[graylog2] Graylog - Edit extractor - Slow

2016-12-28 Thread Drew Miranda
What version are you running? I believe there was a bug with the gzip compression used in the rest API output which has since been resolved in the current version. -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group

[graylog2] Search in Graylog always returns 0 hit

2016-12-28 Thread Drew Miranda
Can you verify the time is synced on all graylog nodes (via NTP)? Does changing the time range work (e.g. all messages)? Is it a relative or absolute time range that is empty?

Re: [graylog2] Pipeline arithmetic (in the then statement) OR datediff ?

2016-11-15 Thread Drew Miranda
> > with kind regards > Jan > > 2016-11-14 16:11 GMT+01:00 Drew Miranda <gee...@gmail.com >: > >> Hi All, >> Is it possible to do date comparisons in the pipeline rules "then" >> section? I see we can do comparisons in the "WHEN" section.

[graylog2] Pipeline arithmetic (in the then statement) OR datediff ?

2016-11-14 Thread Drew Miranda
Hi All, Is it possible to do date comparisons in the pipeline rules "then" section? I see we can do comparisons in the "WHEN" section. I can't seem to find a way to do date diffing though. Also, arithmetic doesn't seem to work either. Any ideas? The reason I'm interested in doing this is

[graylog2] new cluster install failing

2016-05-19 Thread Drew Miranda
Is your mongodb on a different host? You may need to edit the mongodb config. By default it only binds to 127.0.0.1 and isn't reachable from external hosts.

[graylog2] Is there a way to directly generate count chart based on non-numeric values?

2016-05-19 Thread Drew Miranda
Something I've done as a neat workaround is run the query to get a normal histogram, and then show the hidden field timestamp which exists on all messages. I then generate a chart using that field and change type from mean to sum. It will then give you a chart matching the histogram above. You

Re: [graylog2] Re: Graylog Web - Unable to Add Nodes

2016-05-14 Thread Drew Miranda
They added the web interface as part of the graylog server. It can be enabled/disabled via config file. See http://docs.graylog.org/en/2.0/pages/configuring_webif.html

[graylog2] How to Install Graylog 2.0 on CentOS 7 and Collect Windows Logs

2016-05-14 Thread Drew Miranda
Check out the virtual machine image and the documentation http://docs.graylog.org/en/2.0/pages/installation/virtual_machine_appliances.html You'll need to install something on the Windows box to "ship" logs to graylog. Google nxlog Windows event logs and you'll get some examples. Summary 1.

[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-28 Thread Drew Miranda
It looks like v2 is now fully released. Any idea on how I can get this working? Is it a bug? On Friday, April 15, 2016 at 7:43:32 AM UTC-5, Drew Miranda wrote: > > I tested removing the extra characters before BEGIN > > This STILL did not help. I'm at a loss. >

[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-15 Thread Drew Miranda
I tested removing the extra characters before BEGIN This STILL did not help. I'm at a loss.

[graylog2] Need help in scaling up my Graylog-elasticsearch-logstash setup

2016-04-14 Thread Drew Miranda
You are going to want to have a good bit more RAM for large amounts of log processing. Ideally you will want to set up multiple VMs to each handle a role as well (e.g. a VM or 2 for elasticsearch, a VM or two for graylog nodes). I have 2 elasticsearch search nodes with 12gb RAM each and I still like

[graylog2] Graylog System Sizing Problem?

2016-04-14 Thread Drew Miranda
I don't believe there is any relation between hard disk space and available cpu for graylog. To understand what your requirements are for hardware we need to answer two questions: 1. How many messages per second do you want to process. Depending on the message size and complexity of stream and

[graylog2] Graylog 1.3.4 elasticsearch cluster red / unassigned shards

2016-04-14 Thread Drew Miranda
What version of Elasticsearch and how many data nodes? Do you have replicas enabled / how many? The error says "not allowed, reason: [NO(shard cannot be allocated on same node [mB5gKQroSu6XQNzNkeHzxQ] it already exists on)]" Are there any errors in the Elasticsearch logs? I found this which

[graylog2] Graylog collector

2016-04-14 Thread Drew Miranda
Check out the collector documentation page here http://docs.graylog.org/en/1.3/pages/collector.html You can define what log files to ship to graylog in the collector configuration file. Configuring stream rules is done via the Graylog web interface. Hope that helps.

