[graylog2] Re: Alert when Graylog stop to receiving data from some server
The other way to do this would be to output to something like Riemann, particularly if you have (like we do) a very large number of hosts and don't want to configure a stream for each host.

The other reason streams may be impractical is if you have hosts being configured to send to Graylog that you don't necessarily know about. In my case most data comes from a few general purpose Syslog servers and any newly provisioned servers are pointed at Syslog without my knowledge.

I'm trying to achieve a similar result in the other direction with Riemann at the moment, namely alerting on hosts that have a large spike in messages in certain circumstances.

Hope that helps.

Cheers, Pete

On Wednesday, 15 July 2015 23:43:35 UTC+10, Jochen Schalanda wrote:
> Hi Juan,
>
> you can create multiple streams with messages coming from a certain server
> (by filtering by the source field), one for each server, and then add a
> message count alert condition to send you a message if there are no
> messages within a certain timeframe in that stream; see
> http://docs.graylog.org/en/1.1/pages/streams.html for details.
>
> Cheers,
> Jochen
>
> On Wednesday, 15 July 2015 15:39:49 UTC+2, Juan Andres Ramirez wrote:
>> Hello guys,
>> Is it possible in any way?
>> I need to create an alert when any server stops sending data for the last
>> 20 minutes, for example.
>>
>> Thank you.

--
You received this message because you are subscribed to the Google Groups "graylog2" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
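Added example, not part of the thread and not Graylog or Riemann code: a standalone check for the case discussed above, where a source that stops logging must raise an alert but the set of hosts is not known in advance. It assumes (source, timestamp) pairs have already been exported from the log store; the function names, hostnames and sample records are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records: (source, ISO-8601 timestamp). Not real data.
SAMPLE = [
    ("web01", "2015-07-15T13:00:05+00:00"),
    ("db01", "2015-07-15T13:01:10+00:00"),
    ("web01", "2015-07-15T13:19:40+00:00"),
    ("syslog-new", "2015-07-15T13:12:00+00:00"),  # host nobody registered
    ("db01", "2015-07-15T12:58:00+00:00"),        # out-of-order arrival
    ("web01", "not-a-timestamp"),                 # malformed record
]


def last_seen(records):
    """Return ({source: newest timestamp}, skipped_count).

    Sources are learned as they appear, so no per-host setup is needed.
    """
    seen, skipped = {}, 0
    for source, ts in records:
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            skipped += 1          # count bad records instead of crashing
            continue
        if when.tzinfo is None:   # treat naive timestamps as UTC
            when = when.replace(tzinfo=timezone.utc)
        if source not in seen or when > seen[source]:
            seen[source] = when   # late arrivals never move a host backwards
    return seen, skipped


def silent_sources(seen, now, max_silence=timedelta(minutes=20)):
    """Sources whose newest message is older than max_silence, longest first."""
    late = [(s, now - t) for s, t in seen.items() if now - t > max_silence]
    return sorted(late, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    seen, skipped = last_seen(SAMPLE)
    now = datetime(2015, 7, 15, 13, 30, tzinfo=timezone.utc)
    for source, gap in silent_sources(seen, now):
        print(f"ALERT {source} silent for {int(gap.total_seconds() // 60)} min")
    print(f"{skipped} record(s) skipped: unparseable timestamp")
```

A host that has never sent a message cannot show up in this check; catching that case needs a comparison against an inventory of expected hosts.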
[graylog2] Re: Load Balancer State Persistence?
Thanks Jochen, I thought as much.

For my needs, I have two server nodes that don't normally perform any processing and are essentially reserved as search nodes. These are the only nodes configured for the web interface to communicate with.

They are still in my load balancer pool on the F5's but I manually override the load balancer status to "DEAD". If I experience a peak in input messages and the other nodes start queuing messages in the journal, I can simply set the override to "ALIVE" and get some extra processing power until the peak has passed.

However, if I do any work that requires the two "search" nodes to be restarted, I have to remember to go and set manual override again.

This allows me to have users successfully searching no matter what load the rest of the nodes are under.

In addition, it's also useful in a scenario where there is one node that has been having issues and ends up with a full journal. It would be good to be able to have the override persist in that scenario as more than likely the server will be rebooted or have a service restart when trying to diagnose whatever has caused that issue in the first place.

Of course, if I'm going about this the wrong way and there is a better way please let me know!

Cheers, Pete

On Wednesday, 15 July 2015 18:39:26 UTC+10, Jochen Schalanda wrote:
> Hi Pete,
>
> the load balancer status cannot be persisted over service restarts right
> now.
>
> Could you please elaborate a little bit, why you would need this in order
> for your setup to work?
>
> Cheers,
> Jochen
>
> On Wednesday, 15 July 2015 01:57:05 UTC+2, Pete GS wrote:
>> Hi all,
>>
>> Is there any way for the load balancer state to remain persistent across
>> service restarts at all?
>>
>> I have two nodes that I use as dedicated search nodes but I like to be
>> able to have them in the load balancer config as emergency nodes if one of
>> my other nodes is having issues or for when I'm upgrading Graylog.
>>
>> At the moment I need to manually override the load balancer status for
>> these two nodes after every service restart but it would be nice if this
>> setting was able to be persisted.
>>
>> Cheers, Pete
[graylog2] Re: Alert when Graylog stop to receiving data from some server
I think I need a bit of help with this, please.

So I have 1 rule:
source must match exactly serverName

And I want the alarm triggered when this field doesn't have this value: serverName in the last 5 min, but I'm lost with "alerts of streams". I selected the next value, but nothing happened:

Alert is triggered when the field source has a lower sum than 1 in the last 2 minutes. Grace period: 0 minutes. Including last message in alert notification

Any other idea?

Thank you.

On Wednesday, July 15, 2015 at 10:39:49 AM UTC-3, Juan Andres Ramirez wrote:
> Hello guys,
> Is it possible in any way?
> I need to create an alert when any server stops sending data for the last
> 20 minutes, for example.
>
> Thank you.
[graylog2] Re: Alert when Graylog stop to receiving data from some server
Hi Juan,

you can create multiple streams with messages coming from a certain server (by filtering by the source field), one for each server, and then add a message count alert condition to send you a message if there are no messages within a certain timeframe in that stream; see http://docs.graylog.org/en/1.1/pages/streams.html for details.

Cheers,
Jochen

On Wednesday, 15 July 2015 15:39:49 UTC+2, Juan Andres Ramirez wrote:
> Hello guys,
> Is it possible in any way?
> I need to create an alert when any server stops sending data for the last
> 20 minutes, for example.
>
> Thank you.
[graylog2] Alert when Graylog stop to receiving data from some server
Hello guys,
Is it possible in any way?
I need to create an alert when any server stops sending data for the last 20 minutes, for example.

Thank you.
[graylog2] Re: Elasticsearch + Shield = Graylog can't connect
Hi Pavel,

seems Elasticsearch is running, but can you check the status with:

    curl -XGET 'http://localhost:9200/_cluster/health?pretty'

It should be status green, otherwise your Graylog server doesn't start.

Can you post the Graylog server log also?

Ciao
Alberto

On Tuesday, July 14, 2015 at 2:55:51 PM UTC+2, Paul Letski wrote:
> Hello,
>
> I have a fluentd + elasticsearch + graylog setup.
> I've installed the Shield plugin for elasticsearch, created an admin user and now
> graylog can't connect.
> I understand that I must write my credentials somewhere in the graylog
> configs. But I don't know where.
>
> Versions:
> Graylog-server 1.1.4-1
> Elasticsearch: 1.6.0
>
> Here is the error message from the graylog-server log:
>
> 2015-07-14T13:49:41.977+03:00 ERROR [IndexerSetupService] Could not
> connect to Elasticsearch at http://127.0.0.1:9200/. Is it running?
>
> Here is the elasticsearch status:
>
> # curl -u che -XGET 'http://localhost:9200/'
> Enter host password for user 'che':
> {
>   "status" : 200,
>   "name" : "Unthinnk",
>   "cluster_name" : "my_logs",
>   "version" : {
>     "number" : "1.6.0",
>     "build_hash" : "cdd3ac4dde4f69524ec0a14de3828cb95bbb86d0",
>     "build_timestamp" : "2015-06-09T13:36:34Z",
>     "build_snapshot" : false,
>     "lucene_version" : "4.10.4"
>   },
>   "tagline" : "You Know, for Search"
> }
>
> Thank you in advance.
>
> --
> Best regards,
> Pavel Letski
[graylog2] Re: Cant find part of a word using the search absoult method on the web api
Hi,

currently only some specific message fields (message, full_message, and source) are being analyzed during index time. This means that wildcard searches cannot be executed for other, individual fields.

You can work around this limitation by creating an index template (https://www.elastic.co/guide/en/elasticsearch/reference/1.6/indices-templates.html) for the indices created by Graylog.

Cheers,
Jochen

On Tuesday, 14 July 2015 18:05:25 UTC+2, itsik hackmon wrote:
> Hello All,
>
> I have a 'UserName' field that is used for logging new users that were
> inserted in our systems.
> I created a few users - Test1, Test2, Test3, Test4
>
> In the web API I'm using the SearchAbsolute method and in the query field I
> wrote:
> UserName: Test* and I get no results.
>
> Any idea how I can search for part of a word?
[graylog2] Re: Load Balancer State Persistence?
Hi Pete,

the load balancer status cannot be persisted over service restarts right now.

Could you please elaborate a little bit, why you would need this in order for your setup to work?

Cheers,
Jochen

On Wednesday, 15 July 2015 01:57:05 UTC+2, Pete GS wrote:
> Hi all,
>
> Is there any way for the load balancer state to remain persistent across
> service restarts at all?
>
> I have two nodes that I use as dedicated search nodes but I like to be
> able to have them in the load balancer config as emergency nodes if one of
> my other nodes is having issues or for when I'm upgrading Graylog.
>
> At the moment I need to manually override the load balancer status for
> these two nodes after every service restart but it would be nice if this
> setting was able to be persisted.
>
> Cheers, Pete