[graylog2] Re: [ANNOUNCE] Graylog v1.1.3 has been released

2015-06-23 Thread Sreenath V
Upgrading from 1.1.2 to 1.1.3, were there any changes in the config files? Can 
you blindly copy the config files from 1.1.2 to 1.1.3?

On Friday, June 19, 2015 at 9:41:02 AM UTC-7, lennart wrote:
>
> Hey everybody, 
>
> I am happy to announce that we just released Graylog v.1.1.3. This 
> release is addressing several bugs and brings numerous improvements: 
>
>   * https://www.graylog.org/graylog-v1-1-3-is-now-available/ 
>
> Thanks, 
> Lennart 
>

-- 
You received this message because you are subscribed to the Google Groups 
"graylog2" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Upgrade steps for deb based system 1.0.2 --> 1.1.3

2015-06-23 Thread Peter Loron
Hello. I've got a Graylog system running (Ubuntu 14.04) 1.0.2. I'm going to 
be upgrading, and have been unable to find any specific instructions. Do I 
need to do anything other than install the updated deb packages?

Thanks.

-Pete



[graylog2] Confused by "message" field truncation

2015-06-23 Thread Pete GS
Hi all,

I'm sending my VMware vCenter server logs and Windows event logs into 
Graylog using nxlog-ce to send to GELF UDP inputs.

I'm getting confused as to why the "message" field is truncated compared 
with the "full_message".

At this point I have not tried defining any fields in nxlog for these nor 
have I defined any extractors on the inputs.

What can cause these messages to be truncated? I'm assuming Graylog is 
trying to process these into various fields which is leading to the 
truncated message but I'm not sure how I can overcome this.

Here's an example:

full_message: vpxd2015-06-24T10:36:18.302+10:00 info vpxd[10384] 
[Originator@6876 sub=vpxLro 
opID=opId-f89b4b1a-bd95-48fa-8193-d7f494ae37b2-3d-5a] [VpxLRO] -- FINISH 
task-internal-2506

message: vpxd2015-06-24T10:36:18.302+10:00 info vpxd[10384] [Originator@6

I am seeing the same behaviour for the Windows events and here's an example:

full_message: The system call to get account information completed. 
CN=VMM01,CN=Computers,DC=lab,DC=melbourneit,DC=com The call completed in 0 
milliseconds.

message: The system call to get account information completed. 
CN=VMM01

Here are the two relevant inputs used in nxlog.conf:


# (the <Input> names were not preserved in the archive copy; the names below are placeholders)
<Input eventlog>
    Module  im_msvistalog
    Exec    if $ObjectName =~ /\\Nimsoft\\probes\\/ drop();
</Input>

<Input vpxd>
    Module  im_file
    File    "C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-[0-9]*.log"
    SavePos TRUE
    ReadFromLast TRUE
    Exec    $Message = 'vpxd' + $raw_event;
</Input>

I'm guessing it's probably going to be something as simple as defining 
fields in nxlog but I'm not real sure on that and am hoping someone else 
has come across this and has a solution or at least some pointers in the 
right direction.

Any help with this would be greatly appreciated!

Cheers, Pete

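
The two examples in the post line up with a sender-side cut: the truncated "message" values are exactly the first 64 characters of the line (the Windows one once the CRLF after "completed." is counted), which is what nxlog's xm_gelf puts into GELF short_message when $ShortMessage is not set, while full_message carries the whole $Message. Graylog maps short_message to "message" and full_message to "full_message", so the fix belongs in nxlog (for example `Exec $ShortMessage = $Message;` before the GELF output, an assumption to check against the nxlog documentation for your version). The script below is an added example, not nxlog or Graylog code: it builds a GELF 1.1 document showing both behaviours, and goes beyond the post by also doing the gzip compression and UDP chunking a GELF sender needs for long messages, with the receiver-side reassembly so the framing can be checked offline. The 64-character limit is an assumption about the sender; the vpxd line is the one quoted above; host names and ports are placeholders.

```python
import gzip
import json
import os
import socket
import struct
import time

GELF_CHUNK_MAGIC = b"\x1e\x0f"
GELF_MAX_CHUNKS = 128      # limit fixed by the GELF spec
CHUNK_PAYLOAD = 1420       # chosen so header + payload fits one Ethernet frame
SENDER_SHORT_LIMIT = 64    # assumption: nxlog's xm_gelf default when $ShortMessage is unset

# Constructed: the vpxd line quoted in the post above.
VPXD_LINE = ("vpxd2015-06-24T10:36:18.302+10:00 info vpxd[10384] [Originator@6876 sub=vpxLro "
             "opID=opId-f89b4b1a-bd95-48fa-8193-d7f494ae37b2-3d-5a] [VpxLRO] -- FINISH task-internal-2506")


def build_gelf(host, message, short_message=None, level=6, **extra):
    """Return a GELF 1.1 document.  short_message becomes Graylog's "message"
    field, full_message stays intact.  With short_message=None we emulate a
    sender that truncates; pass the whole line to keep "message" complete."""
    if short_message is None:
        short_message = message[:SENDER_SHORT_LIMIT]
    doc = {"version": "1.1", "host": host, "short_message": short_message,
           "full_message": message, "timestamp": time.time(), "level": level}
    for key, value in extra.items():
        if key == "id":
            raise ValueError("GELF forbids the additional field '_id'")
        doc["_" + key] = value       # additional fields must be underscore-prefixed
    return doc


def encode_gelf(doc):
    return json.dumps(doc).encode("utf-8")


def chunk_gelf(payload, chunk_size=CHUNK_PAYLOAD):
    """Split a payload into GELF UDP datagrams: a small payload goes as-is, a
    large one gets a 12-byte header (magic, 8-byte message id, seq, count)."""
    if len(payload) <= chunk_size:
        return [payload]
    pieces = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    if len(pieces) > GELF_MAX_CHUNKS:
        raise ValueError("needs %d chunks, GELF allows %d" % (len(pieces), GELF_MAX_CHUNKS))
    message_id = os.urandom(8)
    return [GELF_CHUNK_MAGIC + message_id + struct.pack("BB", seq, len(pieces)) + piece
            for seq, piece in enumerate(pieces)]


def reassemble_gelf(datagrams):
    """What the receiver does: join chunks by sequence number, rejecting mixed
    message ids, inconsistent counts and gaps.  Out-of-order arrival is fine."""
    if len(datagrams) == 1 and not datagrams[0].startswith(GELF_CHUNK_MAGIC):
        return datagrams[0]
    parts, message_id, count = {}, None, None
    for dgram in datagrams:
        if not dgram.startswith(GELF_CHUNK_MAGIC) or len(dgram) < 12:
            raise ValueError("not a GELF chunk")
        mid, seq, total = dgram[2:10], dgram[10], dgram[11]
        if message_id is None:
            message_id, count = mid, total
        elif mid != message_id or total != count:
            raise ValueError("chunk from a different message or inconsistent count")
        parts[seq] = dgram[12:]
    if count is None or sorted(parts) != list(range(count)):
        raise ValueError("missing chunks")
    return b"".join(parts[i] for i in range(count))


def send_gelf_udp(host, port, doc, compress=True):
    """Send one document to a GELF UDP input; returns the number of datagrams used."""
    payload = encode_gelf(doc)
    datagrams = chunk_gelf(gzip.compress(payload) if compress else payload)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for dgram in datagrams:
            sock.sendto(dgram, (host, port))
    return len(datagrams)


if __name__ == "__main__":
    print("sender default:", build_gelf("vcenter01", VPXD_LINE)["short_message"])
    print("explicit      :", build_gelf("vcenter01", VPXD_LINE, short_message=VPXD_LINE)["short_message"])
    # placeholder target; uncomment to send to a real GELF UDP input
    # send_gelf_udp("graylog.example.org", 12201, build_gelf("vcenter01", VPXD_LINE, short_message=VPXD_LINE))
```

Two things worth remembering when debugging this with a packet capture: the chunk header carries no length or checksum, so a lost datagram silently drops the whole message rather than producing a truncated one, and GELF UDP is unauthenticated, so anyone who can reach port 12201 can set "host" and any underscore field to whatever they like; restrict the input by firewall and treat the source field as data, not identity.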


[graylog2] Newbie Question (Web Interface)

2015-06-23 Thread slhac tivist
Hello All,

Just started using graylog. Love it. Read the docs, but still having this 
problem:

1) Using the web interface I made a "TEST" input, and setup some extractors.

2) From System|Inputs I select "Messages from this input" for TEST. Great.

Here's the problem:

1) SOMETIMES, the fields don't show up on the right (even when I select 
'all')

2) SOMETIMES, the Regex will work fine in the Extractor menu, but won't work 
when viewing the messages.

Probably an easy fix, but I can't figure this out.

So if anyone has any idea or suggestions, I'm all ears! :p

Thanks in advance!



[graylog2] Re: Graylog 0.20.2 field search trouble

2015-06-23 Thread slhac tivist
Hi there Sean,

Not sure what "logstash" is, but when you search (i.e. for a field) can't 
you just append/prepend with a wild card?

E.g. Frequently I search:

source:123.456.*

I think appending wildcards is enabled by default and you'd have to enable 
prepending:

graylog-server.conf:

allow_leading_wildcard_searches = true

have you tried:

tags:nserv*

?

Cheers,



On Tuesday, May 27, 2014 at 6:02:28 PM UTC-5, Sean Talts wrote:
>
> Hey all,
>
> Just set up Graylog2 for the first time and got all of my logs coming 
> from logstash :) They have tag field entries like this: "nserv, log," (for 
> some reason). I'm trying to search for all logs with the nserv tag like so: 
> `tag:nserv` because the documentation suggests that this will find any logs 
> with tag fields containing the string "nserv." However, no results come 
> back!
>
> The only results that come back from tag searches are exact strings: 
> `tags:"nserv, log,"`.  Any ideas?
>
> Thanks,
> Sean
>



Re: [graylog2] Re: hyper-v virtual appliance

2015-06-23 Thread Gabor.Technology
Thanks guys for the tips. I have submitted a request to the ideas portal.

On Friday, June 19, 2015 at 11:34:59 AM UTC+2, Marius Sturm wrote:
>
> You can follow these instructions in order to perform an update on the 
> appliance: 
> https://github.com/Graylog2/graylog2-images/tree/master/ova#upgrade-graylog
>
> Hyper-V images produce some costs on our side because we don't have Windows 
> build servers at the moment. You can add that request to the ideas portal, 
> if there is a significant amount of people voting for it we can provide it 
> natively: https://www.graylog.org/product-ideas/
>
> On 17 June 2015 at 15:55, David Gerdeman wrote:
>
>> I've been running the virtual appliance in hyper-v for a while now.  Use 
>> some extraction program to open the OVA file.  Take the vmdk file out and 
>> use virtualbox or some other application to convert it to a VHD.  You can 
>> either use that VHD directly with Hyper-V or you can use Hyper-V to convert 
>> it again to a VHDX file and use that.  Either way works great.
>>
>> I don't know about your other question. I would like to know how to 
>> upgrade the virtual appliances as well.
>>
>>
>> On Tuesday, June 16, 2015 at 5:51:50 PM UTC-5, Gabor.Technology wrote:
>>>
>>> Hi guys,
>>>
>>> Few questions please:
>>>
>>> 1. With version 1.1.2 out, what is the recommended way to run Graylog in 
>>> production under Hyper-V? Convert Workstation image to vhdx? Chef / Puppet 
>>> / Ansible?
>>> 2. What is the best way to upgrade from 1.0 to 1.1.2 or is it just 
>>> better to create new VMs by using converted virtual appliances? Can data 
>>> from existing elastic cluster be imported?
>>>
>>> Cheers,
>>> Gabor
>>>
>
>
>
> -- 
> Developer
>
> Tel.: +49 (0)40 609 452 077
> Fax.: +49 (0)40 609 452 078
>
> TORCH GmbH - A Graylog Company
> Steckelhörn 11
> 20457 Hamburg
> Germany
>
> https://www.graylog.com 
>
> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
> Geschäftsführer: Lennart Koopmann (CEO)
>  



Re: [graylog2] Graylog plugin - elastic field types

2015-06-23 Thread Jesse Skrivseth
Hi Kay! Thanks for the detailed response. Using templates is the route we 
took and it works great. One shortcoming is that you must know the names of 
the fields to define them in the template. If you're coding a plugin that 
dynamically adds fields back to the message, and you can't know the names 
beforehand, you're kind of out of luck. You can add the elastic template 
and cycle the index deflector in Graylog and it'll hold from there on out. 
I suppose that'll do for the near term. 

Thanks again!

-Jesse



[graylog2] Variable Length Key=Value pairs

2015-06-23 Thread David Gerdeman
In the uri-query field of my IIS logs I have a website that generates 
values for this field that is key=value pairs delimited by "&".  Sometimes 
this field might have one or two key=value pairs, and sometimes it has as 
many as six or seven.  I would like to extract those key=value pairs and 
bring them into graylog as separate fields, but haven't had much luck.  Is 
there a good way to extract these fields?

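
The variable number of pairs is the easy part; the part that bites later is that a query string is attacker-controlled, so a naive key=value split lets a client choose your field names (including ones Graylog populates itself, such as "source"), create an unbounded number of distinct fields, or make the same field look numeric in one message and textual in the next and trip an Elasticsearch mapping conflict. Below is an added example, not Graylog extractor code, that parses the cs-uri-query column of an IIS W3C line into prefixed, sanitised, capped fields. The IIS header and log line are constructed, the reserved-name list is an assumption about which fields you would not want overwritten, and every value is kept as a string on purpose.

```python
from urllib.parse import parse_qsl

# Assumption: names Graylog fills in itself, which a query key must never overwrite.
RESERVED = {"message", "full_message", "source", "timestamp", "streams", "id", "_id",
            "gl2_source_input", "gl2_source_node", "gl2_remote_ip", "gl2_remote_port"}
MAX_PAIRS = 20        # cap on distinct fields per message so a client cannot explode the mapping
MAX_VALUE_LEN = 256   # cap on value length

# Constructed IIS W3C header and log line (cs-uri-query is the 6th column here).
IIS_FIELDS = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
              "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken")
IIS_LINE = ("2015-06-23 10:15:42 10.0.0.5 GET /search.aspx "
            "q=graylog&page=2&page=3&source=evil&%3Cscript%3E=1 80 - 203.0.113.7 Mozilla/5.0 200 0 0 31")


def uri_query_from_iis_line(line, fields_header):
    """Pick the cs-uri-query column using the #Fields: header of the log file."""
    names = fields_header.split()[1:]          # drop the "#Fields:" token
    values = line.split()
    if len(values) != len(names):
        raise ValueError("field count %d does not match header %d" % (len(values), len(names)))
    return values[names.index("cs-uri-query")]


def field_name(key, prefix="q_"):
    """Map a query key to a safe field name: lower-case [a-z0-9_] only, prefixed,
    so '<script>' becomes 'q_script' and nothing can alias a built-in field."""
    cleaned = "".join(c if ("a" <= c <= "z" or "0" <= c <= "9" or c == "_") else "_"
                      for c in key.lower())[:64]
    return prefix + cleaned.strip("_")


def extract_query_fields(uri_query, prefix="q_", allowed_keys=None, max_pairs=MAX_PAIRS):
    """Return (fields, dropped).  Repeated keys are joined with ','; values stay
    strings so a field never flips between numeric and text mappings."""
    if uri_query in ("", "-"):                 # IIS writes '-' for an empty query
        return {}, 0
    fields, dropped = {}, 0
    for key, value in parse_qsl(uri_query, keep_blank_values=True):
        if allowed_keys is not None and key not in allowed_keys:
            dropped += 1
            continue
        name = field_name(key, prefix)
        if name in RESERVED or name == prefix:  # reserved, or key was empty after cleaning
            dropped += 1
            continue
        if name not in fields and len(fields) >= max_pairs:
            dropped += 1
            continue
        value = value[:MAX_VALUE_LEN]
        fields[name] = value if name not in fields else fields[name] + "," + value
    return fields, dropped


if __name__ == "__main__":
    query = uri_query_from_iis_line(IIS_LINE, IIS_FIELDS)
    fields, dropped = extract_query_fields(query)
    for name, value in sorted(fields.items()):
        print("%-12s %s" % (name, value))
    print("dropped pairs:", dropped)
```

If you only ever care about a handful of keys, pass `allowed_keys={"q", "page"}` and let everything else be counted but not indexed; the count of dropped pairs is itself a useful field for spotting scanners that spray parameters.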


Re: [graylog2] Graylog plugin - elastic field types

2015-06-23 Thread Kay Röpke
Hi Jesse!

> On 23 Jun 2015, at 00:11, Jesse Skrivseth wrote:
> 
> The Message class has several field types that can be explicitly declared 
> when adding fields to messages. It seems to support:
> 
> Double
> Long
> String
> 
> If I want to attach a field as a custom elastic type such as "geo_point", how 
> can I declare this custom type? Without a custom type, my current format 
> would always be inserted as a string. I'd love to be able to:
> 
> msg.addCustomField(String type, String key, Object message)
> 
> so 
> 
> msg.addCustomField('geo_point', 'source_geopoint', "12.023,-57.012");


Unfortunately this does not work the way you expect it to. The mapping itself 
is being applied when creating the index, and Graylog currently relies on ES 
auto detecting the dynamic mapping types.
Double, Long and String are actually separate data types, thus ES will create 
the correct mapping for them, but geo_point is actually just a String and 
there's no way to set a mapping type per document during indexing, so even if 
we offered an addCustomField method this would not work as intended.

In the future we want to provide more control over the mapping, but right now 
what you can do is to look at index templates. If your geo_point fields end 
with *_geopoint this should be relatively straightforward to implement.

Please have a look at 
https://www.elastic.co/guide/en/elasticsearch/reference/1.6/indices-templates.html
 


Best,
Kay

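
The index-template route Jesse says they took and Kay describes above, as an added example that is not Graylog's or Elasticsearch's own code. It builds an Elasticsearch 1.x template whose dynamic_templates rule types any new string field named *_geopoint as geo_point, includes a small resolver that applies the rules the way ES does for an unseen field so you can check which mapping a field name will get before cycling anything, and ends with the two calls that put the template in place and cycle the deflector so the next index picks it up (existing indices keep their mapping, which is the caveat Jesse points at). Assumptions: the index prefix "graylog2" (the 1.x default; check elasticsearch_index_prefix in your server.conf), the "message" document type and the order value (verify with GET _template that Graylog's own template has a lower order), the deflector cycle endpoint as it exists in the 1.x REST API, and all URLs and credentials, which are placeholders. The mapping syntax is ES 1.x; later versions dropped document types.

```python
import base64
import fnmatch
import json
import urllib.request

INDEX_PREFIX = "graylog2"   # assumption: Graylog 1.x default elasticsearch_index_prefix


def geo_template(index_prefix=INDEX_PREFIX, order=10):
    """ES 1.x index template: a new string field matching *_geopoint gets geo_point."""
    return {
        "template": index_prefix + "_*",
        "order": order,          # assumption: higher than Graylog's own template, so ours wins
        "mappings": {
            "message": {         # Graylog 1.x document type
                "dynamic_templates": [
                    {"geopoints": {
                        "match": "*_geopoint",
                        "match_mapping_type": "string",
                        "mapping": {"type": "geo_point"}}},
                ]
            }
        }
    }


def resolve_mapping(template, field_name, detected_type):
    """Walk dynamic_templates in order, as ES does for a field it has not seen.
    detected_type is what ES autodetects from the JSON value (string, long,
    double, boolean); the first rule whose match and match_mapping_type both
    fit decides, otherwise the autodetected type stands."""
    for entry in template["mappings"]["message"]["dynamic_templates"]:
        [(_, rule)] = entry.items()
        if "match" in rule and not fnmatch.fnmatchcase(field_name, rule["match"]):
            continue
        if "match_mapping_type" in rule and rule["match_mapping_type"] != detected_type:
            continue
        return rule["mapping"]["type"]
    return detected_type


def apply_template(es_url, graylog_url, graylog_auth, template, name="graylog-geopoint"):
    """PUT the template into ES, then ask Graylog to cycle the deflector so the
    next index is created with it.  Placeholder URLs and credentials."""
    body = json.dumps(template).encode("utf-8")
    req = urllib.request.Request(es_url.rstrip("/") + "/_template/" + name, data=body,
                                 method="PUT", headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        if resp.status != 200:
            raise RuntimeError("template PUT returned %d" % resp.status)
    token = base64.b64encode(("%s:%s" % graylog_auth).encode("utf-8")).decode("ascii")
    req = urllib.request.Request(graylog_url.rstrip("/") + "/system/deflector/cycle", data=b"",
                                 method="POST", headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    tmpl = geo_template()
    for name, kind in [("source_geopoint", "string"), ("source_geopoint", "long"), ("message", "string")]:
        print("%-18s %-7s -> %s" % (name, kind, resolve_mapping(tmpl, name, kind)))
    # apply_template("http://es.example.org:9200", "http://graylog.example.org:12900",
    #                ("admin", "password"), tmpl)
```

Note what the resolver shows for a numeric value: a field called foo_geopoint whose first value happens to be a number does not match the string rule and gets a long mapping, after which every later "lat,lon" string for that field is rejected by ES. Emit geo values as strings consistently from the plugin, and keep the REST credentials out of the script (read them from the environment) since the deflector cycle is an admin operation.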


Re: [graylog2] Upload logs to analyze in GrayLog

2015-06-23 Thread Edmundo Alvarez
Hi Allan,

You can only upload logs to Graylog by sending them through a network 
interface, but you can do that from a different computer than the one 
generating the logs.

I would place the log file you want to analyse in a computer that can access 
Graylog, then create a raw TCP input in Graylog (you can also use an existing 
input or create another type, depending on what you want to do). Once the input 
is started, you can send the log file through the network by using nc from your 
command line, for example:

nc -w0 <host> <port> < ./logfile.log

As far as I know that only works on OS X and Linux, but I guess there will be a 
way of doing something similar on Windows :)

Hope that helps.

Regards,

Edmundo

> On 23 Jun 2015, at 03:46, Allan Vargas wrote:
> 
> Hi! 
> Is there any option where I can upload logs to analyze in GrayLog?
> 
> I need to import logs from a CISCO ASA device that is not connected to the 
> network, so I need to include this manually.
> 
> 
> Thanks and regards,
> By the way sorry for my bad english,
> 
> 

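
The nc one-liner works, with two practical snags: a file saved from a Windows console or copied off the ASA by terminal usually has CRLF line endings, and a raw TCP input splits records on "\n", so every message arrives with a trailing carriage return; and nc exits as soon as stdin hits EOF. The script below is an added example, not the reply's command, and does the same job in a way that runs on Windows too: it normalises line endings, drops blank lines, streams the records to a raw/plaintext TCP input and half-closes the socket so the receiver sees EOF only after everything is flushed. The ASA lines are constructed in the shape of a "show logging" export, the host and port are placeholders, and the loopback receiver is a stand-in for the Graylog input so the whole thing can be tried offline.

```python
import socket
import threading

# Constructed: three records in the shape of an ASA "show logging" export, with a blank line.
SAMPLE_ASA_LOG = (
    b"%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.9/443 "
    b"(203.0.113.9/443) to inside:10.0.0.12/51022 (198.51.100.4/51022)\r\n"
    b"%ASA-4-106023: Deny tcp src outside:198.51.100.77/4444 dst inside:10.0.0.5/22 "
    b"by access-group \"outside_in\"\r\n"
    b"\r\n"
    b"%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.9/443 to "
    b"inside:10.0.0.12/51022 duration 0:00:02 bytes 1321 TCP FINs\r\n"
)


def frame_lines(data):
    """Normalise CRLF/CR to LF, drop blank lines and return one newline-terminated
    record per line, which is the framing a raw TCP input expects."""
    text = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return [line + b"\n" for line in text.split(b"\n") if line.strip()]


def replay(host, port, data, timeout=10.0):
    """Stream the framed records to host:port and return how many were sent.
    After the last record the write side is shut down; we then wait for the
    receiver to close (or for the timeout) so nothing is cut off in flight."""
    records = frame_lines(data)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for record in records:
            sock.sendall(record)
        sock.shutdown(socket.SHUT_WR)
        try:
            sock.recv(1)            # b"" once the receiver closes; a receiver that stays open just times out
        except socket.timeout:
            pass
    return len(records)


def start_capture_server():
    """Loopback stand-in for the Graylog input: accept one connection, collect
    complete lines until EOF.  Returns (port, received_lines, thread)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    received = []

    def serve():
        conn, _ = server.accept()
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            received.extend(buf.split(b"\n")[:-1])   # last element is the empty tail after the final "\n"
        server.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return server.getsockname()[1], received, thread


if __name__ == "__main__":
    port, received, thread = start_capture_server()
    sent = replay("127.0.0.1", port, SAMPLE_ASA_LOG)
    thread.join(5)
    print("sent %d records, receiver got %d" % (sent, len(received)))
    # replay("graylog.example.org", 5555, open("asa-export.log", "rb").read())   # placeholder target
```

Two caveats for the real thing: a raw TCP input has no authentication, so anything that can reach the port can inject lines that look like ASA events, and the input stamps messages with receive time, so the device's own timestamps survive only if you extract them with a date converter. Keep the input firewalled to the replay host and stop it when the import is done.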


[graylog2] Upload logs to analyze in GrayLog

2015-06-23 Thread Allan Vargas
Hi! 
Is there any option where I can upload logs to analyze in GrayLog?

I need to import logs from a CISCO ASA device that is not connected to the 
network, so I need to include this manually.


Thanks and regards,
By the way sorry for my bad english,