[graylog2] [ANNOUNCE] Graylog v2.0.0-beta.3 has been released

2016-04-14 Thread Drew Miranda
I just want to say, thank you for making such an incredible and valuable product.

[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-14 Thread Drew Miranda
Okay, quick update, I did some quick searching and found this, https://community.oracle.com/thread/1534464?start=0 which sounds exactly like the issue. My cert chain file does have extra characters in it. I'll test this tomorrow.

[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-14 Thread Drew Miranda
Thanks for that command. So I'm able to extract my private key from the original Java keystore (because this is where the original private key was created) and convert it to p12 and then pkcs8. I can verify the key is ASCII readable and is encoded and passes checks when viewing via openssl.

[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-12 Thread Drew Miranda
Any quick tips on the command to use with openssl to output the correct format? I found enough documentation to interchange formats but am unclear on the exact switches.

[graylog2] Web Interface Certificate differences from v1 and v2

2016-04-12 Thread Drew Miranda
Hi all, has anyone had any success converting their TLS certificates for graylog web from versions 1 (e.g. 1.3.x) to version 2 of graylog? Maybe I'm just not getting it, but I'm having trouble figuring out EXACTLY what file format the certificate needs to be in. Previously with v1.x web

[graylog2] graylog 1.3 and ldap (again ?)

2016-02-24 Thread Drew Miranda
Are there any errors in the graylog server and web interface logs?

[graylog2] Re: Graylog-server REST API returning incorrect results for /search/universal/keyword

2015-12-10 Thread Drew Miranda
NEVERMIND! I had to use -H 'Accept:application/json' instead On Thursday, December 10, 2015 at 10:41:04 AM UTC-6, Drew Miranda wrote: > > I should note, accessing directly from rest API page does work correctly, > but curl does not. > > On Thursday, December 10, 2015 at 10:40:22

[graylog2] Graylog-server REST API returning incorrect results for /search/universal/keyword

2015-12-10 Thread Drew Miranda
I'm using /search/universal/keyword to check if the last 10 minutes contain any indexed messages for absolute time ranges. Before upgrading to 1.3.0 (on 1.2.2) this returned the JSON object which does not require specifying return fields. However, after upgrading to 1.3.0 it ONLY returns the

[graylog2] Re: Graylog-server REST API returning incorrect results for /search/universal/keyword

2015-12-10 Thread Drew Miranda
I should note, accessing directly from rest API page does work correctly, but curl does not. On Thursday, December 10, 2015 at 10:40:22 AM UTC-6, Drew Miranda wrote: > > I'm using /search/universal/keyword to check if the last 10 minutes > contain any indexed messages for absolute ti

[graylog2] Hostnames not working

2015-12-02 Thread Drew Miranda
I don't think graylog does any reverse DNS. How are you sending logs to Graylog?

[graylog2] importing old logs from syslog server

2015-12-02 Thread Drew Miranda
I did something similar as a proof of concept but it was far from elegant. In short: 1. Use nxlog to listen to a file and configure a rule that uses the date of the log message and not the current date (which it would do if we don't create this rule) 2. Use something that reads your log

[graylog2] Rewrite log with extractor

2015-12-02 Thread Drew Miranda
I believe something like this should be possible with drools rules http://docs.graylog.org/en/1.2/pages/drools.html

[graylog2] Disk at 100% (linux newbie)

2015-09-28 Thread Drew Miranda
This is actually something I'm somewhat wondering myself. My instinct says to use something like logrotate but I haven't tested. So far what I did that is working is to put the log on a different volume so it can't fill up the volume with the graylog message journal.

