[graylog2] Beta 3 Question

2015-06-02 Thread David Gerdeman
I have been testing beta3 and I have a few questions.

   1. The blog post about the beta release shows a picture of a pie 
   chart...how does one add a pie chart to a dashboard?
   2. When I look at the "inputs" page, the throughput/metrics fields never 
   populate.  This has been an issue for me in all of the betas I've tested so 
   far.  The browser I am running is IE11 and the message in the browser 
   console is "SCRIPT12008: WebSocket Error: Incorrect HTTP response. Status 
   code 400, Bad Request".  I am running the virtual appliance.
   3. Speaking of virtual appliances, is there any way to upgrade the 
   version of Graylog on the appliances when a new appliance is released?  Or 
   would one just install the new binaries when they are released?

Thanks in advance!

-- 
You received this message because you are subscribed to the Google Groups 
"graylog2" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Graylog2 server High CPU, configuration questions

2015-06-02 Thread Matt Hines
Hey guys,

We've just updated our Graylog setup by moving the ES to another box to 
give it space to breathe.

But now we're seeing a large increase in msg/s coming into the 
graylog-server, at peak times, between 600-1200. This amount is only going 
to get bigger as users increase.

My issue is, when the number breaches the 600 msgs/s number, graylog starts 
to struggle and starts filling up its process buffer and the CPU ramps up 
to 100% and stays there until the peak period is over and it has cleared 
the buffer out.
The box is an AWS box, 2CPU, 8GB RAM. I have no idea if this hardware 
should be enough for this number of messages? If so, is there some tweaking 
I can do to optimise the system?
If not, what would you recommend, I know it's mainly CPU based but would it 
be best to cluster a second box, or increase this box?

Also, at what point will I start to lose messages incoming? When the 
process buffer and journal are both full?

We're running Graylog v1.0.2

Thanks for any help!



Re: [graylog2] Graylog2 server High CPU, configuration questions

2015-06-02 Thread Henrik Johansen
Hello Matt,

Are you by any chance running inputs that have the force_rdns flag set?

---HenrikJ

On 2 Jun 2015 at 17.37.16 CEST, Matt Hines wrote:
> Hey guys,
>
> We've just updated our Graylog setup by moving the ES to another box to
> give it space to breathe.
>
> But now we're seeing a large increase in msg/s coming into the
> graylog-server, at peak times, between 600-1200. This amount is only going
> to get bigger as users increase.
>
> My issue is, when the number breaches the 600 msgs/s number, graylog starts
> to struggle and starts filling up its process buffer and the CPU ramps up
> to 100% and stays there until the peak period is over and it has cleared
> the buffer out.
> The box is an AWS box, 2CPU, 8GB RAM. I have no idea if this hardware
> should be enough for this number of messages? If so, is there some tweaking
> I can do to optimise the system?
> If not, what would you recommend, I know it's mainly CPU based but would it
> be best to cluster a second box, or increase this box?
>
> Also, at what point will I start to lose messages incoming? When the
> process buffer and journal are both full?
>
> We're running Graylog v1.0.2
>
> Thanks for any help!



Re: [graylog2] Graylog 1.1 Beta 3 startup issue

2015-06-02 Thread Arie
Solved in 1.1 RC3

On Friday, 29 May 2015 at 18:56:32 UTC+2, Bernd Ahlers wrote:
>
> Arie, 
>
> thank you for the report! I created an issue in GitHub for this: 
> https://github.com/Graylog2/graylog2-server/issues/1194 
>
> It will be fixed in 1.1.0-rc.2 or later. 
>
> Thanks, 
> Bernd 
>
> On 29 May 2015 at 16:27, Arie wrote:
> > Hi, 
> > 
> > When starting graylog with the following function enabled it fails on 
> > bootup. 
> > 
> > collector_expiration_threshold = 14d (or 20d or 30d) 
> > 
> > Fail message: 
> > 
> > Exception in thread "main" java.lang.ClassCastException: com.github.joschi.jadconfig.util.Duration cannot be cast to java.lang.Integer
> >     at com.github.joschi.jadconfig.validators.PositiveIntegerValidator.validate(PositiveIntegerValidator.java:11)
> >     at com.github.joschi.jadconfig.JadConfig.validateParameter(JadConfig.java:207)
> >     at com.github.joschi.jadconfig.JadConfig.processClassFields(JadConfig.java:141)
> >     at com.github.joschi.jadconfig.JadConfig.process(JadConfig.java:99)
> >     at org.graylog2.bootstrap.CmdLineTool.readConfiguration(CmdLineTool.java:316)
> >     at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:161)
> >     at org.graylog2.bootstrap.Main.main(Main.java:58)
> > 
> > Centos 6.6 and either with java 1.7 or 1.8 
> > 
> > 
> > The other collector functions are fine. 
> > 
> > Arie. 
> > 
>
>
>
> -- 
> Developer 
>
> Tel.: +49 (0)40 609 452 077 
> Fax.: +49 (0)40 609 452 078 
>
> TORCH GmbH - A Graylog company 
> Steckelhörn 11 
> 20457 Hamburg 
> Germany 
>
> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175 
> Geschäftsführer: Lennart Koopmann (CEO) 
>



[graylog2] Re: how to keep the log message in one field?

2015-06-02 Thread Arie
Mark,

Thank you for mentioning it in case I want to do the same thing.

Logs between server 2008 and later appear to be different from earlier 
versions. They need a different
config file.


Arie..


On Tuesday, 2 June 2015 at 01:04:12 UTC+2, graylog...@gmail.com wrote:
>
> Hello
>
> Thanks for info but my case is different (I think!) 
> If I'm not wrong your configuration for NXLOG is to fetch live eventlogs, 
>
> in my case I have a huge archive (5TB) of windows logs that have been 
> already exported as text file, so I'm not accessing the live eventlogs on a 
> windows system.
>
>
> Best regards
> Mark
>
>
>
> On Sunday, May 31, 2015 at 1:49:06 AM UTC+10, graylog...@gmail.com wrote:
>>
>> Hello
>>
>> I'm having a problem with graylog and nxlog feed 
>>
>> I have a huge archive of windows event logs, I have been trying to import 
>> these logs into graylog using nxlog and gelf
>>
>> It all works well, nxlog picks up the logs and imports them but the 
>> messages are being split into several records rather than a single one, 
>>
>>
>> Example: if the event log contains the following
>>
>>
>> *{"1331892664000, 4624, "Success", "Security", 
>> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
>> on.*
>>
>> *Subject:*
>> * Security ID: S-1-0-0*
>> * Account Name: -*
>> * Account Domain: -*
>> * Logon ID: 0x0*
>>
>> *Logon Type: 3*
>>
>>
>> *This event is generated when a logon session is created. It is generated 
>> on the computer that was accessed.*
>>
>> *Key length indicates the length of the generated session key. This will 
>> be 0 if no session key was requested." "}  *
>>
>>
>> It gets loaded into graylog as:
>>
>> Record 1: *{"1331892664000, 4624, "Success", "Security", 
>> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
>> on.*
>> Record 2: *Subject*
>> Record 3: *Security ID: S-1-0-0*
>>
>> etc.
>> etc
>>
>>
>> I just would like to have all the message stored in one record
>>
>> Do you have any idea how this could be achieved?
>>
>> Thanks!
>> Mark
>>
>>
>>
>>
>>
>>
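
The regrouping asked about in the quoted message, as an added example that is not part of the original thread and is not nxlog configuration: a Python pre-processing pass that joins continuation lines onto their record header and builds one GELF 1.1 payload per event. It assumes, from the quoted sample only, that each record starts with `{"` followed by an epoch-milliseconds timestamp and the event ID; `group_records`, `to_gelf`, `convert`, the host name and the second sample record are constructed for illustration.

```python
import json
import re

# Assumption from the quoted sample: a record header is '{"<epoch ms>, <event id>,'.
RECORD_START = re.compile(r'^\{"(\d+),\s*(\d+),')

# Constructed sample: first record abridged from the post, second one invented.
SAMPLE = '''{"1331892664000, 4624, "Success", "Security", "Microsoft-Windows-Security-Auditing", "An account was successfully logged on.

Subject:
 Security ID: S-1-0-0
 Logon ID: 0x0

Logon Type: 3" "}
{"1331892665000, 4634, "Success", "Security", "Microsoft-Windows-Security-Auditing", "An account was logged off.

Subject:
 Security ID: S-1-0-0" "}
'''


def group_records(lines):
    """Yield one string per event; non-header lines attach to the open record."""
    current = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if RECORD_START.match(line):
            if current:
                yield "\n".join(current)
            current = [line]
        elif current:  # continuation; text before the first header is skipped
            current.append(line)
    if current:
        yield "\n".join(current)


def to_gelf(record, host="archive-import"):
    """Build a GELF 1.1 payload; host is a hypothetical source name."""
    m = RECORD_START.match(record)
    return {
        "version": "1.1",
        "host": host,
        "short_message": record.split("\n", 1)[0],
        "full_message": record,
        "timestamp": int(m.group(1)) / 1000.0,  # GELF expects seconds
        "_event_id": int(m.group(2)),
    }


def convert(text):
    """Return one GELF payload per regrouped record in the exported text."""
    return [to_gelf(r) for r in group_records(text.splitlines())]


if __name__ == "__main__":
    for payload in convert(SAMPLE):
        print(json.dumps(payload))
```
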



[graylog2] [ANNOUNCE] Graylog v1.1-rc.3 has been released

2015-06-02 Thread Lennart Koopmann
Happy to announce that we released the release candidate 3 of Graylog
v1.1: https://www.graylog.org/graylog-v1-1-rc3-is-now-available/

The final version of Graylog v1.1 is scheduled for Thursday at this
point in time. Give rc.3 a spin!

Cheers,
Lennart



Re: [graylog2] Error Connecting to Elasticsearch Cluster

2015-06-02 Thread Kay Röpke
Hi Tyler!

Have you double checked both the cluster.name on the master as well as the 
version of Elasticsearch?
Graylog in the version you are running is using Elasticsearch 1.3.7.

It looks like Graylog can successfully reach your master node for discovery, 
but then fails to join the cluster.
This usually indicates a problem with the cluster names, unfortunately 
Elasticsearch does not print a more helpful message in this case.

Did this work before? What has changed?

Best regards,
Kay

> On 02 Jun 2015, at 20:06, ty...@ospreyinformatics.com wrote:
> 
> Hello, 
> 
> We had a Graylog instance running and connected to our elasticsearch cluster. 
> We performed a rolling restart of the ES nodes to install an ES plugin and 
> then restarted the Graylog server. 
> 
> Now the graylog-server instance is unable to connect to the elasticsearch 
> cluster. I've ensured that multi-cast is disabled and that the unicast 
> discovery hosts, matching the elasticsearch config. 
> 
> We're using Debian with Graylog installed via the .deb in AWS. Our elasticsearch 
> cluster has one master node (set in the discovery) and multiple data nodes. 
> 
> The elasticsearch.yml file being used for configuration 
> (/etc/graylog/server/elasticsearch.yml) will connect to the ES cluster if I 
> use it with the elasticsearch service on the same machine as the graylog 
> instance, so it does not appear to be an issue with firewalls, connectivity 
> between the graylog server and our ES master. 
> 
> I've tried various combinations of binding network and publish hosts to the 
> external and private IPs of the instance as well as swapping the URL in the 
> unicast discovery setting to the ip address of the master node as well as 
> completely uninstalling both elasticsearch and graylog, restarting the 
> machine and re-installing. 
> 
> To keep the post clean, I've attached sanitized versions of our graylog 
> config, elasticsearch and the log file with debug enabled.
> 
> Any help/comments/ideas are greatly appreciated. 
> 
> Cheers,
> Tyler
> 
> 
