[graylog2] Re: how to keep the log message in one field?

2015-06-01 Thread graylogtesting
Hello

Thanks for the info, but my case is different (I think!). 
If I'm not wrong, your configuration for NXLOG is to fetch live event logs; 

in my case I have a huge archive (5TB) of Windows logs that have 
already been exported as text files, so I'm not accessing the live event logs on a 
Windows system.


Best regards
Mark



On Sunday, May 31, 2015 at 1:49:06 AM UTC+10, graylog...@gmail.com wrote:
>
> Hello
>
> I'm having a problem with graylog and nxlog feed 
>
> I have a huge archive of windows event logs, I have been trying to import 
> these logs into graylog using nxlog and gelf
>
> It all works well, nxlog picks up the logs and imports them but the messages 
> are being split in several records rather than a single one, 
>
>
> Example: if the event log contains the following
>
>
> {"1331892664000, 4624, "Success", "Security", 
> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
> on.
>
> Subject:
>  Security ID: S-1-0-0
>  Account Name: -
>  Account Domain: -
>  Logon ID: 0x0
>
> Logon Type: 3
>
>
> This event is generated when a logon session is created. It is generated 
> on the computer that was accessed.
>
> Key length indicates the length of the generated session key. This will 
> be 0 if no session key was requested." "}
>
>
> It gets loaded into graylog as:
>
> Record 1: {"1331892664000, 4624, "Success", "Security", 
> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
> on.
> Record 2: Subject
> Record 3: Security ID: S-1-0-0
>
> etc.
> etc
>
>
> I just would like to have all the message stored in one record
>
> Do you have any idea how this could be achieved?
>
> Thanks!
> Mark
>
>
>
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"graylog2" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [graylog2] Re: how to keep the log message in one field?

2015-06-01 Thread Marco Belmonte
Can you explain or show what the difference is for 2008/2012 or did I 
misunderstand you and the config you describe below applies also to 
2008/2012?


Thanks,

- Marco

On 06/01/2015 12:41 PM, Arie wrote:
That is one way to do it; this works up to Server 2003. Server 2008 
and so on is a little different;

this way there is better handling of the logs.

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Block names (gelf, in, out) are reconstructed: the archive stripped
# the angle-bracket section tags from the posted nxlog.conf.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
    Module      im_mseventlog
    Sources     Application,System
</Input>

<Output out>
    Module      om_udp
    Host        10.64.91.18
    Port        8000
    OutputType  GELF
</Output>

<Route 1>
    Path        in => out
</Route>



On Monday, 1 June 2015 at 09:04:28 UTC+2, graylog...@gmail.com wrote:

Hello

Found the issue: it was the configuration of NXLOG. I had to tell
NXLOG that the input was multiline and that the HeaderLine/EndLine were
{}; I changed the nxlog.conf as below:


# Block names (gelf, multiline, in, out) are reconstructed: the archive
# stripped the angle-bracket section tags from the posted nxlog.conf.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Extension multiline>
    Module      xm_multiline
    HeaderLine  /^{/
    EndLine     /^}/
</Extension>

<Input in>
    Module      im_file
    File        "/media/winlogs/*"
    SavePos     TRUE
    Recursive   TRUE
    InputType   multiline
</Input>

<Output out>
    Module      om_udp
    Host        127.0.0.1
    Port        12201
    OutputType  GELF
</Output>

#<Output file>
#    Module  om_file
#    File    "/tmp/output"
#</Output>




On Sunday, May 31, 2015 at 1:49:06 AM UTC+10, graylog...@gmail.com
wrote:

Hello

I'm having a problem with graylog and nxlog feed

I have a huge archive of windows event logs, I have been
trying to import these logs into graylog using nxlog and gelf

It all works well, nxlog picks up the logs and imports them but
the messages are being split in several records rather than a
single one,


Example: if the event log contains the following


{"1331892664000, 4624, "Success", "Security",
"Microsoft-Windows-Security-Auditing", "An account was
successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3


This event is generated when a logon session is created. It
is generated on the computer that was accessed.

Key length indicates the length of the generated session key.
This will be 0 if no session key was requested." "}


It gets loaded into graylog as:

Record 1: {"1331892664000, 4624, "Success", "Security",
"Microsoft-Windows-Security-Auditing", "An account was
successfully logged on.
Record 2: Subject
Record 3: Security ID: S-1-0-0

etc.
etc
I just would like to have all the message stored in one record

Do you have any idea how this could be achieved?

Thanks!
Mark







[graylog2] Re: how to keep the log message in one field?

2015-06-01 Thread Arie
That is one way to do it; this works up to Server 2003. Server 2008 and so 
on is a little different;
this way there is better handling of the logs.

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Block names (gelf, in, out) are reconstructed: the archive stripped
# the angle-bracket section tags from the posted nxlog.conf.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
    Module      im_mseventlog
    Sources     Application,System
</Input>

<Output out>
    Module      om_udp
    Host        10.64.91.18
    Port        8000
    OutputType  GELF
</Output>

<Route 1>
    Path        in => out
</Route>


On Monday, 1 June 2015 at 09:04:28 UTC+2, graylog...@gmail.com wrote:
>
> Hello
>
> Found the issue: it was the configuration of NXLOG. I had to tell NXLOG 
> that the input was multiline and that the HeaderLine/EndLine were {}; I changed 
> the nxlog.conf as below:
>
> # Block names (gelf, multiline, in, out) are reconstructed: the archive
> # stripped the angle-bracket section tags from the posted nxlog.conf.
> <Extension gelf>
>     Module      xm_gelf
> </Extension>
>
> <Extension multiline>
>     Module      xm_multiline
>     HeaderLine  /^{/
>     EndLine     /^}/
> </Extension>
>
> <Input in>
>     Module      im_file
>     File        "/media/winlogs/*"
>     SavePos     TRUE
>     Recursive   TRUE
>     InputType   multiline
> </Input>
>
> <Output out>
>     Module      om_udp
>     Host        127.0.0.1
>     Port        12201
>     OutputType  GELF
> </Output>
>
> #<Output file>
> #    Module  om_file
> #    File    "/tmp/output"
> #</Output>
>
>
>
>
> On Sunday, May 31, 2015 at 1:49:06 AM UTC+10, graylog...@gmail.com wrote:
>>
>> Hello
>>
>> I'm having a problem with graylog and nxlog feed 
>>
>> I have a huge archive of windows event logs, I have been trying to import 
>> these logs into graylog using nxlog and gelf
>>
>> It all works well, nxlog picks up the logs and imports them but the 
>> messages are being split in several records rather than a single one, 
>>
>>
>> Example: if the event log contains the following
>>
>>
>> {"1331892664000, 4624, "Success", "Security", 
>> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
>> on.
>>
>> Subject:
>>  Security ID: S-1-0-0
>>  Account Name: -
>>  Account Domain: -
>>  Logon ID: 0x0
>>
>> Logon Type: 3
>>
>>
>> This event is generated when a logon session is created. It is generated 
>> on the computer that was accessed.
>>
>> Key length indicates the length of the generated session key. This will 
>> be 0 if no session key was requested." "}
>>
>>
>> It gets loaded into graylog as:
>>
>> Record 1: {"1331892664000, 4624, "Success", "Security", 
>> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
>> on.
>> Record 2: Subject
>> Record 3: Security ID: S-1-0-0
>>
>> etc.
>> etc
>>
>>
>> I just would like to have all the message stored in one record
>>
>> Do you have any idea how this could be achieved?
>>
>> Thanks!
>> Mark
>>
>>
>>
>>
>>
>>



Re: [graylog2] Multiple source IP addresses to one Stream group - HOW? POSSIBLE? A BETTER WAY?

2015-06-01 Thread Aidan Venn
Thanks Henrik.

Lol - I remember a crazy party with lots of crazy zabbix guys and lots of 
champagne!

I never found the ring and I am now on my fourth in five years!

regards







On Monday, June 1, 2015 at 7:25:21 AM UTC+1, Henrik Johansen wrote:
>
> Exactly :)
>
> Also keep in mind that messages can exist in multiple 
> streams since it’s just a form of tagging and filtering.
>
> If you really, really need to use the approach you 
> outlined there are 2 options - one would be to vote for 
> the implementation of issues #381 and #382, another 
> would be to use the excellent REST API in Graylog 
> to manipulate the streams any way you would like.
>
> Btw Aidan - did you ever find the ring you lost at the 
> Zabbix Conference a few years back?
>
> —
> HenrikJ
>
> On 31 May 2015, at 22:29, Brandon > 
> wrote:
>
> I can see the benefit of having a stream template feature but to repeat 
> what Henrik asked, why does each source need its own separate stream? Not 
> asking to deter your question, I'm trying to understand the use case. A 
> stream rule can be set up to find ALL messages that hit on the "disconnect" 
> keyword and route them to a single stream. The "disconnect" stream would contain 
> messages from ALL sources that send in that message (source 1.1.1.1, 
> 1.1.1.2, 1.1.1.3 etc.). From within the stream, you can then use the quick 
> filters feature to find a list of all unique sources and add that to a 
> dashboard gadget. This can be repeated for the 10 different keywords and 
> then one only has to manage 10 streams instead of 10,000.
>
> Regards,
> Brandon
>
> On 05/31/2015 11:00 AM, Aidan Venn wrote:
>  
> Hi,
>
> it's like having a template applied to sources.
>
> change the template changes all the related sources.
>
> Like in Zabbix.
>
> Kind Regards
>
> Aidan
>
> On Thursday, May 28, 2015 at 9:40:20 AM UTC+1, Aidan Venn wrote: 
>>
>>  
>> 
>> Hi,
>>
>> Graylog Newbie
>>
>> Please see picture attached.
>>
>> I have three streams matching a single source IP and warning keywords 
>> from logs:
>>
>> source IP: 192.168.0.1
>>
>> stream 1-keyword:disconnect
>> stream 2-keyword:loss
>> stream 3-keyword:fail
>>
>> I want to "group" these streams and apply to multiple (1000 +) source IP 
>> addresses to benefit future scalability and large scale administration. 
>> Basically for each source IP there will be three or more streams but I only 
>> have to configure/edit the group once.
>>
>> I don`t want to have 1000 devices then have to copy each stream and then 
>> change the source IP address match. 10 keyword stream x 1000 devices would 
>> then equal 1 streams in total to configure and edit. This would be very 
>> time consuming. Especially if I had to make a change. 
>>
>> One change to the group would apply to all. A one to many relationship. 
>> How can I do this?
>>
>> Perhaps my approach/idea is incorrect so any recommendations would be 
>> great.
>>
>> Kind Regards
>>
>> Aidan Venn
>>  
>
>
>



Re: [graylog2] Re: grok extractors not working

2015-06-01 Thread Jesse Skrivseth
Thanks to everyone for continuing to pursue this odd issue. 

Arie - We are using nxlog-ce version 2.9.1347

Kay - I can't seem to recreate the problem (yet) in a test environment, 
whether 1.0.2 or 1.1.0. There are some (possibly irrelevant) differences 
between test and production, but I'll mention them anyway. Production is 
built on Amazon Web Services using the provided 1.0.2 AMIs. Test is running 
locally from the 1.0.2 OVA images in ESXi. Test and production have 
different volumes of data coming in and different devices are sending logs. 
The only place I seem to be having trouble is in production with messages 
coming from the one network appliance I am focused on at the moment. I 
haven't had a need to add/update extractors for other devices yet, so I'm 
not sure if the problem is limited to that one device or is universal for 
this production instance. I will test more generally, with more devices, 
and see if I can find a pattern.


On Monday, June 1, 2015 at 4:33:08 AM UTC-6, Kay Roepke wrote:
>
> Jesse,
>
> We've just tried to reproduce this issue on 1.1.0-RC.1 but it works as 
> expected.
> Could you give that a try in a test environment, please?
>
> Thanks,
> Kay
>



Re: [graylog2] Re: grok extractors not working

2015-06-01 Thread Kay Roepke
Jesse,

We've just tried to reproduce this issue on 1.1.0-RC.1 but it works as 
expected.
Could you give that a try in a test environment, please?

Thanks,
Kay

On Saturday, 30 May 2015 13:42:52 UTC+2, Bernd Ahlers wrote:
>
> Jesse, 
>
> thank you for the update. I created an issue in GitHub for this with a 
> link to this mailing list thread. 
>
> https://github.com/Graylog2/graylog2-server/issues/1192 
>
> I also started to test with the detailed data you submitted but did not 
> see any problems. I was testing on 1.1.0-rc.1 though. 
>
> Next step is to test all of this with 1.0.2 (which you are running). 
>
> I will let you know once I have any updates. 
>
> Thank you! 
>
> Bernd 
>
> Jesse Skrivseth [Fri, May 29, 2015 at 11:41:52AM -0700] wrote: 
> >I'm not sure why, but suddenly the extractors are working today without 
> >any further action on my part. There seems to be a very long delay between 
> >when an extractor is configured and when it is in effect, at least in this 
> >environment. 
> > 
> >Another thing to note is that the data on this input is TLS encrypted 
> >GELF via TCP, and the data is coming in from NXLog using GELF_TCP. 
> > 
> >On Thursday, May 28, 2015 at 3:25:05 PM UTC-6, Kay Röpke wrote: 
> >> 
> >> I'm not an expert on the OVAs so I would recommend simply setting up a 
> >> test instance to check this. Or you can wait until I get to it in the 
> >> (my) morning ;) 
> >> 
> > 
>
>
> -- 
> Developer 
>
> Tel.: +49 (0)40 609 452 077 
> Fax.: +49 (0)40 609 452 078 
>
> TORCH GmbH - A Graylog company 
> Steckelhörn 11 
> 20457 Hamburg 
> Germany 
>
> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175 
> Geschäftsführer: Lennart Koopmann (CEO) 
>



[graylog2] Re: How Can you SELECT Multiple Streams at Once?

2015-06-01 Thread Jochen Schalanda
Hi Aidan,

bulk operations on streams are currently not possible in Graylog.


Cheers,
Jochen

On Sunday, 31 May 2015 21:32:02 UTC+2, Aidan Venn wrote:
>
> Hi,
>
> Lets say I want to select 12 streams to pause at once.
>
> How can this be done through the webUI?
>
> I`ve tried the usual of holding down shift or ctrl - no luck
>
> No tick boxes available to select multiple streams?
>
> Kind Regards
>
> Aidan
>



[graylog2] Re: Not able to Add client to graylog server

2015-06-01 Thread Jochen Schalanda
Hi Ankur,

did you create a Syslog UDP or a Syslog TCP input in Graylog and made sure 
that those are accessible from outside the virtual machine?

For the configuration of rsyslog for sending messages to Graylog, please 
refer to our documentation at 
http://docs.graylog.org/en/1.0/pages/sending_data.html#rsyslog.

Cheers,
Jochen

On Monday, 1 June 2015 10:06:36 UTC+2, ANKUR GOYAL wrote:
>
> Hello,
>
> I have imported 3 OVA virtual appliances (latest version i.e. 1.0.2) in 
> VMware ESX 5.5. On the 1st machine I configured it as server with the command 
> (graylog-ctl reconfigure-as-server). On the 2nd machine I configured it as 
> datanode (graylog-ctl reconfigure-as-datanode), on the 3rd machine I configured 
> the web interface. Now I am not able to send the data of a Ubuntu machine 
> with rsyslog. I tried too much. Please help me out.
>
>
>
> Regards,
>
> Ankur Goyal.
>



[graylog2] Not able to Add client to graylog server

2015-06-01 Thread ANKUR GOYAL
Hello,

I have imported 3 OVA virtual appliances (latest version i.e. 1.0.2) in 
VMware ESX 5.5. On the 1st machine I configured it as server with the command 
(graylog-ctl reconfigure-as-server). On the 2nd machine I configured it as 
datanode (graylog-ctl reconfigure-as-datanode), on the 3rd machine I configured 
the web interface. Now I am not able to send the data of a Ubuntu machine 
with rsyslog. I tried too much. Please help me out.



Regards,

Ankur Goyal.



[graylog2] Re: Multiple source IP addresses to one Stream group - HOW? POSSIBLE? A BETTER WAY?

2015-06-01 Thread Aidan Venn
 

Hi Brandon, 

I see now what you and Henrik mean. That’s a far more suitable solution and 
one I will start to have a look at.

My original approach / mind-set wasn`t correct. 

Thanks for yours and Henriks help.

I`ve been playing with graylog for about 10 days on and off now and loving 
it!

Kind Regards

Aidan Venn

On Thursday, May 28, 2015 at 9:40:20 AM UTC+1, Aidan Venn wrote:
>
>
> 
> Hi,
>
> Graylog Newbie
>
> Please see picture attached.
>
> I have three streams matching a single source IP and warning keywords from 
> logs:
>
> source IP: 192.168.0.1
>
> stream 1-keyword:disconnect
> stream 2-keyword:loss
> stream 3-keyword:fail
>
> I want to "group" these streams and apply to multiple (1000 +) source IP 
> addresses to benefit future scalability and large scale administration. 
> Basically for each source IP there will be three or more streams but I only 
> have to configure/edit the group once.
>
> I don`t want to have 1000 devices then have to copy each stream and then 
> change the source IP address match. 10 keyword stream x 1000 devices would 
> then equal 1 streams in total to configure and edit. This would be very 
> time consuming. Especially if I had to make a change. 
>
> One change to the group would apply to all. A one to many relationship. 
> How can I do this?
>
> Perhaps my approach/idea is incorrect so any recommendations would be 
> great.
>
> Kind Regards
>
> Aidan Venn
>



[graylog2] Re: exporting data from searches not working properly

2015-06-01 Thread graylogtesting
Hello

Found the issue as well: only the message is exported by default, so I had 
to create an extractor to override the default "message" with the full 
message.

I used split and index, using {" as the splitting characters.

Thanks!
Mark
  

On Sunday, May 31, 2015 at 1:49:07 AM UTC+10, graylog...@gmail.com wrote:
>
> Hello 
>
> I'm using the "production" OVA (not the beta) of Graylog
>
> I noticed that when I try to export the results of a search, the message 
> field is truncated, see example below:
>
> The full message is full_message
>
>
> {"1331892651000, 4776, "Success", "Security", 
> "Microsoft-Windows-Security-Auditing", "The computer attempted to validate 
> the credentials for an account.Authentication Package: 
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0Logon Account: mr636cSource 
> Workstation: INHYIMR636CError Code: 0x0" "} 
> 
> In the exported CSV log I have only this:
>
> {"1331892651000, 4634, "Success", "Security", "Microsoft-Windows
>
> Is there anyway to fix this?
>
> Thanks a lot
> Mark
>



Re: [graylog2] Graylog 1.1.0-beta.2 collector issue in webinterface

2015-06-01 Thread Arie
Bernd,

looks like it is solved in 1.10.4-rc1. Thank you.



On Thursday, May 28, 2015 at 5:54:33 PM UTC+2, Bernd Ahlers wrote:
>
> Arie, 
>
> thanks for the report. There is an issue and a pull request to fix the 
> issue on GitHub. 
>
> https://github.com/Graylog2/graylog2-web-interface/issues/1334 
> https://github.com/Graylog2/graylog2-server/pull/1190 
>
> This will be fixed in the next beta or rc. 
>
> Regards, 
> Bernd 
>
> Arie [Thu, May 28, 2015 at 07:12:30AM -0700] wrote: 
> >Hi Bernd, 
> > 
> >Just installed and tried it, the error is still there. 
> > 
> >Tested it with a windows and linux collector, and in both cases, no 
> results. 
> > 
> >Arie. 
> > 
> >On Thursday, May 28, 2015 at 3:58:56 PM UTC+2, Bernd Ahlers wrote: 
> >> 
> >> Arie, 
> >> 
> >> thanks for the report. Do you still have that problem with beta.3? 
> >> 
> >> Bernd 
> >> 
> >> Arie [Thu, May 28, 2015 at 06:22:49AM -0700] wrote: 
> >> >Hi All, 
> >> > 
> >> >When we look @ System > Collectors and select "show messages", 
> >> >no messages are show in the UI. 
> >> > 
> >> >Messages are visible with a normal search. 
> >> > 
> >> > 
> >> >Running on centos-6.6 / elastic 1.5.2 / JRE 1.8 
> >> > 
> >> >hth,, 
> >> > 
> >> >Arie 
> >> > 
> >> 
> >> 
> >> -- 
> >> Developer 
> >> 
> >> Tel.: +49 (0)40 609 452 077 
> >> Fax.: +49 (0)40 609 452 078 
> >> 
> >> TORCH GmbH - A Graylog company 
> >> Steckelhörn 11 
> >> 20457 Hamburg 
> >> Germany 
> >> 
> >> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175 
> >> Geschäftsführer: Lennart Koopmann (CEO) 
> >> 
> > 
>
>
> -- 
> Developer 
>
> Tel.: +49 (0)40 609 452 077 
> Fax.: +49 (0)40 609 452 078 
>
> TORCH GmbH - A Graylog company 
> Steckelhörn 11 
> 20457 Hamburg 
> Germany 
>
> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175 
> Geschäftsführer: Lennart Koopmann (CEO) 
>



[graylog2] Re: how to keep the log message in one field?

2015-06-01 Thread graylogtesting
Hello

Found the issue: it was the configuration of NXLOG. I had to tell NXLOG 
that the input was multiline and that the HeaderLine/EndLine were {}; I changed 
the nxlog.conf as below:


# Block names (gelf, multiline, in, out) are reconstructed: the archive
# stripped the angle-bracket section tags from the posted nxlog.conf.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Extension multiline>
    Module      xm_multiline
    HeaderLine  /^{/
    EndLine     /^}/
</Extension>

<Input in>
    Module      im_file
    File        "/media/winlogs/*"
    SavePos     TRUE
    Recursive   TRUE
    InputType   multiline
</Input>

<Output out>
    Module      om_udp
    Host        127.0.0.1
    Port        12201
    OutputType  GELF
</Output>

#<Output file>
#    Module  om_file
#    File    "/tmp/output"
#</Output>




On Sunday, May 31, 2015 at 1:49:06 AM UTC+10, graylog...@gmail.com wrote:
>
> Hello
>
> I'm having a problem with graylog and nxlog feed 
>
> I have a huge archive of windows event logs, I have been trying to import 
> these logs into graylog using nxlog and gelf
>
> It all works well, nxlog picks up the logs and imports them but the messages 
> are being split in several records rather than a single one, 
>
>
> Example: if the event log contains the following
>
>
> {"1331892664000, 4624, "Success", "Security", 
> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
> on.
>
> Subject:
>  Security ID: S-1-0-0
>  Account Name: -
>  Account Domain: -
>  Logon ID: 0x0
>
> Logon Type: 3
>
>
> This event is generated when a logon session is created. It is generated 
> on the computer that was accessed.
>
> Key length indicates the length of the generated session key. This will 
> be 0 if no session key was requested." "}
>
>
> It gets loaded into graylog as:
>
> Record 1: {"1331892664000, 4624, "Success", "Security", 
> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
> on.
> Record 2: Subject
> Record 3: Security ID: S-1-0-0
>
> etc.
> etc
>
>
> I just would like to have all the message stored in one record
>
> Do you have any idea how this could be achieved?
>
> Thanks!
> Mark
>
>
>
>
>
>

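Added example, not from the thread and not nxlog's own code: a small Python model of what the xm_multiline HeaderLine /^{/ and EndLine /^}/ settings in Mark's nxlog.conf do to a text export of Windows event logs, so the "one record per line" symptom and the fix can be reproduced offline. The sample input is constructed from the 4624 and 4776 events quoted in the thread; the 4104 script-block record and the stricter header pattern HEADER_TIGHT are my assumptions, added to show why a header regex that only says "line starts with {" deserves a check against the real data before a 5TB import.

```python
"""Model of nxlog's xm_multiline HeaderLine/EndLine record assembly.

Added example for the thread above; it is not nxlog's code and not Mark's
configuration, only a simplified model of what HeaderLine /^{/ and
EndLine /^}/ do to a text export of Windows event logs.
"""
import re
from typing import Iterable, List, Optional

# The patterns from the nxlog.conf posted in the thread.
HEADER_LOOSE = r"^\{"
END_LINE = r"^\}"
# Assumption, not from the thread: a stricter header that requires the
# millisecond timestamp and event id that every exported record starts with.
HEADER_TIGHT = r'^\{"\d{13}, \d+, "'


def assemble(lines: Iterable[str], header: str, end: Optional[str] = None) -> List[str]:
    """Join physical lines into logical records.

    A line matching `header` closes any open record and starts a new one; a
    line matching `end` closes the current record. Lines arriving while no
    record is open are emitted one per record, which is the
    "Record 1 / Record 2 / Record 3" splitting seen without xm_multiline.
    An unterminated record is flushed at end of input.
    """
    head_re = re.compile(header)
    end_re = re.compile(end) if end else None
    records: List[str] = []
    current: List[str] = []

    def flush() -> None:
        if current:
            records.append("\n".join(current))
            current.clear()

    for raw in lines:
        line = raw.rstrip("\r\n")
        if head_re.search(line):
            flush()
            current.append(line)
        elif current:
            current.append(line)
            if end_re and end_re.search(line):
                flush()
        else:
            records.append(line)  # orphan line, no record open
    flush()
    return records


def split_without_multiline(text: str) -> List[str]:
    """What a line-based input does before the fix: every non-empty line is a record."""
    return [line for line in text.splitlines() if line.strip()]


# Constructed sample: two of the events quoted in the thread, as they would
# sit in the exported text file (one header line per event, "}" at line end).
EVENT_TEXT = '''\
{"1331892664000, 4624, "Success", "Security", "Microsoft-Windows-Security-Auditing", "An account was successfully logged on.

Subject:
 Security ID: S-1-0-0
 Account Name: -
 Account Domain: -
 Logon ID: 0x0

Logon Type: 3

This event is generated when a logon session is created. It is generated on the computer that was accessed.

Key length indicates the length of the generated session key. This will be 0 if no session key was requested." "}
{"1331892651000, 4776, "Success", "Security", "Microsoft-Windows-Security-Auditing", "The computer attempted to validate the credentials for an account." "}
'''

# Constructed edge case (assumption, not from the thread): an event whose
# description itself contains a line starting with "{", as script-block text can.
EDGE_TEXT = '''\
{"1331892700000, 4104, "Success", "PowerShell", "Microsoft-Windows-PowerShell", "Creating Scriptblock text:
{ param($x) Write-Output $x }
" "}
'''


if __name__ == "__main__":
    print(len(split_without_multiline(EVENT_TEXT)), "records without xm_multiline")
    for rec in assemble(EVENT_TEXT.splitlines(), HEADER_LOOSE, END_LINE):
        print("---\n" + rec)
    print(len(assemble(EDGE_TEXT.splitlines(), HEADER_LOOSE, END_LINE)), "records with /^{/")
    print(len(assemble(EDGE_TEXT.splitlines(), HEADER_TIGHT, END_LINE)), "records with the tight header")
```

Two things the model makes visible. First, in the posted export the closing "} sits at the end of the last description line, so EndLine /^}/ never fires there; the records are actually delimited by the next HeaderLine match, which is why the config still works. Second, any line inside an event description that happens to start with { (the constructed 4104 record) is treated as a new header by /^{/ and splits the event in two again, while a header anchored on the timestamp and event id keeps it whole; checking the assembled record count against the number of timestamps in a sample file is a cheap way to catch that before the full import.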