[graylog2] Elasticsearch cluster is red.

2015-09-17 Thread Drew Miranda
Are you able to do a cat on your Elasticsearch via the api? https://www.elastic.co/guide/en/elasticsearch/reference/current/cat.html Do you just have one ES node? Do the logs for Elasticsearch have any errors?

[graylog2] Re: Search Issue ...

2015-09-16 Thread Drew Miranda
Are you using the prebuilt filter via this method? Also are you using a relative or absolute time range search? 1. Find message that contains the field you want to filter by 2. Expand message by clicking (to show all fields with the Magnifying logo) 3. Click on the Magnifying logo for the field

[graylog2] Re: Filter or Drop messages from a specific source

2015-09-15 Thread Drew Miranda
Are there any errors or related log messages in the graylog server log?

Re: [graylog2] Re: upgrading graylog-server from 1.16 to 1.2rc4 totally broke all LDAP access

2015-09-09 Thread Drew Miranda
Not sure if this helps but... Search Base DN should be the OU parent where you want any valid users to be found for login OU=User Accounts,DC=ochsner,DC=org User Search Pattern should match the username users will input to login (&(objectClass=user)(sAMAccountName={0})) Group Search Base DN

[graylog2] Re: Extractors: Add field with static content

2015-09-08 Thread Drew Miranda
I believe a static field can be configured per input. I don't have the web interface in front of me to verify. A static field configured on an input will be set for every message and can't be filtered with extractor rules. A more flexible alternative may be to use drools rules to add static

[graylog2] Re: ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY when using HTTPS for web interface

2015-09-08 Thread Drew Miranda
Thanks as well! Took a bit of fiddling before I checked here.

[graylog2] Re: upgrading graylog-server from 1.16 to 1.2rc4 totally broke all LDAP access

2015-09-08 Thread Drew Miranda
I just upgraded to 1.2 rc2 so I'll check my configuration tomorrow and see if it is helpful to you. For what it's worth the upgrade worked and ldap login and group mappings worked.

[graylog2] Re: Selecting range via histogram returns zero results (More Timezone woes?)

2015-09-02 Thread Drew Miranda
very much > > On Wednesday, September 2, 2015 at 1:31:19 PM UTC+12, Drew Miranda wrote: >> >> Does running "Recalculate Index Ranges" (System -> Indices -> >> Maintenance) help? >> >> On Sunday, August 30, 2015 at 6:43:00 PM UTC-5, Werner van der Me

[graylog2] Re: Graylog dashboard showing no messages for last 5 mins

2015-09-02 Thread Drew Miranda
raylog. this was the only issue i faced. Moreover i have > time based retention of indices > > > > On Wednesday, September 2, 2015 at 6:58:14 AM UTC+5:30, Drew Miranda wrote: >> >> Do you have your indicies rollover due to retention policies where older >> indice

[graylog2] Re: Autologin for Graylog Dashboard?

2015-09-01 Thread Drew Miranda
Hi Niklas, You can configure the session timeout per user (e.g. never timeout) via System -> Users -> Timeout if that is of use to you. Otherwise I think you would have to write a piece of code or script that could send the username/password as post data, but I'm not certain and haven't tested

[graylog2] Re: Graylog dashboard showing no messages for last 5 mins

2015-09-01 Thread Drew Miranda
Do you have your indices rollover due to retention policies where older indices are deleted? Also does running "Recalculate Index Ranges" (System -> Indices -> Maintenance) help? On Tuesday, September 1, 2015 at 8:32:43 AM UTC-5, Sriranga Kulkarni wrote: > > Need help graylog dashboard not

[graylog2] Re: Define full_message extractor only when source=X

2015-09-01 Thread Drew Miranda
Looks like this is an idea submitted here: https://graylog.ideas.aha.io/ideas/GL2E-I-436 On Thursday, August 13, 2015 at 12:16:27 PM UTC-5, Jesse Skrivseth wrote: > > Perhaps I'll need drools rules for this, but I want to run a key=value > tokenizer extractor on messages from a source matching

[graylog2] Re: Service graylog2-server shuts down after start of CentOS

2015-08-29 Thread Drew Miranda
What are the errors in the graylog server application log? The log is pretty good about indicating why it won't start or why it starts and stops. Reasons why it won't start range greatly (e.g. Elasticsearch connectivity, binding to ports, mongodb connectivity, configuration error).

