=[ERR 101] Line 11:63 no viable alternative at input '/' in rule 
Drop Netscaler SESSION_UPDATE]
Message [id=4, level=ERROR, path=r1.drl, line=0, column=0
   text=Parser returned a null Package]

at org.graylog2.rules.DroolsEngine.createKJar(DroolsEngine.java:221)
at org.graylog2.rules.DroolsEngine.createAndDeployJar(DroolsEngine.java:190)
at org.graylog2.rules.DroolsEngine.deployRules(DroolsEngine.java:165)
at org.graylog2.rules.DroolsEngine.commitRules(DroolsEngine.java:143)
at org.graylog2.rules.DroolsEngine.addRule(DroolsEngine.java:85)
at org.graylog2.rules.DroolsEngine.addRulesFromFile(DroolsEngine.java:98)
at org.graylog2.bindings.providers.RulesEngineProvider.init(RulesEngineProvider.java:43)
at org.graylog2.bindings.providers.RulesEngineProvider$$FastClassByGuice$$3947f391.newInstance(generated)
at com.google.inject.internal.cglib.reflect.$FastConstructor.newInstance(FastConstructor.java:40)
at com.google.inject.internal.DefaultConstructionProxyFactory$1.newInstance(DefaultConstructionProxyFactory.java:61)
at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:105)
at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145)
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
at com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:61)
at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104)
at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:56)
at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016)
at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012)
at com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:375)
at com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:258)
at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:81)
at com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:53)
at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:61)
at 
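An added test harness (not part of this thread and not Graylog code) for trying a drop-rule regex against sample messages before loading it into a drools rule, which is the kind of check the later reply in this thread (2015-07-29) describes doing with a throwaway test environment. The pattern is the one from the rule above with each "\/" written as "/": the compiler error is reported at exactly that "/" (Line 11:63), and "\/" is not a valid escape in a Java string literal. The harness also contrasts Python's re.search with the full-match behaviour of the drools "matches" operator (the same as Java's String.matches), which is why a rule like this needs a trailing ".*" to drop a message that continues after SESSION_UPDATE. The sample messages and function names are constructed.

```python
import re

# Added test harness (not Graylog code): check a drop-rule regex against sample
# messages before it goes into a drools rule. Pattern from the rule in the post
# above, with "\/" written as "/" (the drools compiler error points at that "/";
# "\/" is not a valid escape in a Java string literal). Nothing else is changed.
SESSION_UPDATE_RE = (
    r"^\s?\d+/\d+/\d+:\d+:\d+:\d+\s+[\w\-]+\s.*?:\s+\w+\s+SESSION_UPDATE"
)

# Constructed sample messages in the shape the pattern expects; not real
# NetScaler log lines. Only the first one should ever be dropped.
SAMPLE_MESSAGES = [
    "07/21/2015:13:17:19 GMT ns-lb01 0-PPE-0 : default SESSION_UPDATE 1234 : "
    "User alice - Client_ip 10.0.0.5",
    "07/21/2015:13:17:20 GMT ns-lb01 0-PPE-0 : default SSLVPN LOGIN 1235 : "
    "User alice - Client_ip 10.0.0.5",
    "unrelated message that should never be dropped",
]


def search_hits(messages, regex=SESSION_UPDATE_RE):
    """Messages the pattern matches anywhere (Python re.search semantics),
    which is what one tends to assume a drop rule does."""
    pat = re.compile(regex)
    return [m for m in messages if pat.search(m)]


def drools_matches_hits(messages, regex=SESSION_UPDATE_RE):
    r"""Messages the drools `matches` operator would accept. Like Java's
    String.matches(), it requires the whole value to match, which is why the
    Graylog docs example ends in (.|\n|\r)*; re.DOTALL plays that role here."""
    pat = re.compile(regex, re.DOTALL)
    return [m for m in messages if pat.fullmatch(m)]


def drop_decision(messages, regex=SESSION_UPDATE_RE):
    """Split messages into (dropped, kept) the way m.setFilterOut(true) would
    apply under the full-match semantics of `matches`."""
    hits = set(drools_matches_hits(messages, regex))
    dropped = [m for m in messages if m in hits]
    kept = [m for m in messages if m not in hits]
    return dropped, kept


if __name__ == "__main__":
    print("re.search would drop:", len(search_hits(SAMPLE_MESSAGES)))
    print("drools matches drops:", len(drools_matches_hits(SAMPLE_MESSAGES)))
    # A trailing .* lets the rule cover whatever follows SESSION_UPDATE.
    dropped, kept = drop_decision(SAMPLE_MESSAGES, SESSION_UPDATE_RE + r".*")
    print("with trailing .*: dropped", len(dropped), "kept", len(kept))
```

Run against the samples, re.search finds the SESSION_UPDATE line, but the drools-style full match finds nothing until ".*" is appended to the pattern; with that, exactly the intended message is dropped and the LOGIN and unrelated messages are kept. Because a drop rule silently discards events, keeping a negative sample (a message that must survive) in the harness is as important as the positive one.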

[graylog2] Upgrading Graylog Web Interface

2015-04-07 Thread Drew Miranda
For what it's worth, I updated my web interface tonight and verified it is 
pointing to the new jar, but it still shows 1.0.0. I'm guessing the displayed 
version just wasn't changed.
