Hello,

I have set up the latest 2.1 version on my prod environment. Details are as follows:

ELK version 2.4
mongod version v3.2.9
Graylog 2.1 latest

I have configured Graylog primarily for the MySQL slow query log, which I have set up using Logstash and Filebeat. Details are as follows.

On the remote production server I have installed Filebeat to transfer the slow query log to Logstash. Configuration details are as follows:

    filebeat:
      prospectors:
        - paths:
            - /mysql_data/slowlogs/slow-query.log
    output:
      logstash:
        hosts: ["ip of graylog server:5044"]

On the Graylog server itself I have set up Logstash for filtering the multi-line log file with the help of grok patterns. The following is the Logstash configuration file:

    input {
      beats {
        port => 5044
        # every line that does not start with "# Time:" is appended to the previous event
        codec => multiline {
          pattern => "^# Time:"
          negate => true
          what => previous
        }
      }
    }

    filter {
      grok {
        match => [ "message", "^# User@Host: %{USER:query_user}(?:\[[^\]]+\])?\s+@\s+%{HOSTNAME:query_host}?\s+\[%{IP:query_ip}?\]" ]
      }
      grok {
        match => [ "message", "^# Thread_id: %{NUMBER:thread_id:int}\s+Schema: %{USER:schema}\s+Last_errno: %{NUMBER:last_errno:int}\s+Killed: %{NUMBER:killed:int}"]
      }
      grok {
        match => [ "message", "^# Query_time: %{NUMBER:query_time:float}\s+Lock_time: %{NUMBER:lock_time}\s+ Rows_sent: %{NUMBER:rows_sent:int} \s+Rows_examined: %{NUMBER:rows_examined:int}\s+Rows_affected: %{NUMBER:rows_affected:int}\s+Rows_read: %{NUMBER:rows_read:int}"]
      }
      grok {
        match => [ "message", "^# Bytes_sent: %{NUMBER:bytes_sent:float}"]
      }
      grok {
        match => [ "message", "^SET timestamp=%{NUMBER:timestamp}" ]
      }
      grok {
        match => [ "message", "^SET timestamp=%{NUMBER};\s+%{GREEDYDATA:query}" ]
      }
      # use the slow log's own UNIX timestamp as the event time, then drop the helper field
      date {
        match => [ "timestamp", "UNIX" ]
      }
      mutate {
        remove_field => "timestamp"
      }
    }

    output {
      gelf {
        host => "127.0.0.1"
        port => 12201
      }
    }

Some messages are incorrectly parsed, Graylog failed to resolve the hostname, and I am getting 2 source inputs from a single server <refer attached screenshot>.

Please guide me if I did something wrong somewhere. I want to monitor MySQL slow queries from multiple hosts. How can I achieve that? If the above configuration is correct, then please help me debug it, and if it is not, suggest a fast and reliable alternative.
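An offline harness for debugging the pipeline in the post above, added here as an example and not part of the original message: it replays the multiline codec setting and the six grok expressions over a slow-log sample and reports which fields are extracted and which stanzas miss. Assumptions: the `GROK` table holds simplified Python stand-ins for the grok macros, the function names are hypothetical, and `SAMPLE` is constructed, with two entries under one `# Time:` header.

```python
import re
# Python stand-ins for the grok macros the post uses (approximations, an assumption).
GROK = {"USER": r"[a-zA-Z0-9._-]+", "HOSTNAME": r"[0-9A-Za-z][0-9A-Za-z.-]*",
        "IP": r"\d{1,3}(?:\.\d{1,3}){3}", "NUMBER": r"[+-]?\d+(?:\.\d+)?", "GREEDYDATA": r".*"}

def grok_to_re(pattern):
    # %{NAME:field:type} -> named group; re.M because grok's ^ matches at every line start
    def sub(m):
        body = GROK[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?(?::\w+)?\}", sub, pattern), re.M)

COMPILED = [grok_to_re(p) for p in (  # the six grok expressions, copied from the post
    r"^# User@Host: %{USER:query_user}(?:\[[^\]]+\])?\s+@\s+%{HOSTNAME:query_host}?\s+\[%{IP:query_ip}?\]",
    r"^# Thread_id: %{NUMBER:thread_id:int}\s+Schema: %{USER:schema}\s+Last_errno: %{NUMBER:last_errno:int}\s+Killed: %{NUMBER:killed:int}",
    r"^# Query_time: %{NUMBER:query_time:float}\s+Lock_time: %{NUMBER:lock_time}\s+ Rows_sent: %{NUMBER:rows_sent:int} \s+Rows_examined: %{NUMBER:rows_examined:int}\s+Rows_affected: %{NUMBER:rows_affected:int}\s+Rows_read: %{NUMBER:rows_read:int}",
    r"^# Bytes_sent: %{NUMBER:bytes_sent:float}",
    r"^SET timestamp=%{NUMBER:timestamp}",
    r"^SET timestamp=%{NUMBER};\s+%{GREEDYDATA:query}",
)]

def multiline(lines, start=r"^# Time:"):
    events = []
    for line in lines:
        if re.search(start, line) or not events:
            events.append(line)          # a line matching the pattern opens a new event
        else:
            events[-1] += "\n" + line    # negate => true, what => previous
    return events

def grok_event(message):
    fields, missed = {}, []
    for n, rx in enumerate(COMPILED, 1):  # each stanza keeps only its first match
        m = rx.search(message)
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
        else:
            missed.append(n)              # Logstash would tag this _grokparsefailure
    return fields, missed

# Constructed sample: two slow-log entries that share a single "# Time:" header.
SAMPLE = """# Time: 160920 12:00:01
# User@Host: app[app] @ db01.example.com [10.0.0.5]
# Query_time: 2.500000  Lock_time: 0.000100 Rows_sent: 1  Rows_examined: 100000
SET timestamp=1474372801;
SELECT * FROM orders WHERE status = 'open';
# User@Host: report[report] @ db02.example.com [10.0.0.6]
# Query_time: 3.100000  Lock_time: 0.000200 Rows_sent: 5  Rows_examined: 200000
SET timestamp=1474372801;
SELECT COUNT(*) FROM items;"""
print(grok_event(multiline(SAMPLE.splitlines())[0]))
```

On this sample both entries land in one event, only the first entry's user, host and query are kept, and stanzas 2, 3 and 4 find nothing to match.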