[graylog2] Re: Nodes- Connection to machines

2016-04-13 Thread sikender . mohammad
Hi Jochen,



I don't know what might be the reason, but I can't access the REST API.
And one more thing: if I provide more nodes to the server and access
Graylog, what are the defects I will be facing?
For example:

I have 10 environments. Can I access 5 environments in 1 node and the other 5
in another node? Is it fine if I do that?

Thank you Jochen. 

Regards
Sikender

On Monday, April 11, 2016 at 3:36:22 AM UTC-7, Jochen Schalanda wrote:
>
> Hi Sikender,
>
> if you're using Graylog 1.3.x, the Graylog REST API must be accessible by 
> the Graylog web interface. If you're using Graylog 2.x, the Graylog REST 
> API must additionally be accessible by your web browser (since the web 
> interface is now a single-page application directly communicating with the 
> Graylog REST API from your browser).
>
> Cheers,
> Jochen
>
> On Thursday, 7 April 2016 10:36:53 UTC+2, sikender...@acesred.com wrote:
>>
>> Hi Jochen,
>>
>>
>> My graylog server is a different server compared to the client server. My 
>> graylog server is x.x.x.x:9000 and the client server is on x.x.x.x:port. Do 
>> we need this API access to perform well? I have my graylog server up and 
>> able to receive logs, though?
>>
>> When I run lsof -l :12900;
>> It gives me output like:
>>
>> COMMAND   PIDUSER   FD   TYPE DEVICE SIZE/OFF NODE NAME
>> java12450 graylog  137u  IPv6 877480  0t0  TCP localhost:12900 
>> (LISTEN)
>>
>>
>>
>>
>> On Thursday, April 7, 2016 at 1:01:07 AM UTC-7, Jochen Schalanda wrote:
>>>
>>> Hi Sikender,
>>>
>>> the loopback interface  is 
>>> always only accessible from the very same machine, so your client or 
>>> browser also needs to run on that machine in order to access the Graylog 
>>> REST API at http://127.0.0.1:12900/.
>>>
>>> If that's already the case, then you need to check the logs of your 
>>> Graylog server for error messages. Checking that the actual process is 
>>> running (e. g. sudo lsof -i :12900 or sudo netstat -tplen | grep 
>>> :12900) would also help.
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Thursday, 7 April 2016 09:37:36 UTC+2, sikender...@acesred.com wrote:

 Hi Jochen,


 The graylog-server is running. 

 Status is "graylog-server (pid 24233) is running..." But I can't 
 access http://127.0.0.1:12900/, even though the graylog server and the web 
 server are on the same machine. Can you please tell me where I am going wrong. 


 Thank you 
 Sikender


 On Thursday, March 31, 2016 at 2:54:27 AM UTC-7, Jochen Schalanda wrote:
>
> Hi Sikender,
>
> make sure that your Graylog server is running and that the web 
> interface can reach it at http://127.0.0.1:12900/ (which will only 
> work if it's running on the same machine).
>
> Cheers,
> Jochen
>
> On Thursday, 31 March 2016 01:45:07 UTC+2, sikender...@acesred.com 
> wrote:
>>
>> Hi Jochen, 
>>
>>
>> Awesome. That works for me. Now I am able to send logs so easily :) 
>>
>> Seems everything is fine, but when I look at the logs of the graylog-web 
>> server after a restart, I see something like: 
>>
>>
>> 2016-03-30T02:14:25.471-04:00 - [INFO] - from play in main
>> Application started (Prod)
>>
>> 2016-03-30T02:14:25.614-04:00 - [INFO] - from play in main
>> Listening for HTTP on /0:0:0:0:0:0:0:0:9000
>>
>> 2016-03-30T02:15:55.038-04:00 - [INFO] - from play in New I/O worker 
>> #13
>> Starting application default Akka system.
>>
>> 2016-03-30T17:12:42.253-04:00 - [ERROR] - from 
>> org.graylog2.restclient.lib.ApiClient in pool-22-thread-1
>> Connection refused: /127.0.0.1:12900 to 
>> http://127.0.0.1:12900/system/metrics/multiple
>>
>> 2016-03-30T17:12:46.427-04:00 - [ERROR] - from 
>> org.graylog2.restclient.lib.ApiClient in servernodes-refresh-0
>> Connection refused: /127.0.0.1:12900 to 
>> http://127.0.0.1:12900/system/cluster/node
>>
>>
>> Can you please tell me where exactly it is pointing to ! 
>>
>>
>> Thank you 
>>
>>
>> On Wednesday, March 30, 2016 at 2:10:03 AM UTC-7, Jochen Schalanda 
>> wrote:
>>>
>>> Hi Sikender,
>>>
>>> you cannot bind two inputs to the same network interface (in this 
>>> case 0.0.0.0:12201). One of those GELF TCP inputs has to use 
>>> another port (e. g. 12201 or anything above 1024).
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Wednesday, 30 March 2016 00:22:22 UTC+2, sikender...@acesred.com 
>>> wrote:

 Hi Jochen,


 Sure. Below are the snapshots of GELF-TCP input running and the 
 other one saying "Address already in use" 

 Can you please go through it and let me know where am I going 
 wrong. I have also attached the config files for reference. 

>>>

[graylog2] Graylog collector

2016-04-13 Thread sikender . mohammad
Hi all, I have some queries regarding graylog:

Do we need root access to install graylog-collector on the agent machine?

1) How can we handle different log names in graylog?

2) Can I stream particular error messages into a stream?

Can you please reply to me!



Thank you 
Sikender 


-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/f194ead8-97e6-4e15-bd01-6775cca06f71%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] web interface with v2.0 appears to require direct REST access?

2016-04-13 Thread Jason Haar
Hi there

Under graylog-1.3.4 I had published graylog-web behind a WAF - which nicely
mapped https://graylog.internet.domain to http://graylog.intranet.domain
(notice the different domain names too)

With v2.0 I can't get this to work. Now it appears graylog returns content
with hardwired URLs that are defined by rest_listen_uri? That means we end
up with browser errors as they are talking to the WAF over HTTPS and the
content contains HTTP links - to port 12900. Bad.

Am I correct that graylog-v2 requires browsers to talk to non-web ports (ie
12900)? That's quite a change. The comments say "Must be reachable by other
Graylog server nodes if you run a cluster" - no mention of this being
required by web browsers.

I'm confused?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

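Both of the REST API problems in these threads come down to two lines of server.conf: where the REST API listens (loopback means only local clients can reach it), and which REST URI the 2.x web interface hands to browsers (an http:// URI on a page served over https:// through a WAF is blocked as mixed content). The following is an added example, not Graylog's code: a small checker that reads a server.conf and flags both conditions. The configuration text is constructed for the demo; the key names rest_listen_uri, rest_transport_uri, web_listen_uri and web_endpoint_uri are the ones Graylog 2.0's server.conf uses, and the precedence order assumed for the advertised URI (web_endpoint_uri, then rest_transport_uri, then rest_listen_uri) is an assumption of this example.

```python
"""Flag Graylog 2.x REST API settings that remote clients or browsers cannot use.

Added example, not Graylog's own code. SAMPLE_CONF is constructed; the key
names follow Graylog 2.0's server.conf. The precedence used in
advertised_rest_uri() is assumed for this demo.
"""
import ipaddress
from urllib.parse import urlsplit

# Graylog's documented default when the key is absent.
DEFAULT_REST_LISTEN = "http://127.0.0.1:12900/"

SAMPLE_CONF = """\
# constructed sample; shape follows Graylog 2.0's server.conf
is_master = true
rest_listen_uri = http://127.0.0.1:12900/
#rest_transport_uri = http://192.168.1.1:12900/
web_enable = true
web_listen_uri = http://0.0.0.0:9000/
web_endpoint_uri = https://graylog.internet.domain/api/
"""


def parse_conf(text):
    """Parse 'key = value' lines; '#' starts a comment, as in server.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_loopback_host(host):
    """True for 'localhost', 127.0.0.0/8 and ::1; False for hostnames and other IPs."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # not an IP literal (hostname or None)
        return False


def advertised_rest_uri(conf):
    """URI the web interface tells browsers to use (assumed precedence, see lead-in)."""
    for key in ("web_endpoint_uri", "rest_transport_uri", "rest_listen_uri"):
        if key in conf:
            return conf[key]
    return DEFAULT_REST_LISTEN


def check_rest_reachability(conf, browser_scheme="https"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    listen = urlsplit(conf.get("rest_listen_uri", DEFAULT_REST_LISTEN))
    if is_loopback_host(listen.hostname):
        findings.append(f"rest_listen_uri binds to loopback ({listen.hostname}): "
                        "only clients on this host can reach the REST API")
    adv = advertised_rest_uri(conf)
    adv_parts = urlsplit(adv)
    if is_loopback_host(adv_parts.hostname):
        findings.append(f"advertised REST URI {adv} points at loopback: "
                        "remote browsers will get 'connection refused'")
    if browser_scheme == "https" and adv_parts.scheme == "http":
        findings.append(f"web interface served over https but REST URI is {adv}: "
                        "browsers block this as mixed content")
    return findings


if __name__ == "__main__":
    for finding in check_rest_reachability(parse_conf(SAMPLE_CONF)):
        print("-", finding)
```

Run against the sample, the only finding is the loopback bind; drop the web_endpoint_uri line and the checker also reports that browsers would be sent to http://127.0.0.1:12900/, which is exactly the WAF failure described above.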


[graylog2] best way to do a "read only" audit account?

2016-04-13 Thread Jason Haar
Hi there

I want to set up graylog (ldap auth) so that there's a group who have full
READ access (audit team). ie instead of creating a Stream and giving them
access to that, I want them to be able to access all the data - but not be
admins. I have Roles working well for other groups - but this corner case
doesn't sit well.

I want to use the LDAP groups to do this - so I have a group and can map it
to a Role. But the Role needs to be assigned to a Stream - and the
"default" Stream of "all" doesn't exist. I could go through and assign all
the Streams to the Role - but then I'd have to remember every time we added
a new Stream to go and update the Role... Alternatively I could create a
new Stream called "Read-Only" that has no filter - and assign that to the
Role - but that seems excessive. These Streams are not cheap (in terms of
resources) - so you shouldn't create more than are needed

Wouldn't it be sensible to always have a "default" Stream named "All data"
(would probably have to be hard-wired as readonly) - so that it can be
allocated to Roles? It's really a "virtual" Stream, consisting of everything

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: [graylog2] Re: Can I convert a field from string to integer?

2016-04-13 Thread Jason Haar
It would be great if graylog had an interface for doing this. I don't know
if this is the intent, but graylog sort of "hides" ES almost entirely, so
being able to use graylog to redefine field names would be useful and in
keeping with that concept (it would obviously just be a wrapper around the
actual ES template)

Good timing on this topic. I've just added a new GELF feed of data
containing a "lastSeen" field and was wondering how to make it a field like
"timestamp". Now I know ;-)

On Wed, Apr 13, 2016 at 9:22 PM, Jochen Schalanda 
wrote:

> Hi Ryan,
>
> Elasticsearch tries to be smart about the types of document fields if no
> explicit mapping was provided. In this case, it assumes that those fields
> are strings. Since this dynamic mapping is applied on a per-index base,
> rotating the index (see System -> Indices -> Maintenance in the Graylog web
> interface) basically enables you to start with a "clean slate".
>
> If you want to enforce a certain mapping for your indices, you can create
> an explicit mapping (see
> https://www.elastic.co/guide/en/elasticsearch/reference/1.7/mapping.html)
> and use an index template (see
> https://www.elastic.co/guide/en/elasticsearch/reference/1.7/indices-templates.html)
> to apply it to newly created indices.
>
> Cheers,
> Jochen
>
> On Tuesday, 12 April 2016 19:35:13 UTC+2, Ryan Anstey wrote:
>>
>> I'm new to this and my scripts were accidentally pouring in data as
>> strings instead of integers. I've fixed that, but now those fields are
>> still set to be strings only. Is there any way for me to override this?
>>



-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



[graylog2] Re: Copy field containing date as a new date field does not work

2016-04-13 Thread graylog2me

Update: new field is created but also as type string.

On Wednesday, April 13, 2016 at 6:25:55 PM UTC+2, grayl...@gmx.de wrote:
>
> Unfortunately Graylog saves a field in ElasticSearch instead of date.
>
> Therefore I tried to copy the field in a new field as type date.
>
> I tried it that way but without success. Can somebody help?
>
> Message: 2016-04-13T16:18:24.739Z
>
> Converter: Convert to date type
>
> Format string: -MM-dd'HH:mm:ss.SSSZ
>
> Time zone: UTC
>
>



[graylog2] Re: Data type of @timestamp is sometimes string instead of date

2016-04-13 Thread graylog2me
Update: new field is created but also as type string.

On Friday, April 8, 2016 at 3:53:44 PM UTC+2, grayl...@gmx.de wrote:
>
> Hello,
>
> We have a problem with the @timestamp field. Sometimes it is wrongly 
> created as string instead of date.
>
> We use the following pipeline:
>
> Docker -- mixed logs in GELF format --> graylog2-server1 -- only JSON logs 
> in GELF format --> graylog2-server2.
>
> Both graylog2 servers are connected to the same ElasticSearch cluster. 
> Each graylog2-server uses a separate index-pattern.
>
> Graylog2 version is 1.3.4.
>
> The indexes of graylog2-server2 should always create the @timestamp field 
> as date. Is there a way to force graylog2 to use always date?
>
> Thanks in advance!
>
>



[graylog2] Copy field containing date as a new date field does not work

2016-04-13 Thread graylog2me
Unfortunately Graylog saves a field in ElasticSearch instead of date.

Therefore I tried to copy the field in a new field as type date.

I tried it that way but without success. Can somebody help?

Message: 2016-04-13T16:18:24.739Z

Converter: Convert to date type

Format string: -MM-dd'HH:mm:ss.SSSZ

Time zone: UTC



[graylog2] Re: Load Balancer health check with Big-IP F5

2016-04-13 Thread Micha -
Hi Martin,

For this monitor you don't need an external monitor on the F5.

Just configure the monitor like one of these, and it should work.

As HTTP/1.0

*Send String:*
GET /system/lbstatus HTTP/1.0\r\n\r\n

*Receive String:*
Alive 

Or as HTTP/1.1

*Send String:*
GET /system/lbstatus HTTP/1.1\r\nHost: dummy\r\n\r\n

*Receive String:*
Alive 


Regards
Micha

Am Mittwoch, 13. April 2016 01:38:35 UTC+2 schrieb Marty:
>
> Hi Folks,
>
> Graylog V1.3.4
>
> Just wondering if anyone has integrated the Graylog LB state into the F5 
> native http health check.
> I can't get this to work when sending:
>
> GET /system/lbstatus HTTP/1.1
>
>
> From the command line (using netcat) on the graylog node, this also fails. 
> Just get a newline (no output).
>
> $ echo -e "GET /system/lbstatus HTTP/1.1\r\n" | nc 127.0.0.1 12900
>
> Using nc natively is OK, as seen below. Need to send  twice, as shown.
>
> $ nc 127.0.0.1 12900
> GET /system/lbstatus HTTP/1.1
> 
> HTTP/1.1 200 OK
> Content-Type: text/plain
> X-Graylog-Node-ID: ----x
> X-Runtime-Microseconds: 240 
> Transfer-Encoding: chunked 
>  
> 5
> ALIVE 
> 0 
> 
>
> Using curl is fine:
>
> $ curl -w '\n' http://127.0.0.1:12900/system/lbstatus
> ALIVE
>
> I got around this on the F5, by using curl with an external script.
>
> Just wondering if there is an issue or I'm doing something incorrect.
>
> Cheers,
> Martin
>



[graylog2] Running graylog-collector as a service with Solaris 10/11

2016-04-13 Thread Marcella
Hi all,

I want to run the graylog-collector as a service on a Solaris machine. I 
configured it as a SMF Service, it is running ok, but the status always 
shows "offline*" (which means starting). 

If I start it from the commandline it is running but the command is not 
coming back, when I try to send it in the background with 
"./bin/graylog-collector run -f collector.conf &" the process exits.

Is anybody running graylog-collector as a service on Solaris successfully? 
Or what else do you use (on Solaris) for collecting logs and sending them 
to a Graylog server?


Thank you in advance,
Marcella  



[graylog2] Re: Load Balancer health check with Big-IP F5

2016-04-13 Thread Jochen Schalanda
Hi Marty,

the second CRLF is required by the HTTP/1.0 and HTTP/1.1 protocols, so it's 
not broken but simply as specified (see 
https://tools.ietf.org/html/rfc7230#section-3 for details). If you really 
want to use netcat for that stuff instead of a proper HTTP client like curl, 
you'll have success with the following command:

echo -e "GET /system/lbstatus HTTP/1.1\r\nConnection: close\r\n\r\n" | nc 127.0.0.1 12900


Cheers,
Jochen

On Wednesday, 13 April 2016 01:38:35 UTC+2, Marty wrote:
>
> Hi Folks,
>
> Graylog V1.3.4
>
> Just wondering if anyone has integrated the Graylog LB state into the F5 
> native http health check.
> I can't get this to work when sending:
>
> GET /system/lbstatus HTTP/1.1
>
>
> From the command line (using netcat) on the graylog node, this also fails. 
> Just get a newline (no output).
>
> $ echo -e "GET /system/lbstatus HTTP/1.1\r\n" | nc 127.0.0.1 12900
>
> Using nc natively is OK, as seen below. Need to send  twice, as shown.
>
> $ nc 127.0.0.1 12900
> GET /system/lbstatus HTTP/1.1
> 
> HTTP/1.1 200 OK
> Content-Type: text/plain
> X-Graylog-Node-ID: ----x
> X-Runtime-Microseconds: 240 
> Transfer-Encoding: chunked 
>  
> 5
> ALIVE 
> 0 
> 
>
> Using curl is fine:
>
> $ curl -w '\n' http://127.0.0.1:12900/system/lbstatus
> ALIVE
>
> I got around this on the F5, by using curl with an external script.
>
> Just wondering if there is an issue or I'm doing something incorrect.
>
> Cheers,
> Martin
>

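The two replies above (the F5 send strings and the netcat command) both hinge on the same detail: an HTTP request is not complete until the empty line that ends the header block, and the node's answer is a chunked body, so "ALIVE" arrives wrapped in chunk-size lines. The following is an added example, not Graylog's or F5's code, that plays out the exchange end to end: it builds HTTP/1.0 and HTTP/1.1 requests the way a health monitor should, talks to an in-process stand-in that replies exactly as the node in the thread did (the stand-in is constructed for the demo and is not Graylog), decodes the chunked body, and shows the first failure mode, a request without the terminating blank line getting no answer at all.

```python
"""/system/lbstatus health-check exchange, with correct framing and chunked decoding.

Added example, not Graylog's or F5's code. stub_node() is a constructed
stand-in that replies the way the node in the thread did; it is not Graylog.
"""
import socket
import threading

CRLF = b"\r\n"
# Response shape taken from the thread's netcat capture, as a chunked body.
LBSTATUS_RESPONSE = (
    b"HTTP/1.1 200 OK" + CRLF
    + b"Content-Type: text/plain" + CRLF
    + b"Transfer-Encoding: chunked" + CRLF
    + b"Connection: close" + CRLF
    + CRLF
    + b"5" + CRLF + b"ALIVE" + CRLF + b"0" + CRLF + CRLF
)


def build_request(path="/system/lbstatus", host="dummy", version="1.1"):
    """GET request; the empty line (CRLF CRLF) is what ends the header block (RFC 7230 s3)."""
    lines = [f"GET {path} HTTP/{version}"]
    if version == "1.1":
        lines.append(f"Host: {host}")       # mandatory in HTTP/1.1
    lines.append("Connection: close")
    return CRLF.join(l.encode() for l in lines) + CRLF + CRLF


def parse_response(raw):
    """Return (status_code, body_bytes); decodes Transfer-Encoding: chunked."""
    head, _, body = raw.partition(CRLF + CRLF)
    status_line, *header_lines = head.split(CRLF)
    status = int(status_line.split()[1])
    headers = {}
    for h in header_lines:
        k, _, v = h.decode().partition(":")
        headers[k.strip().lower()] = v.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        out = b""
        while True:
            size_line, _, body = body.partition(CRLF)
            size = int(size_line.split(b";")[0], 16)
            if size == 0:                   # last-chunk
                break
            out += body[:size]
            body = body[size + 2:]          # skip chunk data and its CRLF
        body = out
    return status, body


def stub_node(conn):
    """Read until the blank line that ends the headers, then answer. If the client never
    sends that blank line, this loop keeps waiting: the first netcat attempt in the thread."""
    buf = b""
    while CRLF + CRLF not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            conn.close()
            return
        buf += chunk
    conn.sendall(LBSTATUS_RESPONSE)
    conn.close()


def start_stub():
    """Listen on an ephemeral loopback port; returns the listening socket."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=stub_node, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv


def probe(port, request, timeout=0.5):
    """Send one request as a monitor would; (status, body) or None when nothing comes back."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(request)
        raw = b""
        try:
            while True:
                part = s.recv(4096)
                if not part:
                    break
                raw += part
        except socket.timeout:
            return None
    return parse_response(raw) if raw else None


def lb_alive(port):
    """What the F5 receive-string check amounts to: 200 and a body of ALIVE."""
    r = probe(port, build_request())
    return r is not None and r[0] == 200 and r[1].strip() == b"ALIVE"


if __name__ == "__main__":
    srv = start_stub()
    port = srv.getsockname()[1]
    print("proper request:", probe(port, build_request()))
    print("missing final CRLF:", probe(port, b"GET /system/lbstatus HTTP/1.1\r\n"))
    srv.close()
```

Running the block prints the decoded (200, b'ALIVE') for the well-formed request and None for the truncated one, which is the "just get a newline" symptom from the original post.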


[graylog2] Re: Can I convert a field from string to integer?

2016-04-13 Thread Jochen Schalanda
Hi Ryan,

Elasticsearch tries to be smart about the types of document fields if no 
explicit mapping was provided. In this case, it assumes that those fields 
are strings. Since this dynamic mapping is applied on a per-index base, 
rotating the index (see System -> Indices -> Maintenance in the Graylog web 
interface) basically enables you to start with a "clean slate".

If you want to enforce a certain mapping for your indices, you can create 
an explicit mapping (see 
https://www.elastic.co/guide/en/elasticsearch/reference/1.7/mapping.html) 
and use an index template (see 
https://www.elastic.co/guide/en/elasticsearch/reference/1.7/indices-templates.html) 
to apply it to newly created indices.

Cheers,
Jochen

On Tuesday, 12 April 2016 19:35:13 UTC+2, Ryan Anstey wrote:
>
> I'm new to this and my scripts were accidentally pouring in data as 
> strings instead of integers. I've fixed that, but now those fields are 
> still set to be strings only. Is there any way for me to override this?
>

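The same dynamic-mapping behaviour is behind the "string to integer" question above, the @timestamp-as-string thread and the date-copy thread: the first document written to a fresh index decides the field type, and anything sent as a JSON string stays a string for the life of that index. The following is an added example, not Graylog's or Elasticsearch's code. It builds the kind of index template Jochen refers to (Elasticsearch 1.x syntax, applied to indices named graylog_*), then checks constructed sample documents against it to show which values would have been mapped as string on an index without a template, and coerces them before shipping. The field names bytes_sent and lastSeen and the sample documents are made up for the demo; the mapping type name "message" is assumed here to match what Graylog 1.x/2.0 uses, and dynamic_type() is a simplified model of ES 1.x dynamic mapping.

```python
"""Why fields end up as 'string', and an index template that prevents it.

Added example, not Graylog's or Elasticsearch's code. Field names, sample
documents and the 'message' type name are assumptions for the demo.
"""
import json
import re

# Explicit mapping for the fields whose type matters; everything else stays dynamic.
GRAYLOG_TEMPLATE = {
    "template": "graylog_*",            # ES 1.x: applied to every new index matching this
    "mappings": {
        "message": {                    # assumed Graylog message type name
            "properties": {
                "bytes_sent": {"type": "long"},
                "lastSeen": {"type": "date", "format": "date_time"},
            }
        }
    },
}

# Constructed sample: the first document has the bug from the thread (a number sent as
# text), the second has a date in a format dynamic mapping will not recognise.
SAMPLE_DOCS = [
    {"message": "request done", "bytes_sent": "512", "lastSeen": "2016-04-13T16:18:24.739Z"},
    {"message": "request done", "bytes_sent": 2048, "lastSeen": "13/04/2016 16:18"},
]

ISO_8601 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:?\d{2})$")


def dynamic_type(value):
    """Simplified model of the type ES 1.x dynamic mapping picks without a template."""
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, int):
        return "long"
    if isinstance(value, float):
        return "double"
    if isinstance(value, str):
        return "date" if ISO_8601.match(value) else "string"
    return "object"


def template_types(template, type_name="message"):
    """{field: mapped type} for the explicitly mapped fields."""
    props = template["mappings"][type_name]["properties"]
    return {name: spec["type"] for name, spec in props.items()}


def mapping_conflicts(docs, template):
    """{field: [(doc_index, dynamic_type, template_type), ...]} for values that an index
    without the template would have typed differently. Sent to an index where the type is
    already fixed, such values are rejected or (for numbers in strings) stay strings."""
    wanted = template_types(template)
    conflicts = {}
    for i, doc in enumerate(docs):
        for field, value in doc.items():
            if field in wanted and dynamic_type(value) != wanted[field]:
                conflicts.setdefault(field, []).append((i, dynamic_type(value), wanted[field]))
    return conflicts


def coerce(doc, template):
    """Fix the producer side: convert numeric strings, refuse non-ISO dates, so even an
    untemplated index picks the right dynamic type from the first document."""
    wanted = template_types(template)
    out = dict(doc)
    for field, want in wanted.items():
        value = out.get(field)
        if not isinstance(value, str):
            continue
        if want == "long":
            out[field] = int(value)
        elif want == "date" and not ISO_8601.match(value):
            raise ValueError(f"{field}={value!r} is not ISO-8601; it would be mapped as string")
    return out


def template_body():
    """JSON to PUT to /_template/<name> on the Elasticsearch cluster."""
    return json.dumps(GRAYLOG_TEMPLATE, indent=2)


if __name__ == "__main__":
    print(mapping_conflicts(SAMPLE_DOCS, GRAYLOG_TEMPLATE))
    print(template_body())
```

The template only affects indices created after it is installed, which is why the rotation step in the reply above is still needed: the current index keeps whatever mapping its first document gave it.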


[graylog2] Re: Chart treats no sample as 0

2016-04-13 Thread Jochen Schalanda
Hi Paweł,

please see https://github.com/Graylog2/graylog2-web-interface/issues/1621 
for a related issue on GitHub and feel free to subscribe to it to follow 
its progress.

Cheers,
Jochen

On Tuesday, 12 April 2016 19:10:39 UTC+2, Paweł Lampe wrote:
>
> Hi,
>
> I am using graylog v1.3.4, and I am a bit confused about my charts. When I 
> have daily resolution and every day there is a sample, the chart is ok.
> However, once on some day there is no sample, my chart treats the lack of a 
> sample as a 0 value, and the chart looks very strange.
> Can I disable this "weird feature" some way?
>
> P.
>



[graylog2] Re: remote sites / servers

2016-04-13 Thread Jochen Schalanda
Hi Damien,

Is there a secure way to send logs from these remote offices?
>

You can either create a VPN spanning those remote offices and your data 
center (or wherever Graylog is running) or use pretty much any log shipper 
supporting TLS (e. g. nxlog, filebeat/winlogbeat, rsyslog, or the Graylog 
Collector).
 

> Is there a proxy I can use to collect the data onsite and send it to the 
> main server every 10 minutes or so?
>

Some of the log shippers I've mentioned before support buffering. Please 
refer to their respective documentation.


Cheers,
Jochen 

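The two properties the reply asks of a shipper for a remote office, TLS in transit and local buffering for the batched flush, are easy to get wrong in a home-grown sender (certificate checks disabled, messages dropped when the link is down). The following is an added example, not Graylog's or any of the named shippers' code, of the minimum that does both: GELF frames as Graylog's GELF TCP input expects them (one JSON object, NUL-terminated), a file spool that only discards what was confirmed sent, and a sender that uses a verified TLS connection. The server name, port, CA file and sample records are assumptions for the demo.

```python
"""Minimal GELF-over-TLS shipper with a local spool.

Added example, not Graylog's or any shipper's code. Target host, port, CA
file and sample records are assumptions; the GELF TCP framing (JSON + NUL)
is what Graylog's GELF TCP input expects.
"""
import json
import os
import socket
import ssl
import time


def encode_gelf(host, short_message, level=6, **extra):
    """GELF 1.1 message: mandatory version/host/short_message; custom fields get a '_' prefix."""
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": time.time(), "level": level}
    for key, value in extra.items():
        msg["_" + key] = value
    return json.dumps(msg).encode("utf-8") + b"\x00"    # NUL is the GELF TCP frame delimiter


class Spool:
    """Append-only file of NUL-terminated frames; frames leave the file only once delivered."""

    def __init__(self, path):
        self.path = path
        open(self.path, "ab").close()

    def append(self, frame):
        with open(self.path, "ab") as f:
            f.write(frame)

    def frames(self):
        with open(self.path, "rb") as f:
            data = f.read()
        return [part + b"\x00" for part in data.split(b"\x00") if part]

    def drain(self, send):
        """send(frames) returns how many leading frames were delivered; the rest stay spooled.
        A connection error delivers none, so nothing is lost (at-least-once, not exactly-once)."""
        pending = self.frames()
        if not pending:
            return 0
        try:
            sent = send(pending)
        except OSError:
            sent = 0
        with open(self.path, "wb") as f:
            for frame in pending[sent:]:
                f.write(frame)
        return sent

    def clear(self):
        open(self.path, "wb").close()

    def discard(self):
        os.remove(self.path)


def tls_sender(server, port, ca_file=None):
    """send(frames) callable over a verified TLS session. ca_file should be the CA that issued
    the Graylog input's certificate; hostname checking stays on so a spoofed endpoint is refused."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    def send(frames):
        with socket.create_connection((server, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=server) as tls:
                for frame in frames:
                    tls.sendall(frame)
        return len(frames)

    return send


if __name__ == "__main__":
    spool = Spool("gelf_spool.bin")
    spool.append(encode_gelf("branch-fw01", "Failed password for root", level=4,
                             src_ip="203.0.113.7"))        # constructed record
    # A cron job or timer every 10 minutes would do: spool.drain(tls_sender(...))
    print(spool.drain(tls_sender("graylog.example.com", 12201, "/etc/ssl/graylog-ca.pem")),
          "frame(s) delivered;", len(spool.frames()), "still spooled")
```

Note that drain() keeps every frame when the link is down and re-sends the whole batch next time; if the connection drops mid-batch, frames already written may be delivered twice, which is the usual trade-off for a shipper that never silently loses audit data.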