Re: [graylog2] Re: No Graylog servers available.
Does anyone have an answer? How do I solve this elasticsearch problem?

On Tuesday, March 17, 2015 at 8:36:23 PM UTC+2, Abdüllatif ERKAYA wrote:
> I am getting 500 logs per second. It may have an impact?

On Tuesday, March 17, 2015 at 3:12:37 PM UTC+2, Abdüllatif ERKAYA wrote:
> I started from the beginning. I deployed it. Allocated 8GB memory and 8 core CPU. IP address: DHCP. I did not change it. I made the time-zone setting and graylog-ctl reconfigure. Login to web interface. Add a syslog UDP input. Received logs. After 2 hours, I rebooted it. Same results.

On Tuesday, 17 March 2015 12:20:27 UTC+2, Marius Sturm wrote:
> Looks like Elasticsearch is not starting properly after the reboot. This can be caused by several reasons. One is too few system resources, make sure your VM has enough memory allocated, 3-4 GB at least. Another would be a wrong IP setup, please double check that you exactly followed these steps: https://github.com/Graylog2/graylog2-images/tree/master/ova#assign-a-static-ip

On 17 March 2015 at 11:09, Abdüllatif ERKAYA aerk...@gmail.com wrote:
> I installed again, version 1.0.1. I've configured it. Everything was going smoothly. I added an input (Syslog UDP). I rebooted. It started giving the same error. The log file is attached.

On Monday, March 16, 2015 at 5:41:43 PM UTC+2, Marius Sturm wrote:
> Could you please check if there are any errors in /var/log/graylog/server/current? Also check if the server is restarting constantly!

On 16 March 2015 at 15:21, Abdüllatif ERKAYA aerk...@gmail.com wrote:
> Yes, I did.

On Monday, March 16, 2015 at 9:39:38 AM UTC+2, Marius Sturm wrote:
> Hi Abdüllatif, did you run graylog-ctl reconfigure after changing the IP?

On 15 March 2015 at 14:37, Abdüllatif ERKAYA aerk...@gmail.com wrote:
> root@graylog:~# graylog-ctl status
> run: elasticsearch: (pid 13318) 624s; run: log: (pid 982) 1695s
> run: etcd: (pid 9648) 900s; run: log: (pid 985) 1695s
> run: graylog-server: (pid 19409) 9s; run: log: (pid 974) 1695s
> run: graylog-web: (pid 13400) 623s; run: log: (pid 986) 1695s
> run: mongodb: (pid 9814) 894s; run: log: (pid 971) 1695s
> run: nginx: (pid 9827) 894s; run: log: (pid 984) 1695s

-- 
You received this message because you are subscribed to the Google Groups graylog2 group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+u...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.

-- 
Developer
Tel.: +49 (0)40 609 452 077
Fax.: +49 (0)40 609 452 078
TORCH GmbH - A Graylog Company
Steckelhörn 11
20457 Hamburg
Germany
https://www.graylog.com
https://www.torch.sh/
Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Geschäftsführer: Lennart Koopmann (CEO)
[graylog2] Re: Stream or Search for Excessive Windows Events from the Same Source
Are you sending them with GELF? All to the same input? If you do, then you could possibly configure a stream alert on that input, making a trigger on your event, and in the alert condition you can configure the amount of alerts in a time-based manner.

On Monday, March 16, 2015 at 11:38:38 PM UTC+1, Pete GS wrote:
> NXLog is how we send them also and we get source/system names; the problem is alerting or searching based on the number of events from the same source without having to specify a particular source. I haven't looked at Kibana at present so maybe that's also worth a shot.
> Cheers, Pete

On Tuesday, 17 March 2015 03:31:32 UTC+10, Arie wrote:
> We send Windows events with nxlog (type: gelf), and the system names are automatically included. We look at ES with Kibana and have created a view to see what is going on.

On Monday, 16 March 2015 05:48:12 UTC+1, Pete GS wrote:
> Hi all,
> We've been continuing to discuss various other use cases for Graylog here and there is one scenario that I can't figure out a solution for.
> Essentially, if an unknown Windows issue occurs, it will generally result in the Windows Event Logs being spammed with hundreds or thousands of events within a very short time frame (usually seconds).
> Flagging a lot of Windows events in a short time frame is pretty simple, but what is not simple is that this count of events needs to be on a unique source. As we are currently sending hundreds of Windows server Event Logs to Graylog, we can't set a stream up for each individual server.
> Is there any way anyone can think of solving this? We're currently running 0.92.3 but I will soon be looking to upgrade to 1.0. The only way I can think to do this right now is to perform some scheduled scripted searches via the REST API.
> Any help or thoughts would be greatly appreciated.
> Cheers, Pete
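The scripted-search approach Pete mentions, written out as an added example (not code from the thread or from Graylog): one terms aggregation on the source field gives a count per server, so a single query and a threshold replace a stream per host. The REST endpoint, its parameters and the response shape are assumptions about the Graylog 1.x API, and the base URL, credentials and sample response are constructed.

```python
"""Per-source burst detection over a Graylog terms search.

Added example, not from the thread. The REST endpoint, its parameters and the
response shape {"terms": {"<source>": <count>, ...}} are assumed from the
Graylog 1.x API; base URL, credentials and the sample response are constructed.
"""
import base64
import json
import urllib.parse
import urllib.request


def noisy_sources(terms_response: dict, threshold: int) -> dict:
    """Return {source: count} for sources whose count in the window exceeds threshold.

    The aggregation already groups by the source field, so one query covers
    every server and no per-server stream is needed.
    """
    return {src: n for src, n in terms_response.get("terms", {}).items() if n > threshold}


def build_terms_url(base_url: str, field: str, query: str, range_seconds: int, size: int) -> str:
    """Build the relative-time terms query URL (assumed endpoint of the 1.x REST API)."""
    params = urllib.parse.urlencode(
        {"field": field, "query": query, "range": range_seconds, "size": size})
    return f"{base_url.rstrip('/')}/search/universal/relative/terms?{params}"


def fetch_noisy_sources(base_url, user, password, query="*", range_seconds=60,
                        threshold=500, size=200):
    """Live variant: query the API with HTTP basic auth, then apply noisy_sources()."""
    url = build_terms_url(base_url, "source", query, range_seconds, size)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return noisy_sources(json.load(resp), threshold)


# Constructed sample of a terms response for field=source over the last minute.
SAMPLE_RESPONSE = {
    "terms": {"dc01.example.test": 1840, "fs02.example.test": 12, "web03.example.test": 503},
    "missing": 0, "other": 0, "total": 2355, "time": 9,
}

if __name__ == "__main__":
    for src, n in sorted(noisy_sources(SAMPLE_RESPONSE, 500).items()):
        print(f"ALERT {src}: {n} events in the window")
```

Run it from cron with the query narrowed to the Windows input (for example an EventID filter) and a range equal to the cron interval, so every server is checked in one call.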
[graylog2] Inputs gone after updating to 1.0.1 from the latest 0.9x
Hi all, some help needed. After updating to 1.0.1 all my inputs (2) and extractors are gone. Before the update I created a content pack; is there anyone that can help rewriting it to get my inputs back? Below here is the pack.

    {
      "id": null,
      "name": "Nagios bundle",
      "description": "Backup",
      "category": "Monitoring",
      "inputs": [
        {
          "title": "nagiosserver",
          "configuration": { "port": 8100, "allow_override_date": true, "bind_address": "0.0.0.0", "recv_buffer_size": 1048576 },
          "type": "org.graylog2.inputs.syslog.tcp.SyslogTCPInput",
          "global": false,
          "extractors": [
            { "title": "extracthostname", "type": "REGEX",
              "configuration": { "regex_value": "([a-zA-Z0-9\\-.]+)([a-z\\.]?)*;" },
              "converters": [], "order": 0, "cursor_strategy": "COPY",
              "target_field": "hostname", "source_field": "message",
              "condition_type": "NONE", "condition_value": "" },
            { "title": "service_message", "type": "SPLIT_AND_INDEX",
              "configuration": { "index": 2, "split_by": ";" },
              "converters": [], "order": 0, "cursor_strategy": "COPY",
              "target_field": "service_message", "source_field": "message",
              "condition_type": "NONE", "condition_value": "" },
            { "title": "alert_status", "type": "SPLIT_AND_INDEX",
              "configuration": { "index": 3, "split_by": ";" },
              "converters": [], "order": 0, "cursor_strategy": "COPY",
              "target_field": "alert_status", "source_field": "message",
              "condition_type": "NONE", "condition_value": "" },
            { "title": "error_message", "type": "SPLIT_AND_INDEX",
              "configuration": { "index": 6, "split_by": ";" },
              "converters": [], "order": 0, "cursor_strategy": "COPY",
              "target_field": "error_message", "source_field": "message",
              "condition_type": "NONE", "condition_value": "" },
            { "title": "CBS_partner", "type": "REGEX",
              "configuration": { "regex_value": "\\s([1-9][0-9]0_[A-Z][A-Z]*.\\b)" },
              "converters": [], "order": 0, "cursor_strategy": "COPY",
              "target_field": "CBS_Partner", "source_field": "message",
              "condition_type": "NONE", "condition_value": "" },
            { "title": "RIS_Partner", "type": "REGEX",
              "configuration": { "regex_value": "\\s(SRK_[A-Z][A-Z]*.\\b)" },
              "converters": [], "order": 0, "cursor_strategy": "COPY",
              "target_field": "RIS_Partner", "source_field": "message",
              "condition_type": "NONE", "condition_value": "" }
          ],
          "static_fields": {}
        },
        {
          "title": "ohdnetwerk",
          "configuration": { "port": 8000, "bind_address": "0.0.0.0", "recv_buffer_size": 1048576 },
          "type": "org.graylog2.inputs.gelf.udp.GELFUDPInput",
          "global": false,
          "extractors": [],
          "static_fields": {}
        }
      ],
      "streams": [
        { "id": "54ae9b0724ac1c3ac18cf641", "title": "Java Service Error",
          "description": "Java Service Error Meldingen", "disabled": false, "outputs": [],
          "stream_rules": [ { "type": "EXACT", "field": "service_message", "value": "proc_JAVA", "inverted": false } ] },
        { "id": "54b7b9cd24acf433218a83d7", "title": "CBS Parter 900_SRK heeft status Fail",
          "description": "Partner 900_SRK probleem op het CBS systeem", "disabled": false, "outputs": [],
          "stream_rules": [ { "type": "REGEX", "field": "message", "value": "(?=.*cbs-prod).*ALERT.*False.*900_SRK", "inverted": false } ] },
        { "id": "54b7b3f524acf433218a7d80", "title": "RIS Parter SRK_CBS heeft status Fail",
          "description": "Parter SRK_CBS probleem op het RIS systeem", "disabled": false, "outputs": [],
          "stream_rules": [ { "type": "REGEX", "field": "message", "value": "(?=.*ris-prod).*ALERT.*False.*SRK_CBS", "inverted": false } ] },
        { "id": "549b001f24ac266f4e59c913", "title": "Hosts Down",
          "description": "Hosts die down gemeld worden in Nagios", "disabled": false, "outputs": [],
          "stream_rules": [ { "type": "EXACT", "field": "service_message", "value": "DOWN", "inverted": false } ] },
        { "id": "5464ab0124acdd8389e0f0f3", "title": "Hosts Unreachable",
          "description": "Message about Unreachable hosts", "disabled": false, "outputs": [],
          "stream_rules": [ { "type": "EXACT", "field": "service_message", "value": "UNREACHABLE", "inverted": false } ] }
      ],
      "outputs": [],
      "dashboards": [
        { "title": "nagios", "description": "nagios",
          "dashboard_widgets": [
            { "description": "Logged Events Total 8h", "type": "SEARCH_RESULT_COUNT",
              "configuration": { "query": "", "timerange": { "range": 28800, "type": "relative" } },
              "col": 1, "row": 1, "cache_time": 60 },
            { "description": "Server/Host events last 8h", "type": "SEARCH_RESULT_COUNT",
              "configuration": { "query": "(\"SERVICE ALERT\" OR
Re: [graylog2] Re: No Graylog servers available.
Wed, 18 Mar 2015 06:38:51 -0700 (PDT), Abdüllatif ERKAYA aerka...@gmail.com:
> Does anyone have an answer? How do I solve this elasticsearch problem?

First you can be sure it's an elasticsearch problem. When you query the ElasticSearch cluster, what's the status?

    curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'

It should return at least Yellow.

Graylog can use multicast to discover ElasticSearch. Try using the classic unicast instead.

Does your /etc/hosts file include an entry for the server's own network IP? Java applications typically want to reverse lookup their IP.

Did you disable iptables during installation but forget to change the on-boot settings?

Did you disable selinux (rhel, centos, oracle, etc) or apparmor (sles, ubuntu, etc) during installation but forget to change the on-boot settings?

Are you configuring the network with NetworkManager? If so, NetworkManager may be changing /etc/hosts or similar files. Try configuring the network the classic way.

There can be issues with the service start order. Try stopping all Graylog-related services, then starting them one by one (giving each service about 10-20 seconds to boot up), with Graylog server and web being the last ones.

Are you using Oracle JDK or OpenJDK? If you're using OpenJDK, try using Oracle JDK (preferably the latest), which can solve some bizarre problems.

If all the above fails, more info would be needed. What is the distribution / version of GNU/Linux you're using? How are you installing Graylog and its components? (RPM, Puppet, etc)

Doruk

-- 
Özgür Yazılım A.Ş. ~ # http://www.ozguryazilim.com.tr
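The first two checks in Doruk's list (cluster health at least yellow, and the node's own IP present in /etc/hosts), as an added example that is not code from the thread or from Graylog. It assumes Elasticsearch answers on http://localhost:9200 as in the curl command, and the sample health response and hosts file used in the tests are constructed.

```python
"""Diagnostics for the Elasticsearch checks listed above.

Added example, not from the thread. It assumes Elasticsearch answers on
http://localhost:9200 (as in the curl command) and that the node's own IP
and hostname should appear in /etc/hosts; the sample inputs are constructed.
"""
import json
import sys
import urllib.request

ACCEPTABLE = ("green", "yellow")   # Graylog needs at least a yellow cluster


def cluster_status(body: str) -> str:
    """Pull the status field out of a GET /_cluster/health response body."""
    return json.loads(body).get("status", "unknown")


def cluster_ok(body: str) -> bool:
    """True for green or yellow; red (or no status at all) means Graylog cannot index."""
    return cluster_status(body) in ACCEPTABLE


def hosts_file_maps(hosts_text: str, ip: str, hostname: str) -> bool:
    """Check that a hosts file maps ip to hostname (Java reverse lookups rely on this)."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == ip and hostname in fields[1:]:
            return True
    return False


def fetch_cluster_health(url="http://localhost:9200/_cluster/health?pretty=true"):
    """Same request as the curl command in the thread; raises OSError when ES is down."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    ip, host = (sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else ("127.0.0.1", "localhost")
    try:
        body = fetch_cluster_health()
    except OSError as exc:
        sys.exit(f"Elasticsearch not reachable on :9200, check the service first: {exc}")
    verdict = "ok" if cluster_ok(body) else "PROBLEM"
    print(f"cluster status: {cluster_status(body)} ({verdict})")
    with open("/etc/hosts", encoding="utf-8") as fh:
        mapped = hosts_file_maps(fh.read(), ip, host)
    print(f"/etc/hosts maps {ip} -> {host}: {'yes' if mapped else 'NO'}")
```

Invoke it as `python3 check.py <own-ip> <hostname>` on the Graylog node; a connection error on :9200 points at Elasticsearch itself, a red status at the cluster, and a missing hosts entry at the IP setup Marius mentioned.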
[graylog2] Timezone issues for User Admin Default JDK/JRE
Graylog 1.0.0. I've specified my local time zone for both server and web interface, and the system time is correct on all systems running graylog-related services (mongodb, elasticsearch, graylog-server, graylog-web). What did I miss?

    User admin:             2015-03-16 11:50:29.354 -05:00
    Web browser:            2015-03-16 12:50:30.508 -04:00
    Default JDK/JRE:        2015-03-16 11:50:29.354 -05:00
    Graylog web interface:  2015-03-16 12:50:29.355 -04:00
    Graylog master server:  2015-03-16 12:50:29.355 -04:00
[graylog2] How to define default streams on a reader role in Graylog v1.0.0
Hey, I have a graylog v1.0.0 running on CentOS 6.6 like a charm. I have several stream and dashboard definitions in my server and I manage my graylog users with LDAP integration, which works great. But I've a question: when my LDAP users log in for the first time, graylog doesn't let them see any stream or dashboards because all LDAP users come with the default reader permissions, which is normal. I'd like to define some default streams and dashboards for the reader permission, and allow all users to see those streams by default. Is there any way to do that? I do not want to give admin permission to everyone and I don't want to set permissions one by one for all the users. What do you guys suggest? Any help or answers will be appreciated. Thanks!
[graylog2] Verify rewriting with Drools is working in 1.0.1
Can anyone running the new 1.0.1 code verify that their Drools rules are working? I've verified the rules_file path and the rules file. I am using the prebuilt OVA build from graylog with the changed config file at /opt/graylog/conf/graylog.conf and the rules file in the same location, /opt/graylog/conf/graylog.drl:

    rules_file = /opt/graylog/conf/graylog.drl

Thanks!
[graylog2] beginner help with streams.
Hello. I have a task to put up a stream that catches all failed ssh attempts. The graylog2 service is already up and running and some streams are configured. I have understood how to make a new stream but after that I'm stuck. I have tried Google, graylog2 stream guide, stream examples, graylog2 ssh alarm, but don't really find what I'm looking for. Can someone here please point me in the right direction or give any other help? Thanks, JN
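A worked example for the failed-ssh stream asked about here, using the stream_rules layout from the Nagios content pack posted earlier in the thread list: two rules (an EXACT match on the syslog facility and a REGEX on the sshd message) are evaluated against constructed sshd lines so the selection can be checked before the stream is created. This is an added example, not code from the posts or from Graylog; the matching semantics and the sample messages are assumptions.

```python
"""Stream rules that catch failed SSH logins, run against sample sshd lines.

Added example, not from the thread or from Graylog. Rules reuse the content pack's
fields (type, field, value, inverted); the matching semantics (EXACT = equality,
REGEX = pattern found in the field, all rules must match) are assumptions."""

import re

# Two rules that together select failed SSH authentication messages.
FAILED_SSH_RULES = [
    {"type": "EXACT", "field": "facility", "value": "auth", "inverted": False},
    {"type": "REGEX", "field": "message", "inverted": False,
     "value": r"sshd\[\d+\]: (Failed (password|publickey) for|Invalid user)"},
]


def rule_matches(rule: dict, msg: dict) -> bool:
    """Evaluate one stream rule against a message dict."""
    value = msg.get(rule["field"])
    if value is None:
        return False   # assumption: a missing field never matches, inverted or not
    if rule["type"] == "EXACT":
        hit = str(value) == rule["value"]
    elif rule["type"] == "REGEX":
        hit = re.search(rule["value"], str(value)) is not None
    else:
        raise ValueError(f"unsupported rule type {rule['type']!r}")
    return hit != rule.get("inverted", False)


def in_stream(rules: list, msg: dict) -> bool:
    """A message is routed into the stream when all of its rules match."""
    return all(rule_matches(r, msg) for r in rules)


# Constructed messages in the shape a Syslog UDP input produces.
SAMPLE_MESSAGES = [
    {"facility": "auth", "message": "sshd[2231]: Failed password for root from 198.51.100.7 port 52014 ssh2"},
    {"facility": "auth", "message": "sshd[2240]: Invalid user admin from 198.51.100.7"},
    {"facility": "auth", "message": "sshd[2250]: Accepted publickey for deploy from 192.0.2.5 port 40122 ssh2"},
    {"facility": "cron", "message": "CRON[911]: pam_unix(cron:session): session opened for user root"},
]


def failed_ssh_messages(messages=SAMPLE_MESSAGES) -> list:
    """Apply the stream to a batch of messages; this is what an alert on the stream would see."""
    return [m for m in messages if in_stream(FAILED_SSH_RULES, m)]
```

Once the regex selects the right lines here, the same value goes into a REGEX stream rule on the message field in the web interface, with an alert condition on message count per time window if you want notification.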