[graylog2] Problems with Cisco Routers

2016-09-05 Thread Israel Martinez Bermejo


Hello guys.

I have configured Graylog with all the Extreme Networks switches and it works 
fine.

But now I am working with a Cisco router and have a problem with the message 
source: it does not contain the Cisco IP or hostname, it starts with the month, 
for example now it is Sep.

I show an example:



Thanks very much!


Regards.

Israel.

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/6b7cf129-8bd7-4571-bdfa-f23f68221f54%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
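The symptom above (a source field that starts with the month) is what a lenient RFC 3164 parser produces on Cisco IOS syslog, because IOS by default sends no hostname: the header is `<PRI>seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: text`, so the token sitting where RFC 3164 expects HOSTNAME is the month. The Python below is an added example, not code from this thread or from Graylog: it models that lenient behaviour next to a parser that recognises the Cisco layout and falls back to the datagram's sender address whenever the line carries no hostname. The sample lines and addresses are constructed, and the optional `hostname:` field before the timestamp is my assumption about what the router emits once it is configured to include its hostname.

```python
import re
from dataclasses import dataclass

# Strict RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME rest
RFC3164_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ 1-3]\d \d\d:\d\d:\d\d) "
    r"(?P<host>[^\s:]+) (?P<rest>.*)$"
)

# Cisco IOS header: <PRI>[seq: ][host: ][*]Mmm dd hh:mm:ss[.mmm][ TZ]: %FAC-SEV-MNEMONIC: text
# The "host: " field is an assumption about what the router emits once it is told
# to include its hostname; by default it is absent.
CISCO_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:\d+: )?"                                       # optional sequence number
    r"(?:(?P<host>[A-Za-z][\w.-]*): )?"                 # optional origin hostname
    r"(?P<ts>[*.]?[A-Z][a-z]{2} [ 1-3]\d \d\d:\d\d:\d\d(?:\.\d{3})?(?: [A-Z]{3,4})?): "
    r"(?P<rest>%[A-Z0-9_]+-[0-7]-[A-Z0-9_]+: .*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    source: str
    timestamp: str
    message: str
    source_from_sender: bool   # True when the line itself carried no hostname


def lenient_source(line: str) -> str:
    """Model of a lenient RFC 3164 parser (constructed for illustration, not
    Graylog's code): strip the PRI and an optional sequence number, and when the
    strict header does not match, take the first token as the hostname. On a
    Cisco line that token is the month."""
    m = RFC3164_HEADER.match(line)
    if m:
        return m.group("host")
    body = re.sub(r"^<\d{1,3}>(?:\d+: )?", "", line)
    return body.split()[0]


def parse_syslog(line: str, sender_ip: str) -> SyslogEvent:
    """Parse a Cisco IOS or RFC 3164 line. A line without a hostname gets the
    address the datagram arrived from as its source, never a timestamp token."""
    m = CISCO_HEADER.match(line)
    if m:
        pri = int(m.group("pri"))
        host = m.group("host")
        return SyslogEvent(pri // 8, pri % 8, host or sender_ip,
                           m.group("ts").lstrip("*."), m.group("rest"), host is None)
    m = RFC3164_HEADER.match(line)
    if m:
        pri = int(m.group("pri"))
        return SyslogEvent(pri // 8, pri % 8, m.group("host"),
                           m.group("ts"), m.group("rest"), False)
    raise ValueError(f"unrecognised syslog line: {line!r}")


# Constructed sample datagrams as (sender address, payload).
SAMPLES = [
    ("10.0.0.1", "<34>Sep  5 10:12:33 core-sw1 sshd[1234]: Accepted publickey for admin from 10.0.0.9"),
    ("10.0.0.254", "<187>42: Sep  5 10:12:34.123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"),
    ("10.0.0.254", "<189>43: *Sep  5 10:12:35.456 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)"),
    ("10.0.0.253", "<189>44: rtr-edge1: Sep  5 10:12:36.789: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (10.0.0.9)"),
]


def compare(samples=SAMPLES):
    """Return (lenient source, robust source) per sample so the difference is visible."""
    return [(lenient_source(line), parse_syslog(line, ip).source) for ip, line in samples]


if __name__ == "__main__":
    for (ip, line), (naive, robust) in zip(SAMPLES, compare()):
        print(f"from {ip:<10} lenient={naive!r:<14} robust={robust!r}")
```

Two fixes follow from this: on the router, IOS can be told to put its hostname into the header (`logging origin-id hostname`), after which the line matches the optional host field; on the collector, the source should come from the sender address when the header has none, as `parse_syslog` does, rather than from whatever token happens to sit in the hostname slot.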


[graylog2] How to parse all keys using parse_json & select_jsonpath

2016-09-05 Thread Ajay Kumar
Hi All,

Just now I have learned that I can parse individual keys from JSON input as 
mentioned in the link below:

https://github.com/Graylog2/graylog-plugin-pipeline-processor/blob/master/src/test/resources/org/graylog/plugins/pipelineprocessor/functions/jsonpath.txt

But I am wondering, how do I parse all fields, including nested ones?

I would appreciate it if anyone could help me.

Regards,

Jay

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/42e3bf5c-b636-4965-af71-21a2be62%40googlegroups.com.
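`select_jsonpath` pulls out one path per key, so a document with many or unknown keys needs a flattening step. The Python below is an added example (not Graylog code and not from this thread): it walks a parsed JSON document breadth-first and produces one flat field per leaf, joining nested keys with `_` and indexing list elements. It also caps depth and field count, because the JSON you index often originates from the systems you monitor, and a document with thousands of keys or very deep nesting would otherwise turn into thousands of index fields. The field-name sanitising rule and the sample document are my own choices.

```python
import json
import re
from collections import deque
from typing import Any, Dict

# Conservative field-name rule chosen for this example: letters, digits and
# underscore only. Adjust to whatever your index mapping actually allows.
FIELD_RE = re.compile(r"[^A-Za-z0-9_]")


def sanitize(name: str) -> str:
    return FIELD_RE.sub("_", name)


def flatten_json(doc: Any, sep: str = "_", max_depth: int = 8,
                 max_fields: int = 200) -> Dict[str, Any]:
    """Flatten nested dicts and lists into {flat_name: scalar}.

    Breadth-first, so when the field budget runs out the shallow (usually more
    useful) fields survive. Containers at max_depth are kept as a JSON string
    instead of being silently dropped."""
    fields: Dict[str, Any] = {}
    queue = deque([("", doc, 0)])
    while queue:
        prefix, node, depth = queue.popleft()
        if isinstance(node, dict) and depth < max_depth:
            for key, child in node.items():
                name = sanitize(str(key))
                queue.append((f"{prefix}{sep}{name}" if prefix else name, child, depth + 1))
        elif isinstance(node, list) and depth < max_depth:
            for idx, child in enumerate(node):
                queue.append((f"{prefix}{sep}{idx}" if prefix else str(idx), child, depth + 1))
        else:
            if len(fields) >= max_fields:
                fields["_flatten_truncated"] = True    # marker: budget exhausted, rest dropped
                break
            if isinstance(node, (dict, list)):            # too deep: keep as text
                node = json.dumps(node, sort_keys=True)
            fields[prefix or "value"] = node
    return fields


def flatten_json_text(text: str, **kwargs) -> Dict[str, Any]:
    """Parse then flatten; invalid JSON raises json.JSONDecodeError."""
    return flatten_json(json.loads(text), **kwargs)


# Constructed sample event, shaped like a login record with nested objects and lists.
SAMPLE = (
    '{"event": {"action": "login", "outcome": "failure"},'
    ' "source": {"ip": "203.0.113.7", "geo": {"country": "NL"}},'
    ' "user": {"name": "alice", "roles": ["admin", "ops"]},'
    ' "tags": ["auth", "ssh"], "weird key!": 1}'
)

if __name__ == "__main__":
    for name, value in sorted(flatten_json_text(SAMPLE).items()):
        print(f"{name} = {value!r}")
```

The `_flatten_truncated` marker is deliberate: a message that silently lost fields is worse for an analyst than one that says it did, and the cap is what keeps one oversized document from creating an unbounded number of new fields in the index.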


[graylog2] Email Transport Configuration is missing or invalid!

2016-09-05 Thread Ciprian
Good morning, I am trying to configure graylog to send alerts to my mail 
but for some reason I keep getting the following error:
The configuration for the email transport subsystem has shown to be missing 
or invalid. Please check the related section of your Graylog server 
configuration file. This is the detailed error message: Email transport is 
not enabled in server configuration file

The configuration for the email transport in the server.conf looks like 
this:

transport_email_enabled = true
transport_email_protocol = smtp
transport_email_hostname = smtp.office365.com
transport_email_port = 587
transport_email_use_auth = true
transport_email_use_tls = false
transport_email_use_ssl = false
transport_email_auth_username = secret
transport_email_auth_password = secret
transport_email_subject_prefix = [graylog2]
transport_email_from_email = t...@iname.com
transport_email_web_interface_url = http://192.168.1.22:12900/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/a0755cda-d7a8-44d8-a386-a006d6a5cabe%40googlegroups.com.
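The posted block has `transport_email_enabled = true`, yet the server reports the transport as not enabled, so what the server parsed and what the file appears to say differ (the thread does not say why; the usual things to check are the file the running node actually reads, a value that did not parse, and whether the node was restarted). The Python below is an added example, not Graylog code and not from the thread: a small checker that parses a `key = value` file, reports hygiene problems that commonly make a value unrecognisable (BOM, CRLF endings, duplicate or malformed lines), and then reviews the email transport settings from a security angle. On the posted values it flags that `transport_email_use_auth = true` with both `use_tls` and `use_ssl` false sends the SMTP password in clear text, that 587 is the STARTTLS submission port, and that the web interface URL is plain HTTP. The credentials, from-address and hardened URL are placeholders of mine.

```python
from typing import Dict, List, Tuple

EMAIL_KEYS_REQUIRED = (
    "transport_email_enabled",
    "transport_email_hostname",
    "transport_email_port",
    "transport_email_from_email",
)


def parse_server_conf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse `key = value` lines into a dict and collect file-hygiene findings."""
    settings: Dict[str, str] = {}
    findings: List[str] = []
    if text.startswith("\ufeff"):
        findings.append("file starts with a UTF-8 BOM; the first key may not be recognised")
        text = text[1:]
    if "\r" in text:
        findings.append("CRLF line endings present; a value may carry a stray carriage return")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            findings.append(f"line {lineno}: not a key = value pair: {line!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in settings:
            findings.append(f"line {lineno}: duplicate key {key}; which value applies depends on the loader")
        settings[key] = value
    return settings, findings


def _is_true(settings: Dict[str, str], key: str) -> bool:
    return settings.get(key, "false").strip().lower() == "true"


def check_email_transport(settings: Dict[str, str]) -> List[str]:
    """Review the transport_email_* keys for completeness and transport security."""
    findings = [f"missing {key}" for key in EMAIL_KEYS_REQUIRED if key not in settings]
    if not _is_true(settings, "transport_email_enabled"):
        findings.append("transport_email_enabled is not exactly 'true', so the transport stays disabled")
    tls = _is_true(settings, "transport_email_use_tls")
    ssl = _is_true(settings, "transport_email_use_ssl")
    if _is_true(settings, "transport_email_use_auth") and not (tls or ssl):
        findings.append("use_auth is true but use_tls and use_ssl are false: the SMTP password crosses the network in clear text")
    if tls and ssl:
        findings.append("use_tls and use_ssl are both true; STARTTLS and implicit TLS are alternatives, pick one")
    if settings.get("transport_email_port") == "587" and not tls:
        findings.append("port 587 is the submission port where STARTTLS is expected, but use_tls is false")
    if settings.get("transport_email_web_interface_url", "").startswith("http://"):
        findings.append("web_interface_url is plain http; links in alert mails open an unencrypted UI")
    return findings


# Constructed copy of the posted block. Password and from-address are placeholders.
POSTED_CONF = """\
transport_email_enabled = true
transport_email_protocol = smtp
transport_email_hostname = smtp.office365.com
transport_email_port = 587
transport_email_use_auth = true
transport_email_use_tls = false
transport_email_use_ssl = false
transport_email_auth_username = PLACEHOLDER_USER
transport_email_auth_password = PLACEHOLDER_PASSWORD
transport_email_subject_prefix = [graylog2]
transport_email_from_email = alerts@example.com
transport_email_web_interface_url = http://192.168.1.22:12900/
"""

# Same settings with STARTTLS on and an HTTPS interface URL (assumed hostname).
HARDENED_CONF = POSTED_CONF.replace(
    "transport_email_use_tls = false", "transport_email_use_tls = true"
).replace("http://192.168.1.22:12900/", "https://graylog.example.com/")


def review(text: str) -> List[str]:
    """Hygiene findings followed by email-transport findings for one config text."""
    settings, findings = parse_server_conf(text)
    return findings + check_email_transport(settings)


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in review(conf) or ["no findings"]:
            print(" -", finding)
```

Run it against the file the running node reads, not a copy: the hygiene findings are only useful on the real bytes, and `_is_true` is intentionally strict so that a value like `true ` with trailing whitespace or `True` shows up when you compare what you typed with what the checker accepts.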


[graylog2] Re: Graylog isn't processing messages

2016-09-05 Thread Phil Sumner
You may need to delete the journal too, just be aware that you'll lose any 
messages in there.

On Friday, 2 September 2016 18:04:28 UTC+1, 8bits...@gmail.com wrote:
>
> Here is my elasticsearch log starting from when I restarted the 
> elasticsearch service.  http://pastebin.com/4WR3Nn5K
>
> On Friday, September 2, 2016 at 10:57:37 AM UTC-6, 8bits...@gmail.com 
> wrote:
>>
>> I had changed the path for elasticsearch data to a second HDD, but not 
>> the logs.  Today my root HDD reached 99% as a result.  I stopped Graylog, 
>> deleted the elasticsearch logs at /var/log/elasticsearch, and edited the 
>> elasticsearch.yml to point to the second HDD.  I rebooted my machine and my 
>> HDDs now have ample space again.  However, Graylog isn't processing any 
>> incoming messages.  I have ~400k messages showing unprocessed.  On the 
>> overview page everything is green.  I've restarted Graylog, Elasticsearch, 
>> and the server.  No change.  Any ideas on what I can do?
>>
>> The journal contains 406,203 unprocessed messages in 5 segments. 0
>>  messages appended, 0 messages read in the last second.
>>
>> Thanks in advance for your help.
>>
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/0a837532-7fdc-413a-8f4e-aa3cafde00d7%40googlegroups.com.


[graylog2] Re: Upgrading to 2.1 (package install)

2016-09-05 Thread Aykisn
I did this on my three graylog servers: 

> sudo rpm -Uvh 
> https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.rpm
> sudo yum update
>

Then I had to restart graylog on my three graylog servers.
Worked fine; data, settings etc. got preserved.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/a108eff1-6f9e-4c4c-af72-830d605758dd%40googlegroups.com.


[graylog2] Re: ERROR: org.graylog2.indexer.indices.Indices - Unable to create the Graylog index template: graylog-internal

2016-09-05 Thread Krate Diggah
Hi,

I cannot reproduce this on my two test machines. Both work fine after another 
docker-compose up.

So this is considered resolved.

Regards,

On Thursday, September 1, 2016 at 6:10:13 PM UTC+2, Jochen Schalanda wrote:
>
> Hi,
>
> please post the complete error message from the Graylog logs.
>
> Cheers,
> Jochen
>
> On Thursday, 1 September 2016 16:56:06 UTC+2, Krate Diggah wrote:
>>
>> Hello,
>>
>> I am having issues with graylog v2 on a docker host setup. 
>>
>> *First of all some system information.*
>> OS: Debian Jessie
>> Docker: Docker version 1.12.1, build 23cf638
>>
>> Stack was built from the compose file as found here 
>> 
>>
>> *I altered the compose file and added the following:*
>> 1. Larger heap, now 4 GB
>> 2. Exposed ports of elasticsearch so I could do some API tests
>> 3. Changed GRAYLOG_REST_TRANSPORT_URI to public Docker Host ip
>>
>> New compose file (of course passwords are changed):
>> version: '2'
>> services:
>>   mongo:
>>     image: "mongo:3"
>>   elasticsearch:
>>     image: "elasticsearch:2"
>>     command: "elasticsearch -Des.cluster.name='graylog' -Des.logger.level=DEBUG"
>>     environment:
>>       ES_HEAP_SIZE: 4g
>>     ports:
>>       - "9200:9200"
>>       - "9300:9300"
>>   graylog:
>>     image: graylog2/server:2.0.3-2
>>     environment:
>>       GRAYLOG_PASSWORD_SECRET: kudos
>>       GRAYLOG_ROOT_PASSWORD_SHA2: c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2
>>       GRAYLOG_REST_TRANSPORT_URI: http://10.0.0.75:12900
>>     depends_on:
>>       - mongo
>>       - elasticsearch
>>     ports:
>>       - "9000:9000"
>>       - "12900:12900"
>>       - "12201/udp:12201/udp"
>>       - "1514/udp:1514/udp"
>>
>>
>> *What i have tried:*
>> 1. Restored the containers with docker-compose down
>> 2. Reinstalled docker host (was shaky before hand)
>> 3. Enabled debugging to check for exceptions
>> 4. Did a lot of google research
>>
>>
>> *Error Message*
>> After startup I am getting the following errors (had to 
>> enable DEBUG) which imply that the template is missing and thus the indexes 
>> can't be created? 
>>
>> ERROR: org.graylog2.indexer.indices.Indices - Unable to create the 
>> Graylog index template: graylog-internal
>>
>>
>> *Expanded Error*
>> elasticsearch_1  | [2016-09-01 14:32:55,720][DEBUG][cluster.service 
>>  ] [Carmilla Black] processing [remove-index-template [graylog-
>> internal]]: execute
>> elasticsearch_1  | [2016-09-01 14:32:55,721][DEBUG][cluster.service 
>>  ] [Carmilla Black] cluster state update task [remove-index-template 
>> [graylog-internal]] failed
>> elasticsearch_1  | IndexTemplateMissingException[index_template [graylog-
>> internal] missing]
>> elasticsearch_1  | at org.elasticsearch.cluster.metadata.
>> MetaDataIndexTemplateService$1.execute(MetaDataIndexTemplateService.java:
>> 100)
>> elasticsearch_1  | at org.elasticsearch.cluster.
>> ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:45)
>> elasticsearch_1  | at org.elasticsearch.cluster.service.
>> InternalClusterService.runTasksForExecutor(InternalClusterService.java:
>> 468)
>> elasticsearch_1  | at org.elasticsearch.cluster.service.
>> InternalClusterService$UpdateTask.run(InternalClusterService.java:772)
>> elasticsearch_1  | at org.elasticsearch.common.util.concurrent.
>> PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.
>> runAndClean(PrioritizedEsThreadPoolExecutor.java:231)
>> elasticsearch_1  | at org.elasticsearch.common.util.concurrent.
>> PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(
>> PrioritizedEsThreadPoolExecutor.java:194)
>> elasticsearch_1  | at java.util.concurrent.ThreadPoolExecutor.
>> runWorker(ThreadPoolExecutor.java:1142)
>> elasticsearch_1  | at java.util.concurrent.
>> ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> elasticsearch_1  | at java.lang.Thread.run(Thread.java:745)
>> elasticsearch_1  | [2016-09-01 14:32:55,721][DEBUG][action.admin.indices.
>> template.delete] [Carmilla Black] failed to delete templates [graylog-
>> internal]
>> elasticsearch_1  | IndexTemplateMissingException[index_template [graylog-
>> internal] missing]
>> elasticsearch_1  | at org.elasticsearch.cluster.metadata.
>> MetaDataIndexTemplateService$1.execute(MetaDataIndexTemplateService.java:
>> 100)
>> elasticsearch_1  | at org.elasticsearch.cluster.
>> ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:45)
>> elasticsearch_1  | at org.elasticsearch.cluster.service.
>> InternalClusterService.runTasksForExecutor(InternalClusterService.java:
>> 468)
>> elasticsearch_1  | at org.elasticsearch.cluster.service.
>> InternalClusterService$UpdateTask.run(InternalClusterService.java:772)
>> elasticsearch_1  | at org.elasticsearch.common.util.concurrent.
>> PrioritizedEsThreadPoolExecutor$TieBreakingPrio

[graylog2] Re: How to use pipeline

2016-09-05 Thread Ajay Kumar
I believe at the moment the pipeline doesn't offer an aggregation feature, which 
is a must to achieve this.
I would appreciate it if anyone knows any workaround to achieve this.

On Sunday, September 4, 2016 at 2:51:02 PM UTC+5:30, Ajay Kumar wrote:
>
> Hi All,
>
> I am learning graylog to use as a SIEM solution; as per my knowledge we 
> can only use the pipeline processor feature for the scenario below:
>
> Alert when 5 authentication failures followed by a successful logon by 
> that same origin login
>
> I have gone through the document but am unable to understand how to achieve this.
>
> I would appreciate if someone can help me.
>
> Regards,
>
> Jay
>
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/d1c5ee7d-4989-42f2-8d0f-7f15aabee382%40googlegroups.com.
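The rule in the question ("5 authentication failures followed by a successful logon by that same origin") is stateful correlation: something has to remember failures per origin and consult that memory when a success arrives, which is exactly the aggregation a stateless per-message pipeline cannot do. The Python below is an added example (not Graylog code and not from this thread) of that logic as a streaming detector over sshd-style lines that I constructed. It keys on the source IP as the "origin", keeps only the last `threshold` failure timestamps per origin, ignores failures older than a window, and bounds the number of tracked origins so a flood of spoofed sources cannot exhaust memory. The line format and the alert dictionary's field names are my own.

```python
import re
from collections import deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional

# sshd-style auth lines with an ISO-8601 UTC timestamp in front (constructed format).
AUTH_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


class FailuresThenSuccessDetector:
    """Alert when a success from an origin is preceded by >= threshold failures
    from that origin within window_seconds. Memory is bounded per origin (deque
    maxlen) and overall (max_origins), so unparseable or spoofed traffic cannot
    grow state without limit."""

    def __init__(self, threshold: int = 5, window_seconds: int = 600,
                 max_origins: int = 10_000):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.max_origins = max_origins
        self.failures: Dict[str, Deque[datetime]] = {}

    def _record_failure(self, ip: str, ts: datetime) -> None:
        if ip not in self.failures:
            if len(self.failures) >= self.max_origins:
                self.failures.pop(next(iter(self.failures)))   # evict the oldest-seen origin
            self.failures[ip] = deque(maxlen=self.threshold)
        self.failures[ip].append(ts)

    def feed(self, line: str) -> Optional[dict]:
        """Consume one line in arrival order; return an alert dict or None."""
        m = AUTH_LINE.match(line)
        if not m:
            return None                     # not an auth event this detector understands
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ip = m["ip"]
        if m["outcome"] == "Failed":
            self._record_failure(ip, ts)
            return None
        # A success consumes the origin's history, so one burst yields one alert.
        recent = [t for t in self.failures.pop(ip, ()) if ts - t <= self.window]
        if len(recent) < self.threshold:
            return None
        return {
            "origin": ip,
            "user": m["user"],
            "failures": len(recent),
            "first_failure": recent[0].isoformat(),
            "success_at": ts.isoformat(),
        }

    def run(self, lines) -> List[dict]:
        return [alert for alert in map(self.feed, lines) if alert]


# Constructed sample: five failures from 203.0.113.7, then a success from it;
# 198.51.100.4 succeeds after only one failure and must not alert.
SAMPLE_LOG = """\
2016-09-05T10:00:01Z bastion sshd[1001]: Failed password for alice from 203.0.113.7 port 40001 ssh2
2016-09-05T10:00:03Z bastion sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
2016-09-05T10:00:05Z bastion sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2
2016-09-05T10:00:06Z bastion sshd[1004]: Failed password for bob from 198.51.100.4 port 50001 ssh2
2016-09-05T10:00:07Z bastion sshd[1005]: Failed password for alice from 203.0.113.7 port 40004 ssh2
2016-09-05T10:00:09Z bastion sshd[1006]: Failed password for alice from 203.0.113.7 port 40005 ssh2
2016-09-05T10:00:10Z bastion sshd[1007]: Accepted publickey for bob from 198.51.100.4 port 50002 ssh2
2016-09-05T10:00:12Z bastion sshd[1008]: Accepted password for alice from 203.0.113.7 port 40006 ssh2
2016-09-05T10:00:20Z bastion sshd[1009]: Accepted password for alice from 203.0.113.7 port 40007 ssh2
"""


def detect(text: str = SAMPLE_LOG, **kwargs) -> List[dict]:
    """Run a fresh detector over a block of log text and return its alerts."""
    return FailuresThenSuccessDetector(**kwargs).run(text.splitlines())


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

Two design points matter in production. The window is evaluated against event timestamps, not wall-clock time, so replayed or delayed logs correlate the same way as live ones provided they arrive in order. And the detector answers the "same origin" part of the rule by source address; if your environment identifies an origin by username instead, key `self.failures` on `m["user"]` and the rest is unchanged.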


[graylog2] Re: Graylog email alert frequency

2016-09-05 Thread Ajay Kumar
I am also facing same issue, not sure if there is any solution to deal with 
it.
Any thoughts?

Regards,

Jay

On Tuesday, April 12, 2016 at 11:13:31 PM UTC+5:30, David Rux wrote:
>
> Hey all,
>
> I have a stream that's set to send an email whenever an alert is triggered 
> that matches a channel. The email is received and all is well but graylog 
> seems to group a series of events together before sending the email. Is 
> there any way to change this? Basically I want an email whenever an event 
> matching the criteria hits that stream. One email per event. Does anyone 
> know if that's possible? My alert condition is as follows:
>
> Trigger alert when a message arrives that has the field  set to  and 
> then wait at least  minutes until triggering a new alert. (grace period) 
> When sending an alert, include the last  messages of the stream evaluated 
> for this alert condition.
>
> I would have thought that a 0 minute grace period would do this but I 
> tested it and graylog lumped 4 backlog messages into the email where I 
> wanted 4 emails with one event in each. When I set the number of included 
> messages to 1, I only get one email with one alert and it seems to ignore 
> the other events that I triggered despite being logged on the dashboard.
>
> Thanks,
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/86fd3ae3-26e2-41cf-8f0b-bbaf1a6628f3%40googlegroups.com.


[graylog2] alerting plugins seem to lack all context?

2016-09-05 Thread Jason Haar
Hi there

I've been playing around with alerts. The native "email" alert works as
expected, but the HTTP and "Execute command" alarm options lack all detail
about the event that triggered the alert

I've written a script that simply dumps the command line options and
environment vars to a file - nothing related to the event shows up.
Similarly, the HTTP does a POST - but contains no variables at all

What am I missing? The alerting options are really not that sophisticated,
so I'd rather dump "alerts" into my own workflow program - but nothing
besides email appears to have any actual data??

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/CAFChrg%2BhQS7XRHP8sAOGDmHCKZYX%3DTjCfW6DZN0De6xVK9yXFQ%40mail.gmail.com.


[graylog2] Re: Upgrading to 2.1 (package install)

2016-09-05 Thread T.J. Yang


On Monday, September 5, 2016 at 6:59:44 AM UTC-5, Aykisn wrote:
>
> I did this on my three graylog servers: 
>
>> sudo rpm -Uvh 
>> https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.rpm
>> sudo yum update
>>
>
> Then had to restart graylog on my three graylog servers.
> Worked fine, data, settings etc got preserved.
>

Pointing to the latest repo as in the step above, then yum update -y && reboot, was able 
to upgrade my CentOS 7 graylog 2.x instance.


-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/aeb2a56d-e2e2-46b1-810f-4720e1d8cc61%40googlegroups.com.


[graylog2] Smtp configuration in conf file

2016-09-05 Thread Aykisn
Hello,

I was wondering if we need to put the SMTP configuration part in all the 
graylog instances' configuration files or just on one of them, please?

Thanks.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/35882726-a0c2-405e-a87d-894d1c32c732%40googlegroups.com.