Re: [graylog2] Doesn't work: Importing old logs using GELF.

2014-05-07 Thread Mark Nickolai
Hi Lennart,
the timestamp says, for example, 13th of April 2014 (in the past), and is correctly
calculated to a Unix timestamp in microseconds, as the GELF specs say.
There are just no messages available. As I said before, the diagram shows
some graphs for the timeframe.
On Wednesday, 7 May 2014 21:22:04 UTC+2, lennart wrote:
>
> There is nothing logged to MongoDB in v0.20.1. Did you try searching
> for "All messages" instead of selecting an actual timeframe? Also, can
> you confirm that the message dates are not in the future relative to
> your local timezone?
>
> On Wed, May 7, 2014 at 4:31 PM, Mark Nickolai wrote:
> > Hi folks!
> >
> > I wrote a small parser script, which parses old logfiles to GELF format. I
> > tried to send the parsed data to the graylog2 server input GELF UDP by using
> > netcat. This works pretty well so far except for a "lil" issue:
> >
> > The input statistic says it got a total amount of 140 MiB incoming Network
> > IO data. If I try to look at which messages these are (Messages from this
> > input), the system tells me "Nothing found".
> > The curious thing about that is the fact that the source statistic for the
> > affected source / timestamp shows message activity (and no, if I try to
> > choose the seen period of time, it still says "Nothing found").
> >
> > So I believe the messages are logged in Mongo but for some weird reason not
> > in elasticsearch.
> >
> > Any ideas?
> >
> > I'm running graylog2 0.20.1
>

-- 
You received this message because you are subscribed to the Google Groups 
"graylog2" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Graylog radio and global inputs

2014-05-07 Thread André Coelho
Hello

I would like to know if it is possible for the graylog radio server to use
the global inputs from the graylog server.

I have a graylog radio server running:

Radio nodes
Producing *0* messages per second
217fb817 / srv-graylogrd-tst-01.xxx.yyy.br
*0 messages* in master cache. The JVM is using *17 of 30 MB* heap space and
will not attempt to use more than *479 MB*.

I have a global input on the main graylog server and it is active on the
graylog radio server (srv-graylogrd-tst-01):

Running global inputs
Global TCP (Syslog TCP) 2 running
Network IO: 0B 0B (total: 11.1kiB 0B)
217fb817 / srv-graylogrd-tst-01.xxx.xxx.br: 0B 0B (total: 11.1kiB 0B)
f728fbee / srv-graylog-tst-01.xxx.xxx.br: 0B 0B (total: 0B 0B)
Total connections: 10 (2 active)
217fb817 / srv-graylogrd-tst-01.xxx.xxx.br: Total 10 (2 active)
f728fbee / srv-graylog-tst-01.xxx.xxx.br: Total 0 (0 active)

   - allow_override_date: true
   - port: 10515
   - bind_address: 0.0.0.0


Every time that I generate any event in some host that is configured to 
send logs to the *radio server* I can see that the total kiB changes in the 
Running global inputs for the radio server showing that the graylog server 
is receiving data from the radio server.
But this data is not registered in graylog.

If I send logs directly to the graylog server they get registered normally.

Using "graylog radio inputs" on the graylog server I was able to receive
messages from the radio server, but if the radio server restarts then it
stops sending these messages and other strange problems occur with the
zookeeper server.


Is there something that I can do to make radio servers work with global 
inputs?


Thanks



[graylog2] Graylog not registering radio server logs

2014-05-07 Thread André Coelho
Hello

I would like to know if it is possible for the graylog radio server to use the
global inputs from the graylog server.

I have a graylog radio server running:

Radio nodes
Producing *0* messages per second.
217fb817 / srv-graylogrd-tst-01.xxx.yyy.br
*0 messages* in master cache. The JVM is using *17 of 30 MB* heap space and
will not attempt to use more than *479 MB*.

I have a global input on the main graylog server and it is active on the
graylog radio server (srv-graylogrd-tst-01):

Running global inputs
Global TCP (Syslog TCP) 2 running
Network IO: 0B 0B (total: 11.1kiB 0B)
217fb817 / srv-graylogrd-tst-01.uffs.edu.br: 0B 0B (total: 11.1kiB 0B)
f728fbee / srv-graylog-tst-01.uffs.edu.br: 0B 0B (total: 0B 0B)
Total connections: 10 (2 active)
217fb817 / srv-graylogrd-tst-01.uffs.edu.br: Total 10 (2 active)
f728fbee / srv-graylog-tst-01.uffs.edu.br: Total 0 (0 active)

   - allow_override_date: true
   - port: 10515
   - bind_address: 0.0.0.0


Every time that I generate any event in some host that is configured to 
send logs to the radio server I can see that the total kiB changes in the 
Running global inputs for the radio server showing that the graylog server 
is receiving data from the radio server.
But this data is not registered in graylog.

If I send logs directly to the graylog server they get registered normally.

Using "graylog radio inputs" on the graylog server I was able to receive
messages from the radio server, but if the radio server restarts then it
stops sending these messages and other problems occur.


Is there something that I'm missing???


Thanks



Re: [graylog2] Zookeeper client timeout

2014-05-07 Thread Lennart Koopmann
Looks like your systems are just overloaded and you need faster
hardware or a scale out on more machines.

On Tue, May 6, 2014 at 4:13 PM, Yossi Nachum  wrote:
> Hi,
>
> I am trying to run the following graylog2 system:
>
> server1: graylog2-server-v0.21 + graylog2-radio-v0.20 + kafka + graylog2-web
>
> server2: elasticsearch
>
> when I am sending a lot of log messages (~20K per second) the lag in the
> kafka server starts to increase and then I get the following messages in the
> zookeeper log:
>
> [2014-05-05 17:27:13,144] INFO Accepted socket connection from
> /127.0.0.1:38581(org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:13,144] INFO Accepted socket connection from
> /127.0.0.1:38582(org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:13,144] INFO Client attempting to renew session
> 0x145ccf8c9a00174 at
> /127.0.0.1:38582(org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:13,145] INFO Invalid session 0x145ccf8c9a00174 for client
> /127.0.0.1:38582, probably expired
> (org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:13,145] INFO Closed socket connection for client
> /127.0.0.1:38582 which had sessionid 0x145ccf8c9a00174
> (org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:13,148] INFO Client attempting to renew session
> 0x145ccf8c9a00175 at
> /127.0.0.1:38581(org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:13,148] INFO Invalid session 0x145ccf8c9a00175 for client
> /127.0.0.1:38581, probably expired
> (org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:13,148] INFO Closed socket connection for client
> /127.0.0.1:38581 which had sessionid 0x145ccf8c9a00175
> (org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:13,161] INFO Accepted socket connection from
> /127.0.0.1:38586(org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:13,172] INFO Client attempting to establish new session at
> /127.0.0.1:38586(org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:13,173] INFO Accepted socket connection from
> /127.0.0.1:38588(org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:13,174] INFO Client attempting to establish new session at
> /127.0.0.1:38588(org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:13,183] INFO Established session 0x145ccf8c9a00176 with
> negotiated timeout 6000 for client /127.0.0.1:38586
> (org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:13,184] INFO Established session 0x145ccf8c9a00177 with
> negotiated timeout 6000 for client /127.0.0.1:38588
> (org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:21,000] INFO Expiring session 0x145ccf8c9a00176, timeout
> of 6000ms exceeded (org.apache.zookeeper.server.ZooKeeperServer)
>
> [2014-05-05 17:27:21,000] INFO Expiring session 0x145ccf8c9a00177, timeout
> of 6000ms exceeded (org.apache.zookeeper.server.ZooKeeperServer)
>
> [2014-05-05 17:27:21,001] INFO Processed session termination for sessionid:
> 0x145ccf8c9a00176 (org.apache.zookeeper.server.PrepRequestProcessor)
>
> [2014-05-05 17:27:21,001] INFO Processed session termination for sessionid:
> 0x145ccf8c9a00177 (org.apache.zookeeper.server.PrepRequestProcessor)
>
> [2014-05-05 17:27:21,002] INFO Closed socket connection for client
> /127.0.0.1:38586 which had sessionid 0x145ccf8c9a00176
> (org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:21,004] INFO Closed socket connection for client
> /127.0.0.1:38588 which had sessionid 0x145ccf8c9a00177
> (org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:56,146] INFO Accepted socket connection from
> /127.0.0.1:38760(org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:56,146] INFO Accepted socket connection from
> /127.0.0.1:38761(org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:56,146] INFO Client attempting to renew session
> 0x145ccf8c9a00176 at
> /127.0.0.1:38760(org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:56,147] INFO Invalid session 0x145ccf8c9a00176 for client
> /127.0.0.1:38760, probably expired
> (org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:56,147] INFO Client attempting to renew session
> 0x145ccf8c9a00177 at
> /127.0.0.1:38761(org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:56,147] INFO Invalid session 0x145ccf8c9a00177 for client
> /127.0.0.1:38761, probably expired
> (org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:56,148] INFO Closed socket connection for client
> /127.0.0.1:38760 which had sessionid 0x145ccf8c9a00176
> (org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:56,148] INFO Closed socket connection for client
> /127.0.0.1:38761 which had sessionid 0x145ccf8c9a00177
> (org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:56,151] INFO Accepted socket connection from
> /127.0.0.1:38762(org.apache.zookeeper.server.NIOServerCnxn)
>
> [2014-05-05 17:27:56,173] INFO Client attemp

Re: [graylog2] MasterCache filling up

2014-05-07 Thread Lennart Koopmann
Thanks for the update Tyler!

On Wed, May 7, 2014 at 12:04 AM, Tyler Bell  wrote:
> I think I just found the issue. I thought we had a box big enough to run the
> Graylog2 server, plus Web Interface, but we had a bunch of Streams enabled
> recently. We disabled them to see what would happen and we came back to full
> processing capacity (~1750 msg/s). I'm suggesting that we get a separate box
> for the web interface now.
>
>
> On Tuesday, May 6, 2014 12:53:44 PM UTC-6, Tyler Bell wrote:
>>
>> There are no ES errors. Cluster Health is Green. I see data being added to
>> my /data partition. Is there a way to see what else ES could be doing that
>> would force Graylog to only process 1/3 of the logs it was processing a week
>> ago?
>>
>> {
>>   "cluster_name" : "X",
>>   "status" : "green",
>>   "timed_out" : false,
>>   "number_of_nodes" : 3,
>>   "number_of_data_nodes" : 2,
>>   "active_primary_shards" : 320,
>>   "active_shards" : 320,
>>   "relocating_shards" : 0,
>>   "initializing_shards" : 0,
>>   "unassigned_shards" : 0
>> }
>>
>>
>> On Tuesday, May 6, 2014 12:29:53 PM UTC-6, lennart wrote:
>>>
>>> Can you check your ElasticSearch logs for errors? I am pretty sure it
>>> is the reason.
>>>
>>> On Tue, May 6, 2014 at 5:57 PM, Tyler Bell 
>>> wrote:
>>> > I'm having an issue with Graylog continuously falling behind with log
>>> > processing, and the MasterCache filling up till the 10G of Heap Space maxes
>>> > out and crashes. The really weird thing is that a week ago, everything was
>>> > processing fine and I was taking between 1500-2000 msg/s. Now I barely get
>>> > over 500-750 msg/s. I don't think ElasticSearch is the issue because none of
>>> > the OutputCache or Buffer is increasing.
>>> >
>>> > I'm wondering if it has something to do with this: Number of indices (80)
>>> > higher than limit (20). Running retention for 60 indices. It doesn't look
>>> > like Graylog is properly rotating indexes and running this retention instead.
>>> >
>>> > After restarting graylog2 and emptying cache...
>>> > [util][caches][2014-05-06T08:46:04.850-07:00] InputCache size: 5758
>>> > [util][caches][2014-05-06T08:46:04.850-07:00] OutputCache size: 0
>>> > [util][buffers][2014-05-06T08:46:04.850-07:00] OutputBuffer is at 0.0%. [0/2048]
>>> > [util][buffers][2014-05-06T08:46:04.850-07:00] ProcessBuffer is at 33.251953%. [681/2048]
>>> > [util][heap][2014-05-06T08:46:04.850-07:00] Used memory (MB): 1465
>>> > [util][heap][2014-05-06T08:46:04.850-07:00] Free memory (MB): 8330
>>> > [util][heap][2014-05-06T08:46:04.850-07:00] Total memory (MB): 9814
>>> > [util][heap][2014-05-06T08:46:04.850-07:00] Max memory (MB): 9814
>>> > [util][written][2014-05-06T08:46:04.850-07:00] Messages written to all outputs: 1561
>>> >
>>> >
>>> > After MasterCache fills up a bit
>>> > [util][caches][2014-05-06T08:42:18.109-07:00] InputCache size: 2487587
>>> > [util][caches][2014-05-06T08:42:18.109-07:00] OutputCache size: 0
>>> > [util][buffers][2014-05-06T08:42:18.109-07:00] OutputBuffer is at 0.0%. [0/2048]
>>> > [util][buffers][2014-05-06T08:42:18.109-07:00] ProcessBuffer is at 40.429688%. [828/2048]
>>> > [util][heap][2014-05-06T08:42:18.109-07:00] Used memory (MB): 6392
>>> > [util][heap][2014-05-06T08:42:18.109-07:00] Free memory (MB): 3736
>>> > [util][heap][2014-05-06T08:42:18.109-07:00] Total memory (MB): 10129
>>> > [util][heap][2014-05-06T08:42:18.109-07:00] Max memory (MB): 10129
>>> > [util][written][2014-05-06T08:42:18.109-07:00] Messages written to all outputs: 3100
>>> >
>>> >
>>> > ES Node config: (GLNode0 is the Graylog server). I know mlockall is false,
>>> > and is configured to be true, but these are virtualized servers and there
>>> > are some issues there.
>>> >
>>> > {
>>> >   "ok" : true,
>>> >   "cluster_name" : "Graylog2",
>>> >   "nodes" : {
>>> >     "X.X.X.X" : {
>>> >       "name" : "GLNode1",
>>> >       "transport_address" : "inet[/X.X.X.X:9300]",
>>> >       "hostname" : "X.X.X.X",
>>> >       "version" : "0.90.10",
>>> >       "http_address" : "inet[/X.X.X.X:9200]",
>>> >       "attributes" : {
>>> >         "master" : "true"
>>> >       },
>>> >       "process" : {
>>> >         "refresh_interval" : 1000,
>>> >         "id" : 1611,
>>> >         "max_file_descriptors" : 32000,
>>> >         "mlockall" : false
>>> >       }
>>> >     },
>>> >     "X.X.X.X" : {
>>> >       "name" : "GLNode0",
>>> >       "transport_address" : "inet[/X.X.X.X:9350]",
>>> >       "hostname" : "X.X.X.X",
>>> >       "version" : "0.90.10",
>>> >       "attributes" : {
>>> >         "client" : "true",
>>> >         "data" : "false",
>>> >         "master" : "false"
>>> >       },
>>> >       "process" : {
>>> >         "refresh_interval" : 1000,
>>> >         "id" : 28382,
>>> >         "max_file_descriptors" : 4096,
>>> >         "mlockall" : false
>>> >       }
>>> >     },
>>> >     "X.X.X.X" : {
>>> >       "name" : "GLNode2",
>>

Re: [graylog2] Doesn't work: Importing old logs using GELF.

2014-05-07 Thread Lennart Koopmann
There is nothing logged to MongoDB in v0.20.1. Did you try searching
for "All messages" instead of selecting an actual timeframe? Also, can
you confirm that the message dates are not in the future relative to
your local timezone?

On Wed, May 7, 2014 at 4:31 PM, Mark Nickolai wrote:
> Hi folks!
>
> I wrote a small parser script, which parses old logfiles to GELF format. I
> tried to send the parsed data to the graylog2 server input GELF UDP by using
> netcat. This works pretty well so far except for a "lil" issue:
>
> The input statistic says it got a total amount of 140 MiB incoming Network
> IO data. If I try to look at which messages these are (Messages from this
> input), the system tells me "Nothing found".
> The curious thing about that is the fact that the source statistic for the
> affected source / timestamp shows message activity (and no, if I try to
> choose the seen period of time, it still says "Nothing found").
>
> So I believe the messages are logged in Mongo but for some weird reason not
> in elasticsearch.
>
> Any ideas?
>
> I'm running graylog2 0.20.1

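As an added example (not Mark's script and not Graylog code), here is the kind of conversion this thread is about, with Lennart's question built in as a check: RFC 3164 style lines become GELF 1.1 JSON, and any message whose timestamp would land in the future is held back rather than sent. The sample lines, the year (2014) and the UTC offset (+02:00) are constructed assumptions, since such lines carry neither a year nor a zone.

```python
"""Old syslog lines -> GELF 1.1 JSON, with the future-timestamp check built in."""
import json
import re
import time
from datetime import datetime, timedelta, timezone

# Constructed sample input in the RFC 3164 style (not from the thread).
SAMPLE_LINES = [
    "Apr 13 08:15:02 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Apr 13 08:15:07 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "Apr 13 08:16:40 db01 kernel: [12345.678] Out of memory: Kill process 4242 (postgres)",
]

# RFC 3164 lines carry no year and no zone; both are assumptions for this import.
ASSUMED_YEAR = 2014
ASSUMED_TZ = timezone(timedelta(hours=2))
DEFAULT_LEVEL = 6  # syslog "informational", used when the line carries no severity

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_timestamp(mon, day, hhmmss, year=ASSUMED_YEAR, tz=ASSUMED_TZ):
    """Aware datetime from the RFC 3164 fields plus the assumed year and zone."""
    naive = datetime.strptime(f"{year} {mon} {int(day):02d} {hhmmss}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=tz)


def to_gelf(line, year=ASSUMED_YEAR, tz=ASSUMED_TZ, source_file="old.log"):
    """Return a GELF 1.1 dict for one line; the field names are the spec's own."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    ts = parse_timestamp(m["mon"], m["day"], m["time"], year, tz)
    gelf = {
        "version": "1.1",
        "host": m["host"],
        "short_message": m["msg"][:120],
        "full_message": line,
        # GELF timestamps are seconds since the Unix epoch, decimals allowed;
        # a millisecond or microsecond value here lands far in the future.
        "timestamp": ts.timestamp(),
        "level": DEFAULT_LEVEL,
        # Additional (non-standard) fields must start with an underscore.
        "_program": m["prog"].strip(),
        "_import_source": source_file,
    }
    if m["pid"]:
        gelf["_pid"] = int(m["pid"])
    return gelf


def timestamp_is_plausible(gelf, now=None, max_future_skew=60):
    """Lennart's question as a check: a message dated in the future (beyond
    clock skew) will not be found by a search over the period it belongs to."""
    now = time.time() if now is None else now
    return gelf["timestamp"] <= now + max_future_skew


def convert_all(lines, **kwargs):
    """Convert lines to GELF JSON; return (payloads to send, lines held back)."""
    accepted, rejected = [], []
    for line in lines:
        try:
            gelf = to_gelf(line, **kwargs)
        except ValueError:
            rejected.append(line)
            continue
        if not timestamp_is_plausible(gelf):
            rejected.append(line)
            continue
        # One compact JSON document per UDP datagram (GELF chunking not shown).
        accepted.append(json.dumps(gelf, separators=(",", ":")))
    return accepted, rejected


if __name__ == "__main__":
    ok, held = convert_all(SAMPLE_LINES)
    for payload in ok:
        print(payload)
    print(f"{len(ok)} ready to send, {len(held)} held back")
```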


Re: [graylog2] Hi, I installed Graylog2 and configured a cisco switch to send the log to graylog, after that strange behavior started. HELP!!!

2014-05-07 Thread Lennart Koopmann
Cisco is usually not sending valid RFC syslog and the parsing fails. What
device is sending this? Can you post (full, non-parsed) example messages?


On Wed, May 7, 2014 at 1:57 PM, Washington Gomez
wrote:




[graylog2] [ANNOUNCE] Graylog2 v0.20.2-rc.1 has been released

2014-05-07 Thread Lennart Koopmann
Hey everybody,

I am happy to announce that we released the first RC version of
Graylog2 v0.20.2:

http://blog.torch.sh/graylog2-v0-20-2-rc-1-has-been-released/

Thanks,
Lennart



Re: [graylog2] RegEx Trouble

2014-05-07 Thread Lennart Koopmann
Try this one: ^.+:\s.+?\s(.+?)\s

On Wed, May 7, 2014 at 6:03 PM, Jarred Masterson wrote:
> To confess upfront, I am a noob with RegEx but I've made some decent
> progress in the past few days.  I have a couple of extractors working well
> but I'm running into an issue with one that seems like it should work.
>
> First here is an example line that I am matching against:
> root: da2 75.6 49.7 4743.9 3183.8 6 1.3 6
>
> This is output from FreeBSD iostat -x and I have working extractors for the
> device name and the first numbered field, which is read operations.  I'm on
> 0.20.1 and I had to pull the digits prior to the decimal place due to the
> number converter not dealing with floating point numbers. I see from the
> github commits that this has been fixed in 20.2!
>
> I am trying now to pull the second metric, which is the write operations per
> second and in this case is 75.6.
>
> It seems like this should work:
> (?<=\d+\b)\d+(?=\.)
>
> I've also tried to move the \b around, such as (?<=\d+)\b\d+(?=\.)  I am also
> a little confused as to whether I do or do not need to enclose the whole thing in
> parentheses. My working extractors are enclosed in () but I get errors when
> trying that with the above example.

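As an added example (not from the thread and not Graylog code), the patterns from this exchange run against the quoted iostat line in Python, whose `re` module, like the Java engine behind Graylog's regex extractor, refuses a look-behind of unbounded length; `nth_field_after_device` is my generalisation of Lennart's pattern to any field position.

```python
"""The extractor patterns from this thread run against the quoted iostat line."""
import re

# The line quoted in the thread, used here as the sample input.
SAMPLE = "root: da2 75.6 49.7 4743.9 3183.8 6 1.3 6"

# Lennart's suggestion: skip up to "root:", skip the device name, capture the
# next field. Graylog keeps the text of the capture group, so exactly one pair
# of parentheses marks the part to store; no outer parentheses around it.
WRITE_OPS_RE = re.compile(r"^.+:\s.+?\s(.+?)\s")

# Jarred's attempts: a look-behind containing \d+ has no bounded length.
# Python's re rejects it ("look-behind requires fixed-width pattern") and the
# Java engine behind Graylog's extractor rejects it too ("Look-behind group
# does not have an obvious maximum length").
LOOKBEHIND_ATTEMPTS = [r"(?<=\d+\b)\d+(?=\.)", r"(?<=\d+)\b\d+(?=\.)"]


def lookbehind_is_rejected(pattern):
    """True when the engine refuses to compile the pattern at all."""
    try:
        re.compile(pattern)
    except re.error:
        return True
    return False


def write_ops(line):
    """The w/s field as text via Lennart's pattern ('75.6' for the sample)."""
    m = WRITE_OPS_RE.search(line)
    return m.group(1) if m else None


def write_ops_integer_part(line):
    """Digits before the decimal point only, for the 0.20.1 numeric converter
    that could not handle floating point values (no look-behind needed)."""
    m = re.search(r"^.+:\s\S+\s(\d+)(?:\.\d+)?\s", line)
    return m.group(1) if m else None


def nth_field_after_device(n):
    """Generalisation of Lennart's pattern (my addition): capture the n-th field
    after the device name, 1-based, still with a single capture group."""
    return re.compile(r"^.+:\s\S+\s" + r"(?:\S+\s)" * (n - 1) + r"(\S+)")


if __name__ == "__main__":
    for p in LOOKBEHIND_ATTEMPTS:
        print(p, "rejected" if lookbehind_is_rejected(p) else "accepted")
    print("w/s:", write_ops(SAMPLE), "integer part:", write_ops_integer_part(SAMPLE))
    print("4th field after device:", nth_field_after_device(4).search(SAMPLE).group(1))
```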


[graylog2] how to use the graph feature for a field in graylog

2014-05-07 Thread Ankit Mittal
Dear All,

I am using graylog V0.20.1. In the graylog web interface there is a feature to
plot a graph on a field in the message (only applicable for INT fields).
I am using a grok filter and defining the field type as INT, but I am still not
able to plot the graph of that field.

Please help me to configure this feature.



Thanks
Ankit Mittal



[graylog2] 2 different index in a single graylog server

2014-05-07 Thread Ankit Mittal
Dear All,

I am using graylog V0.20.1 (server and web interface) with elasticsearch
0.90.
My requirement is to use 2 different indices in elasticsearch:
one contains the bulk data, so that index can be rotated in a day,
while the other index contains the data that needs to be preserved for some
days.

Please let me know if there is a way to meet the above requirement.

Thanks
Ankit Mittal



[graylog2] About source name: in my graylog2, the switch's name is not the source name.

2014-05-07 Thread Eddie Wong
It's like the attachment; I need help.
I want the source name to be my switch name.
How can I do that?



[graylog2] Hi, I installed Graylog2 and configured a cisco switch to send the log to graylog, after that strange behavior started. HELP!!!

2014-05-07 Thread Washington Gomez






[graylog2] Doesn't work: Importing old logs using GELF.

2014-05-07 Thread Mark Nickolai
Hi folks!

I wrote a small parser script, which parses old logfiles to GELF format. I
tried to send the parsed data to the graylog2 server input GELF UDP by
using netcat. This works pretty well so far except for a "lil" issue:

The input statistic says it got a total amount of 140 MiB incoming Network
IO data. If I try to look at which messages these are (Messages from this
input), the system tells me "Nothing found".
The curious thing about that is the fact that the source statistic for the
affected source / timestamp shows message activity (and no, if I try to
choose the seen period of time, it still says "Nothing found").

So I believe the messages are logged in Mongo but for some weird reason not
in elasticsearch.

Any ideas?

I'm running graylog2 0.20.1



[graylog2] RegEx Trouble

2014-05-07 Thread Jarred Masterson
To confess upfront, I am a noob with RegEx but I've made some decent
progress in the past few days.  I have a couple of extractors working well
but I'm running into an issue with one that seems like it should work.

First here is an example line that I am matching against:
root: da2 75.6 49.7 4743.9 3183.8 6 1.3 6

This is output from FreeBSD iostat -x and I have working extractors for the
device name and the first numbered field, which is read operations.  I'm on
0.20.1 and I had to pull the digits prior to the decimal place due to the
number converter not dealing with floating point numbers. I see from the
github commits that this has been fixed in 20.2!

I am trying now to pull the second metric, which is the write operations per
second and in this case is 75.6.

It seems like this should work:
(?<=\d+\b)\d+(?=\.)

I've also tried to move the \b around, such as (?<=\d+)\b\d+(?=\.)  I am
also a little confused as to whether I do or do not need to enclose the whole
thing in parentheses. My working extractors are enclosed in () but I get
errors when trying that with the above example.



[graylog2] Re: Syslog stops when Graylog full

2014-05-07 Thread Tyler Bell
I have syslog-ng writing flat log files to a large data partition separate 
from root to prevent services from crashing. Then syslog-ng forwards logs 
to another port where I have Graylog listening. With this setup, you'll 
still have flat log file backups and logs forwarded to graylog would just 
be dropped if the server was full. You'd still need to monitor disk usage. 

I'm not sure why your services crashed because of syslog though. I have not 
seen that before, unless syslog started writing locally and filled up the 
root partition causing them to crash.

On Wednesday, May 7, 2014 5:48:01 AM UTC-6, André Coelho wrote:
>
> Hi
>
> I have a graylog server that became completely full; after that the syslog
> daemons from the servers sending logs to graylog stopped, and all the
> services that generate logs to syslog on these servers, like ssh/ldap/smtp,
> consequently stopped working.
>
> The big problem was to find out that the problem was the syslog
> daemon stopping due to the graylog server becoming full.
>
> *Is there any way, besides monitoring graylog to avoid disk full, to
> configure the servers or graylog to avoid this problem?*
>
> I have a line like this in the servers to send syslog messages:
>
> *.info @@graylogserver:10515
>
> Thanks
>

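The decoupling Tyler describes can also be done inside the syslog daemon itself. This is an added rsyslog configuration, not from the thread; it assumes rsyslog (the `@@host:port` TCP form on the page is rsyslog syntax), a writable spool directory, and the hostname and port from André's line.

```conf
# Added rsyslog example (legacy directive syntax, matching the "*.info @@..."
# line on the page). Assumes rsyslog and a writable spool directory.
$WorkDirectory /var/spool/rsyslog

# Problem setting: a plain TCP (@@) forward with no queue of its own. When the
# remote accepts the connection but stops reading, the send blocks, the main
# queue fills, and local logging (and every service that logs via syslog)
# stalls behind it.
#*.info @@graylogserver:10515

# Corrected form: write the local copy first (the leading "-" skips fsync per
# message), then give the forwarding action a disk-assisted queue so a stalled
# remote only fills the spool, bounded by MaxDiskSpace, instead of blocking
# local logging. The $ActionQueue* directives apply to the next action only.
*.info  -/var/log/messages

$ActionQueueType LinkedList
$ActionQueueFileName graylog_fwd
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
*.info @@graylogserver:10515
```

Disk usage on the Graylog side still has to be monitored, as Tyler notes; the queue only buys time and keeps the failure local to the forwarding action.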


[graylog2] Syslog stops when Graylog full

2014-05-07 Thread André Coelho
Hi

I have a graylog server that became completely full; after that the syslog
daemons from the servers sending logs to graylog stopped, and all the
services that generate logs to syslog on these servers, like ssh/ldap/smtp,
consequently stopped working.

The big problem was to find out that the problem was the syslog
daemon stopping due to the graylog server becoming full.

*Is there any way, besides monitoring graylog to avoid disk full, to
configure the servers or graylog to avoid this problem?*


I have a line like that in the servers to send syslog messages:

*.info @@graylogserver:10515



Thanks

