[graylog2] Re: Replace hostname in logging

2016-06-16 Thread John Babio
Never mind, I spoofed the hostname using an rsyslog template for this 
particular host. If anyone is interested let me know.

On Thursday, June 16, 2016 at 9:41:50 PM UTC-4, John Babio wrote:
>
> I have an HP switch logging as host 1.1.1.1-1. How can I replace this with 
> a hostname of my liking as it's being logged?
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/7b06c560-0dda-4efa-8bb1-128871371700%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
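An rsyslog template of the kind the reply above mentions, added here as an example; it is not the poster's own configuration. The replacement name hp-switch-core01, the relay's listening port 514 and the Graylog target graylog.example.org:1514 are assumptions; the hostname 1.1.1.1-1 is the one the thread reports.

```conf
# Added example (not the poster's template): rsyslog RainerScript (v7+) that
# replaces the HOSTNAME field of one noisy sender before forwarding to Graylog.
# Assumed: relay listens on UDP 514, Graylog syslog input is graylog.example.org:1514.
module(load="imudp")
input(type="imudp" port="514")

# Same layout as the built-in RSYSLOG_ForwardFormat, except that the
# %HOSTNAME% property is replaced by a fixed string (assumed name).
# PRI, timestamp, tag and message are passed through unchanged, so the
# original facility/severity and the sender's clock are preserved.
template(name="FixedHostForward" type="string"
         string="<%PRI%>%TIMESTAMP:::date-rfc3339% hp-switch-core01 %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

# Match the hostname the switch actually sends ("1.1.1.1-1" in the thread).
# Matching on $fromhost-ip instead would tie the rewrite to the address the
# relay observed rather than to a field the sender controls; keep a record of
# the mapping either way, since the rewrite changes what Graylog attributes
# the messages to.
if $hostname == "1.1.1.1-1" then {
    action(type="omfwd" target="graylog.example.org" port="1514" protocol="udp"
           template="FixedHostForward")
    stop
}
```

Check the result with `rsyslogd -N1` before restarting; only messages from the matched host use the rewritten template, everything else keeps its own hostname.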


[graylog2] Replace hostname in logging

2016-06-16 Thread John Babio
I have an HP switch logging as host 1.1.1.1-1. How can I replace this with 
a hostname of my liking as it's being logged?



[graylog2] ApiError "HTTP 404 Not Found" when curling graylog-server:12900

2016-06-16 Thread Sebastien Liu
I'm new to Graylog and launched the service using Docker with the 
docker-compose.yml file provided by the official website.

some-mongo:
  image: "mongo:3"
  volumes:
    - /graylog/data/mongo:/data/db

some-elasticsearch:
  image: "elasticsearch:2"
  command: "elasticsearch -Des.cluster.name='graylog'"
  volumes:
    - /graylog/data/elasticsearch:/usr/share/elasticsearch/data

graylog:
  image: graylog2/server
  volumes:
    - /graylog/data/journal:/usr/share/graylog/data/journal
    - /graylog/config:/usr/share/graylog/data/config
  environment:
    GRAYLOG_PASSWORD_SECRET: somepasswordpepper
    GRAYLOG_ROOT_PASSWORD_SHA2: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
    GRAYLOG_REST_TRANSPORT_URI: http://127.0.0.1:12900
  links:
    - some-mongo:mongo
    - some-elasticsearch:elasticsearch
  ports:
    - "9000:9000"
    - "12900:12900"
    - "12201/udp:12201/udp"
    - "1514/udp:1514/udp"

But after `docker-compose up`, servername:9000 is reporting:

Error message: Bad request
Original Request: GET http://127.0.0.1:12900/system/sessions
Status code: undefined
Full error message: Error: Request has been terminated. Possible causes: the 
network is offline, Origin is not allowed by Access-Control-Allow-Origin, the 
page is being unloaded, etc.

I logged on to the container and curled localhost:12900 locally, which 
returned {"type":"ApiError","message":"HTTP 404 Not Found"}.



[graylog2] Input Failed to Start

2016-06-16 Thread Justin Reid
Greetings All,
I am very new to Linux/Graylog and am trying to get my server to 
run. I've set it up, and the "# service graylog-server status" command says it's 
running. My problem comes when I try to add an input on the web interface. 
I keep receiving this error:

An input has failed to start (triggered 5 days ago)
Input 575c888722383508a780383d has failed to start on node 
7123ded0-3444-467e-9181-a214195da068 for this reason: »Permission denied.«. 
This means that you are unable to receive any messages from this input. 
This is mostly an indication for a misconfiguration or an error. You can 
click here to solve this.

I've been trying to resolve the issue for a couple of days now and cannot 
figure it out. Any ideas as to what it could possibly be? Thanks very much 
in advance.



[graylog2] Re: Journal utilization is too high and uncommited messages

2016-06-16 Thread Eric Green


On Tuesday, April 14, 2015 at 10:23:32 AM UTC-7, roberto...@gmail.com wrote:
>
> Dear, I've installed the current versions of Graylog and Elasticsearch:
>
> graylog-server 1.0.1-1 / graylog-web 1.0.1-1 / graylog2-stream-dashboard 
> 0.90.0-1 /elasticsearch 1.5.1
>
> My server is Debian Wheezy, with 2 processors and 20 GB RAM (now I have 15 
> GB free).
>


Graylog needs more processors than that for your load. My rough guesstimate 
is that you need one core per 500 messages per second, plus a couple more 
cores for overhead, web, etc. You can validate this by looking at idle% in 
iostat -c 1; my guess is that you'll see less than 10% idle on a 
consistent basis.

 

> Everything works OK, but because of the high volume of received logs, I 
> get these two error messages:
>
> Journal utilization is too high 9 minutes ago 
>
> Journal utilization is too high and may go over the limit soon. Please 
> verify that your Elasticsearch cluster is healthy and fast enough. You may 
> also want to review your Graylog journal settings and set a higher limit. 
> (Node: *b7b62947-250e-473b-b8df-7083d6df9886*, journal utilization: 
> 101.0%)
>
>  Uncommited messages deleted from journal 9 minutes ago
>
> Some messages were deleted from the Graylog journal before they could be 
> written to Elasticsearch. Please verify that your Elasticsearch cluster is 
> healthy and fast enough. You may also want to review your Graylog journal 
> settings and set a higher limit. (Node: 
> *b7b62947-250e-473b-b8df-7083d6df9886*)
>
> Also the JVM in the Node tab is using 750MB of 972MB heap space, and there 
> are 1 million messages in the journal.
>
> Please, how can I tune the system in order to avoid these messages and 
> expand the heap space??? I'm using the default settings for elasticsearch 
> and graylog.
>

You fail to mention what operating system you are running under. Without 
that, we can't help you. If you're running on AWS Linux or CentOS, you need 
to modify /etc/sysconfig/graylog-server to add the following to your 
GRAYLOG_SERVER_JAVA_OPTS: "-Xmx2000m". That'll raise your heap size to 
2 GB. In general, adding more memory than 2 GB really won't help Graylog; 
it'll just make garbage collection take longer, though "-XX:+UseG1GC" may 
help maintain responsiveness with more memory (that changes to the G1GC 
garbage collector, which sacrifices performance in favor of 
responsiveness). Graylog is more CPU-intensive than memory-intensive 
(Elasticsearch is exactly the opposite: it needs lots of memory and doesn't 
use much CPU).

What is your Elasticsearch cluster configuration? Same machine as the 
Graylog server? In that case, you are *definitely* consuming all your CPU.

Please note that if you've used the commercial solution whose name starts 
with an "s", Graylog uses *considerably* more resources than that solution. 
So yes, your configuration would have been adequate for that solution, but 
Graylog needs considerably more CPU to operate reliably and will certainly 
fall over on a regular basis on a machine that only has two cores if you're 
attempting to throw 1,000 messages per second at it.




[graylog2] Re: Slave nodes

2016-06-16 Thread Shon Nixon


On Thursday, June 16, 2016 at 2:57:10 PM UTC-4, Shon Nixon wrote:
>
> I have built three Graylog 2.0 servers using CentOS 7. After 
> configuration, all three work as an ES cluster, but I cannot get the 
> servers to join the master as slave nodes. I have is_master set correctly 
> with one true and the other two false. They do not show up in the web GUI 
> as additional nodes. Is there a configuration option I am missing to join 
> the other two boxes to the master node?
>

Discovered the answer: point the other systems' mongo instances to the server 
selected to be the master.



[graylog2] Slave nodes

2016-06-16 Thread Shon Nixon
I have built three Graylog 2.0 servers using CentOS 7. After configuration, 
all three work as an ES cluster, but I cannot get the servers to join the 
master as slave nodes. I have is_master set correctly with one true and the 
other two false. They do not show up in the web GUI as additional nodes. Is 
there a configuration option I am missing to join the other two boxes to 
the master node?



Re: [graylog2] Slow web interface in 2.0.2

2016-06-16 Thread Marko Lerota
I didn't try any previous 2.0.x releases. I use Chrome and Firefox on 
Linux; the result is the same. 
I will try to dig up some old releases on AWS tomorrow and send the results 
here. I know about developer tools. I checked that also. Didn't get any info 
except the big loading times that I already knew about, and strange network 
traffic in the idle state: every second something is sending data to my browser.

Try going to 
 https://your.graylog.url/gettingstarted

and open developer tools.



Re: [graylog2] Slow web interface in 2.0.2

2016-06-16 Thread Edmundo Alvarez
Hi Marko,

Did you try any previous 2.0.x releases? I'm wondering if this may be an issue 
specific to 2.0.2 or not.

I think the first thing to see is where the performance issue is. Since 2.0, 
the Graylog web interface runs entirely in your browser, so you should check if 
loading the assets is the problem, or if the page rendering itself is. You can 
use your browser's developer tools to take a look. This is how you can open 
them in Chrome, it's similar in other browsers: 
https://developers.google.com/web/tools/chrome-devtools/

Which browser are you using, by the way? Maybe using another one could help a 
bit.

Regards,
Edmundo

> On 16 Jun 2016, at 16:17, Marko Lerota  wrote:
> 
> Hi guys. I installed a few 2.0.2 versions and the web interface is really slow. 
> 
> How to reproduce the problem: 
> Go to any page and then click refresh. The page reloads in 6-12 seconds. Searches
> also. I thought that maybe I did something wrong in the network/DNS setup, so I 
> tried to change a few things but it didn't help. I tried:
> 
> - install different Java versions
> - check the /etc/hosts file
> - alter some of the default config in server.conf
> 
> but nothing helped. Then I decided to launch an official AWS 2.0.2 instance and 
> the same thing happens. I tried a few of them in different networks. But the result
> is the same. Does anyone know about some bugs in 2.0.2 related to this?
> 
> Thanks
> 



[graylog2] How to filter/group existing messages?

2016-06-16 Thread timo . klement
Hi,

I'm really new to Graylog and trying to find a way to group/filter 
duplicates.
We are using Graylog to filter Apache messages, and as you know the same 
message often appears many times during a period.

There is no need to filter while streaming.
I need a way to filter existing messages, e.g. to filter all 404 Not Found 
messages with the same URL.

Can you show me an example or provide a way on how to fix the problem?



[graylog2] Slow web interface in 2.0.2

2016-06-16 Thread Marko Lerota
Hi guys. I installed a few 2.0.2 versions and the web interface is really 
slow. 

How to reproduce the problem: 
Go to any page and then click refresh. The page reloads in 6-12 seconds. 
Searches also. I thought that maybe I did something wrong in the network/DNS 
setup, so I tried to change a few things but it didn't help. I tried:

- install different Java versions
- check the /etc/hosts file
- alter some of the default config in server.conf

but nothing helped. Then I decided to launch an official AWS 2.0.2 instance 
and the same thing happens. I tried a few of them in different networks. But 
the result is the same. Does anyone know about some bugs in 2.0.2 related to this?

Thanks



Re: [graylog2] Could not create extractor (404)

2016-06-16 Thread Dietmar Schurr
Hello Edmundo,

this is Graylog 2.0.2 in a cluster of two VM appliances running under 
VMware.
The behaviour was the same on IE11 (Windows) and Chromium (from a Linux 
system).
If I edit the same extractor definition I don't get this error.

Regards,

Dietmar Schurr

On Wednesday, June 15, 2016 at 5:39:38 PM UTC+2, Edmundo Alvarez wrote:
>
> Hi Dietmar, 
>
> Would you be so kind as to tell us which Graylog version and browser you 
> use? Additionally, do you see any errors in your browser's developer 
> console when the error occurs? This is how you can open the developer 
> console in Chrome, it's similar in other browsers: 
> https://developers.google.com/web/tools/chrome-devtools/ 
>
> Regards, 
> Edmundo 
>
> > On 15 Jun 2016, at 16:07, Dietmar Schurr wrote: 
> > 
> > Hello, 
> > 
> > if I choose the condition "Only attempt extraction if field contains 
> string" it works. 
> > Hmm, I wonder why. The Grok pattern is the same. 
> > 
> > Regards, 
> > 
> > Dietmar Schurr 
> > 
> > On Tuesday, June 14, 2016 at 3:08:49 PM UTC+2, Dietmar Schurr wrote: 
> > Hello, 
> > 
> > now I have another problem: 
> > I try to apply an extractor to an input. 
> > 
> > I go to Systems/Input and choose "Manage extractors" next to the Input I 
> want to have it. 
> > 
> > In the wizard I click on "Get started" and load a message. 
> > 
> > I select "Grok Pattern" next to the field "message". Here I enter my 
> grok pattern in the field "Grok pattern". 
> > If I click on "Try" it works nice and all fields are extracted. 
> > 
> > Now I enter a name like test_extracotr in the field "Extractor title". 
> > 
> > If I click on "Create extractor" I get this error message: 
> > 
> > 
> > 
> > What am I doing wrong here? 
> > 
> > Thanks in advance for your help. 
> > 
> > Regards, 
> > 
> > Dietmar Schurr 
> > 



Re: [graylog2] How to configure mail alert

2016-06-16 Thread Marius Sturm
Hi Sangh,
please take a look here for persisting email configuration on the
appliances:
http://docs.graylog.org/en/2.0/pages/configuration/graylog_ctl.html#graylog-ctl
The sub-command you need is `set-email-config`.

Cheers,
Marius


On 16 June 2016 at 11:03, sangh  wrote:

> Hi, I am trying to configure a mail alert with no success.
> My Graylog config file is in /opt/graylog; I modified the Email Transport section,
> but when I run graylog-ctl reconfigure my file goes back to its first
> configuration.
>
> I am using the Graylog OVA 2.0.2
>



-- 
Developer

Tel.: +49 (0)40 609 452 077
Fax.: +49 (0)40 609 452 078

TORCH GmbH - A Graylog Company
Poolstraße 21
20335 Hamburg
Germany

https://www.graylog.com 

Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Geschäftsführer: Lennart Koopmann (CEO)



[graylog2] How to configure mail alert

2016-06-16 Thread sangh
Hi, I am trying to configure a mail alert with no success.
My Graylog config file is in /opt/graylog; I modified the Email Transport section, 
but when I run graylog-ctl reconfigure my file goes back to its first 
configuration.

I am using the Graylog OVA 2.0.2



[graylog2] Re: timezone weirdness

2016-06-16 Thread Jochen Schalanda
Hi John,

do you receive any messages at all from the syslog server after changing 
its configuration?

Also take a look 
at https://github.com/Graylog2/graylog-guide-syslog-linux/blob/master/README.md 
for instructions on how to configure rsyslog to work with Graylog.

Cheers,
Jochen

On Thursday, 16 June 2016 04:19:41 UTC+2, john tombin wrote:
>
> I have servers in different time zones which are not set to UTC. I was 
> using RSYSLOG_TraditionalFileFormat and saw the messages delivered to 
> Graylog, but the timestamps were way off. I started using 
> RSYSLOG_SyslogProtocol23Format since this sends TZ info, but now I'm not 
> seeing the messages in Graylog at all. From all the documentation I've 
> read, Graylog should be able to read this. Are there any recommendations, or 
> has anyone else seen this behavior where messages stop showing up after 
> switching rsyslog formats?
>

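To make the difference between the two rsyslog formats in this thread concrete, here is an added Python example (not from the thread or the linked guide) that parses one constructed line in each format and measures the timestamp shift the original poster saw. The sample lines, the year 2016 and the assumption that the receiver treats zone-less timestamps as UTC are mine.

```python
"""Added example (not part of the thread): parse the two rsyslog output
formats named above and show why RSYSLOG_TraditionalFileFormat produces
timestamps that are "way off" for a host not set to UTC, while
RSYSLOG_SyslogProtocol23Format carries the sender's zone offset."""
import re
from datetime import datetime, timezone

# Constructed sample lines: the same event emitted once in each format by a
# host whose local clock is at UTC-7 and reads 04:19:41.
TRADITIONAL = ("Jun 16 04:19:41 web01 sshd[2231]: Accepted publickey for "
               "deploy from 10.0.0.5 port 51122 ssh2")
PROTOCOL23 = ("<86>1 2016-06-16T04:19:41.123456-07:00 web01 sshd 2231 - - "
              "Accepted publickey for deploy from 10.0.0.5 port 51122 ssh2")

_TRAD_RE = re.compile(
    r"^(?:<\d{1,3}>)?([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")
# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
_RFC5424_RE = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+)(?: (.*))?$")


def parse_traditional(line, year, assumed_tz=timezone.utc):
    """RSYSLOG_TraditionalFileFormat (RFC 3164 style) carries neither a year
    nor a zone offset, so the receiver must assume both. Assuming UTC (the
    assumption made here) shifts every non-UTC host's events by that host's
    offset, which is exactly the symptom reported in the thread."""
    m = _TRAD_RE.match(line)
    if not m:
        raise ValueError("not a traditional syslog line: %r" % line)
    mon, day, hms, host, rest = m.groups()
    naive = datetime.strptime("%s %s %s %s" % (year, mon, day, hms),
                              "%Y %b %d %H:%M:%S")
    return {"host": host, "timestamp": naive.replace(tzinfo=assumed_tz),
            "message": rest}


def parse_protocol23(line):
    """RSYSLOG_SyslogProtocol23Format (RFC 5424) carries a full RFC 3339
    timestamp including the sender's offset, so no assumption is needed.
    The header is strict (version 1, six header fields, then structured
    data); a line that does not fit is rejected rather than mis-parsed."""
    m = _RFC5424_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line: %r" % line)
    pri, stamp, host, app, procid, msgid, sd, msg = m.groups()
    # fromisoformat (Python 3.7+) understands "-07:00" offsets and the
    # six-digit fraction rsyslog's date-rfc3339 emits; map a bare "Z" too.
    ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    pri = int(pri)
    return {"host": host, "app": app, "procid": procid, "msgid": msgid,
            "facility": pri // 8, "severity": pri % 8, "structured_data": sd,
            "timestamp": ts, "message": msg or ""}


def skew_seconds(traditional_line, protocol23_line, year):
    """Seconds between the UTC-assumed traditional timestamp and the true
    instant the RFC 5424 line encodes. Negative means the traditional
    timestamp lands earlier than reality; zero only if the sender is on UTC."""
    t = parse_traditional(traditional_line, year)["timestamp"]
    p = parse_protocol23(protocol23_line)["timestamp"].replace(microsecond=0)
    return int((t - p).total_seconds())


if __name__ == "__main__":
    rec = parse_protocol23(PROTOCOL23)
    print("true instant (UTC):", rec["timestamp"].astimezone(timezone.utc))
    print("traditional-format skew: %d s" % skew_seconds(TRADITIONAL, PROTOCOL23, 2016))
```

For a UTC-7 sender the traditional line is filed seven hours early; the same parser rejects a line that is not a well-formed RFC 5424 header, which is the first thing to check when messages vanish after the format switch.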


[graylog2] Re: Cardinality field of Statistics

2016-06-16 Thread Jochen Schalanda
Hi Steve,

it's just a SWAG , 
but field statistics only work for numeric fields, so maybe there are 
non-numeric values for that field in one or more of the indices covering 
the 8 hours time span but not in the indices covering the 1-2 hours time 
span.

Cheers,
Jochen

On Wednesday, 15 June 2016 20:48:26 UTC+2, Steve Kuntz wrote:
>
> Hi,
>
> I would like to see a list of unique values of a text field and was trying 
> to use the Field Statistics to do so. It displays the correct information 
> for 1 and 2 hours, but when I go to 8 hours all values show up as 0. Any 
> suggestions? See attached.
>



[graylog2] Re: does graylog support multi-value queries?

2016-06-16 Thread cazy
Hi Jason,

from working with Logstash, I know you can add tags to the field "tags". 
However, I just realised that it is just a text field with its values being 
separated by commas. This means that indeed you have to do a wildcard 
lookup when searching those fields. Maybe this should be added as a product 
idea at the Graylog website...

Cheers
Carlos