[graylog2] Re: Graylog On Apache

2015-08-29 Thread Drew Miranda
The graylog server nodes are all accessed via their rest api (e.g. server:12900/api-browser). The Graylog web interface is configured to point to exactly this same port and server name. The example graylog web interface configuration file should have an example. A basic overview of the components

[graylog2] Re: Graylog Collector Not working

2015-08-29 Thread Drew Miranda
What does your collector configuration look like (ports etc) and what does your input configuration look like on your graylog node?

[graylog2] Re: Anyone successfully using a load balancer to round robin each message sent to graylog?

2015-08-27 Thread Drew Miranda
/pages/load_balancers.html for some hints how to configure a highly available Graylog setup. Cheers, Jochen On Wednesday, 26 August 2015 05:28:17 UTC+2, Drew Miranda wrote: I'm working with our network guys to setup a load balancer configuration. It does work, but it does not alternate

[graylog2] Anyone successfully using a load balancer to round robin each message sent to graylog?

2015-08-25 Thread Drew Miranda
I'm working with our network guys to set up a load balancer configuration. It does work, but it does not alternate which graylog node it sends messages to. An example of what I'd like to happen: each graylog node currently only effectively processes up to 1000 messages per second. Server A may

[graylog2] Graylog On Apache

2015-08-25 Thread Drew Miranda
Apache is a web server so you wouldn't install graylog on it. You can set it up on a server that Apache is running on, although I don't recommend it. What you may want is log collection. It is a piece of software to read the Apache logs in real time and forward to graylog. Check out the

[graylog2] graylog newbie questions

2015-08-25 Thread Drew Miranda
There is a lot more to graylog than alerting, although that is a very helpful feature. Graylog allows you to view and search log messages, view trends in data, and look at groupings in the data (e.g. what the http return codes were and the counts for each, all in one place).

[graylog2] Graylog Mysql

2015-08-25 Thread Drew Miranda
Not natively. You will need to use a log collection agent. I believe nxlog can listen to MySQL. If the transaction log is text, you can also collect it and send to Graylog. Generally this only works for new messages and not existing or historical data. I believe an upcoming version of the

[graylog2] Porting Grok patterns to Graylog

2015-08-25 Thread Drew Miranda
Currently extractor rules are bound to a single field, meaning that both the condition of extraction and the extraction itself must be on the same field. Also extractors can be created using plain regex if you only want something specific extracted. Multiple extractors can be used to create

[graylog2] Re: Drools rule example in graylog documentation does not work

2015-07-29 Thread Drew Miranda
I meant to reply here earlier. For some reason drools didn't like the syntax of the REGEX string I was using. I spun up a test environment so I could rapidly stop/start graylog and test the rules.

[graylog2] Drools rule example in graylog documentation does not work

2015-07-21 Thread Drew Miranda
I'm attempting to DROP or filter out specific messages using a drools rule. I followed the example here http://docs.graylog.org/en/latest/pages/drools.html but I get errors saying the rule is invalid. Any ideas? Rules file import org.graylog2.plugin.Message import java.util.regex.Matcher

[graylog2] Upgrading Graylog Web Interface

2015-04-07 Thread Drew Miranda
For what it's worth, I updated my web interface tonight and verified it is pointing to the new jar, but it still shows 1.0.0. I'm guessing the displayed version just wasn't changed.