Re: [graylog2] Graylog 1.0 UDP process buffer performance

2015-03-02 Thread sunner
I installed unbound locally and used this, and it seems to have resolved 
the issue. It's odd that the old server didn't show this behavior, but I'm 
happy enough that it's resolved anyway. :)

Regards
Johan

On Friday, February 27, 2015 at 2:02:08 PM UTC+1, Bernd Ahlers wrote:
>
> Johan, Henrik, 
>
> I tried to track this problem down. The problem is that the JVM does 
> not cache reverse DNS lookups. The available JVM DNS cache settings 
> like "networkaddress.cache.ttl" only affect forward DNS lookups. 
>
> The code for doing the reverse lookups in Graylog did not change in a 
> long time, so this problem is not new in 1.0. 
>
> In my test setup enabling "force_rdns" for a syslog input reduced the 
> throughput from around 7000 msg/s to 300 msg/s. This was without a 
> local DNS cache. Once I installed a DNS cache on the Graylog server, 
> the throughput went up to around 3000 msg/s. 
>
> We will investigate if there is a sane way to cache the reverse 
> lookups ourselves. In the meantime I suggest to test with a DNS cache 
> installed on the Graylog server nodes to see if that helps or to 
> disable the "force_rdns" setting. 
>
> Regards, 
> Bernd 
>
> On 25 February 2015 at 18:00, Bernd Ahlers wrote:
> > Johan, Henrik,
> >
> > thanks for the details. I created an issue on GitHub and will investigate.
> >
> > https://github.com/Graylog2/graylog2-server/issues/999
> >
> > Regards,
> > Bernd
> >
> > On 25 February 2015 at 17:48, Henrik Johansen wrote:
> >> Bernd,
> >>
> >> Correct - that issue started after 0.92.x.
> >>
> >> We are still seeing evaluated CPU utilisation but we are attributing that
> >> to the fact that 0.92 was losing messages in our setup.
> >>
> >>
> >>> On 25 Feb 2015, at 17:37, Bernd Ahlers wrote:
> >>>
> >>> Henrik,
> >>>
> >>> uh, okay. I suppose it worked for you in 0.92 as well?
> >>>
> >>> I will create an issue on GitHub for that.
> >>>
> >>> Bernd
> >>>
> >>> On 25 February 2015 at 17:14, Henrik Johansen wrote:
> Bernd,
>
> We saw the exact same issue - here is a graph over the CPU idle
> percentage across a few of the cluster nodes during the upgrade :
>
> http://5.9.37.177/graylog_cluster_cpu_idle.png
>
> We went from ~20% CPU utilisation to ~100% CPU utilisation across
> ~200 cores and things only settled down after disabling force_rdns.
>
>
> On 25 Feb 2015, at 11:55, Bernd Ahlers wrote:
>
> Johan,
>
> the only thing that changed from 0.92 to 1.0 is that the DNS lookup is
> now done when the messages are read from the journal and not in the
> input path where the messages are received. Otherwise, nothing has
> changed in that regard.
>
> We do not do any manual caching of the DNS lookups, but the JVM caches
> them by default. Check
> http://docs.oracle.com/javase/7/docs/technotes/guides/net/properties.html
> for networkaddress.cache.ttl and networkaddress.cache.negative.ttl.
>
> Regards,
> Bernd
>
> On 25 February 2015 at 08:56,  wrote:
>
> This is strange, I went through all of the settings for my reply, and we are
> indeed using rdns, and it seems to be the culprit. The strangeness is that
> it works fine on the old servers even though they're on the same networks,
> and using the same DNS's and resolver settings.
> Did something regarding reverse DNS change between 0.92 and 1.0? I'm
> thinking perhaps the server is trying to do one lookup per message instead
> of caching reverse lookups, seeing as the latter would result in very little
> DNS traffic since most of the logs will be coming from a small number of
> hosts.
>
> Regards
> Johan
>
> On Tuesday, February 24, 2015 at 5:08:54 PM UTC+1, Bernd Ahlers wrote:
>
>
> Johan,
>
> this sounds very strange indeed. Can you provide us with some more
> details?
>
> - What kind of messages are you pouring into Graylog via UDP? (GELF,
>   raw, syslog?)
> - Do you have any extractors or grok filters running for the messages
>   coming in via UDP?
> - Any other differences between the TCP and UDP messages?
> - Can you show us your input configuration?
> - Are you using reverse DNS lookups?
>
> Thank you!
>
> Regards,
> Bernd
>
> On 24 February 2015 at 16:45,   wrote:
>
> Well that could be a suspect if it wasn't for the fact that the old nodes
> running on old hardware handle it just fine, along with the fact that the
> traffic seems to reach the nodes just fine (i.e it actually fills the journal
> up just fine, and the input buffer never breaks a sweat). And it's really
> not that much traffic, even spr
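
The caching this thread finds missing (reverse lookups repeated per message although most logs come from a few hosts), sketched as an added example that is not Graylog's code and not from any poster: a bounded cache with separate positive and negative TTLs in front of the reverse lookup. The class name, the TTL values, the injected resolver and the sample addresses are assumptions for illustration.

```python
import socket
import time
from collections import OrderedDict


class ReverseDnsCache:
    """Bounded cache for PTR lookups with separate positive/negative TTLs."""

    def __init__(self, resolver=None, ttl=300.0, negative_ttl=60.0,
                 max_entries=10000, clock=time.monotonic):
        # Default resolver is the system one; tests inject their own.
        self._resolve = resolver or (lambda ip: socket.gethostbyaddr(ip)[0])
        self._ttl = ttl
        self._negative_ttl = negative_ttl
        self._max_entries = max_entries
        self._clock = clock
        self._entries = OrderedDict()   # ip -> (hostname or None, expiry time)
        self.lookups = 0                # resolver calls actually made

    def hostname(self, ip):
        """Return the cached or freshly resolved name; fall back to the IP."""
        now = self._clock()
        entry = self._entries.get(ip)
        if entry is not None and entry[1] > now:
            self._entries.move_to_end(ip)        # keep active senders cached
            return entry[0] or ip
        self.lookups += 1
        try:
            name, expiry = self._resolve(ip), now + self._ttl
        except OSError:                          # socket.herror/gaierror: no PTR
            # Cache the failure too, otherwise every message from a host
            # without a PTR record costs a full lookup.
            name, expiry = None, now + self._negative_ttl
        self._entries[ip] = (name, expiry)
        self._entries.move_to_end(ip)
        while len(self._entries) > self._max_entries:
            self._entries.popitem(last=False)    # evict least recently used
        return name or ip


def lookups_for_stream(source_ips, cache):
    """Resolve the source of every message; report how many real lookups ran."""
    before = cache.lookups
    names = [cache.hostname(ip) for ip in source_ips]
    return names, cache.lookups - before


if __name__ == "__main__":
    # Constructed input: 7000 messages from three senders (documentation range).
    def constructed_resolver(ip):
        if ip == "192.0.2.9":
            raise OSError("no PTR record")
        return "host-%s.example.test" % ip.rsplit(".", 1)[1]

    demo_cache = ReverseDnsCache(resolver=constructed_resolver)
    stream = (["192.0.2.1", "192.0.2.2", "192.0.2.9"] * 2334)[:7000]
    _, cost = lookups_for_stream(stream, demo_cache)
    print("messages:", len(stream), "resolver calls:", cost)
```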

Re: [graylog2] Logs from Cisco ASA with bad "source" field

2015-03-02 Thread Bernd Ahlers
Roberto,

you replace the Syslog input with a Raw input. The extractors are
applied to the Raw input to parse the logs then.
In your setup, remove the Syslog input and start a Raw input on the
same port. Then add the extractors as described in the blog post I
sent you earlier.

Regards,
Bernd

On 27 February 2015 at 20:17,   wrote:
> Dear Bernd, thanks for your helpful response, but now I have a new
> question.
>
> I have a Graylog2 server with just one INPUT "Syslog UDP" listening on port
> UDP/10514, and the tutorial said I have to create another INPUT "Raw"
> suppose listening on port UDP/.
>
> How can I connect the raw input with the syslog input ??? I got lost...
>
> Thanks in advance,
>
> Roberto
>
> On Friday, 27 February 2015, 13:57:08 (UTC-3), Bernd Ahlers wrote:
>>
>> Roberto,
>>
>> the Cisco ASA does not send valid Syslog, unfortunately. You have to
>> create a "Raw" input and create extractors.
>>
>> There is a blog post about this here:
>> http://spottedhyena.co.uk/2015/01/graylog2-cisco-asa-cisco-catalyst/
>>
>> Hope that helps!
>>
>> Regards,
>> Bernd
>>
>> On 27 February 2015 at 15:57,   wrote:
>> > Dear, I have a Graylog2 version 0.20.6 as our syslog server of our company.
>> >
>> > I defined an INPUT "Syslog UDP" running on port UDP/10514, and after that we
>> > point several Windows and Linux servers to the Graylog2 with no problems.
>> >
>> > But in the case of the Cisco ASA firewalls, we have a problem because the
>> > source sometimes matches something like:
>> >
>> > :%ASA-session-6-302013:
>> >
>> > In the Cisco ASA's I setup:
>> >
>> > logging enable
>> > logging emblem
>> > logging trap informational
>> > logging history debugging
>> > logging asdm debugging
>> > logging device-id hostname
>> > logging host inside_Frontend 10.1.1.1 format emblem
>> >
>> > I want to have the original hostname in the "source" field, so what can I
>> > do???
>> >
>> > Regards,
>> >
>> > Roberto
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups
>> > "graylog2" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to graylog2+u...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>>
>>
>>
>> --
>> Developer
>>
>> Tel.: +49 (0)40 609 452 077
>> Fax.: +49 (0)40 609 452 078
>>
>> TORCH GmbH - A Graylog company
>> Steckelhörn 11
>> 20457 Hamburg
>> Germany
>>
>> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
>> Geschäftsführer: Lennart Koopmann (CEO)

Re: [graylog2] journal broken

2015-03-02 Thread Bernd Ahlers
Ed,

if you want to delete all of the journal, stop the server, delete the
journal dir (see "message_journal_dir" setting in graylog.conf) and
start the server again.

Bernd

On 26 February 2015 at 16:13, Ed Totman  wrote:
> Thanks for the reply.  How do I clear the journal of old messages before I
> restart it?
>
> On Wednesday, February 25, 2015 at 10:54:42 PM UTC-8, Bernd Ahlers wrote:
>>
>> Ed,
>>
>> as Tristan already said, if you are constantly sending in more messages
>> than Graylog or Elasticsearch can process, you will always fill up
>> your journal.
>> Disabling the journal does not really fix the problem, because you
>> will now lose messages.
>>
>> Please check the node details page (System -> Nodes -> click on the
>> node name) and check the disk journal stats. If you are writing more into
>> the journal than reading from it, you have a problem with processing
>> throughput.
>>
>> Regards,
>> Bernd
>>
>> On 26 February 2015 at 00:50, Tristan Rhodes  wrote:
>> > Ed,
>> >
>> > I had this same problem.  However, increasing the journal size will only
>> > help if your rate of messages periodically decreases below what your system
>> > can process.  (For example, you will grow the journal during peak hours of
>> > the day, and drain the journal when fewer logs are being sent to Graylog).
>> >
>> > If you are always sending more messages than your Elasticsearch can ingest,
>> > the journal will not help.  I increased my Elasticsearch ingesting
>> > performance by changing this setting in elasticsearch.yml:
>> >
>> > index.refresh_interval: 30s
>> >
>> > You can read more about this setting here:
>> >
>> > http://blog.sematext.com/2013/07/08/elasticsearch-refresh-interval-vs-indexing-performance/
>> >
>> > http://www.elasticsearch.org/blog/performance-considerations-elasticsearch-indexing/
>> >
>> > Disclaimer: I am new to graylog+elasticsearch and barely know what I am
>> > doing.  :)
>> >
>> > Cheers!
>> >
>> > Tristan
>> >
>> > On Mon, Feb 23, 2015 at 10:41 AM, Ed Totman  wrote:
>> >>
>> >> I deployed the latest appliance from the ova file.  Graylog2 worked fine
>> >> for several days, but then the journal files grew to 5GB which is the
>> >> default limit and search returns no current results.  On the System page
>> >> this error appeared:
>> >>
>> >> Journal utilization is too high a few seconds ago
>> >> Journal utilization is too high and may go over the limit soon. Please
>> >> verify that your Elasticsearch cluster is healthy and fast enough. You may
>> >> also want to review your Graylog journal settings and set a higher limit.
>> >> (Node: 43a9cc82-dc5a-4492-936b-418e1bc98f5e, journal utilization: 96.0%)
>> >>
>> >> I increased the journal limit to 10GB but this did not fix the problem. I
>> >> restarted all services and checked the logs, but could not find any obvious
>> >> problem.  The VM is running on very fast storage with lots of CPU and
>> >> memory.  I set "message_journal_enabled = false" which seems to have
>> >> temporarily resolved the problem.
>> >>
>> >> How do I troubleshoot the journal?  All of the other components are
>> >> working fine.


Re: [graylog2] Re: Problem generating/loading chunked Gelf message in graylog2

2015-03-02 Thread Bernd Ahlers
Hey,

if you want to send GELF messages from your PHP application, you might
want to look at https://github.com/bzikarsky/gelf-php/.
This is a ready to use PHP GELF library which also supports chunking.

Hope that helps!

Regards,
Bernd

On 1 March 2015 at 19:31, Jesús Alberto Vidal Cortés
 wrote:
> Can anyone write a detailed sample of a chunked message?
>
> Thank you very much
>
>
> On Friday, February 27, 2015 at 6:32:46 PM UTC+1, Jesús Alberto Vidal Cortés
> wrote:
>>
>> Hi, I'm trying to process a PHP log with gawk for loading it into graylog2 (I
>> have many really big log lines). I'm not able to send the correct
>> information to graylog2 input UDP 12200.
>>
>> If I want to send the next log entry (it is GELF formatted) to graylog2 using
>> two chunks, how could I do it? What information exactly must each chunk have?
>>
>> {\n  \"version\": \"1.1\",\n  \"host\":\"phcaeproma01\",\n
>> \"short_message\":\"Chunked message\",\n  \"timestamp\": 123455134,\n
>> \"level\":1,\n  \"_remote_addr\":\"10.1.104.57\",\n
>> \"_idf\":\"987297342\",\n  \"_process\":\"Process\",\n
>> \"_uid\":\"9798742.938292\",\n  \"_idcert\":\"9386101233\" \n}
>>
>> I'm able to load this log line without using chunks (it's a simple log
>> line sample). I'm trying to send the next two chunks to graylog2:
>>
>> 1.
>> \x1e\x0f000102{\n  \"version\": \"1.1\",\n
>> \"host\":\"phcaeproma01\",\n  \"short_message\":\"%s\",\n  \"timestamp\":
>> %d,\n  \"level\":%d,\n  \"_remote_addr\":\"%s\",\n  \"_idf\":\"%s\",\n
>> \"_process\":\"%s\",\n
>>
>> 2.
>> \x1e\x0f000112\"_uid\":\"%s\",\n  \"_idcert\":\"%s\" \n}
>>
>> and I obtain the next trace in graylog2 server log
>>
>> 2015-02-26 16:59:05,389 DEBUG:
>> org.graylog2.plugin.inputs.transports.NettyTransport - More chunks necessary
>> to complete this message
>> 2015-02-26 16:59:05,390 DEBUG:
>> org.graylog2.inputs.codecs.GelfChunkAggregator - Dumping GELF chunk map
>> [chunks for 1 messages]:
>> Message <3030303030303031>  Chunks:
>> ID: 3030303030303031Sequence: 49/50 Arrival:
>> 1424966345389  Data size: 212
>> 
>>
>> 2015-02-26 16:59:05,390 DEBUG:
>> org.graylog2.plugin.inputs.transports.NettyTransport - More chunks necessary
>> to complete this message
>>
>>
>> What am I doing wrong?
>>
>> I'm using the next sentences to send the information from gawk server to
>> graylog2 server:
>>
>> printf "\x1e\x0f%s%c%c%s","0001",48,50,substr(v_cad,1,200) |&
>> "/inet/udp/0/10.253.114.218/12200";
>> printf "\x1e\x0f%s%c%c%s","0001",49,50,substr(v_cad,201) |&
>> "/inet/udp/0/10.253.114.218/12200";
>>
>> Thank you very much for any help. It's very important to me to be able to
>> send a long message in chunks
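
The chunk layout asked about in this thread, as an added example that is not from the original posts or from Graylog: a GELF chunk is the two magic bytes `0x1e 0x0f`, an 8-byte message ID, then the sequence number and the sequence count as one raw byte each, followed by the payload slice. The code also shows that a header whose fields are written as ASCII digits decodes to the `3030303030303031` / `49/50` seen in the server log quoted above. Function names and the chunk size are assumptions; the sample message reuses field values from the post.

```python
import json
import os
import struct

GELF_MAGIC = b"\x1e\x0f"   # chunk marker, the same two bytes used in the post
HEADER_LEN = 12            # 2 magic + 8 message ID + 1 seq number + 1 seq count
MAX_CHUNKS = 128           # GELF allows at most 128 chunks per message


def make_chunks(payload, chunk_size, message_id=None):
    """Split a GELF payload (bytes) into chunk datagrams with binary headers."""
    message_id = os.urandom(8) if message_id is None else message_id
    if len(message_id) != 8:
        raise ValueError("message ID must be exactly 8 bytes")
    if chunk_size < 1:
        raise ValueError("chunk_size must be positive")
    parts = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    if not 1 <= len(parts) <= MAX_CHUNKS:
        raise ValueError("payload needs %d chunks, allowed 1..%d"
                         % (len(parts), MAX_CHUNKS))
    # Sequence number and count are single raw bytes, not ASCII digits:
    # the first of two chunks carries 0x00 0x02, not "0" and "2".
    return [GELF_MAGIC + message_id + struct.pack("BB", seq, len(parts)) + part
            for seq, part in enumerate(parts)]


def parse_chunk(datagram):
    """Return (message_id, seq, count, data); raise ValueError on a bad header."""
    if len(datagram) < HEADER_LEN or datagram[:2] != GELF_MAGIC:
        raise ValueError("not a GELF chunk")
    seq, count = struct.unpack("BB", datagram[10:12])
    if not 1 <= count <= MAX_CHUNKS or seq >= count:
        raise ValueError("invalid sequence %d/%d" % (seq, count))
    return datagram[2:10], seq, count, datagram[HEADER_LEN:]


def reassemble(datagrams):
    """Return the payload once every chunk of one message is present, else None."""
    message_id, expected, slots = None, None, {}
    for datagram in datagrams:
        mid, seq, count, data = parse_chunk(datagram)
        if message_id is None:
            message_id, expected = mid, count
        elif (mid, count) != (message_id, expected):
            raise ValueError("chunk does not belong to this message")
        slots.setdefault(seq, data)          # first copy of a duplicate wins
    if expected is None or len(slots) < expected:
        return None                          # still waiting for more chunks
    return b"".join(slots[i] for i in range(expected))


# Constructed sample message built from field values that appear in the post.
SAMPLE = json.dumps({
    "version": "1.1",
    "host": "phcaeproma01",
    "short_message": "Chunked message",
    "timestamp": 123455134,
    "level": 1,
    "_remote_addr": "10.1.104.57",
}).encode("utf-8")


def ascii_header_as_decoded():
    """Decode a header whose ID, number and count are the characters
    "00000001", "1" and "2" instead of raw bytes (constructed datagram)."""
    datagram = GELF_MAGIC + b"00000001" + b"12" + b'"_uid":"x"}'
    message_id, seq, count, _ = parse_chunk(datagram)
    return message_id.hex(), seq, count


if __name__ == "__main__":
    chunks = make_chunks(SAMPLE, 40, message_id=b"\x00" * 7 + b"\x01")
    for c in chunks:
        print(c[:HEADER_LEN].hex(), len(c) - HEADER_LEN, "payload bytes")
    print("reassembled ok:", reassemble(chunks) == SAMPLE)
    print("ASCII header decodes to:", ascii_header_as_decoded())
```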


Re: [graylog2] Logs from Cisco ASA with bad "source" field

2015-03-02 Thread Alejandro Cabrera Obed
Bernd, is it possible to implement a syslog-ng in another server, receive 
the Cisco ASA logs and finally forward them to the Graylog2 server ???

Because I read in the Graylog docs that this may be a solution too

Regards,

Roberto

On Monday, 2 March 2015, 7:58:30 (UTC-3), Bernd Ahlers wrote:
>
> Roberto, 
>
> you replace the Syslog input with a Raw input. The extractors are 
> applied to the Raw input to parse the logs then. 
> In your setup, remove the Syslog input and start a Raw input on the 
> same port. Then add the extractors as described in the blog post I 
> sent you earlier. 
>
> Regards, 
> Bernd 


Re: [graylog2] Logs from Cisco ASA with bad "source" field

2015-03-02 Thread robertocarna36
Bernd, I've created a Raw INPUT as you said but after that all the sources 
from Windows servers are bad. 

So maybe I can correct the Cisco servers logs but I buy a new problem with 
my Windows servers.

Is there any universal solution ? Maybe like Alejandro says, installing 
just a syslog-ng for cisco servers and forward the logs after that to 
graylog??

Thanks again,

Roberto

On Monday, 2 March 2015, 7:58:30 (UTC-3), Bernd Ahlers wrote:
>
> Roberto, 
>
> you replace the Syslog input with a Raw input. The extractors are 
> applied to the Raw input to parse the logs then. 
> In your setup, remove the Syslog input and start a Raw input on the 
> same port. Then add the extractors as described in the blog post I 
> sent you earlier. 
>
> Regards, 
> Bernd 


Re: [graylog2] Logs from Cisco ASA with bad "source" field

2015-03-02 Thread Bernd Ahlers
Roberto,

ah, okay. Sorry, I didn't know that you have other machines reporting
via Syslog. Then you should create the Syslog input again. Make sure
that the Syslog and Raw input are not listening on the same port! So
you either have to change the port on your Cisco ASA or on your
windows machines.

Regarding syslog-ng: You can install syslog-ng and forward the Cisco
ASA messages via that one. But then you have to pre-process the
messages in syslog-ng. Otherwise the same messages would arrive in
Graylog.

Regards,
Bernd

On 2 March 2015 at 16:47,   wrote:
> Bernd, I've created a Raw INPUT as you said but after that all the sources
> from Windows servers are bad.
>
> So maybe I can correct the Cisco servers logs but I buy a new problem with my
> Windows servers.
>
> Is there any universal solution ? Maybe like Alejandro says, installing just
> a syslog-ng for cisco servers and forward the logs after that to graylog??
>
> Thanks again,
>
> Roberto

Re: [graylog2] journal broken

2015-03-02 Thread Ed Totman
I deleted the journal and re-enabled it, and also changed 
the index.refresh_interval as recommended by Tristan.

On Monday, March 2, 2015 at 3:05:10 AM UTC-8, Bernd Ahlers wrote:
>
> Ed, 
>
> if you want to delete all of the journal, stop the server, delete the 
> journal dir (see "message_journal_dir" setting in graylog.conf) and 
> start the server again. 
>
> Bernd 
>
> On 26 February 2015 at 16:13, Ed Totman > 
> wrote: 
> > Thanks for the reply.  How do I clear the journal of old messages before 
> I 
> > restart it? 
> > 
> > On Wednesday, February 25, 2015 at 10:54:42 PM UTC-8, Bernd Ahlers 
> wrote: 
> >> 
> >> Ed, 
> >> 
> >> as Tristan already said, if you constantly sending in more messages 
> >> than Graylog or Elasticsearch can process, you will always fill up 
> >> your journal. 
> >> Disabling the journal does not really fix the problem, because you 
> >> will now lose messages. 
> >> 
> >> Please check the node details page (System -> Nodes -> click on the 
> >> node name) and check the disk journal stats. If you writing more into 
> >> the journal than reading from it, you have a problem with processing 
> >> throughput. 
> >> 
> >> Regards, 
> >> Bernd 
> >> 
> >> On 26 February 2015 at 00:50, Tristan Rhodes wrote:
> >> > Ed,
> >> >
> >> > I had this same problem.  However, increasing the journal size will only
> >> > help if your rate of messages periodically decreases below what your system
> >> > can process.  (For example, you will grow the journal during peak hours of
> >> > the day, and drain the journal when fewer logs are being sent to Graylog).
> >> >
> >> > If you are always sending more messages than your Elasticsearch can ingest,
> >> > the journal will not help.  I increased my Elasticsearch ingesting
> >> > performance by changing this setting in elasticsearch.yml:
> >> >
> >> > index.refresh_interval: 30s
> >> >
> >> > You can read more about this setting here:
> >> >
> >> > http://blog.sematext.com/2013/07/08/elasticsearch-refresh-interval-vs-indexing-performance/
> >> >
> >> > http://www.elasticsearch.org/blog/performance-considerations-elasticsearch-indexing/
> >> >
> >> > Disclaimer: I am new to graylog+elasticsearch and barely know what I am
> >> > doing.  :)
> >> > 
> >> > Cheers! 
> >> > 
> >> > Tristan 
> >> > 
> >> > On Mon, Feb 23, 2015 at 10:41 AM, Ed Totman wrote:
> >> >>
> >> >> I deployed the latest appliance from the ova file.  Graylog2 worked fine
> >> >> for several days, but then the journal files grew to 5GB which is the
> >> >> default limit and search returns no current results.  On the System page
> >> >> this error appeared:
> >> >>
> >> >> Journal utilization is too high a few seconds ago
> >> >> Journal utilization is too high and may go over the limit soon. Please
> >> >> verify that your Elasticsearch cluster is healthy and fast enough. You may
> >> >> also want to review your Graylog journal settings and set a higher limit.
> >> >> (Node: 43a9cc82-dc5a-4492-936b-418e1bc98f5e, journal utilization: 96.0%)
> >> >>
> >> >> I increased the journal limit to 10GB but this did not fix the problem.  I
> >> >> restarted all services and checked the logs, but could not find any obvious
> >> >> problem.  The VM is running on very fast storage with lots of CPU and
> >> >> memory.  I set "message_journal_enabled = false" which seems to have
> >> >> temporarily resolved the problem.
> >> >> 
> >> >> How do I troubleshoot the journal?  All of the other components are 
> >> >> working fine. 
> >> >> 
> >> > 
> >> > 
> >> > 
> >> > 
> >> > -- 
> >> > Tristan Rhodes 
> >> > 
> >> 
> >> 
> >> 
> >> -- 
> >> Developer 
> >> 
> >> Tel.: +49 (0)40 609 452 077 
> >> Fax.: +49 (0)40 609 452 078 
> >> 
> >> TORCH GmbH - A Graylog company 
> >> Steckelhörn 11 
> >> 20457 Hamburg 
> >> Germany 
> >> 
> >> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175 
> >> Geschäftsführer: Lennart Koopmann (CEO) 
> > 

Re: [graylog2] Logs from Cisco ASA with bad "source" field

2015-03-02 Thread robertocarna36
Bernd, thanks a lot for your help...

Now I understand what you tell me, but just a comment:

When I created the new Syslog UDP INPUT, I checked the "rDNS resolution" 
option. Because I don't have configured an internal DNS for reverse 
resolution in my Graylog server, the source fields now are just IPs and 
not hostnames... this is better than having trash in the source field. 

I think this solution is good, but I'll try what you suggest.

Thanks a lot,

Roberto





On Monday, March 2, 2015, 13:02:16 (UTC-3), Bernd Ahlers wrote:
>
> Roberto, 
>
> ah, okay. Sorry, I didn't know that you have other machines reporting 
> via Syslog. Then you should create the Syslog input again. Make sure 
> that the Syslog and Raw input are not listening on the same port! So 
> you either have to change the port on your Cisco ASA or on your 
> windows machines. 
>
> Regarding syslog-ng: You can install syslog-ng and forward the Cisco 
> ASA messages via that one. But then you have to pre-process the 
> messages in syslog-ng. Otherwise the same messages would arrive in 
> Graylog. 
>
> Regards, 
> Bernd 
>
> On 2 March 2015 at 16:47,  > wrote: 
> > Bernd, I've created a Raw INPUT as you said but after that all the sources
> > from Windows servers are bad.
> >
> > So maybe I can correct the Cisco servers logs but I buy a new problem with my
> > Windows servers.
> >
> > Is there any universal solution? Maybe like Alejandro says, installing just
> > a syslog-ng for cisco servers and forward the logs after that to graylog??
> >
> > Thanks again,
> >
> > Roberto
> >
> > On Monday, March 2, 2015, 7:58:30 (UTC-3), Bernd Ahlers wrote:
> >> 
> >> Roberto, 
> >> 
> >> you replace the Syslog input with a Raw input. The extractors are 
> >> applied to the Raw input to parse the logs then. 
> >> In your setup, remove the Syslog input and start a Raw input on the 
> >> same port. Then add the extractors as described in the blog post I 
> >> sent you earlier. 
> >> 
> >> Regards, 
> >> Bernd 
> >> 
> >> On 27 February 2015 at 20:17,   wrote: 
> >> > Dear Bernd, thanks for your helpful response... but now I have a new
> >> > question.
> >> >
> >> > I have a Graylog2 server with just one INPUT "Syslog UDP" listening on port
> >> > UDP/10514, and the tutorial said I have to create another INPUT "Raw"
> >> > suppose listening on port UDP/.
> >> >
> >> > How can I connect the raw input with the syslog input ??? I got lost...
> >> >
> >> > Thanks in advance,
> >> >
> >> > Roberto
> >> >
> >> > On Friday, February 27, 2015, 13:57:08 (UTC-3), Bernd Ahlers wrote:
> >> >> 
> >> >> Roberto, 
> >> >> 
> >> >> the Cisco ASA does not send valid Syslog, unfortunately. You have to 
> >> >> create a "Raw" input and create extractors. 
> >> >> 
> >> >> There is a blog post about this here: 
> >> >> http://spottedhyena.co.uk/2015/01/graylog2-cisco-asa-cisco-catalyst/ 
> >> >> 
> >> >> Hope that helps! 
> >> >> 
> >> >> Regards, 
> >> >> Bernd 
> >> >> 
> >> >> On 27 February 2015 at 15:57,   wrote: 
> >> >> > Dear, I have a Graylog2 version 0.20.6 as our syslog server of our company.
> >> >> >
> >> >> > I defined an INPUT "Syslog UDP" running on port UDP/10514, and after that we
> >> >> > point several Windows and Linux servers to the Graylog2 with no problems.
> >> >> >
> >> >> > But in the case of the Cisco ASA firewalls, we have a problem because the
> >> >> > source sometimes matches something like:
> >> >> > 
> >> >> > :%ASA-session-6-302013: 
> >> >> > 
> >> >> > In the Cisco ASA's I setup: 
> >> >> > 
> >> >> > logging enable 
> >> >> > logging emblem 
> >> >> > logging trap informational 
> >> >> > logging history debugging 
> >> >> > logging asdm debugging 
> >> >> > logging device-id hostname 
> >> >> > logging host inside_Frontend 10.1.1.1 format emblem 
> >> >> > 
> >> >> > I want to have the original hostname in the "source" field, so what can I
> >> >> > do???
> >> >> > 
> >> >> > Regards, 
> >> >> > 
> >> >> > Roberto 
> >> >> > 
> >> >> 
> >> >> 
> >> >> 
> >> >> -- 
> >> >> Developer 
> >> >> 
> >> >> Tel.: +49 (0)40 609 452 077 
> >> >> Fax.: +49 (0)40 609 452 078 
> >> >> 
> >> >> TORCH GmbH - A Graylog company 
> >> >> Steckelhörn 11 
> >> >> 20457 Hamburg 
> >> >> Germany 
> >> >> 
> >> >> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175 
> >> >> Geschäftsführer: Lennart Koopmann (CEO) 
> >> > 

Re: [graylog2] Re: Problem generating/loading chunked Gelf message in graylog2

2015-03-02 Thread Jesús Alberto Vidal Cortés
Thanks Bernd, but we want to send log to graylog2 without modifying PHP 
configuration or application. Could you write a very simple sample of 
chunked message for graylog2 (in the official documentation there isn't any 
sample of chunked message, personally I think it is not sufficiently 
explained)

Thank you again.
Regards
Alberto

On Monday, March 2, 2015 at 1:54:53 PM UTC+1, Bernd Ahlers wrote:
>
> Hey, 
>
> if you want to send GELF messages from your PHP application, you might 
> want to look at https://github.com/bzikarsky/gelf-php/. 
> This is a ready to use PHP GELF library which also supports chunking. 
>
> Hope that helps! 
>
> Regards, 
> Bernd 
>
> On 1 March 2015 at 19:31, Jesús Alberto Vidal Cortés wrote:
> > Can anyone write a detailed sample of a chunked message?
> >
> > Thank you very much
> >
> >
> > On Friday, February 27, 2015 at 6:32:46 PM UTC+1, Jesús Alberto Vidal Cortés
> > wrote:
> >>
> >> Hi, I'm trying to process with gawk a PHP log for loading it into graylog2 (I
> >> have many log lines really big). I'm not able to send the correct
> >> information to graylog2 input UDP 12200
> >>
> >> If I want to send the next log (is gelf formatted) entry to graylog2 using
> >> two chunks how could I do it? What information must have exactly each chunk?
> >> 
> >> {\n  \"version\": \"1.1\",\n  \"host\":\"phcaeproma01\",\n 
> >> \"short_message\":\"Chunked message\",\n  \"timestamp\": 123455134,\n 
> >> \"level\":1,\n  \"_remote_addr\":\"10.1.104.57\",\n 
> >> \"_idf\":\"987297342\",\n  \"_process\":\"Process\",\n 
> >> \"_uid\":\"9798742.938292\",\n  \"_idcert\":\"9386101233\" \n} 
> >> 
> >> I'm able to load this log line without using chunks (it's a simple log
> >> line sample). I'm trying to send the next two chunks to graylog2:
> >>
> >> 1.
> >> \x1e\x0f000102{\n  \"version\": \"1.1\",\n
> >> \"host\":\"phcaeproma01\",\n  \"short_message\":\"%s\",\n  \"timestamp\":
> >> %d,\n  \"level\":%d,\n  \"_remote_addr\":\"%s\",\n  \"_idf\":\"%s\",\n
> >> \"_process\":\"%s\",\n
> >> 
> >> 2. 
> >> \x1e\x0f000112\"_uid\":\"%s\",\n  \"_idcert\":\"%s\" \n} 
> >> 
> >> and I obtain the next trace in graylog2 server log 
> >> 
> >> 2015-02-26 16:59:05,389 DEBUG: org.graylog2.plugin.inputs.transports.NettyTransport - More chunks necessary to complete this message
> >> 2015-02-26 16:59:05,390 DEBUG: org.graylog2.inputs.codecs.GelfChunkAggregator - Dumping GELF chunk map [chunks for 1 messages]:
> >> Message <3030303030303031>  Chunks:
> >> ID: 3030303030303031 Sequence: 49/50 Arrival: 1424966345389  Data size: 212
> >>
> >> 2015-02-26 16:59:05,390 DEBUG: org.graylog2.plugin.inputs.transports.NettyTransport - More chunks necessary to complete this message
> >> 
> >> 
> >> What am I doing wrong?
> >>
> >> I'm using the next sentences to send the information from gawk server to
> >> graylog2 server:
> >> 
> >> printf "\x1e\x0f%s%c%c%s","0001",48,50,substr(v_cad,1,200) |& 
> >> "/inet/udp/0/10.253.114.218/12200"; 
> >> printf "\x1e\x0f%s%c%c%s","0001",49,50,substr(v_cad,201) |& 
> >> "/inet/udp/0/10.253.114.218/12200"; 
> >> 
> >> Thank you very much for any help. It's very important to me to be able to
> >> send a long message in chunks
> > 
>
>
>
> -- 
> Developer 
>
> Tel.: +49 (0)40 609 452 077 
> Fax.: +49 (0)40 609 452 078 
>
> TORCH GmbH - A Graylog company 
> Steckelhörn 11 
> 20457 Hamburg 
> Germany 
>
> Commercial Reg. (Registergericht): Amtsgericht Ha
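
The chunk layout asked about in this thread, as an added example (not code from the posts, from Graylog, or from gelf-php): a chunked GELF datagram starts with the magic bytes 0x1e 0x0f, followed by an 8-byte message ID, a 1-byte sequence number counted from 0, a 1-byte sequence count, and then the payload slice. The function names, the binary message ID and the sample payload are assumptions of this example; the last constant shows why a header carrying the characters '1' and '2' is read as sequence 49 of 50, as in the chunk map dump quoted above.

```python
import json
import struct

GELF_MAGIC = b"\x1e\x0f"   # marks a chunked GELF datagram
HEADER_LEN = 12            # magic (2) + message ID (8) + sequence number (1) + sequence count (1)
MAX_CHUNKS = 128           # upper bound set by the GELF specification

def make_chunks(payload, chunk_size, message_id):
    """Split payload into datagrams, each prefixed with the 12-byte chunk header."""
    if len(message_id) != 8:
        raise ValueError("message ID must be exactly 8 bytes")
    parts = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    if not 1 <= len(parts) <= MAX_CHUNKS:
        raise ValueError("payload needs %d chunks, limit is %d" % (len(parts), MAX_CHUNKS))
    # Sequence number (from 0) and count are raw byte values, not ASCII digits.
    return [GELF_MAGIC + message_id + struct.pack("BB", seq, len(parts)) + part
            for seq, part in enumerate(parts)]

def parse_chunk(datagram):
    """Return (message_id, sequence_number, sequence_count, data) for one chunk."""
    if len(datagram) < HEADER_LEN or datagram[:2] != GELF_MAGIC:
        raise ValueError("not a chunked GELF datagram")
    seq, count = struct.unpack("BB", datagram[10:12])
    return datagram[2:10], seq, count, datagram[12:]

def reassemble(datagrams):
    """Join the chunks of one message in order; None while any chunk is missing."""
    parsed = [parse_chunk(d) for d in datagrams]
    if len({p[0] for p in parsed}) != 1 or len({p[2] for p in parsed}) != 1:
        raise ValueError("chunks do not belong to a single message")
    by_seq = {p[1]: p[3] for p in parsed}
    count = parsed[0][2]
    if set(by_seq) != set(range(count)):
        return None
    return b"".join(by_seq[i] for i in range(count))

# Constructed sample built from the fields of the message in the post.
SAMPLE = json.dumps({"version": "1.1", "host": "phcaeproma01",
                     "short_message": "Chunked message", "timestamp": 123455134,
                     "level": 1, "_remote_addr": "10.1.104.57", "_idf": "987297342",
                     "_process": "Process", "_uid": "9798742.938292",
                     "_idcert": "9386101233"}).encode("utf-8")
CHUNKS = make_chunks(SAMPLE, 200, b"\x00\x00\x00\x00\x00\x00\x00\x01")
# Constructed header with an ASCII ID followed by the characters '1' and '2'.
ASCII_HEADER = GELF_MAGIC + b"00000001" + b"12" + b"payload"
```

Each element of `CHUNKS` is sent as its own UDP datagram to the GELF UDP input.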