[graylog2] can not start service

2016-07-06 Thread ชีระวิทย์ ภูริเดชชัยพัฒน์
Hi

I can not start service graylog collection sidecar
[image: Inline image 1]

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/CAHrRHzSUSiV7RPon257d9NVL5NSaxWSBUJmMHH7_DWx_tkgbig%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Re: Has any one successfully set up SSL on Graylog 2.0?

2016-07-06 Thread BKeep
I have just started the process of deploying Graylog 2.0.3 and cannot say 
anything about the process for setting up ssl within Graylog. If there 
really is an issue with using the built in capabilities, you can always try 
Apache as a proxy for Graylog. 
https://www.lisenet.com/2015/install-graylog2-server-on-centos-6/ and then 
look for the section configure Apache with https.

Once I actually get to the point where I am setting up my own cert, I will 
be able to comment more on this.

On Wednesday, July 6, 2016 at 2:42:47 PM UTC-5, dave...@gmail.com wrote:
>
> All, 
>
> I have been working on setting up a test instance of Graylog 2.0 for 
> several weeks now and I can't seem to make any progress with implementing 
> SSL. I have seen a few other posts asking about converting java wallets to 
> the new set up of cert and key pair but that doesn't apply I have a new 
> cert from a CA. I am pretty sure I have the cert in the correct encoding 
> "X.509 certificate with PEM encoding" that the documentation 
> asks for. 
> I can use the command "openssl x509 -in cert.pem -text -noout" to see the 
> contents of the cert without issue. I can get Graylog 2.0 running with no 
> SSL and with self generated certs but when I use the certs from the CA 
> I keep getting the errors below in /var/log/graylog-server/server.log when 
> I try to start Graylog 2.0, I can send more of the log if needed. This is 
> installed on Oracle Linux Server release 6.7 with Graylog 2.0, 
> Elasticsearch, and MongoDB installed from their respective yum repos. Any 
> advice would be greatly appreciated, I'm just spinning my wheels at this 
> point. 
>
>
> 2016-07-06T14:02:42.862-05:00 ERROR [ServiceManager] Service 
> WebInterfaceService [FAILED] has failed in the STARTING state.
> java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 
> 48)
> at 
> sun.security.util.ObjectIdentifier.(ObjectIdentifier.java:253) 
> ~[?:1.8.0_73]
> at 
> sun.security.util.DerInputStream.getOID(DerInputStream.java:281) 
> ~[?:1.8.0_73]
> at 
> com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) 
> ~[sunjce_provider.jar:1.8.0_71]
> at 
> java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) 
> ~[?:1.8.0_73]
> at 
> sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) 
> ~[?:1.8.0_73]
> at sun.security.x509.AlgorithmId.(AlgorithmId.java:114) 
> ~[?:1.8.0_73]
> at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) 
> ~[?:1.8.0_73]
> at 
> javax.crypto.EncryptedPrivateKeyInfo.(EncryptedPrivateKeyInfo.java:95) 
> ~[?:1.8.0_71]
> at 
> org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69)
>  
> ~[graylog.jar:?]
> at 
> org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96)
>  
> ~[graylog.jar:?]
> at 
> org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:187)
>  
> ~[graylog.jar:?]
> at 
> org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:158)
>  
> ~[graylog.jar:?]
> at 
> org.graylog2.initializers.WebInterfaceService.startUp(WebInterfaceService.java:46)
>  
> ~[graylog.jar:?]
> at 
> com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60)
>  
> [graylog.jar:?]
> at 
> com.google.common.util.concurrent.Callables$3.run(Callables.java:100) 
> [graylog.jar:?]
> at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
> 2016-07-06T14:02:42.896-05:00 ERROR [InputSetupService] Not starting any 
> inputs because lifecycle is: Uninitialized [LB:DEAD]
>
> 2016-07-06T14:02:42.941-05:00 ERROR [ServiceManager] Service 
> IndexerSetupService [FAILED] has failed in the STOPPING state.
> java.lang.IllegalStateException: Can't move to started state when closed
> at 
> org.elasticsearch.common.component.Lifecycle.moveToStarted(Lifecycle.java:130)
>  
> ~[graylog.jar:?]
> at 
> org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:69)
>  
> ~[graylog.jar:?]
> at 
> org.elasticsearch.transport.TransportService.doStart(TransportService.java:182)
>  
> ~[graylog.jar:?]
> at 
> org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:68)
>  
> ~[graylog.jar:?]
> at org.elasticsearch.node.Node.start(Node.java:278) 
> ~[graylog.jar:?]
> at 
> org.graylog2.initializers.IndexerSetupService.startUp(IndexerSetupService.java:114)
>  
> ~[graylog.jar:?]
> at 
> com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60)
>  
> [graylog.jar:?]
> at 
> com.google.common.util.concurrent.Callables$3.run(Callables.java:100) 
> [graylog.jar:?]
>

[graylog2] Where to configure the elasticsearch cluster, server.conf or elasticsearch.yml?

2016-07-06 Thread tommcf64


I have a 3 node Graylog cluster, two nodes have both the Graylog server and 
elasticsearch installed, the other has only elasticsearch installed, and I 
am having difficulty understanding where to place the elasticsearch 
configuration information. Should it be placed in the server.conf file or 
in the elasticsearch.yml?

If the elasticsearch configuration should be placed in the server.conf 
file what information needs to be placed in the elasticsearch.yml file?

The only way that I can get Graylog to operate is to have the cluster name, 
the node name, the network hostname and the zen discovery hosts in both 
files, but I end up with 5 elasticsearch clusters instead of three. 2 of 
the elasticsearch clusters are advertised by the server.conf file 
configuration and three by the elasticsearch.yml configuration. In this 
configuration Graylog shows the elasticsearch cluster as being green, but 
elasticsearch shows it being yellow.

See below.

curl 'server1:9200/_cat/nodes?v'

host        ip          heap.percent ram.percent load node.role master name
10.85.7.187 10.85.7.187           62          76 0.75 c         -      graylog-cc56d951 (exposed by server.conf)
10.42.2.31  10.42.2.31             3          98 0.04 -         -      server3 (exposed by elasticsearch.yml)
10.42.2.21  10.42.2.21            51          70 3.02 c         -      graylog-efba9df3 (exposed by server.conf)
10.42.2.21  10.42.2.21             9          70 3.02 d         m      server1 (exposed by elasticsearch.yml)
10.85.7.187 10.85.7.187           11          76 0.75 d         *      server2 (exposed by elasticsearch.yml)

 

Thank you,

Tom



[graylog2] Where to configure the elasticsearch cluster, server.conf or elasticsearch.yml?

2016-07-06 Thread tommcf64


I have a 3 node Graylog cluster, two nodes have both Graylog server and 
elasticsearch installed, the other has only elasticsearch installed, and I 
am having difficulty understanding where to place the elasticsearch 
configuration information. Should it be placed in the server.conf file or 
in the elasticsearch.yml?

If the elasticsearch configuration should be placed in the server.conf 
file what information needs to be placed in the elasticsearch.yml file?

The only way that I can get Graylog to operate is to have the cluster name, 
the node name, the network hostname and the zen discovery hosts in both 
files, but I end up with 5 elasticsearch clusters instead of three. 2 of 
the elasticsearch clusters are advertised by the server.conf file 
configuration and three by the elasticsearch.yml configuration.

See results below:

curl 'server1:9200/_cat/nodes?v'

host        ip          heap.percent ram.percent load node.role master name
10.85.7.187 10.85.7.187           62          76 0.75 c         -      graylog-cc56d951 (exposed by server.conf)
10.42.2.31  10.42.2.31             3          98 0.04 -         -      server3 (exposed by elasticsearch.yml)
10.42.2.21  10.42.2.21            51          70 3.02 c         -      graylog-efba9df3 (exposed by server.conf)
10.42.2.21  10.42.2.21             9          70 3.02 d         m      server1 (exposed by elasticsearch.yml)
10.85.7.187 10.85.7.187           11          76 0.75 d         *      server2 (exposed by elasticsearch.yml)



[graylog2] Graylog Error ( invalid distance too far back)

2016-07-06 Thread Yiannis
Hi all,
my graylog server every now and then throws the following error

2016-07-06T18:16:31.634Z ERROR [DecodingProcessor] Error processing message 
RawMessage{id=c3e09906-43a5-11e6-8d92-14feb5dac0e1, journalOffset=8155803, 
codec=gelf, payloadSize=2473, timestamp=2016-07-06T18:16:31.632Z}
java.util.zip.ZipException: invalid distance too far back
at 
java.util.zip.InflaterInputStream.read(InflaterInputStream.java:164) 
~[?:1.8.0_91]
at java.util.zip.GZIPInputStream.read(GZIPInputStream.java:117) 
~[?:1.8.0_91]
at java.io.FilterInputStream.read(FilterInputStream.java:107) 
~[?:1.8.0_91]
at com.google.common.io.ByteStreams.copy(ByteStreams.java:110) 
~[graylog.jar:?]
at 
com.google.common.io.ByteStreams.toByteArray(ByteStreams.java:168) 
~[graylog.jar:?]
at org.graylog2.plugin.Tools.decompressGzip(Tools.java:202) 
~[graylog.jar:?]
at 
org.graylog2.inputs.codecs.gelf.GELFMessage.getJSON(GELFMessage.java:57) 
~[graylog.jar:?]
at org.graylog2.inputs.codecs.GelfCodec.decode(GelfCodec.java:110) 
~[graylog.jar:?]
at 
org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:136)
 
~[graylog.jar:?]
at 
org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:82)
 
[graylog.jar:?]
at 
org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:58)
 
[graylog.jar:?]
at 
org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35)
 
[graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:139) 
[graylog.jar:?]
at 
com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66)
 
[graylog.jar:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_91]

2016-07-06T20:22:57.544Z ERROR [DecodingProcessor] Error processing message 
RawMessage{id=6d6dfe20-43b7-11e6-9c4f-14feb5dade21, journalOffset=13128278, 
codec=gelf, payloadSize=1659, timestamp=2016-07-06T20:22:57.538Z}
java.util.zip.ZipException: invalid distance too far back
at 
java.util.zip.InflaterInputStream.read(InflaterInputStream.java:164) 
~[?:1.8.0_91]
at java.util.zip.GZIPInputStream.read(GZIPInputStream.java:117) 
~[?:1.8.0_91]
at java.io.FilterInputStream.read(FilterInputStream.java:107) 
~[?:1.8.0_91]
at com.google.common.io.ByteStreams.copy(ByteStreams.java:110) 
~[graylog.jar:?]
at 
com.google.common.io.ByteStreams.toByteArray(ByteStreams.java:168) 
~[graylog.jar:?]
at org.graylog2.plugin.Tools.decompressGzip(Tools.java:202) 
~[graylog.jar:?]
at 
org.graylog2.inputs.codecs.gelf.GELFMessage.getJSON(GELFMessage.java:57) 
~[graylog.jar:?]
at org.graylog2.inputs.codecs.GelfCodec.decode(GelfCodec.java:110) 
~[graylog.jar:?]
at 
org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:136)
 
~[graylog.jar:?]
at 
org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:82)
 
[graylog.jar:?]
at 
org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:58)
 
[graylog.jar:?]
at 
org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35)
 
[graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:139) 
[graylog.jar:?]
at 
com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66)
 
[graylog.jar:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_91]

Could someone explain what is going wrong?

Regards
Yiannis



[graylog2] Has any one successfully set up SSL on Graylog 2.0?

2016-07-06 Thread davelcan
All, 

I have been working on setting up a test instance of Graylog 2.0 for 
several weeks now and I can't seem to make any progress with implementing 
SSL. I have seen a few other posts asking about converting java wallets to 
the new set up of cert and key pair but that doesn't apply I have a new 
cert from a CA. I am pretty sure I have the cert in the correct encoding 
"X.509 certificate with PEM encoding" that the documentation 
asks for. I 
can use the command "openssl x509 -in cert.pem -text -noout" to see the 
contents of the cert without issue. I can get Graylog 2.0 running with no 
SSL and with self generated certs but when I use the certs from the CA 
I keep getting the errors below in /var/log/graylog-server/server.log when 
I try to start Graylog 2.0, I can send more of the log if needed. This is 
installed on Oracle Linux Server release 6.7 with Graylog 2.0, 
Elasticsearch, and MongoDB installed from their respective yum repos. Any 
advice would be greatly appreciated, I'm just spinning my wheels at this 
point. 


2016-07-06T14:02:42.862-05:00 ERROR [ServiceManager] Service 
WebInterfaceService [FAILED] has failed in the STARTING state.
java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 
48)
at 
sun.security.util.ObjectIdentifier.(ObjectIdentifier.java:253) 
~[?:1.8.0_73]
at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) 
~[?:1.8.0_73]
at 
com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) 
~[sunjce_provider.jar:1.8.0_71]
at 
java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) 
~[?:1.8.0_73]
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) 
~[?:1.8.0_73]
at sun.security.x509.AlgorithmId.(AlgorithmId.java:114) 
~[?:1.8.0_73]
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) 
~[?:1.8.0_73]
at 
javax.crypto.EncryptedPrivateKeyInfo.(EncryptedPrivateKeyInfo.java:95) 
~[?:1.8.0_71]
at 
org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69)
 
~[graylog.jar:?]
at 
org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96) 
~[graylog.jar:?]
at 
org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:187)
 
~[graylog.jar:?]
at 
org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:158)
 
~[graylog.jar:?]
at 
org.graylog2.initializers.WebInterfaceService.startUp(WebInterfaceService.java:46)
 
~[graylog.jar:?]
at 
com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60)
 
[graylog.jar:?]
at 
com.google.common.util.concurrent.Callables$3.run(Callables.java:100) 
[graylog.jar:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
2016-07-06T14:02:42.896-05:00 ERROR [InputSetupService] Not starting any 
inputs because lifecycle is: Uninitialized [LB:DEAD]

2016-07-06T14:02:42.941-05:00 ERROR [ServiceManager] Service 
IndexerSetupService [FAILED] has failed in the STOPPING state.
java.lang.IllegalStateException: Can't move to started state when closed
at 
org.elasticsearch.common.component.Lifecycle.moveToStarted(Lifecycle.java:130) 
~[graylog.jar:?]
at 
org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:69)
 
~[graylog.jar:?]
at 
org.elasticsearch.transport.TransportService.doStart(TransportService.java:182) 
~[graylog.jar:?]
at 
org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:68)
 
~[graylog.jar:?]
at org.elasticsearch.node.Node.start(Node.java:278) ~[graylog.jar:?]
at 
org.graylog2.initializers.IndexerSetupService.startUp(IndexerSetupService.java:114)
 
~[graylog.jar:?]
at 
com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60)
 
[graylog.jar:?]
at 
com.google.common.util.concurrent.Callables$3.run(Callables.java:100) 
[graylog.jar:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]


2016-07-06T14:02:43.202-05:00 ERROR [ServiceManager] Service RestApiService 
[FAILED] has failed in the STOPPING state.
java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 
48)
at 
sun.security.util.ObjectIdentifier.(ObjectIdentifier.java:253) 
~[?:1.8.0_73]
at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) 
~[?:1.8.0_73]
at 
com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) 
~[sunjce_provider.jar:1.8.0_71]
at 
java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) 
~[?:1.8.0_73]
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) 
~[?:1.8.0_73]
at sun.security.x509.AlgorithmId.
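
Added example, not part of the original thread and not Graylog code: the frames in the trace above show PemKeyStore.generateKeySpec handing the key to EncryptedPrivateKeyInfo, which then fails in PBES2Parameters, and tag = 48 (0x30) is the DER SEQUENCE tag. The Python sketch below reports which container and password-based encryption scheme a PEM private key uses, so a CA-issued key can be compared with a self-generated one that loads; the sample keys are constructed DER skeletons with dummy ciphertext, and all function names are hypothetical.

```python
import base64
import re

# Standard PKCS#5 / PKCS#12 / NIST OIDs seen in encrypted PKCS#8 keys.
OID_NAMES = {
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "2.16.840.1.101.3.4.1.42": "aes-256-cbc",
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    if not body:
        raise ValueError("empty OID")
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(str(arc) for arc in arcs)


def read_algorithm(buf, pos):
    """Parse an AlgorithmIdentifier: (name or dotted OID, raw params, next_pos)."""
    tag, body, nxt = read_tlv(buf, pos)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid_body, params_pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("expected an OID, found tag %d" % tag)
    dotted = decode_oid(oid_body)
    return OID_NAMES.get(dotted, dotted), body[params_pos:], nxt


def inspect_private_key(pem_text):
    """Report the container type and encryption scheme of the first PEM block."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM block found")
    label, body = match.group(1), match.group(2)
    info = {"label": label, "encrypted": False,
            "scheme": None, "kdf": None, "cipher": None}
    if label not in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
        # Traditional OpenSSL container such as "RSA PRIVATE KEY", not PKCS#8.
        info["encrypted"] = "Proc-Type: 4,ENCRYPTED" in body
        return info
    if label == "PRIVATE KEY":  # unencrypted PKCS#8
        return info
    tag, outer, _ = read_tlv(base64.b64decode("".join(body.split())), 0)
    if tag != 0x30:
        raise ValueError("EncryptedPrivateKeyInfo is not a SEQUENCE")
    info["encrypted"] = True
    info["scheme"], params, _ = read_algorithm(outer, 0)
    if info["scheme"] == "PBES2":
        _, pbes2, _ = read_tlv(params, 0)  # PBES2-params: SEQUENCE { kdf, cipher }
        info["kdf"], _, pos = read_algorithm(pbes2, 0)
        info["cipher"], _, _ = read_algorithm(pbes2, pos)
    return info


def der(tag, body):
    """Encode a DER element with a short-form length (body under 128 bytes)."""
    return bytes([tag, len(body)]) + body


def pem(label, payload):
    """Wrap DER bytes in a PEM block."""
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (
        label, base64.encodebytes(payload).decode("ascii"), label)


# Constructed samples: well-formed DER with dummy salt, IV and ciphertext (no real key).
SALT_ITER = der(0x30, der(0x04, b"\x01" * 8) + der(0x02, b"\x08\x00"))
PBES2_ALG = der(0x30, bytes.fromhex("06092a864886f70d01050d") + der(0x30,
    der(0x30, bytes.fromhex("06092a864886f70d01050c") + SALT_ITER) +
    der(0x30, bytes.fromhex("060960864801650304012a") + der(0x04, b"\x02" * 16))))
TDES_ALG = der(0x30, bytes.fromhex("060a2a864886f70d010c0103") + SALT_ITER)
CIPHERTEXT = der(0x04, b"\x00" * 32)
SAMPLE_PBES2 = pem("ENCRYPTED PRIVATE KEY", der(0x30, PBES2_ALG + CIPHERTEXT))
SAMPLE_3DES = pem("ENCRYPTED PRIVATE KEY", der(0x30, TDES_ALG + CIPHERTEXT))
```

Calling inspect_private_key() on the text of a key file returns a dict whose "scheme" field names the PKCS#8 encryption algorithm, which is the field the Java trace fails to parse.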

[graylog2] Graylog IO Exception Error

2016-07-06 Thread Ariel Godinez
Hello,

I've been using graylog for a couple weeks now and started to notice some 
unusual behavior today. I am currently running a single node setup.

The Issue:

Every once in awhile I start to notice that graylog is dragging quite 
a bit (the loading spinner is persisting much longer than usual) so I go 
check the logs and find the following error message. 

ERROR [ServerRuntime$Responder] An I/O error has occurred while writing a 
response message entity to the container output stream.
org.glassfish.jersey.server.internal.process.MappableException: 
java.io.IOException: Connection closed
at 
org.glassfish.jersey.server.internal.MappableExceptionWrapperInterceptor.aroundWriteTo(MappableExceptionWrapperInterceptor.java:92)
 
~[graylog.jar:?]
at 
org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:162)
 
~[graylog.jar:?]
at 
org.glassfish.jersey.message.internal.MessageBodyFactory.writeTo(MessageBodyFactory.java:1130)
 
~[graylog.jar:?]
at 
org.glassfish.jersey.server.ServerRuntime$Responder.writeResponse(ServerRuntime.java:711)
 
[graylog.jar:?]
at 
org.glassfish.jersey.server.ServerRuntime$Responder.processResponse(ServerRuntime.java:444)
 
[graylog.jar:?]
at 
org.glassfish.jersey.server.ServerRuntime$Responder.process(ServerRuntime.java:434)
 
[graylog.jar:?]
at 
org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:329) 
[graylog.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) 
[graylog.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) 
[graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) 
[graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) 
[graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) 
[graylog.jar:?]
at 
org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317)
 
[graylog.jar:?]
at 
org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) 
[graylog.jar:?]
at 
org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154)
 
[graylog.jar:?]
at 
org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384)
 
[graylog.jar:?]
at 
org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) 
[graylog.jar:?]
at 
com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176)
 
[graylog.jar:?]
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) 
[?:1.8.0_91]
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) 
[?:1.8.0_91]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_91]
Caused by: java.io.IOException: Connection closed
at 
org.glassfish.grizzly.asyncqueue.TaskQueue.onClose(TaskQueue.java:317) 
~[graylog.jar:?]
at 
org.glassfish.grizzly.nio.AbstractNIOAsyncQueueWriter.onClose(AbstractNIOAsyncQueueWriter.java:501)
 
~[graylog.jar:?]
at 
org.glassfish.grizzly.nio.transport.TCPNIOTransport.closeConnection(TCPNIOTransport.java:412)
 
~[graylog.jar:?]
at 
org.glassfish.grizzly.nio.NIOConnection.doClose(NIOConnection.java:604) 
~[graylog.jar:?]
at 
org.glassfish.grizzly.nio.NIOConnection$5.run(NIOConnection.java:570) 
~[graylog.jar:?]
at 
org.glassfish.grizzly.nio.DefaultSelectorHandler.execute(DefaultSelectorHandler.java:235)
 
~[graylog.jar:?]
at 
org.glassfish.grizzly.nio.NIOConnection.terminate0(NIOConnection.java:564) 
~[graylog.jar:?]
at 
org.glassfish.grizzly.nio.transport.TCPNIOConnection.terminate0(TCPNIOConnection.java:291)
 
~[graylog.jar:?]
at 
org.glassfish.grizzly.nio.transport.TCPNIOAsyncQueueWriter.writeCompositeRecord(TCPNIOAsyncQueueWriter.java:197)
 
~[graylog.jar:?]
at 
org.glassfish.grizzly.nio.transport.TCPNIOAsyncQueueWriter.write0(TCPNIOAsyncQueueWriter.java:92)
 
~[graylog.jar:?]
at 
org.glassfish.grizzly.nio.AbstractNIOAsyncQueueWriter.processAsync(AbstractNIOAsyncQueueWriter.java:344)
 
~[graylog.jar:?]
at 
org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:107)
 
~[graylog.jar:?]
at 
org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77) 
~[graylog.jar:?]
at 
org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:536)
 
~[graylog.jar:?]
at 
org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
 
~[graylog.jar:?]
at 
org.glassfish.grizzly.strategies.SameThreadIOStrategy.executeIoEvent(SameThreadIOStrategy.java:103)
 
~[graylog.jar:?]
at 
org.glassfish.grizzly.strategies.AbstractIOStrategy.executeIoEvent(AbstractIOStrategy.java:89)
 
~[g

[graylog2] Re: Graylog alerts - X-Forwarded-For showing as 'null'

2016-07-06 Thread George Nussbaum
Hi Jochen,

I actually think it's normal behavior now.  I see proper logs and then the 
null ones but think it's a process that is running on those sites that's 
being logged.

On Friday, July 1, 2016 at 4:14:46 AM UTC-4, Jochen Schalanda wrote:
>
> Hi George,
>
> what kind of alarm callback are you using? If it's supporting templates, 
> which ones are you using?
>
> Cheers,
> Jochen
>
> On Thursday, 30 June 2016 18:40:57 UTC+2, George Nussbaum wrote:
>>
>> Hello,
>>
>> I have set up alerting on one of my streams.  The alerts come through 
>> fine.  However, the detailed info within the alert is showing my 
>> X-Forwarded-For as a null value.  The values show up in a search, so I'm 
>> confused as to why it's doing this.
>>
>> Any ideas?
>>
>



Re: [graylog2] Graylog goes enterprise, but not for elastic/shield?

2016-07-06 Thread Jochen Schalanda
Hi Rennie,

Graylog currently hosts an embedded Elasticsearch instance which joins the 
Elasticsearch cluster as a client node (i. e. no data is stored and it's 
not master-eligible). Due to some kind of "sanity check" (the JarHell 
check), the embedded Elasticsearch node fails to load any plugins in this 
mode.

There's currently no workaround for this and will need some extensive 
changes in Graylog to make it work, so don't hold your breath.

Cheers,
Jochen

On Wednesday, 6 July 2016 09:58:09 UTC+2, Ano nym wrote:
>
> On Wednesday, 6 July 2016 09:54:25 UTC+2, Jan Doberstein wrote:
>>
>> this will not be solved in the next weeks. Just because of some 
>> technical reasons. 
>>
>
> Hi Jan,
>
> did you´ve some details to the "technical reasons"? We may be able to 
> support you?
>
> Kind regards,
>
> Rennie
>



[graylog2] Re: debugging pipelines is... difficult

2016-07-06 Thread Jochen Schalanda
Hi Jason,

there's something coming up in Graylog 2.1.0 which will vastly simplify 
testing pipeline rules.

Feel free to give the alpha and beta releases a try!

Cheers,
Jochen

On Wednesday, 6 July 2016 05:42:43 UTC+2, Jason Haar wrote:
>
> Hi there
>
> First I want to say how wonderful the "extractor" webpage is: it's so easy 
> to create AND TEST extractors...
>
> ...unfortunately the new pipelines (which I want to use as they are the 
> official future) don't have the same testing capacity. Can someone tell me 
> what's wrong with this rule: it should extract pairs of ipv4 addresses out 
> of any message. The pipeline shows all messages flowing through it, but 
> none "hit" this rule. Conversely, my existing extractor rule that does the 
> same thing (but with different fieldnames) is triggering just fine - so 
> this rule must be broken - but I lack the background in whatever 
> Java-nightmare this is to debug it ;-)
>
> rule "function ExtractIPv4Pairs"
> when
>     regex("[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z].*[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z]",to_string($message.message)).matches
> then
>     let pair = regex("[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z].*[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z]",to_string($message.message),["src","dst"]);
>     set_field("pipeSrcIPv4",to_ip(pair.src));
>     set_field("pipeDstIPv4",to_ip(pair.dst));
> end
>
> Thanks
>
> PS: it would REALLY help if there were a bunch of sample rules that 
> demonstrated the fundamentals. The one example really doesn't demonstrate 
> enough
>
> -- 
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
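
Added example, not part of the thread and not Graylog code: a small Python harness that runs the quoted rule's pattern over constructed messages to show which inputs it accepts and what it captures. It assumes regex() searches for the pattern anywhere in the message and that Python's re handles this particular pattern the same way Java's engine does; the function names are hypothetical.

```python
import re

# Pattern copied from the rule; "\\." in the rule's string literal is the regex "\.".
ADDR = r"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
DELIM = r"[^0-9a-zA-Z]"
IPV4_PAIR = re.compile(DELIM + ADDR + DELIM + ".*" + DELIM + ADDR + DELIM)


def extract_pair(message):
    """Return {'src', 'dst'} as the rule's named groups would, or None if no hit."""
    hit = IPV4_PAIR.search(message)  # assumption: substring search, not full match
    return None if hit is None else {"src": hit.group(1), "dst": hit.group(2)}


def boundary_report(message):
    """For each dotted-quad token: (address, delimiter before?, delimiter after?)."""
    report = []
    for hit in re.finditer(ADDR, message):
        before = message[hit.start() - 1:hit.start()]  # empty at start of message
        after = message[hit.end():hit.end() + 1]       # empty at end of message
        report.append((hit.group(1),
                       bool(re.fullmatch(DELIM, before)),
                       bool(re.fullmatch(DELIM, after))))
    return report


# Constructed messages, not taken from the thread.
SAMPLES = [
    "conn from 10.1.2.3 port 22 to 192.168.0.5 accepted",  # both delimited
    "10.1.2.3 -> 192.168.0.5 blocked",                     # first address at start
    "blocked src=10.1.2.3 dst=192.168.0.5",                # second address at end
    "pair 10.1.2.3 192.168.0.5 seen",                      # one shared delimiter
    "hop 10.1.2.3 via 172.16.0.1 to 192.168.0.5 done",     # three addresses
]


def run_samples():
    """Evaluate every sample: (message, extracted pair or None, boundary report)."""
    return [(msg, extract_pair(msg), boundary_report(msg)) for msg in SAMPLES]


if __name__ == "__main__":
    for msg, pair, report in run_samples():
        print(repr(msg), "->", pair, report)
```

The pattern needs a non-alphanumeric character on both sides of each address and two separate delimiter characters between them, so an address at the very start or end of the message, or a pair split by a single space, yields no hit. With three addresses the greedy `.*` makes dst the last one.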



Re: [graylog2] Server currently unavailable (different from issue below)

2016-07-06 Thread Dennis Oelkers
Hey Chauncey,

> On 05.07.2016, at 20:35, Chauncey Neyman  wrote:
> 
> Hey Dennis,
> 
> First off, thanks for the reply! I'm sorry it took me so long to get back to 
> this, I had a long holiday weekend. 

no worries. I hope you enjoyed it! :)

> 
> As for my issue - all signs point to the server running on localhost:12900. 
> The docker-compose.yml file indicates the rest transport uri as follows: 
> GRAYLOG_REST_TRANSPORT_URI: http://127.0.0.1:12900
> 
> 
> 
> Additionally, loading localhost:12900 in my browser results in the following 
> message: "{"type":"ApiError","message":"HTTP 404 Not Found"}"). Forgive my 
> inexperience, but this message suggests to me that the server is running on 
> this port (as the address can be reached). Am I incorrect in that assumption? 

Your assumption is correct, that should actually do it. Can you see anything in 
your browser’s javascript console?

Kr,
D.

> 
> 
> 
> Thanks again,
> 
> Chauncey
> 
> 
> On Friday, July 1, 2016 at 12:45:18 AM UTC-7, Dennis Oelkers wrote:
> Hey Chauncey, 
> 
> from your browser’s perspective, where is your server (providing the REST 
> API) running for the development environment? 
> 
> You can configure how your development environment is reaching the server by 
> editing the graylog2-web-interface/config.js file in your local checkout and  
> adapt the gl2ServerUrl parameter. I think this is actually missing in the 
> documentation, I’m gonna add that. 
> 
> Kind regards, 
> D. 
> 
> > On 30.06.2016, at 23:22, Chauncey Neyman  wrote: 
> > 
> > Hello! 
> > 
> > So I've looked through past forums and haven't found a working solution to 
> > my current issue. I'm trying to develop a Graylog plugin, so I began by 
> > installing Graylog following the steps for Docker 
> > (http://docs.graylog.org/en/2.0/pages/installation/docker.html, because 
> > VirtualBox wouldn't work for me) and then following the steps to set up a 
> > web development environment 
> > (http://docs.graylog.org/en/2.0/pages/plugins.html#how-to-start-development).
> >  The server running on localhost:9000 is working perfectly, so I'm fairly 
> > certain localhost:12900 is functional. However, when I try running the web 
> > development environment (at localhost:8080) I get the following error 
> > message before the login page: 
> >  Server currently unavailable 
> > 
> > We are experiencing problems connecting to the Graylog server running on 
> > http://localhost:12900/. Please verify that the server is healthy and 
> > working correctly. 
> > 
> > You will be automatically redirected to the previous page once we can 
> > connect to the server. 
> > 
> > Do you need a hand? We can help you. 
> > 
> > Less details 
> > This is the last response we received from the server: 
> > 
> > Error message 
> > Bad request 
> > Original Request 
> > GET http://localhost:12900/system/sessions 
> > Status code 
> > undefined 
> > Full error message 
> > Error: Request has been terminated Possible causes: the network is offline, 
> > Origin is not allowed by Access-Control-Allow-Origin, the page is being 
> > unloaded, etc. 
> > 
> > I'd greatly appreciate any help with this issue! 
> > 
> 
> -- 
> Tel.: +49 (0)40 609 452 077 
> Fax.: +49 (0)40 609 452 078 
> 
> TORCH GmbH - A Graylog company 
> Poolstrasse 21 
> 20355 Hamburg 
> Germany 
> 
> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175 
> Managing Director: Lennart Koopmann (CEO) 
> 
> 

--
Tel.: +49 (0)40 609 452 077
Fax.: +49 (0)40 609 452 078

TORCH GmbH - A Graylog company
Poolstrasse 21
20355 Hamburg
Germany

Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Managing Director: Lennart Koopmann (CEO)


[graylog2] Re: Sizing of Graylog

2016-07-06 Thread Jochen Schalanda
Hi,

I'd say 1366x667 pixels.

Cheers,
Jochen

PS: On a more serious note, there's not much we can do for you without any 
information. Please also try using the sizing estimator on the Graylog 
website: https://www.graylog.org/tools/sizing-estimator


On Wednesday, 6 July 2016 09:48:20 UTC+2, ชีระวิทย์ ภูริเดชชัยพัฒน์ wrote:
>
> Hi
> Please suggest sizing for  us
> [image: Inline image 1]
>



Re: [graylog2] Graylog goes enterprise, but not for elastic/shield?

2016-07-06 Thread Ano nym
On Wednesday, 6 July 2016 09:54:25 UTC+2, Jan Doberstein wrote:
>
> this will not be solved in the next weeks. Just because of some 
> technical reasons. 
>

Hi Jan,

did you´ve some details to the "technical reasons"? We may be able to 
support you?

Kind regards,

Rennie



Re: [graylog2] Graylog goes enterprise, but not for elastic/shield?

2016-07-06 Thread Jan Doberstein
Hej Rennie,


On 5 July 2016 at 18:40:20, Ano nym (tuz1...@gmail.com) wrote:
> is there a solution to use Graylog with an elasticsearch cluster protected
> by Shield?
> https://graylog.ideas.aha.io/ideas/GL2E-I-461

this will not be solved in the next weeks. Just because of some
technical reasons.

with kind regards
Jan
