[graylog2] Re: [IndexerSetupService] Could not connect to Elasticsearch || [IndexerSetupService] If you're using multicast, check that it is working in your network and that Elasticsearch is accessibl

2016-06-02 Thread Sgt Mako
Also bumping, as I have the exact same problem, and have tried many 
different fixes, all to no avail.

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/b3efb3e8-0777-4c5f-aeb7-fe6f0ae9263a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Re: when following documentation for creating ss cert i get error messages

2016-06-02 Thread John Babio
 Server currently unavailable


We are experiencing problems connecting to the Graylog server running on 
*https://x.x.x.x:12900/*. Please verify that the server is healthy and 
working correctly.

You will be automatically redirected to the previous page once we can 
connect to the server.


This is the last response we received from the server:
Error message: Bad request
Original Request: GET https://192.168.1.21:12900/system/sessions
Status code: undefined
Full error message: Error: Request has been terminated
Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.


On Tuesday, May 31, 2016 at 6:28:33 PM UTC-4, John Babio wrote:
>
> *I followed this in the documentation*
> Creating a self-signed private key/certificate 
>
> Create PKCS#5 and X.509 certificate:
>
> $ openssl version
> OpenSSL 0.9.8zh 14 Jan 2016
> $ openssl req -x509 -days 365 -nodes -newkey rsa:2048 -keyout pkcs5-plain.pem -out cert.pem
> Generating a 2048 bit RSA private key
> +++
> .+++
> writing new private key to 'pkcs5-plain.pem'
> -
> [...]
> If you enter '.', the field will be left blank.
> -
> Country Name (2 letter code) [AU]:DE
> State or Province Name (full name) [Some-State]:Hamburg
> Locality Name (eg, city) []:Hamburg
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Graylog, Inc.
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:graylog.example.com
> Email Address []:hostmas...@graylog.example.com
>
> Convert PKCS#5 private key into a *plaintext* PKCS#8 private key:
>
> $ openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem
> *Then I added my certs as explained here.*
>
> # Enable HTTPS support for the REST API. This secures the communication with
> # the REST API using TLS to prevent request forgery and eavesdropping.
> rest_enable_tls = true
> # The X.509 certificate chain file in PEM format to use for securing the REST API.
> rest_tls_cert_file = /path/to/graylog-certificate.pem
> # The PKCS#8 private key file in PEM format to use for securing the REST API.
> rest_tls_key_file = /path/to/graylog-key.pem
> # The password to unlock the private key used for securing the REST API.
> rest_tls_key_password = secret
> # Enable HTTPS support for the web interface. This secures the communication
> # with the web interface using TLS to prevent request forgery and eavesdropping.
> web_enable_tls = true
> # The X.509 certificate chain file in PEM format to use for securing the web interface.
> web_tls_cert_file = /path/to/graylog-certificate.pem
> # The PKCS#8 private key file in PEM format to use for securing the web interface.
> web_tls_key_file = /path/to/graylog-key.pem
> # The password to unlock the private key used for securing the web interface.
> web_tls_key_password = secret
>
> When I restart the service everything seems to start ok, but when I connect to 
> the web interface I receive an error connecting to <1.1.1.1:12900>
>
> The REST API is accessible, because if I turn web_tls and rest_tls back off I 
> can reach everything.
>
>
>
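The docs excerpt quoted above generates a certificate whose only name is the Common Name, and the web interface's JavaScript then talks to the REST API URL directly from the browser, so the browser has to be able to match that certificate against the host or IP it is told to use. The script below is an added example (not from the Graylog documentation or from the original post): it runs the same openssl steps with a subjectAltName covering both the hostname and the IP, converts the key to PKCS#8 as the docs do, and then verifies that the key and certificate actually belong together before they are referenced from rest_tls_* and web_tls_*. The hostname graylog.example.com and the address 192.0.2.10 are constructed placeholders. Because the key is written unencrypted (-nodes / -nocrypt), the *_tls_key_password settings have nothing to unlock, and the file permissions are what protects it.

```shell
#!/bin/sh
# Added example (not from the Graylog docs or the original post): generate a
# self-signed certificate the way the quoted docs excerpt does, but with a
# subjectAltName so a browser can match the host or IP the web interface uses
# to reach the REST API, then prove the PKCS#8 key and certificate belong
# together. Hostname and IP used in the usage section are constructed.
set -eu

# make_graylog_cert DIR HOSTNAME IP -> writes cert.pem and pkcs8-plain.pem into DIR
make_graylog_cert() {
    dir=$1; host=$2; ip=$3
    mkdir -p "$dir"
    # Minimal request config: prompt = no takes the subject from [dn] instead
    # of the interactive questions shown in the docs transcript.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = $host
[v3_san]
subjectAltName = DNS:$host,IP:$ip
EOF
    # Same command as the docs, with the subject and SAN taken from the file.
    openssl req -x509 -days 365 -nodes -newkey rsa:2048 \
        -keyout "$dir/pkcs5-plain.pem" -out "$dir/cert.pem" \
        -config "$dir/san.cnf" >/dev/null 2>&1
    # Graylog expects a PKCS#8 key; -nocrypt leaves it unencrypted, so lock it down.
    openssl pkcs8 -in "$dir/pkcs5-plain.pem" -topk8 -nocrypt \
        -out "$dir/pkcs8-plain.pem"
    chmod 600 "$dir/pkcs5-plain.pem" "$dir/pkcs8-plain.pem"
}

# key_matches_cert KEY CERT -> 0 if both carry the same public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san CERT NAME -> 0 if NAME (e.g. "DNS:graylog.example.com" or
# "IP Address:192.0.2.10") appears in the certificate's extensions
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Usage: ./make-cert.sh run  -> generates into a temp dir and prints the
# server.conf lines to point rest_tls_* / web_tls_* at.
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_graylog_cert "$d" graylog.example.com 192.0.2.10
    key_matches_cert "$d/pkcs8-plain.pem" "$d/cert.pem" && echo "key and cert match"
    cert_has_san "$d/cert.pem" "DNS:graylog.example.com" && echo "SAN present"
    printf 'rest_tls_cert_file = %s\nrest_tls_key_file = %s\n' "$d/cert.pem" "$d/pkcs8-plain.pem"
fi
```

A self-signed certificate still has to be trusted by every browser that opens the web interface; the SAN only makes sure that, once trusted, the name check passes for the address in rest_transport_uri as well as for the one in the browser's address bar.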



[graylog2] Healthy Elasticsearch not connecting

2016-06-02 Thread Scott John
I am getting the following error in my graylog log file.

2016-06-02T16:16:55.327-04:00 WARN  [BlockingBatchedESOutput] Error while waiting for healthy Elasticsearch cluster. Not flushing.
java.util.concurrent.TimeoutException: Elasticsearch cluster didn't get healthy within timeout
        at org.graylog2.indexer.cluster.Cluster.waitForConnectedAndHealthy(Cluster.java:179) ~[graylog.jar:?]
        at org.graylog2.indexer.cluster.Cluster.waitForConnectedAndHealthy(Cluster.java:184) ~[graylog.jar:?]
        at org.graylog2.outputs.BlockingBatchedESOutput.flush(BlockingBatchedESOutput.java:112) [graylog.jar:?]
        at org.graylog2.outputs.BlockingBatchedESOutput.write(BlockingBatchedESOutput.java:105) [graylog.jar:?]
        at org.graylog2.buffers.processors.OutputBufferProcessor$1.run(OutputBufferProcessor.java:189) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_91]
        at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_91]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_91]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_91]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_91]

The web interface comes up but reports that it cannot connect to the server 
on port 12900.
GL - 2.0.2
ES - 2.3.3
MDB - 3.0.12
OS - RHEL 7.2
Installed from repos.

curl -XGET http://localhost:9200/_cluster/health?pretty
{
  "cluster_name" : "graylog2",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 48,
  "active_shards" : 48,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

elasticsearch.yml

cluster.name: graylog2
network.host: 127.0.0.1 
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["127.0.0.1:9300"]
script.inline: on
script.indexed: on

server.conf

is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = 
root_password_sha2 = 
root_email = "ad...@email.com"
root_timezone = UTC
rest_listen_uri = http://127.0.0.1:12900/
rotation_strategy = count
elasticsearch_max_docs_per_index = 2000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog2
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_http_enabled = false
elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300
elasticsearch_network_host = 127.0.0.1
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
dead_letters_enabled = false
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog2
mongodb_max_connections = 100
mongodb_threads_allowed_to_block_multiplier = 5
mongodb_useauth = false
transport_email_enabled = false
transport_email_hostname = mailhost.email.com
transport_email_port = 587
transport_email_use_auth = false
transport_email_use_tls = true
transport_email_subject_prefix = [graylog2]
transport_email_from_email = g...@email.com
transport_email_web_interface_url = https://glog.email.com
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json


What am I missing here?
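A Graylog 2.x node joins Elasticsearch over the transport protocol, so the cluster name and the unicast host list in server.conf have to agree with what elasticsearch.yml says, independently of what curl against port 9200 reports. The posted elasticsearch.yml names the cluster graylog2, while the posted server.conf contains no elasticsearch_cluster_name line; Graylog 2.x uses graylog when that key is absent. The script below is an added example (not part of the original post or of Graylog) that pulls those values out of both files, applies that default, and flags disagreements; the es_health helper additionally reads the cluster name and status from the HTTP API for comparison. The file contents used in the usage comments are constructed from the post.

```shell
#!/bin/sh
# Added example, not part of the original post or of Graylog: cross-check the
# settings that must agree between elasticsearch.yml and Graylog's server.conf
# before a Graylog 2.x node can join the ES cluster as a transport client.
# "graylog" is Graylog 2.x's default for elasticsearch_cluster_name when the
# key is absent from server.conf.
set -eu

# yaml_value FILE KEY -> value of a top-level "key: value" line (quotes and
# trailing blanks stripped); empty if the key is absent
yaml_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key:[[:space:]]*//p" "$1" | head -n 1 \
        | tr -d '"' | sed 's/[[:space:]]*$//'
}

# conf_value FILE KEY DEFAULT -> value of "key = value" in server.conf, else DEFAULT
conf_value() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
        | sed 's/[[:space:]]*$//')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# check_es_graylog ES_YML SERVER_CONF -> 0 when the cluster names match and the
# unicast host list Graylog will dial contains the address ES binds to
check_es_graylog() {
    es_cluster=$(yaml_value "$1" cluster.name)
    gl_cluster=$(conf_value "$2" elasticsearch_cluster_name graylog)
    es_bind=$(yaml_value "$1" network.host)
    gl_hosts=$(conf_value "$2" elasticsearch_discovery_zen_ping_unicast_hosts "")
    rc=0
    if [ "$es_cluster" != "$gl_cluster" ]; then
        echo "cluster name mismatch: elasticsearch.yml has '$es_cluster', server.conf resolves to '$gl_cluster'"
        rc=1
    fi
    if [ -n "$es_bind" ]; then
        case "$gl_hosts" in
            *"$es_bind"*) ;;
            *) echo "unicast hosts '$gl_hosts' do not include network.host '$es_bind'"; rc=1 ;;
        esac
    fi
    return $rc
}

# es_health URL -> "cluster_name status" as reported by the ES HTTP API
# (needs curl and a reachable node; not exercised offline)
es_health() {
    curl -s "$1/_cluster/health" | tr -d ' \n' \
        | sed -n 's/.*"cluster_name":"\([^"]*\)".*"status":"\([^"]*\)".*/\1 \2/p'
}

# Usage:
#   check_es_graylog /etc/elasticsearch/elasticsearch.yml /etc/graylog/server/server.conf
#   es_health http://127.0.0.1:9200     # should print the same cluster name and "green"
```

The HTTP health endpoint answering green only proves that port 9200 works; the transport-side join on 9300 is what the WARN in the log is waiting for, and it fails silently on a cluster name that differs from the one Graylog was told to look for.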



[graylog2] Persist Data when using docker version of graylog

2016-06-02 Thread Niklas Karlsson
I'm a beginner with graylog.
I have trouble configuring the persistent data configuration. 
Every time I do "docker-compose rm" and then start again with 
"docker-compose up" every "input" is gone.
I have tried to configure the node-id path in the graylog.conf file with an 
absolute path to a file and also recreated the file to make sure the 
permissions are ok, but it never writes anything to the file.
Anyone have some clues?

My graylog.conf looks like this:
some-mongo:
  image: "mongo:3"
  volumes:
    - /graylog/data/mongo
some-elasticsearch:
  image: "elasticsearch:2"
  command: "elasticsearch -Des.cluster.name='graylog'"
  volumes:
    - /graylog/data/elasticsearch
graylog:
  image: graylog2/server:2.0.0-1
  volumes:
    - /graylog/data/journal
    - /graylog/config
  environment:
    GRAYLOG_PASSWORD_SECRET: somepasswordpepper
    GRAYLOG_ROOT_PASSWORD_SHA2: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
    GRAYLOG_REST_TRANSPORT_URI: http://10.100.16.150:12900
  links:
    - some-mongo:mongo
    - some-elasticsearch:elasticsearch
  ports:
    - "9000:9000"
    - "12900:12900"
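Every volume entry in the posted compose file names only a container path. Docker turns such entries into anonymous volumes, and a container recreated after "docker-compose rm" gets fresh empty ones, so nothing written earlier comes back. Inputs (like streams and users) are stored in MongoDB, which is why they vanish even though the journal path is listed. The script below is an added example, not from the original post or from the graylog2/server image documentation: anonymous_volumes scans a compose file for volume entries without a host side, and write_persistent_compose emits a variant of the posted file with host:container bind mounts. The container-side paths (/data/db for mongo:3, /usr/share/elasticsearch/data for elasticsearch:2, /usr/share/graylog/data/journal and /usr/share/graylog/data/config for graylog2/server 2.0) are the locations those images use as I know them, not values taken from the thread; the secrets are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or the graylog2/server image docs:
# flag compose volume entries that name only a container path (Docker creates
# an anonymous volume for those, and a recreated container gets a new empty
# one), and write a variant of the posted file that bind-mounts host
# directories onto the paths the images store data in. Those container paths
# are assumptions from the image docs, not values from the thread.
set -eu

# anonymous_volumes COMPOSE_FILE -> prints each "- /path" under a volumes: key
# that has no host side; exit 1 if any were found, 0 otherwise
anonymous_volumes() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }       # comments and blanks
        /^[[:space:]]*-/ {                                     # list item
            if (invol) {
                v = $0
                sub(/^[[:space:]]*-[[:space:]]*/, "", v)
                gsub(/"/, "", v)
                if (v !~ /:/) { print v; found = 1 }
            }
            next
        }
        { invol = ($0 ~ /^[[:space:]]*volumes:[[:space:]]*$/) }   # any other key
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# write_persistent_compose OUT -> compose file with host:container bind mounts
# for every piece of state the three containers keep
write_persistent_compose() {
    cat > "$1" <<'EOF'
some-mongo:
  image: "mongo:3"
  volumes:
    # inputs, streams and users live in MongoDB; mongo:3 keeps it under /data/db
    - /graylog/data/mongo:/data/db
some-elasticsearch:
  image: "elasticsearch:2"
  command: "elasticsearch -Des.cluster.name='graylog'"
  volumes:
    - /graylog/data/elasticsearch:/usr/share/elasticsearch/data
graylog:
  image: graylog2/server:2.0.0-1
  volumes:
    - /graylog/data/journal:/usr/share/graylog/data/journal
    - /graylog/config:/usr/share/graylog/data/config
  environment:
    GRAYLOG_PASSWORD_SECRET: REPLACE_WITH_A_LONG_RANDOM_SECRET
    GRAYLOG_ROOT_PASSWORD_SHA2: REPLACE_WITH_SHA256_OF_THE_ADMIN_PASSWORD
    GRAYLOG_REST_TRANSPORT_URI: http://10.100.16.150:12900
  links:
    - some-mongo:mongo
    - some-elasticsearch:elasticsearch
  ports:
    - "9000:9000"
    - "12900:12900"
EOF
}

# Usage: anonymous_volumes docker-compose.yml || echo "state above will not survive rm"
#        write_persistent_compose docker-compose.persistent.yml
```

Bind-mounting the config directory also makes the node-id file the post mentions land on the host, but that file only identifies the node; it has no bearing on which inputs exist.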





[graylog2] Re: Graylog 2 - CentOS 7 - Server Currently Unavailable

2016-06-02 Thread Glenn Mate
Having the same issue as well. Curling localhost:12900/system/sessions 
shows the is_valid:false return, so I know the API is answering locally. 
However, curling the example.com:12900/system/sessions leaves me with (35) 
Unknown SSL protocol error in connection. I believe this may be related to 
my nginx reverse proxy...

On Wednesday, May 18, 2016 at 12:47:41 PM UTC-4, Chris Chalmers wrote:
>
> Hi All,
>
> I recently installed Graylog 2 using this guide: 
> http://www.systeen.com/2016/05/12/install-graylog-2-0-centos-7-collect-windows-logs/
>
> It was working for a couple of days; I added around 10 Windows servers 
> using NXLog and could see all of the events coming in. Since this morning 
> when I go to the webpage I can't get past -
>
> Error message: Bad request
> Original Request: GET http://10.251.0.90:12900/system/sessions
> Status code: undefined
> Full error message: Error: Request has been terminated
> Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.
>
> I have restarted the individual services (graylog-server, elasticsearch 
> and mongod), restarted the server, disabled iptables and selinux is 
> disabled. 
>
> The logs all look clean 
> - /var/log/graylog-server/server.log, /var/log/elasticsearch/graylog.log 
> and /var/log/mongodb/mongod.log. 
>
> Has anyone else come across the same issue? Are there any other logs I can 
> look at?
>
> Thanks,
>
> Chris
>



[graylog2] Custom Index Template

2016-06-02 Thread Jimmy Chen
Currently we have a cluster of Graylog/ES nodes that is strictly taking UDP 
GELF log messages as input. We are noticing a high number of large log 
messages being injected into the data nodes and would like to track down 
which of the messages are unusually large. My search for a solution first 
brought me to the ES mapper size plugin. However, after digging deeper, I 
realized that the mapping for the indices is managed by Graylog, so having 
the plugin didn't really offer me a solution. After raising the question 
with Graylog on Github, I was told that a Custom Index Template is what I 
need. I read up on the 
https://www.elastic.co/guide/en/elasticsearch/reference/2.3/indices-templates.html 
article. I get the idea of what it is doing, though I am still not clear on 
how to properly configure this. It does not appear there is any way to 
directly create/modify a template in the frontend. Can anyone provide some 
guidance on how I can implement this in our environment without changing 
our existing logging capabilities?
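Graylog writes its own index template, and a second template with a higher order and a matching index pattern is merged on top of it when a new index is created, which is how the mapper-size plugin's _size field can be switched on without touching the Graylog-managed mapping. The script below is an added example, not from the original post or from the Graylog project: size_template_json produces such a template for the "message" type Graylog indexes into, largest_messages_query ranks documents and sources by _size, and hits_summary reduces the search response to "bytes source" lines without needing jq. Assumptions: the mapper-size plugin is installed on every Elasticsearch node, the index prefix is graylog (the template pattern follows it), and an order of 10 is enough to sit above Graylog's own template; the template name, the order and the sample response in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the Graylog project: a custom
# Elasticsearch 2.x index template that enables the mapper-size plugin's _size
# field for Graylog's indices, the search that ranks messages and sources by
# that size, and a parser for the response. Assumes the plugin is installed on
# every ES node and that order 10 is above Graylog's own template (assumption).
set -eu

ES_URL=${ES_URL:-http://localhost:9200}

# size_template_json PREFIX -> template enabling _size on Graylog's "message" type
size_template_json() {
    cat <<EOF
{
  "template": "${1}_*",
  "order": 10,
  "mappings": {
    "message": {
      "_size": { "enabled": true }
    }
  }
}
EOF
}

# largest_messages_query N -> top N messages by _size plus the largest _size per source
largest_messages_query() {
    cat <<EOF
{
  "size": $1,
  "_source": ["source", "timestamp"],
  "sort": [ { "_size": { "order": "desc" } } ],
  "aggs": {
    "by_source": {
      "terms": { "field": "source", "size": 10, "order": { "max_size": "desc" } },
      "aggs": { "max_size": { "max": { "field": "_size" } } }
    }
  }
}
EOF
}

# apply_size_template PREFIX -> PUTs the template; only indices created after
# this point (i.e. after the next rotation) carry _size, existing ones do not
apply_size_template() {
    size_template_json "$1" | curl -s -XPUT -H 'Content-Type: application/json' \
        "$ES_URL/_template/${1}-size" -d @-
}

# largest_messages PREFIX N -> runs the ranking search over all indices of PREFIX
largest_messages() {
    largest_messages_query "$2" | curl -s -XPOST -H 'Content-Type: application/json' \
        "$ES_URL/${1}_*/_search" -d @-
}

# hits_summary < RESPONSE -> one "bytes source" line per hit, largest first; a
# hit's "sort" value is its _size because the query sorts on that field
hits_summary() {
    tr -d ' \n' | grep -Eo '"source":"[^"]*"|"sort":\[[0-9]+\]' \
        | sed -E 's/^"source":"([^"]*)"$/\1/; s/^"sort":\[([0-9]+)\]$/\1/' \
        | paste - - | awk '{ print $2, $1 }'
}

# Usage: apply_size_template graylog
#        ... after the next index rotation:
#        largest_messages graylog 20 | hits_summary
```

Because the mapping of an existing index cannot be changed, the _size values only start to appear for indices created after the template is in place; the sort and the max aggregation then tell you both which individual messages are oversized and which source keeps sending them.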



[graylog2] Re: Graylog 2.x upgrade

2016-06-02 Thread Jimmy Chen
Good luck with the fires and I'll check back to see how it went.

On Thursday, June 2, 2016 at 6:03:34 AM UTC-7, Robert Hough wrote:
>
> Well, "out of the box", no that didn't work.  I've got faith that it can 
> be done using this approach, but we'll also need to utilize Elastic's 
> "de_dot" filter plugin.  I'm hoping to make some progress with that today, 
> and I'll provide an update by the end of the day. I've got about 10 fires 
> to put out first... :(
>
> Here's the link to the de_dot documentation:
>
> https://www.elastic.co/guide/en/logstash/current/plugins-filters-de_dot.html
>
>
> In a nutshell:
>
> 1) Logstash pulls in old index data from old ES cluster
> 2) Logstash sends that through filter
>   1a)  Match any dots in fields  (user.id)
>   2a)  Add new field as replacement for old field (user.id == user_id)
>   3a)  Populate user_id with value from user.id
>   4a)  remove old field (user.id)
> 3) Logstash pushes new index data to new ES cluster
>
> I'm sure I've left out something crucial here. Seems to be par for the 
> course, but I'm hopeful. :)
>
>
>
>
> On Wednesday, June 1, 2016 at 3:06:34 PM UTC-4, Jimmy Chen wrote:
>>
>> Did this work for you? I am going to be looking into upgrading our 
>> existing cluster to 2.x too.
>>
>> On Tuesday, May 31, 2016 at 5:08:05 PM UTC-7, Robert Hough wrote:
>>>
>>> Came across this:  
>>> https://gist.github.com/markwalkom/8a7201e3f6ea4354ae06 
>>> 
>>>
>>> third time's the charm?  :)
>>>
>>>
>>> On Friday, May 27, 2016 at 4:43:18 PM UTC-4, Robert Hough wrote:

>>>> Recently built a Graylog 2.x cluster, and that seems to be working 
>>>> fine.  I had some questions though, but right now the biggest nagging 
>>>> question has been...
>>>>
>>>> How do we migrate our existing indexes over to the new system?  The 
>>>> whole dots in field names issue seems to be what is preventing us from 
>>>> pulling this off.  How do we correct these, and then import them into the 
>>>> our new system? 
>>>>
>>>



[graylog2] Re: Max log message size

2016-06-02 Thread Jimmy Chen
Thanks for the reply. Is there a way to see how big the messages are then?

On Thursday, June 2, 2016 at 12:46:40 AM UTC-7, Jochen Schalanda wrote:
>
> Hi Jimmy,
>
> the maximum (GELF) message size can currently not be limited in Graylog.
>
> Cheers,
> Jochen
>
> On Wednesday, 1 June 2016 20:33:28 UTC+2, Jimmy Chen wrote:
>>
>> Is there a way to configure max log message size in Graylog 2.0.1. Our 
>> input is limited to UDP GELF only.
>>
>



[graylog2] Re: LDAP Error

2016-06-02 Thread Jochen Schalanda
Hi Robert,

check the "ldap_settings" collection in MongoDB and make sure that only 1 
entry exists in there.

Cheers,
Jochen

On Thursday, 2 June 2016 15:07:37 UTC+2, Robert Hough wrote:
>
> Unable to locate said user in those areas.  For the sake of clarity: 
> this account was initially used to set up LDAP, but was done so in error.  
> LDAP was then reconfigured with the correct credentials.  It's like Graylog 
> has somehow held onto this incorrect LDAP configuration, somewhere, but I 
> can't seem to figure out where it is.
>
>
> On Friday, May 27, 2016 at 8:34:54 PM UTC-4, Robert Hough wrote:
>>
>> 2016-05-28T00:28:12.333Z ERROR [LdapUserAuthenticator] Error during LDAP 
>> user account sync. Cannot log in user user_redacted
>> java.lang.RuntimeException: ERR_02002_FAILURE_ON_UNDERLYING_CURSOR 
>> Failure on underlying Cursor.
>>         at org.apache.directory.api.ldap.model.cursor.CursorIterator.next(CursorIterator.java:86) ~[graylog.jar:?]
>>         at org.graylog2.security.ldap.LdapConnector.search(LdapConnector.java:139) ~[graylog.jar:?]
>>
>> We keep seeing the error above. The user "user_redacted" was originally 
>> configured (incorrectly) but we have since added the correct user. The 
>> problem is the above error continually shows up in the graylog server.log,  
>> even though we are no longer using it.  We've tried restarting, rebooting, 
>> but it keeps coming back.  I suspect it is still somewhere in mongo, but 
>> I'm not really sure where to look to remove.  Any ideas?  Thanks
>>
>>



[graylog2] Re: LDAP Error

2016-06-02 Thread Robert Hough
Unable to locate said user in those areas.  For the sake of clarity: this 
account was initially used to set up LDAP, but was done so in error.  LDAP 
was then reconfigured with the correct credentials.  It's like Graylog has 
somehow held onto this incorrect LDAP configuration, somewhere, but I can't 
seem to figure out where it is.


On Friday, May 27, 2016 at 8:34:54 PM UTC-4, Robert Hough wrote:
>
> 2016-05-28T00:28:12.333Z ERROR [LdapUserAuthenticator] Error during LDAP 
> user account sync. Cannot log in user user_redacted
> java.lang.RuntimeException: ERR_02002_FAILURE_ON_UNDERLYING_CURSOR Failure 
> on underlying Cursor.
>         at org.apache.directory.api.ldap.model.cursor.CursorIterator.next(CursorIterator.java:86) ~[graylog.jar:?]
>         at org.graylog2.security.ldap.LdapConnector.search(LdapConnector.java:139) ~[graylog.jar:?]
>
> We keep seeing the error above. The user "user_redacted" was originally 
> configured (incorrectly) but we have since added the correct user. The 
> problem is the above error continually shows up in the graylog server.log,  
> even though we are no longer using it.  We've tried restarting, rebooting, 
> but it keeps coming back.  I suspect it is still somewhere in mongo, but 
> I'm not really sure where to look to remove.  Any ideas?  Thanks
>
>



[graylog2] Case insensitive search in extracted fields

2016-06-02 Thread Marcin Pawlikowski

Hi,

I need to search in case-insensitive mode in extracted fields of a message.

I tried the solutions described in this post:

https://groups.google.com/forum/#!topic/graylog2/xunuSZPgGIc

But with no positive effect.

I plan to paste a piece of example code, but before I do this: maybe 
someone knows another solution or a web source about that issue?

I use the gl2 API to connect to the gl2 server. 


Marcin





[graylog2] Re: Graylog 2.x upgrade

2016-06-02 Thread Robert Hough
Well, "out of the box", no that didn't work.  I've got faith that it can be 
done using this approach, but we'll also need to utilize Elastic's "de_dot" 
filter plugin.  I'm hoping to make some progress with that today, and I'll 
provide an update by the end of the day. I've got about 10 fires to put out 
first... :(

Here's the link to the de_dot documentation:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-de_dot.html


In a nutshell:

1) Logstash pulls in old index data from old ES cluster
2) Logstash sends that through filter
  1a)  Match any dots in fields  (user.id)
  2a)  Add new field as replacement for old field (user.id == user_id)
  3a)  Populate user_id with value from user.id
  4a)  remove old field (user.id)
3) Logstash pushes new index data to new ES cluster

I'm sure I've left out something crucial here. Seems to be par for the 
course, but I'm hopeful. :)




On Wednesday, June 1, 2016 at 3:06:34 PM UTC-4, Jimmy Chen wrote:
>
> Did this work for you? I am going to be looking into upgrading our 
> existing cluster to 2.x too.
>
> On Tuesday, May 31, 2016 at 5:08:05 PM UTC-7, Robert Hough wrote:
>>
>> Came across this:  
>> https://gist.github.com/markwalkom/8a7201e3f6ea4354ae06 
>> 
>>
>> third time's the charm?  :)
>>
>>
>> On Friday, May 27, 2016 at 4:43:18 PM UTC-4, Robert Hough wrote:
>>>
>>> Recently built a Graylog 2.x cluster, and that seems to be working 
>>> fine.  I had some questions though, but right now the biggest nagging 
>>> question has been...
>>>
>>> How do we migrate our existing indexes over to the new system?  The 
>>> whole dots in field names issue seems to be what is preventing us from 
>>> pulling this off.  How do we correct these, and then import them into the 
>>> our new system? 
>>>
>>



[graylog2] Re: Alerts not getting triggered Graylog v2.0.1

2016-06-02 Thread Rakesh R
Hi,
 Here are a few rules from different streams:

   - *message* must match regular expression *RuntimeException: No Elastic Search server found for partner *
   - *full_message* must match exactly *"Cannot find"*
   - *message* must match regular expression *java.util.concurrent.TimeoutException*
   - *message* must match regular expression *InboundMessageInformationLoader*

Sample Alert condition

   - *Alert is triggered when there are more than 0 messages in the last 10 
   minutes. Grace period: 0 minutes. Not including any messages in alert 
   notification.*


These alerts are being triggered, but only for some time, like a few 
hours. After that the alerts won't be triggered and there are no errors in 
the graylog server's logs. 
Once the graylog server is restarted the alerts are triggered again, and 
after some time they stop and the server has to be restarted again.

On Monday, May 30, 2016 at 2:12:44 PM UTC+5:30, Rakesh R wrote:
>
> Hi, 
>
>   Graylog is set up properly and there seems to be some issue with the 
> alerts being triggered. Test mails are working fine. The alerts are 
> triggered from the streams when the server is restarted and after some time 
> the alerts are not triggered. I have checked the configuration and 
> everything is fine. Can someone help me? 
>



[graylog2] Re: Regex Use in Pipeline Rule

2016-06-02 Thread tokred
Hi Chad,

I had a similar issue for which I found a solution: I think the reason for 
your non-match is that regex() needs the pattern to match fully on the 
message string. Try to modify your pattern to something like "^.+SomeProc.*".

*@ Jochen:* Could you comment on that? I think the reason is that 
org.graylog.plugins.pipelineprocessor.functions.strings.RegexMatcher uses 
Matcher.matches() which, according to the javadoc, "Attempts to match the *entire 
region* against the pattern." From my point of view, regex() should comply 
with the standard behavior where /^foo/ matches "foobar", not requiring /^foo.*/. 
Actually, I already wanted to file an issue but am afraid of rejection. ;-)

Best regards
tokred


On Wednesday, May 25, 2016 at 11:18:20 PM UTC+2, Chad Sheets wrote:
>
> I'm attempting to drop messages according to regular expressions and was 
> wondering if it can be done with pipelines.
>
> Looking at various other sources and reading the docs I came up with 
> something like this:
>
> rule "drop via regex"
> when
>     // regex(pattern, value) returns a match result; .matches is its boolean
>     regex("^.+SomeProc", to_string($message.message)).matches
> then
>     drop_message();
> end
>
>
>
> however I can't get it to work. 
>
> I could, alternatively, attempt to use a string of ` contains(...) ` 
> though that seems more cumbersome. 
>
> Please also let me know if I'm going about this the wrong way. I'm 
> attempting to use pipelines over drools since that seems to be the 
> direction graylog is heading.
>
>
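The distinction tokred draws, between a pattern that may occur anywhere in the string (Java's Matcher.find()) and one that must account for the entire string (Matcher.matches()), is easy to reproduce at the shell, where grep -x imposes the same whole-line requirement that -x-less grep does not. The block below is an added example, not code from the thread or from the Graylog project; the log line is constructed. It shows why "^.+SomeProc" drops nothing under whole-string semantics while "^.+SomeProc.*" does, and why an unanchored "SomeProc.*" still fails there, since in matches() mode both ends are implicitly anchored. Transferred to the quoted rule, that is the change from regex("^.+SomeProc", ...) to regex("^.+SomeProc.*", ...).

```shell
#!/bin/sh
# Added example, not from the thread or the Graylog project: reproduce the
# difference between Matcher.find() (pattern may occur anywhere) and
# Matcher.matches() (pattern must cover the whole input) with grep, whose -x
# flag imposes the whole-line requirement. MSG is a constructed log line.
set -eu

MSG='2016-06-02T10:00:00 app01 SomeProc[4242]: worker started'

# search_match PATTERN STRING -> 0 if PATTERN occurs anywhere in STRING (find())
search_match() { printf '%s\n' "$2" | grep -Eq -- "$1"; }

# full_match PATTERN STRING -> 0 only if PATTERN covers all of STRING (matches(),
# the behaviour tokred attributes to the pipeline regex() function)
full_match() { printf '%s\n' "$2" | grep -Eqx -- "$1"; }

# for_full_match PATTERN -> PATTERN with a trailing ".*" added unless it already
# ends in ".*" or is explicitly anchored with "$"
for_full_match() {
    case "$1" in
        *'.*'|*'$') printf '%s\n' "$1" ;;
        *)          printf '%s.*\n' "$1" ;;
    esac
}

# Usage: full_match "$(for_full_match '^.+SomeProc')" "$MSG" && echo "would drop"
```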



[graylog2] Re: How get message id using GrayLog2 API

2016-06-02 Thread Marcin Pawlikowski

Hi Cazy,

Thanks for your response. Seems that will work for me:)

Thanks for help:)

Marcin


On Thursday, June 2, 2016 at 11:19:45 AM UTC+2, cazy wrote:
>
> Hi Marcin,
>
> you can query the message ID by requesting the field *_id* (notice the 
> underscore).
>
>



[graylog2] Stream problem

2016-06-02 Thread Kazed Wazabi
Hello, I'm using graylog 2.0.2.
Today I wanted to use a stream to get email alerts. But it seems there is a 
problem.

The stream rule works and my logs are redirected to it.


I have configured the condition to trigger alerts like so:

If I send a test e-mail it works.

But when I receive a log that goes to my stream, I don't get alerts.

Before, I was able to send alerts for another stream. Has something changed 
about the streams since the last release?



[graylog2] Re: How get message id using GrayLog2 API

2016-06-02 Thread cazy
Hi Marcin,

you can query the message ID by requesting the field *_id* (notice the 
underscore).



[graylog2] Re: Support for Ubuntu 16.04

2016-06-02 Thread Jochen Schalanda
Cool, thanks for the feedback!

Cheers,
Jochen

On Wednesday, 1 June 2016 22:25:06 UTC+2, beeg98 wrote:
>
> I was able to get it going without too many issues. This was my first time 
> installing it, so there was a bit of a learning curve, but the software 
> itself seems fine.
>
> Thanks,
> BJ
>
> On Wednesday, June 1, 2016 at 10:15:53 AM UTC-6, beeg98 wrote:
>>
>> I will give it a go. Thanks for the response! I'll let you know if there 
>> are any issues. 
>>
>> Thanks!
>>
>> On Wednesday, June 1, 2016 at 1:05:39 AM UTC-6, Jochen Schalanda wrote:
>>>
>>> Hi,
>>>
>>> the official DEB package 
>>> (http://docs.graylog.org/en/2.0/pages/installation/operating_system_packages.html#deb-apt) 
>>> should also work with Ubuntu 16.04 LTS, we just didn't have time to test it 
>>> properly yet.
>>>
>>> It would be great if you could install it on your Ubuntu 16.04 LTS 
>>> machine and post some feedback whether it worked or not (but we're 
>>> confident that it does indeed work).
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Tuesday, 31 May 2016 21:55:11 UTC+2, beeg98 wrote:

>>>> Ubuntu 16.04 was officially released a little over a month ago. The deb 
>>>> download page shows that 12.04 and 14.04 are currently the only supported 
>>>> versions of Ubuntu, but I presume that eventually 16.04 will be added to 
>>>> that list. I would like to have an idea of when that package will be 
>>>> released. I've been asked to install a new graylog server, and I'd prefer 
>>>> to use the latest LTS release, but if it is going to be very long before 
>>>> there is official support for it, then I will use 14.04 instead. Does 
>>>> anyone know if there is a plan for this, and if there is what the plan is? 
>>>>
>>>> If you happen to know that there currently is no plan, then I'd like to 
>>>> hear from you as well. I asked on IRC a couple of times today, and didn't 
>>>> get a response. I just need to know which way to go. 
>>>>
>>>> Thanks!
>>>>
>>>



[graylog2] Re: Max log message size

2016-06-02 Thread Jochen Schalanda
Hi Jimmy,

the maximum (GELF) message size can currently not be limited in Graylog.

Cheers,
Jochen

On Wednesday, 1 June 2016 20:33:28 UTC+2, Jimmy Chen wrote:
>
> Is there a way to configure max log message size in Graylog 2.0.1. Our 
> input is limited to UDP GELF only.
>
