Re: [graylog2] Re: Geo-Location Processor doesn't create _geolocation fields for custom fields created by pipeline rules

2016-09-01 Thread Jason Haar
On Thu, Sep 1, 2016 at 2:12 AM, Jan  wrote:

> Found the error. In my original pipeline-rule I used the "to_ip" function
> to convert the pattern match to an IP. With this setting resolving the IP
> to a geo location fails.
> I changed the rule now to convert the pattern match to a string by using
> the "to_string" function. Voila... geo location works for all custom fields
> now.
>

(To the Graylog devs) That's a bug, isn't it? I mean, what's wrong with
assuming an IP address is an IP address? Shouldn't the GeoIP processor
support both string and "ip" field types?


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/CAFChrgJFzC5HFDnX2c1soixC_7LH5n%3D2-MEiymEp88GQeUHhuw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [graylog2] Re: Indicators of Compromise (IOCs)

2016-09-01 Thread Jason Haar
On Tue, Aug 30, 2016 at 3:03 AM, Jochen Schalanda 
wrote:

> there's currently no official integration of TAXII with Graylog. I guess
> you would need to write a custom plugin for integrating TAXII or other IoC
> feeds and check against them.
>

I've just been thinking about this myself. It should be handled in a
similar way to the GeoIP processor IMHO. Let's call it the "Reputation"
processor. It could load an external 'database' of 'name,field,value' and,
when the input data stream contains 'field: value', trigger a new
'reputation:name' record.

eg

TALOS, src_ip, 1.2.3.4
SPAMHAUS, email_ip, 3.2.1.2

Then your firewall logs involving src_ip == 1.2.3.4 would get a
"reputation:TALOS" record and your email logs (email_ip == 3.2.1.2) would
get a "reputation:SPAMHAUS" record.

This would be a more generalised solution - could be abused in all sorts of
ways :-)

Hmm, I thought I added this to the Ideas site a few days ago - can't find
it now?



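The "Reputation" processor sketched in the post above, as an added Python example (it is not Graylog code and not a Graylog plugin): it loads a 'name,field,value' list, indexes it per field, and tags every message whose field holds a listed value. The feed names, field names and IPs are the ones from the post; the sample messages, the output field name "reputation", and the comment-line convention are assumptions made here.

```python
# Added example, not Graylog's GeoIP processor or any Graylog plugin: a minimal
# "reputation" enrichment step over a 'name,field,value' feed. Feed names and
# field names follow the post; sample messages are constructed.
import csv
import io
from collections import defaultdict

# Constructed feed in the 'name,field,value' shape proposed in the post.
FEED_CSV = """\
TALOS,src_ip,1.2.3.4
TALOS,dst_ip,1.2.3.4
SPAMHAUS,email_ip,3.2.1.2
"""


def load_feed(text):
    """Index the feed as {field: {value: set(names)}} so each message field
    costs one dictionary lookup regardless of feed size."""
    index = defaultdict(lambda: defaultdict(set))
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) != 3:
            raise ValueError(f"malformed feed row: {row!r}")
        name, field, value = (c.strip() for c in row)
        index[field][value].add(name)
    return index


def enrich(message, index):
    """Return a copy of message with a 'reputation' field listing every feed
    whose (field, value) entry the message matches; untouched if none match.
    Matching is on the string form of the value, so a field stored as an IP
    type must be normalised to text first (compare the to_ip/to_string
    discussion in the GeoIP thread above)."""
    hits = set()
    for field, value in message.items():
        names = index.get(field, {}).get(str(value))
        if names:
            hits.update(names)
    out = dict(message)
    if hits:
        out["reputation"] = sorted(hits)
    return out


FEED = load_feed(FEED_CSV)

# Constructed sample messages: a firewall deny from a listed source, a mail log
# from a listed relay, a clean firewall event, and a listed IP in a field the
# feed does not cover (no hit, because entries are scoped to a field).
SAMPLES = [
    {"source": "fw01", "src_ip": "1.2.3.4", "dst_ip": "10.0.0.5", "action": "deny"},
    {"source": "mx01", "email_ip": "3.2.1.2", "subject": "hello"},
    {"source": "fw01", "src_ip": "10.0.0.9", "dst_ip": "10.0.0.5", "action": "allow"},
    {"source": "mx01", "email_ip": "1.2.3.4"},
]


def run(samples=SAMPLES, index=FEED):
    return [enrich(m, index) for m in samples]


if __name__ == "__main__":
    for m in run():
        print(m)
```

Because each feed entry is scoped to a field, a listed address only fires where the feed says it should: 1.2.3.4 tags src_ip and dst_ip but not email_ip.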


[graylog2] Re: [ANNOUNCE] Graylog v2.1.0 has been released

2016-09-01 Thread walderbachjoshua
Are there instructions on how to upgrade a single 2.0 instance?  The 
download info on 
http://docs.graylog.org/en/2.1/pages/installation/operating_system_packages.html
 
still points to downloading the 2.0 release.  Would I simply need to run 
the following?

$ wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb
$ sudo dpkg -i graylog-2.1-repository_latest.deb
$ sudo apt-get update
$ sudo apt-get install graylog-server

And would this preserve all my users, settings, data, etc?



On Thursday, September 1, 2016 at 11:30:40 AM UTC-6, lennart wrote:
>
> Hi everyone, 
>
> we just released the final version of Graylog v2.1.0. You can find all 
> required information, download links, new features and changelog here: 
>
> * https://www.graylog.org/blog/68-announcing-graylog-v-2-1-0-ga 
>
> Thanks, 
> Lennart 
>



[graylog2] Re: [ANNOUNCE] Graylog v2.1.0 has been released

2016-09-01 Thread walderbachjoshua
Are there instructions on how to upgrade a single 2.0 instance?  The 
download info on 
http://docs.graylog.org/en/2.1/pages/installation/operating_system_packages.html
 
still points to downloading the 2.0 release.  Would I simply need to run 
the following?

$ wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb
$ sudo dpkg -i graylog-2.1-repository_latest.deb
$ sudo apt-get update
$ sudo apt-get install graylog-server

And would this preserve all my users, settings, data, etc?



On Thursday, September 1, 2016 at 11:30:40 AM UTC-6, lennart wrote:
>
> Hi everyone, 
>
> we just released the final version of Graylog v2.1.0. You can find all 
> required information, download links, new features and changelog here: 
>
> * https://www.graylog.org/blog/68-announcing-graylog-v-2-1-0-ga 
>
> Thanks, 
> Lennart 
>



[graylog2] Re: [ANNOUNCE] Graylog v2.1.0 has been released

2016-09-01 Thread walderbachjoshua
Are there instructions on how to upgrade a single 2.0 instance?  The 
download info on 
http://docs.graylog.org/en/2.1/pages/installation/operating_system_packages.html
 
still points to downloading the 2.0 release.  Would I simply need to run 
the following?

$ wget https://packages.graylog2.org/repo/packages/graylog-2.0-repository_latest.deb
$ sudo dpkg -i graylog-2.0-repository_latest.deb
$ sudo apt-get update
$ sudo apt-get install graylog-server

And would this preserve all my users, settings, data, etc?



On Thursday, September 1, 2016 at 11:30:40 AM UTC-6, lennart wrote:
>
> Hi everyone, 
>
> we just released the final version of Graylog v2.1.0. You can find all 
> required information, download links, new features and changelog here: 
>
> * https://www.graylog.org/blog/68-announcing-graylog-v-2-1-0-ga 
>
> Thanks, 
> Lennart 
>



Re: [graylog2] Re: Graylog Stack on Docker with Rancher

2016-09-01 Thread Sebastien Malinge
erratum : the "docker-compose" file :)

On Thu, Sep 1, 2016 at 8:27 PM, Sebastien Malinge 
wrote:

> Hi tm-operations,
>
> Can you share the dockerfile with the community ?
>
>
>
> On Wednesday, August 31, 2016 at 11:33:05 AM UTC+2, tm-operations wrote:
>>
>> Hello Jochen
>>
>> Thanks for the reply.
>>
>> Since we are using the Docker framework, the IP addresses are random as well
>> as the host names, so we cannot "predict" the host names in the replica
>> set.
>> If one of the replica set members "dies" another one will start
>> with a different name and IP.
>> Rancher is managing all the underlying framework and the 3 docker containers
>> running MongoDB are named "Service".
>>
>> Since we could not make this configuration work, at this point we only
>> added 1 MongoDB node.
>>
>>
>>
>>
>> 
>>
>>
>>
>> On Monday, August 29, 2016 at 5:56:14 PM UTC+3, Jochen Schalanda wrote:
>>>
>>> Hi Yossi,
>>>
>>> I'm not sure what the specific problem is, but you can configure Graylog
>>> to connect to a MongoDB replica set providing more than one MongoDB URI,
>>> see https://github.com/Graylog2/graylog2-server/blob/2.0.3/
>>> misc/graylog.conf#L384-L385 for an example.
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Sunday, 28 August 2016 16:58:10 UTC+2, tm-operations wrote:

 Hi,

 We are working for the past couple of weeks on implementing a Graylog
 stack in Docker with Rancher management.

 At this point, we were able to get a working stack fully redundant
 (single site) configuration.
 The only part which is missing is MongoDB HA.

 When configuring MongoDB as a service, Rancher will point the Graylog
 servers to one of the MongoDB servers regardless of whether they are Primary or
 Secondary.

 Anyone have an idea how to get a redundant configuration of MongoDB in
 Docker with Rancher?

 Our current lab configuration is:

 3 Docker Hosts each runs on a VMWare Host

 *Container*

 1 x Rancher
 3 x NGINX
 3 x Graylog Server
 3 x ElasticSearch Master nodes
 3 x ElasticSearch Data nodes
 3 x ElasticSearch Client nodes
 1 x MongoDB

 Any help will be greatly appreciated.

 Thanks.
 -Yossi




 --
> You received this message because you are subscribed to a topic in the
> Google Groups "Graylog Users" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/
> topic/graylog2/GoUHEOWgQxk/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> graylog2+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/graylog2/b8a451d8-9fac-4602-b70f-8a62775f5de0%40googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>



[graylog2] Re: Graylog Stack on Docker with Rancher

2016-09-01 Thread Sebastien Malinge
Hi tm-operations,

Can you share the dockerfile with the community ?



On Wednesday, August 31, 2016 at 11:33:05 AM UTC+2, tm-operations wrote:
>
> Hello Jochen
>
> Thanks for the reply.
>
> Since we are using the Docker framework, the IP addresses are random as well 
> as the host names, so we cannot "predict" the host names in the replica 
> set.
> If one of the replica set members "dies" another one will start 
> with a different name and IP.
> Rancher is managing all the underlying framework and the 3 docker containers 
> running MongoDB are named "Service".
>
> Since we could not make this configuration work, at this point we only 
> added 1 MongoDB node.
>
>
>
>
> 
>
>
>
> On Monday, August 29, 2016 at 5:56:14 PM UTC+3, Jochen Schalanda wrote:
>>
>> Hi Yossi,
>>
>> I'm not sure what the specific problem is, but you can configure Graylog 
>> to connect to a MongoDB replica set providing more than one MongoDB URI, 
>> see 
>> https://github.com/Graylog2/graylog2-server/blob/2.0.3/misc/graylog.conf#L384-L385
>>  
>> for an example.
>>
>> Cheers,
>> Jochen
>>
>> On Sunday, 28 August 2016 16:58:10 UTC+2, tm-operations wrote:
>>>
>>> Hi,
>>>
>>> We are working for the past couple of weeks on implementing a Graylog 
>>> stack in Docker with Rancher management.
>>>
>>> At this point, we were able to get a working stack fully redundant 
>>> (single site) configuration.
>>> The only part which is missing is MongoDB HA.
>>>
> When configuring MongoDB as a service, Rancher will point the Graylog 
> servers to one of the MongoDB servers regardless of whether they are Primary or 
> Secondary.
>
> Anyone have an idea how to get a redundant configuration of MongoDB in 
> Docker with Rancher?
>>>
>>> Our current lab configuration is:
>>>
>>> 3 Docker Hosts each runs on a VMWare Host
>>>
>>> *Container*
>>>
>>> 1 x Rancher
>>> 3 x NGINX
>>> 3 x Graylog Server
>>> 3 x ElasticSearch Master nodes
>>> 3 x ElasticSearch Data nodes
>>> 3 x ElasticSearch Client nodes
>>> 1 x MongoDB
>>>
>>> Any help will be greatly appreciated.
>>>
>>> Thanks.
>>> -Yossi
>>>
>>>
>>>
>>>
>>>

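As an added illustration of the multi-host mongodb_uri that Jochen points to (this fragment is written here and is not from the thread or from Graylog's shipped graylog.conf): the single-node setting the lab currently has, beside a replica-set URI that names every member so the driver finds the current primary on its own. Host names, port, database name and the replica set name "rs0" are assumptions.

```ini
# Added example for server.conf, not from the thread. Host names, port,
# database name and replica set name are assumed.

# Current lab setting: one MongoDB node, so no failover at all.
mongodb_uri = mongodb://mongo1:27017/graylog

# Replica set: list every member; the MongoDB driver discovers which
# member is primary and follows it after an election.
mongodb_uri = mongodb://mongo1:27017,mongo2:27017,mongo3:27017/graylog?replicaSet=rs0
```

Only one mongodb_uri line may be active at a time; the two are shown together for comparison. With container names that change on restart, the host list has to resolve to whatever stable name the orchestrator gives each member, which is the part the thread leaves open.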


[graylog2] [ANNOUNCE] Graylog v2.1.0 has been released

2016-09-01 Thread Lennart Koopmann
Hi everyone,

we just released the final version of Graylog v2.1.0. You can find all
required information, download links, new features and changelog here:

* https://www.graylog.org/blog/68-announcing-graylog-v-2-1-0-ga

Thanks,
Lennart



[graylog2] Pipeline rules. key_value does not exist

2016-09-01 Thread stella



Hi, guys.
I tried to use the key_value function as specified 
at http://docs.graylog.org/en/2.0/pages/pipelines/functions.html#

But when I write this


key_value("some_string")


it gives me an error that key_value does not exist. Screenshot:



Is it a bug? Is there a workaround to use key_value?



Re: [graylog2] Autmatically parsed fields in Syslog TCP/UDP input

2016-09-01 Thread Markus Fischbacher
Well, I guess you would be right if only those messages followed any 
standard. But it seems like VMware with ESXi doesn't keep standards high 
enough.
I don't understand how facility and level are provided but not at the very 
beginning of a message.

<166>2016-09-01T12:06:27.230Z xxx.local Rhttpproxy: [FFD09D90 verbose 'Proxy Req 57863'] Connected to localhost : 8089


This is the message field of a message received by a Raw Text UDP Input. 
The same message on a Syslog UDP Input has level 6 and facility4. I had 
just a quick look at the source code but couldn't find the correct lines 
where you extract that info.

Well, I understand that this is no high priority (well, more like none at all), but 
it bugs me badly and I want to solve this s*** somehow. My current workaround 
works, but with a lot of ... work ... and there's more to come on each change.

On Tuesday, 30 August 2016 15:03:32 UTC+2, Jochen Schalanda wrote:
>
> Hi Markus
>
> On Tuesday, 30 August 2016 11:51:48 UTC+2, Markus Fischbacher wrote:
>>
>> I don't see a way to extract syslog levels - they don't come in the 
>> message(-string) itself. Level and facility seem to come in additional UDP 
>> sections/frames.
>>
>
> If you're using a Raw/Plaintext input, the syslog priority (a number 
> encoding facility and level) will be at the very beginning of each message, 
> see https://tools.ietf.org/html/rfc5424#section-6.2.1 and 
> https://tools.ietf.org/html/rfc5424#section-6.5.
>
> You can extract this using a regex extractor and use the Syslog converters 
> on it.
>
>
> Cheers,
> Jochen
>

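The PRI decoding that Jochen's quoted reply describes, as an added Python example (it is not Graylog's syslog parser): the number between the angle brackets at the start of a raw line is facility * 8 + severity, so the <166> in the ESXi sample above is facility 20 (local4) with severity 6 (informational). The ESXi line is the one quoted in this thread; the other sample lines, including the malformed ones, are constructed.

```python
# Added example, not Graylog's syslog parser: decode the PRI at the start of a
# raw syslog line into facility and severity exactly as RFC 5424 section 6.2.1
# defines it (PRI = facility * 8 + severity). The ESXi line is the one from the
# thread; the other sample lines are constructed.
import re

# Facility names per RFC 5424 Table 1 (codes 0..23).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity names per RFC 5424 Table 2 (codes 0..7).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return pri, facility, level (numbers and names) and the rest of the line,
    or None when the line does not start with a well-formed PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    digits = m.group(1)
    if len(digits) > 1 and digits[0] == "0":
        return None  # RFC 5424 forbids leading zeros inside <PRI>
    pri = int(digits)
    if pri > 191:
        return None  # 23 * 8 + 7 is the largest legal PRI
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "level": severity,
        "level_name": SEVERITIES[severity],
        "message": line[m.end():],
    }


ESXI_LINE = ("<166>2016-09-01T12:06:27.230Z xxx.local Rhttpproxy: "
             "[FFD09D90 verbose 'Proxy Req 57863'] Connected to localhost : 8089")

# Constructed lines: a BSD-style message, a line with no PRI at all (the shape
# of the SonicWALL message elsewhere in this digest), and two malformed PRIs.
SAMPLES = [
    ESXI_LINE,
    "<13>Sep  1 12:00:00 host app: hello",
    'SSLVPN: id=sslvpn src=YY.YY.YY.YY msg="User logged out"',
    "<999>bogus",
    "<01>leading zero",
]


def decode_all(lines=SAMPLES):
    return [decode_pri(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLES, decode_all()):
        names = result and (result["facility_name"], result["level_name"])
        print(f"{line[:40]!r:45} -> {names}")
```

On a Raw/Plaintext input the same decoding can be done with a regex extractor on `^<(\d{1,3})>` followed by the Syslog converters; lines that return None here are the ones a Syslog input would not have accepted as RFC-compliant either.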


[graylog2] ELK / Graylog integration

2016-09-01 Thread jagoba
Hi,

We are currently working with the ELK stack and decided to give Graylog2 a 
try (Kibana doesn't fit our needs). So far, everything has been working well, 
but we are having trouble "separating" data received from Logstash.

With Elasticsearch we were storing different types of logs in different 
indexes using some metadata: *index => "%{type}-%{+.MM.dd}"*

I think the correct way of doing this is using Graylog's inputs (correct me 
if I'm wrong), so I would like to know if there is a way of having a single 
gelf output in Logstash but multiple inputs in Graylog. Or what would be 
the best solution to do this the "Graylog way".

So far we have managed to make it work using different ports, but I'm not sure 
if it's the best way of doing this:

output {
  if [type] == "application-log" {
    gelf {
      host => "localhost"
      port => 12201
    }
  }
  if [type] == "tomcat-access-log" {
    gelf {
      host => "localhost"
      port => 12202
    }
  }
}

Thanks in advance.



[graylog2] Re: Pipelines vs extractors

2016-09-01 Thread Markus Fischbacher
As I understand it, extractors will be removed in coming releases.

On Thursday, 1 September 2016 13:40:45 UTC+2, AForton wrote:
>
> I've just read about pipelines and just found that they can do everything 
> that extractors can. So what is the use-case of extractors now?
>
> I thought that we could apply extractors before passing a message to 
> pipelines for more specific processing, but I found out that extractors 
> are applied later than pipelines do their job. 
>
> So when is it better to use extractors?
>



[graylog2] Re: Source IP address of the syslog messages

2016-09-01 Thread Thomas Vahé

Hi,

Thanks for your answer again. I know about this problem with Cisco syslog 
messages. It's not my problem.

- IP address of Graylog VM server: 10.10.10.1/24
- IP address of Cisco device: 10.10.10.2/24

When I configure "logging source-interface Loopback 0" on my Cisco I 
don't see syslog messages in the web interface, although they arrive at the 
physical interface of the Graylog server (seen with a tcpdump command).

Do you understand what I mean? Sorry for my bad English :-(

Thanks,

Thomas




[graylog2] Re: Cisco Catalyst added as Local Input

2016-09-01 Thread Enrico
Dear Friend,
your suggestions solved my problem, thanks a lot for everything!
Best Regards
Enrico

On Thursday, September 1, 2016 at 9:21:50 AM UTC+2, clikcspeed wrote:

> Hello Enrico,
>
> It looks like the extractor you downloaded is not parsing the Cisco logs 
> correctly. I would suggest you do the following:
>
>1. Create a new input (use raw UDP) and forward Cisco syslog to the 
>new input.
>2. Send a log to Graylog (i.e. log in to the switch, enable, config 
>t, ctrl-z)
>3. Once you have seen the message structure, create the extractors for 
>every field in your message
>
> I have attached an extractor that I created and looks to be parsing the 
> messages well via raw UDP. You just need to import it once you have created 
> the new input. See screenshot below:
>
>
> 
>
>
> On Tuesday, August 30, 2016 at 3:28:26 PM UTC+2, Enrico wrote:
>>
>>  Dear All,
>> I'm using the Graylog virtual machine for managing all messages from 
>> servers and network equipment. 
>> To log all the hostnames in the messages from Cisco equipment I had 
>> to add a local input named Cisco Catalyst,
>> which I downloaded from the marketplace.
>>
>> After this installation I noticed that the number of recorded messages has 
>> increased a lot and the top source has become
>> Elasticsearch. For example I see a lot of these messages:
>>
>> Timestamp                source         message
>> 2016-08-30 15:25:31.546  elasticsearch  ... 22 more
>> 2016-08-30 15:25:31.546  elasticsearch  at org.elasticsearch.index.mapper.FieldMapper.parse(FieldMapper.java:321)
>> 2016-08-30 15:25:31.545  elasticsearch  at org.elasticsearch.index.mapper.core.NumberFieldMapper.parseCreateField(NumberFieldMapper.java:241)
>> 2016-08-30 15:25:31.544  elasticsearch  at org.elasticsearch.index.mapper.core.LongFieldMapper.innerParseCreateField(LongFieldMapper.java:275)
>> 2016-08-30 15:25:31.542  elasticsearch  at org.elasticsearch.common.xcontent.support.AbstractXContentParser.longValue(AbstractXContentParser.java:145)
>> 2016-08-30 15:25:31.541  elasticsearch  at java.lang.Long.parseLong(Long.java:631)
>> 2016-08-30 15:25:31.540  elasticsearch  at java.lang.Long.parseLong(Long.java:589)
>>
>> Can anyone explain that behaviour? How can I drop these messages?
>> Thanks a lot!
>> Best Regards
>> Enrico
>>
>



[graylog2] Re: Source IP address of the syslog messages

2016-09-01 Thread Jochen Schalanda
Hi Thomas,

Cisco network appliances usually don't send valid syslog messages 
(according to RFC 3164 or RFC 5424). Try using a Raw/Plaintext UDP input in 
Graylog instead of the Syslog UDP input and use extractors to get the 
information you want into structured 
fields: http://docs.graylog.org/en/2.0/pages/extractors.html

Cheers,
Jochen

On Thursday, 1 September 2016 11:35:18 UTC+2, Thomas Vahé wrote:
>
>
> cisco-syslog Syslog UDP RUNNING
>
>
> 
>
>- allow_override_date:true
>- bind_address:0.0.0.0
>- expand_structured_data:false
>- force_rdns:false
>- override_source:**
>- port:5140
>- recv_buffer_size:262144
>- store_full_message:false
>
>
>



[graylog2] Re: Source IP address of the syslog messages

2016-09-01 Thread Thomas Vahé

cisco-syslog Syslog UDP RUNNING



   - allow_override_date:true
   - bind_address:0.0.0.0
   - expand_structured_data:false
   - force_rdns:false
   - override_source:**
   - port:5140
   - recv_buffer_size:262144
   - store_full_message:false
   



[graylog2] Re: Source IP address of the syslog messages

2016-09-01 Thread Thomas Vahé


On Thursday, 1 September 2016 11:28:52 UTC+2, Thomas Vahé wrote:
>
>
> Hi,
>
> Thanks for your answer.
>
>
> Graylog VM server 10.10.10.1/24  <=> syslog client (my Cisco router) 
> 10.10.10.2/24. Like this I receive the syslog messages in the web 
> interface.
> When I change the source IP address of my syslog client's messages, I don't 
> see them although they arrive at the physical interface of the Graylog 
> server.
>
> root@graylog-beta:/opt/graylog/conf# tcpdump -n -i eth1
> IP 10.10.10.2.53192 > 10.10.10.1.5140: SYSLOG local7.notice, length: 80   => OK. All is OK
>
> root@graylog-beta:/opt/graylog/conf# tcpdump -n -i eth1
> 192.168.255.1.61543 > 10.10.10.1.5140: UDP, length 80   => I don't see the syslog message in the web interface
>
> Have got an idea ??
>
> Thanks in advance.
>
> Thomas
>



[graylog2] Re: Source IP address of the syslog messages

2016-09-01 Thread Thomas Vahé

Hi,

Thanks for your answer.


Graylog VM server 10.10.10.1/24  <=> syslog client (my Cisco router) 
10.10.10.2/24. Like this I receive the syslog messages in the web 
interface.
When I change the source IP address of my syslog client's messages, I don't 
see them although they arrive at the physical interface of the Graylog 
server.

root@graylog-beta:/opt/graylog/conf# tcpdump -n -i eth1
IP 10.10.10.2.53192 > 10.10.10.1.514: SYSLOG local7.notice, length: 80   => OK. All is OK

root@graylog-beta:/opt/graylog/conf# tcpdump -n -i eth1
192.168.255.1.61543 > 10.10.10.1.5140: UDP, length 80   => I don't see the syslog message in the web interface

Have got an idea ??

Thanks in advance.

Thomas



[graylog2] Re: Map Data Query Failed

2016-09-01 Thread Jochen Schalanda
Hi,

this doesn't look like a valid Syslog message (according to RFC 3164 or 
RFC 5424). If your device or syslog daemon doesn't emit valid, RFC-compliant 
syslog messages, you're probably better off using a Raw/Plaintext input and 
using extractors to get the required information into structured 
fields: http://docs.graylog.org/en/2.0/pages/extractors.html

Cheers,
Jochen

On Wednesday, 31 August 2016 21:18:44 UTC+2, TheKrazyKaveman wrote:
>
> In the message field, I get this:
>
> SSLVPN: id=sslvpn sn=SERIAL# time="2016-08-31 14:00:19" 
> vp_time="2016-08-31 18:00:19 UTC" fw=XX.XX.XX.XX pri=5 m=2 c=2 
> src=YY.YY.YY.YY dst=vpn.mydomain.com user="my.user" usr="my.user" 
> msg="User logged out" active=15 duration=15 agent="SonicWALL Mobile Connect 
> for Android 4.0.5 (samsung SAMSUNG-SM-G920A; Android 6.0.1; SDK 23; build 
> 405)"
>
> On Wednesday, August 31, 2016 at 1:28:39 PM UTC-4, TheKrazyKaveman wrote:
>>
>> Syslog UDP
>>
>> On Wednesday, August 31, 2016 at 3:34:40 AM UTC-4, Jochen Schalanda wrote:
>>>
>>> Hi,
>>>
>>> if the client is sending those messages directly to Graylog, you could 
>>> probably use the "hidden" field gl2_remote_ip for this.
>>>
>>> What kind of Graylog input are you using for receiving those messages?
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Tuesday, 30 August 2016 20:52:33 UTC+2, TheKrazyKaveman wrote:

 I'm having some trouble getting the world map widget to work on my 
 Graylog server.  It keeps telling me that I have an invalid geo data term 
 for field "source": sslvpn:.  I know that this is SUPPOSED to be an IP 
 address, but for some reason it renders the IP addresses as src:.  Any 
 suggestions on how to resolve this?

>>>



[graylog2] Re: Journal not processing new messages after adding hard drive

2016-09-01 Thread Jochen Schalanda
Hi Jamie

On Wednesday, 31 August 2016 16:49:34 UTC+2, Jamie P wrote:
>
> On a side note.  I followed the instructions to expand to an extra hard 
> drive, but none of the settings saved when doing the command to save info 
> to /etc/fstab.  I had to put that info in manually and then then everything 
> saved.  
>

Did you run

echo "/dev/sdb1 /var/opt/graylog/data ext4 defaults 0 0" | sudo tee -a /etc/fstab

as described in 
http://docs.graylog.org/en/2.0/pages/configuration/graylog_ctl.html#extend-disk-space?
Didn't this append the necessary line to your /etc/fstab file inside the VM?

Cheers,
Jochen



[graylog2] Re: Dynamic field names with grok

2016-09-01 Thread Jochen Schalanda
Hi,

the converter is called "Key = Value Pairs to Fields" in the drop down.

Cheers,
Jochen

On Thursday, 1 September 2016 10:56:28 UTC+2, AForton wrote:
>
> I currently don't have that converter in converters drop-down-list. Where 
> to find it? I use 
> *graylog v2.1.0-beta.2-ffa3355*
> On Thursday, 1 September 2016 10:44:39 UTC+3, Jochen Schalanda 
> wrote:
>>
>> Hi,
>>
>> I think that's not possible with Grok, but you could try to use the 
>> Tokenizer converter (create a Copy Input extractor, then select the 
>> Tokenizer converter) for this.
>>
>> Cheers,
>> Jochen
>>
>> On Wednesday, 31 August 2016 14:19:39 UTC+2, AForton wrote:
>>>
>>> Is it possible to extract dynamic field name with grok? For instance, I 
>>> have the following message:
>>>
>>> Test message key=value key_1=value_1 key_2=value_2 ... etc
>>>
>>> The number n in key_n=value_n is not specified and may vary from message 
>>> to message. I need to extract all fields except key_1 and key_3:
>>>
>>> key=value
>>> key_2=value_2
>>> key_4=value_4
>>> key_5=value_5
>>> key_6=value_6
>>> //etc...
>>>
>>> How can I do this? Is it possible to do with GROK?
>>>
>>

To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/74d48adc-347e-428a-b6ba-c6f947ca6b8a%40googlegroups.com.


[graylog2] Re: Source IP address of the syslog messages

2016-09-01 Thread Jochen Schalanda
Hi Thomas,

what exactly do you mean by "changing the source IP address"?
Do the messages still arrive on the relevant network interface and in the 
Syslog input of Graylog? How did you check that?
And how is your Syslog input and the Cisco syslog service configured?

Cheers,
Jochen

On Thursday, 1 September 2016 11:02:32 UTC+2, Thomas Vahé wrote:
>
> Hi,
>
> I added a new interface to the graylog VM in a 10.10.10.0/24 network. 
> When my device (Cisco) sends a syslog message and its source IP is in the 
> same network, it works, but when I change the source IP address of the 
> syslog messages (to 1.1.1.1 for example), I don't see the syslog messages 
> in the web interface (the syslog messages arrive on the interface).
>
> Have you got an idea?
>
> Thanks in advance.
>

To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/0bae5273-ba53-413d-ad46-4ff10e4e3f98%40googlegroups.com.


[graylog2] Source IP address of the syslog messages

2016-09-01 Thread Thomas Vahé
Hi,

I added a new interface to the graylog VM in a 10.10.10.0/24 network. When 
my device (Cisco) sends a syslog message and its source IP is in the same 
network, it works, but when I change the source IP address of the syslog 
messages (to 1.1.1.1 for example), I don't see the syslog messages in the 
web interface (the syslog messages arrive on the interface).

Have you got an idea?

Thanks in advance.

To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/37d5345b-7277-4723-83c1-b741369bc86a%40googlegroups.com.


[graylog2] Re: Geo-Location Processor doesn't create _geolocation fields for custom fields created by pipeline rules

2016-09-01 Thread Jochen Schalanda
Thanks for the feedback!

On Wednesday, 31 August 2016 16:12:11 UTC+2, Jan wrote:
>
> Found the error. In my original pipeline-rule I used the "to_ip" function 
> to convert the pattern match to an IP. With this setting resolving the IP 
> to a geo location fails.
> I changed the rule now to convert the pattern match to a string by using 
> the "to_string" function. Voila... geo location works for all custom fields 
> now.
>
> This is what my rule looks like now:
>
> let matcherSrcIp = regex(".*srcip=((?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])).*", to_string($message.message));
> set_field("FW_SourceIP", to_string(matcherSrcIp["0"]));
>

To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/b117a1a1-405d-4f29-b4a7-576eba99f0a8%40googlegroups.com.

[graylog2] Re: Dynamic field names with grok

2016-09-01 Thread AForton
I currently don't have that converter in the converters drop-down list. Where 
can I find it? I use 
*graylog v2.1.0-beta.2-ffa3355*
On Thursday, 1 September 2016 10:44:39 UTC+3, Jochen Schalanda wrote:
>
> Hi,
>
> I think that's not possible with Grok, but you could try to use the 
> Tokenizer converter (create a Copy Input extractor, then select the 
> Tokenizer converter) for this.
>
> Cheers,
> Jochen
>
> On Wednesday, 31 August 2016 14:19:39 UTC+2, AForton wrote:
>>
>> Is it possible to extract dynamic field names with grok? For instance, I 
>> have the following message:
>>
>> Test message key=value key_1=value_1 key_2=value_2 ... etc
>>
>> The number n in key_n=value_n is not specified and may vary from message 
>> to message. I need to extract all fields except key1 and key3:
>>
>> key=value
>> key_2=value_2
>> key_4=value_4
>> key_5=value_5
>> key_6=value_6
>> //etc...
>>
>> How can I do this? Is it possible to do with GROK?
>>
>

To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/ad2394e1-c799-4766-aaae-df0216e9180b%40googlegroups.com.


[graylog2] Re: Add server.log to Graylog

2016-09-01 Thread Jochen Schalanda
Hi Praveena,

JBoss is using log4j under the hood for logging. You can use one of the 
existing log4j GELF appenders from the Graylog Marketplace to send those 
logs into Graylog: https://marketplace.graylog.org/addons?tag=log4j

Also see https://docs.jboss.org/author/display/AS72/Logging+Configuration 
for details about the JBoss logging configuration.

You could also use a third party log shipper like filebeat, logstash, or 
nxlog to read the JBoss log file(s) and send them to Graylog.


On Wednesday, 31 August 2016 18:52:37 UTC+2, pj...@soasta.com wrote:
>
> Also added syslog and I don't see it in the Graylog.
>

What did you do exactly and what doesn't work? Also, which version of 
Graylog and Elasticsearch are you using and how did you install and 
configure them?


Cheers,
Jochen

On Wednesday, 31 August 2016 18:52:37 UTC+2, pj...@soasta.com wrote:
>
> Jboss server.log.
>
> Also added syslog and I don't see it in the Graylog.
>
> Thanks,
> -Praveena
>
> On Wednesday, August 31, 2016 at 12:31:25 AM UTC-7, Jochen Schalanda wrote:
>>
>> Hi Praveena,
>>
>> which server.log file do you mean specifically?
>>
>> Cheers,
>> Jochen
>>
>> On Tuesday, 30 August 2016 19:38:17 UTC+2, pj...@soasta.com wrote:
>>>
>>> Hi,
>>>
>>> I am new to Graylog.
>>>
>>> How to add server.log to Graylog?
>>>
>>> Thanks,
>>> -Praveena
>>>
>>

To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/b2bd5d41-6ac0-4653-9d56-d39fea1c884e%40googlegroups.com.


[graylog2] Re: API connectivity with reverse proxy (nginx)

2016-09-01 Thread Jochen Schalanda
Hi,

are there any error messages in the logs of your Graylog node?

What's the result of the following curl command (insert your Graylog admin 
credentials):

curl -u admin:password https://graylog.corp.com/api/system/?pretty=true


Also, your web_endpoint_uri is wrong and should point to 
https://graylog.corp.com/api/, although this is overridden on a per-request 
basis by your X-Graylog-Server-URL HTTP request header.

Cheers,
Jochen


On Wednesday, 31 August 2016 22:42:00 UTC+2, w wrote:
>
> Hi All,
>
> I am having trouble getting a reverse proxy working that is doing SSL 
> termination / load balancing between graylog 2.0.3 servers. 
>
> I am getting the following error message.
>
> Error message: cannot GET https://graylog.corp.com/api/system/cluster/node (404)
>
>
> So we are having trouble accessing the API...
>
> To make things simple I have reduced the config to a single nginx node and 
> single graylog server in the setup. 
>
> When I access the server directly over http it works just fine. 
>
> My nginx config looks like
>
> server {
>     listen      443 ssl;
>     server_name graylog.corp.com;
>
>     access_log /var/log/nginx/graylog.access.log;
>     error_log  /var/log/nginx/graylog.error.log;
>
>     ssl on;
>     # SSL Config Redacted
>
>     location / {
>         proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
>         proxy_set_header Host                 $http_host;
>         proxy_set_header X-Graylog-Server-URL https://graylog.corp.com/api;
>         proxy_pass       http://graylog1.corp.com:9000;
>     }
>
>     location /api/ {
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header Host            $http_host;
>         proxy_pass       http://graylog1.corp.com:12900;
>     }
> }
>
>
>
> My Graylog config looks like
>
> # REST API listen URI. Must be reachable by other Graylog server nodes if you run a cluster.
> # When using Graylog Collectors, this URI will be used to receive heartbeat messages and must be accessible for all collectors.
> rest_listen_uri = http://0.0.0.0:12900/
>
> # REST API transport address. Defaults to the value of rest_listen_uri. Exception: If rest_listen_uri
> # is set to a wildcard IP address (0.0.0.0) the first non-loopback IPv4 system address is used.
> # If set, this will be promoted in the cluster discovery APIs, so other nodes may try to connect on
> # this address and it is used to generate URLs addressing entities in the REST API. (see rest_listen_uri)
> # You will need to define this, if your Graylog server is running behind a HTTP proxy that is rewriting
> # the scheme, host name or URI.
> # This must not contain a wildcard address (0.0.0.0).
> #rest_transport_uri = http://graylog.corp.com:12900/
>
> # Enable CORS headers for REST API. This is necessary for JS-clients accessing the server directly.
> # If these are disabled, modern browsers will not be able to retrieve resources from the server.
> # This is enabled by default. Uncomment the next line to disable it.
> #rest_enable_cors = false
>
> # Enable GZIP support for REST API. This compresses API responses and therefore helps to reduce
> # overall round trip times. This is disabled by default. Uncomment the next line to enable it.
> #rest_enable_gzip = true
>
> # Enable HTTPS support for the REST API. This secures the communication with the REST API with
> # TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the
> # next line to enable it.
> #rest_enable_tls = true
>
> # The X.509 certificate chain file in PEM format to use for securing the REST API.
> #rest_tls_cert_file = /path/to/graylog.crt
>
> # The PKCS#8 private key file in PEM format to use for securing the REST API.
> #rest_tls_key_file = /path/to/graylog.key
>
> # The password to unlock the private key used for securing the REST API.
> #rest_tls_key_password = secret
>
> # The maximum size of the HTTP request headers in bytes.
> #rest_max_header_size = 8192
>
> # The maximal length of the initial HTTP/1.1 line in bytes.
> #rest_max_initial_line_length = 4096
>
> # The size of the thread pool used exclusively for serving the REST API.
> #rest_thread_pool_size = 16
>
> # Enable the embedded Graylog web interface.
> # Default: true
> #web_enable = false
>
> # Web interface listen URI. It must not contain a path other than "/".
> web_listen_uri = http://0.0.0.0:9000/
>
> # Web interface endpoint URI. This setting can be overriden on a per-request basis with the X-Graylog-Server-URL header.
> # Default: $rest_transport_uri
> web_endpoint_uri = https://graylog.corp.com
>
>
> Let me know if there are any other relevant sections of the graylog config 
> that should be shown.
>
>

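Reading the posted configuration against the 404 (an added observation for this thread, not something Jochen or the poster confirmed): the browser, following the X-Graylog-Server-URL header, requests https://graylog.corp.com/api/system/cluster/node; the "location /api/" block hands that path to the backend unchanged, because its proxy_pass has no URI part, and the REST listener on port 12900 (rest_listen_uri = http://0.0.0.0:12900/) serves /system/cluster/node, not /api/system/cluster/node. Giving proxy_pass a URI part (the trailing slash) makes nginx replace the matched /api/ prefix. The location block below is an added example, not the poster's configuration and not from the Graylog project; the host names are the ones from the post.

```nginx
# Added example: /api/ location with a URI part on proxy_pass, so the matched
# "/api/" prefix is replaced and the backend sees "/system/cluster/node".
location /api/ {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host            $http_host;
    # trailing slash = URI part; without it nginx passes the original
    # request URI "/api/system/cluster/node" through to port 12900 unchanged
    proxy_pass       http://graylog1.corp.com:12900/;
}
```

On the Graylog side, set web_endpoint_uri = https://graylog.corp.com/api/ as Jochen notes. Jochen's curl against https://graylog.corp.com/api/system/?pretty=true is the right check: it goes through the same location block, so a 404 there points at the proxy path handling rather than at the Graylog node.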
[graylog2] Re: Dynamic field names with grok

2016-09-01 Thread Jochen Schalanda
Hi,

I think that's not possible with Grok, but you could try to use the 
Tokenizer converter (create a Copy Input extractor, then select the 
Tokenizer converter) for this.

Cheers,
Jochen

On Wednesday, 31 August 2016 14:19:39 UTC+2, AForton wrote:
>
> Is it possible to extract dynamic field names with grok? For instance, I 
> have the following message:
>
> Test message key=value key_1=value_1 key_2=value_2 ... etc
>
> The number n in key_n=value_n is not specified and may vary from message 
> to message. I need to extract all fields except key1 and key3:
>
> key=value
> key_2=value_2
> key_4=value_4
> key_5=value_5
> key_6=value_6
> //etc...
>
> How can I do this? Is it possible to do with GROK?
>

To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/62edc02e-a2a8-4550-8263-db9b447e8757%40googlegroups.com.
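What the Tokenizer converter Jochen suggests (named "Key = Value Pairs to Fields" in the drop-down in his later reply) does to AForton's message, as an added Python example: this is not Graylog's converter code and not from the thread. It splits key=value tokens out of the message shape described above, drops the keys the poster wants to leave out, and adds two checks worth having whenever field names come from the message body: a key that collides with a reserved field is renamed rather than allowed to overwrite it, and the number of new fields per message is capped, since every new field name becomes a new index mapping. The reserved-field list, the "kv_" prefix, the cap and the sample message are assumptions constructed for the example.

```python
import re

# Constructed sample message in the shape described in the thread (not a real log line).
SAMPLE_MESSAGE = ("Test message key=value key_1=value_1 key_2=value_2 "
                  "key_3=value_3 key_4=value_4 key_5=value_5 key_6=value_6")

# Field names that must never be overwritten by data from the message body.
# Assumption: a short constructed list for this example, not Graylog's authoritative set.
RESERVED_FIELDS = {"message", "source", "timestamp", "full_message", "_id"}

# One key=value token: an identifier-like key, then either a double-quoted value
# (which may contain spaces) or a bare value running to the next whitespace.
KV_TOKEN = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))'
)


def kv_to_fields(message, exclude=(), max_fields=100):
    """Parse key=value tokens in `message` into a dict of fields.

    - keys in `exclude` are dropped (the thread wants everything except key_1 and key_3);
    - a key colliding with a reserved field is stored as "kv_<key>" instead of overwriting it;
    - at most `max_fields` distinct keys are kept, so a sender cannot create unbounded
      numbers of new fields (and index mappings) just by putting more tokens in a message.
    """
    fields = {}
    excluded = set(exclude)
    for match in KV_TOKEN.finditer(message):
        key = match.group("key")
        if key in excluded:
            continue
        if key in RESERVED_FIELDS:
            key = "kv_" + key
        if key not in fields and len(fields) >= max_fields:
            break  # field budget exhausted; later tokens are ignored
        quoted = match.group("quoted")
        fields[key] = quoted if quoted is not None else match.group("bare")
    return fields


if __name__ == "__main__":
    for name, value in sorted(kv_to_fields(SAMPLE_MESSAGE, exclude=("key_1", "key_3")).items()):
        print(f"{name}={value}")
```

Keys that are not valid identifiers (for example a quoted key) are skipped rather than guessed at, which matches the conservative behaviour you want from anything that creates fields on the fly.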


[graylog2] Re: Cisco Catalyst added as Local Input

2016-09-01 Thread clikcspeed
Hello Enrico,

It looks like the extractor you downloaded is not parsing the Cisco logs 
correctly. I would suggest you do the following:

   1. Create a new input (use raw UDP) and forward Cisco syslog to the new 
   input.
   2. Send a log to Graylog (i.e. log in to the switch, enable, config t, 
   ctrl-z)
   3. Once you have seen the message structure, create the extractors for 
   every field in your message

I have attached an extractor that I created, which looks to be parsing the 
messages well via raw UDP. You just need to import it once you have created 
the new input. See screenshot below:




On Tuesday, August 30, 2016 at 3:28:26 PM UTC+2, Enrico wrote:
>
> Dear All,
> I'm using the virtual machine version of Graylog to manage all messages from 
> servers and network equipment. 
> To log all the hostnames in the messages from Cisco equipment I had 
> to add a local input named Cisco Catalyst,
> which I downloaded from the marketplace.
>
> After this installation I noticed that the number of recorded messages has 
> increased a lot and the top source has become
> Elasticsearch. For example I see a lot of these messages:
>
>
> Timestamp                  source
> *2016-08-30 15:25:31.546* elasticsearch
>
> ... 22 more
> *2016-08-30 15:25:31.546* elasticsearch
>
> at org.elasticsearch.index.mapper.FieldMapper.parse(FieldMapper.java:321)
> *2016-08-30 15:25:31.545* elasticsearch
>
> at 
> org.elasticsearch.index.mapper.core.NumberFieldMapper.parseCreateField(NumberFieldMapper.java:241)
> *2016-08-30 15:25:31.544* elasticsearch
>
> at 
> org.elasticsearch.index.mapper.core.LongFieldMapper.innerParseCreateField(LongFieldMapper.java:275)
> *2016-08-30 15:25:31.542* elasticsearch
>
> at 
> org.elasticsearch.common.xcontent.support.AbstractXContentParser.longValue(AbstractXContentParser.java:145)
> *2016-08-30 15:25:31.541* elasticsearch
>
> at java.lang.Long.parseLong(Long.java:631)
> *2016-08-30 15:25:31.540* elasticsearch
>
> at java.lang.Long.parseLong(Long.java:589)
>
>
> Can anyone explain that behaviour? How can I drop these messages?
> Thanks a lot!
> Best Regards
> Enrico
>

To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/fd550208-01f1-4578-8da0-8fbfc8778d81%40googlegroups.com.
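The regex extractors from the attached JSON, applied in Python as an added example (not clikcspeed's code and not Graylog's extractor engine): each regex runs against an IOS-style line and its first capture group becomes a field, with the severity converted to an integer the way the attachment's numeric converter does. The sample lines are constructed for the example and are not from the thread.

```python
import re

# The five regex extractors from the attached JSON, re-applied in Python so the
# resulting fields can be inspected before the extractor set is imported.
EXTRACTORS = {
    "cisco_username":        re.compile(r"User:([^\s]+)"),
    "cisco_logged_command":  re.compile(r"command:(.*)"),
    "cisco_syslog_severity": re.compile(r"-(\d)-"),
    "cisco_syslog_facility": re.compile(r"%(.+?)-"),
    "cisco_syslog_message":  re.compile(r"%.+?:(.*)"),
}
# In the attachment only the severity has a numeric converter; mirror that here.
NUMERIC_FIELDS = {"cisco_syslog_severity"}

# Constructed sample lines in the shape of IOS syslog output (not from the thread).
SAMPLES = [
    "<189>123: *Aug 30 15:25:31.546: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<189>124: *Aug 30 15:25:40.001: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface Vlan1",
]


def extract(message):
    """Return the fields the five extractors would add for one message."""
    fields = {}
    for name, regex in EXTRACTORS.items():
        match = regex.search(message)
        if not match:
            continue  # an extractor that does not match simply adds no field
        value = match.group(1).strip()
        if name in NUMERIC_FIELDS:
            # The converter makes this field an integer for every message it is set on.
            # A field that is numeric in one message and text in another is what produces
            # the java.lang.Long.parseLong failures in Enrico's Elasticsearch output.
            value = int(value)
        fields[name] = value
    return fields


if __name__ == "__main__":
    for line in SAMPLES:
        print(extract(line))
```

Two things to check before importing the set: the stack trace Enrico quoted ends in java.lang.Long.parseLong under LongFieldMapper, which is what Elasticsearch reports when a field it has mapped as long receives a value that is not a number, so any field that gets a numeric converter should get one on every input that writes it; and the severity pattern "-(\d)-" matches the first single digit between hyphens anywhere in the line, so a hyphenated date or hostname ahead of the %FACILITY-SEVERITY-MNEMONIC token would be picked up as the severity.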
{
  "extractors": [
{
  "title": "cisco_username",
  "extractor_type": "regex",
  "converters": [],
  "order": 0,
  "cursor_strategy": "copy",
  "source_field": "message",
  "target_field": "cisco_username",
  "extractor_config": {
"regex_value": "User:([^\\s]+)"
  },
  "condition_type": "none",
  "condition_value": ""
},
{
  "title": "cisco_logged_command",
  "extractor_type": "regex",
  "converters": [],
  "order": 0,
  "cursor_strategy": "copy",
  "source_field": "message",
  "target_field": "cisco_logged_command",
  "extractor_config": {
"regex_value": "command:(.*)"
  },
  "condition_type": "none",
  "condition_value": ""
},
{
  "title": "cisco_syslog_severity",
  "extractor_type": "regex",
  "converters": [
{
  "type": "numeric",
  "config": {}
}
  ],
  "order": 0,
  "cursor_strategy": "copy",
  "source_field": "message",
  "target_field": "cisco_syslog_severity",
  "extractor_config": {
"regex_value": "-(\\d)-"
  },
  "condition_type": "none",
  "condition_value": ""
},
{
  "title": "cisco_syslog_facility",
  "extractor_type": "regex",
  "converters": [],
  "order": 0,
  "cursor_strategy": "copy",
  "source_field": "message",
  "target_field": "cisco_syslog_facility",
  "extractor_config": {
"regex_value": "%(.+?)-"
  },
  "condition_type": "none",
  "condition_value": ""
},
{
  "title": "cisco_syslog_message",
  "extractor_type": "regex",
  "converters": [],
  "order": 0,
  "cursor_strategy": "copy",
  "source_field": "message",
  "target_field": "cisco_syslog_message",
  "extractor_config": {
"regex_value": "%.+?:(.*)"
  },
  "condition_type": "none",
  "condition_value": ""
},
{
  "title": "cisco_syslog_mnemonic",