[graylog2] Graylog doesn't process messages

2016-10-17 Thread Пётр




Hi, when I resized the disk partition, Graylog worked for several days and then 
stopped processing messages. Graylog shows that the input buffer is full.
After rebooting Linux, the input buffer moved to the output buffer and 
processing worked correctly. But now even a restart does not help.
Where can I find the Graylog logs, or maybe someone has already solved a 
similar problem?

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/f86602e5-0452-4c1e-a33b-45e0c2cbac5b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Graylog 1.3 UDP input "Error starting this input on node 572c0419 / Unknown: Permission denied."

2016-10-17 Thread Mac Gyver
Hi guys, my environment is Graylog 1.3. I use the UDP input but it shows "Error 
starting this input on node 572c0419 / Unknown: Permission denied.". I have 
disabled iptables and also used tcpdump to check the data. What should I do? Thanks.

#tcpdump dst port 555
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:20:54.165539 IP 10.0.3.28.ecnp > 10.0.1.127.dsf: UDP, length 531
...so on

My Graylog UDP input setting:

   - expand_structured_data: true
   - recv_buffer_size: 262144
   - port: 555
   - override_source:
   - allow_override_date: true
   - bind_address: 0.0.0.0
   - store_full_message: true



[graylog2] Global input bind_address

2016-10-17 Thread imperatives
What is the best practice for the bind_address of global inputs (2 Graylog 
Nodes behind load balancer)?  Setting as 127.0.0.1 doesn't appear to work.  
When we were using a single Node the fqdn of the node worked fine, but 
doesn't seem like it would work with multiple servers.  Any assistance 
would be greatly appreciated.

Thank you in advance.



[graylog2] Re: Alerts not getting triggered Graylog v2.0.1

2016-10-17 Thread Rakesh R
Hi Justin,
  Thanks for the reply. I will try debugging more regarding this issue.

On Thursday, October 6, 2016 at 11:12:16 PM UTC+5:30, Justin Hildreth wrote:
>
>
>



[graylog2] Re: Unreadable or missing REST API private key

2016-10-17 Thread Evgueni Gordienko
Changed permissions to 0444 for cert/key files and 0755 for the enclosing 
folder - restarted without problem.
The issue starts when I log in via GUI - attached WARN message - see 
attached file.
Why does it refer to my secondary interface (10.0.0.16) and not the primary one, 
192.168.17.15?

Please clarify - what could be wrong?

Cheers
Evgueni
 

On Sunday, October 16, 2016 at 11:24:36 PM UTC-7, Jochen Schalanda wrote:
>
> Hi Evgueni,
>
> On Friday, 14 October 2016 22:32:58 UTC+2, Evgueni Gordienko wrote:
>>
>> I enabled tls and the file graylog complains about is there and has 0777 
>> permissions set but still I get:
>>
>
> Access permissions of 0777 (readable, writable, and executable for 
> everyone) are a bit too permissive.
>
> The private key and certificate files must simply be readable and the 
> directories must be usable (i. e. readable and executable) by the system 
> user running Graylog (e. g. "graylog" in most cases).
>
> You can check this by running namei -l 
> /etc/graylog/secrets/pkcs8-encrypted.pem.
>
> On Sunday, 16 October 2016 17:16:44 UTC+2, Evgueni Gordienko wrote:
>>
>> But even after that it looks like I'm having same issue as in
>>
>> https://groups.google.com/forum/#!searchin/graylog2/read$20key|sort:relevance/graylog2/V4eqM5ah_ik/wDmRW7JFBQAJ
>>
>
> Which issue is this, specifically?
>
> Cheers,
> Jochen 
>


2016-10-17T18:16:39.287Z INFO  [connection] Opened connection [connectionId{localValue:4, serverValue:135}] to 192.168.17.15:27017
2016-10-17T18:16:49.167Z WARN  [ProxiedResource] Unable to call https://10.0.0.16:9000/api/system/metrics/multiple on node <47a1a76e-45e1-4872-bd83-8daa2884fdc4>
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_65]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[?:1.8.0_65]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[?:1.8.0_65]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:1.8.0_65]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[?:1.8.0_65]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_65]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:1.8.0_65]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[?:1.8.0_65]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[?:1.8.0_65]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_65]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[?:1.8.0_65]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[?:1.8.0_65]
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:241) ~[graylog.jar:?]
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:198) ~[graylog.jar:?]
    at okhttp3.internal.connection.RealConnection.buildConnection(RealConnection.java:174) ~[graylog.jar:?]
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:114) ~[graylog.jar:?]
    at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:193) ~[graylog.jar:?]
    at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:129) ~[graylog.jar:?]
    at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:98) ~[graylog.jar:?]
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:109) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
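
The permission check discussed in this message (key readable and every directory on the path usable by the Graylog user, nothing as loose as 0777) can be scripted. This is an added example, not part of the thread and not Graylog code; the function names, the finding labels and the policy of also flagging world-readable keys are assumptions of the example. Run it as the Graylog service user so the readability tests apply to that account.

```shell
#!/bin/sh
# Added example (not from the thread): audit the path to a TLS private key.
# Run it as the Graylog service user so the -r/-x tests apply to that account.
# Function names, finding labels and the policy are assumptions of this example.

# mode_of PATH -> octal permission bits (GNU stat first, BSD stat as fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_key_path FILE [TOP]
# Checks FILE and every directory from its parent up to TOP (default /).
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_key_path() {
    key=$1
    top=${2:-/}
    bad=0

    if [ ! -f "$key" ]; then
        echo "KEY_MISSING $key"
        return 1
    fi

    mode=$(mode_of "$key")
    # The service user must be able to read the key ...
    [ -r "$key" ] || { echo "KEY_NOT_READABLE $mode $key"; bad=1; }
    # ... but group/other must not be able to rewrite it (the 0777 case),
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "KEY_WRITABLE_BY_OTHERS $mode $key"; bad=1
    fi
    # and a private key readable by every local account is exposed.
    if [ $(( 0$mode & 004 )) -ne 0 ]; then
        echo "KEY_WORLD_READABLE $mode $key"; bad=1
    fi

    dir=$(dirname "$key")
    while :; do
        dmode=$(mode_of "$dir")
        # Directories must be readable and searchable by the service user.
        if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
            echo "DIR_NOT_USABLE $dmode $dir"; bad=1
        fi
        # World-writable without the sticky bit lets anyone swap the key file.
        if [ $(( 0$dmode & 002 )) -ne 0 ] && [ $(( 0$dmode & 01000 )) -eq 0 ]; then
            echo "DIR_WORLD_WRITABLE $dmode $dir"; bad=1
        fi
        case $dir in "$top"|/|.) break ;; esac
        dir=$(dirname "$dir")
    done

    return "$bad"
}

# Stand-alone use: sh audit_key_path.sh /etc/graylog/secrets/pkcs8-encrypted.pem
if [ "$#" -gt 0 ]; then
    audit_key_path "$@"
fi
```
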
  

[graylog2] Re: Highly available GrayLog configuration for Production

2016-10-17 Thread imperatives
Two Graylog Nodes should be more than sufficient for your requirements.  
However, if you are planning on running a MongoDB replica set it requires 
three members.  

On Monday, October 17, 2016 at 8:31:35 AM UTC-4, Yuriy Petrenko wrote:
>
> Hi,
>
> We are trying to get *highly available GrayLog* configuration for 
> Production.
>
> 1) I used Graylog sizing estimator (beta) - 
> https://www.graylog.org/tools/sizing-estimator
> According to our requirements: 
>    a) Expected messages/sec - 100
>    b) Average message size (bytes) - 1400
>    c) Retention period (days) - 14
>    d) Replication factor - 2
> We got the following result (Graylog sizing estimator):
>
>     Role              #            CPU cores   RAM    Storage
> 1)  Load Balancer     1 instance   n/a         n/a    n/a
> 2)  *graylog-server*  2 servers    12          12Gb   26Gb
> 3)  MongoDB           3 servers    2           4Gb    30Gb
> 4)  Elasticsearch     2 servers    16          48Gb   0.2Tb
>
>
> As we can see in this recommendation from (Graylog sizing estimator), there 
> should be *TWO* graylog-servers in this configuration.
>
>
> 2) However, as we can see from the documentation, there should be at least 
> *THREE* graylog-servers.
>
>
> http://docs.graylog.org/en/2.1/pages/architecture.html#bigger-production-setup
>
>
> http://docs.graylog.org/en/1.0/pages/architecture.html#bigger-production-setup
>
> --
> *So, could you please give us a recommendation on how many graylog-servers 
> (TWO or THREE) we should use according to our requirements (see above)?*
> --
>
> Thank you in advance
>
>
> 
>
>



[graylog2] Graylog 2.1 lost saved searches

2016-10-17 Thread Tommy Grignon
I recently updated Graylog on Ubuntu from 1.x to 2.1 and lost my saved 
search templates.

Where can I try to find them?



[graylog2] Re: Separate input required for each Node?

2016-10-17 Thread imperatives
I just noticed the "Global" option button when creating an Input.

On Monday, October 17, 2016 at 1:19:20 PM UTC-4, imper...@gmail.com wrote:
>
> Does each Graylog Node require a separate input in a multi-node 
> environment?  The log messages will be sent to a load balancer, which will 
> round-robin them to the Graylog Nodes.  To get this working in test I had 
> to create duplicate inputs (same type and port), each running on a 
> different Node.  Is this the correct way to set this up?
>
> Thank you in advance.
>



[graylog2] Separate input required for each Node?

2016-10-17 Thread imperatives
Does each Graylog Node require a separate input in a multi-node 
environment?  The log messages will be sent to a load balancer, which will 
round-robin them to the Graylog Nodes.  To get this working in test I had 
to create duplicate inputs (same type and port), each running on a 
different Node.  Is this the correct way to set this up?

Thank you in advance.



[graylog2] Highly available GrayLog configuration for Production

2016-10-17 Thread yuriypetrenko3
Hi,

We are trying to get *highly available GrayLog* configuration for 
Production.

1) I used Graylog sizing estimator (beta) - 
https://www.graylog.org/tools/sizing-estimator
According to our requirements: 
   a) Expected messages/sec - 100
   b) Average message size (bytes) - 1400
   c) Retention period (days) - 14
   d) Replication factor - 2
We got the following result (Graylog sizing estimator):

    Role              #            CPU cores   RAM    Storage
1)  Load Balancer     1 instance   n/a         n/a    n/a
2)  *graylog-server*  2 servers    12          12Gb   26Gb
3)  MongoDB           3 servers    2           4Gb    30Gb
4)  Elasticsearch     2 servers    16          48Gb   0.2Tb


As we can see in this recommendation from (Graylog sizing estimator), there 
should be *TWO* graylog-servers in this configuration.


2) However, as we can see from the documentation, there should be at least 
*THREE* graylog-servers.

http://docs.graylog.org/en/2.1/pages/architecture.html#bigger-production-setup

http://docs.graylog.org/en/1.0/pages/architecture.html#bigger-production-setup

--
*So, could you please give us a recommendation on how many graylog-servers 
(TWO or THREE) we should use according to our requirements (see above)?*
--

Thank you in advance





Re: [graylog2] Re: ApiError http404 not found

2016-10-17 Thread Jochen Schalanda
Hi Mehmet,

On Monday, 17 October 2016 13:35:57 UTC+2, mehmet hasdemir wrote:
>
> my graylog server version is 2.03 
> web interface server version 1.3.2 
>

These are incompatible. The Graylog web interface has been integrated into 
the Graylog server starting with Graylog 2.0.0.

Please read http://docs.graylog.org/en/2.1/pages/upgrade/graylog-2.0.html 
for the upgrade notes and the rest of the documentation for specific 
instructions on how to configure your Graylog setup. 

Cheers,
Jochen



Re: [graylog2] Re: ApiError http404 not found

2016-10-17 Thread mehmet hasdemir
My Graylog server version is 2.03
web interface server version 1.3.2


Which two versions should I use? Which versions are compatible with each
other?

When I upgrade the Graylog version, is it possible to fix the issue?

thx in advance





2016-10-17 14:28 GMT+03:00 Jochen Schalanda :

> Hi Mehmet,
>
> it looks like you're using a very old version of Graylog.
>
> If you're starting from scratch, please follow the installation
> instructions at http://docs.graylog.org/en/2.1/pages/installation.html
> for the latest version of Graylog.
>
> Cheers,
> Jochen
>
> On Monday, 17 October 2016 11:29:58 UTC+2, mehmet hasdemir wrote:
>>
>> hi, I got this error
>> (You caused a org.graylog2.restclient.lib.APIException. API call failed
>> GET http://@10.200.65.12:12900/system/radios returned 404 Not Found body:
>> {"type":"ApiError","message":"HTTP 404 Not Found"})
>>
>> my graylog server IP is 10.200.65.12 and web interface IP is 10.200.65.10
>>
>> in my graylog server conf file, rest uri is below
>>
>> rest_listen_uri = http://0.0.0.0:12900/
>>
>> in my web interface conf file, server uri is below
>>
>> graylog2-server.uris="http://10.200.65.12:12900/"
>>
>> everything works well except this issue so what is the problem?
>>



[graylog2] Re: ApiError http404 not found

2016-10-17 Thread Jochen Schalanda
Hi Mehmet,

it looks like you're using a very old version of Graylog.

If you're starting from scratch, please follow the installation 
instructions at http://docs.graylog.org/en/2.1/pages/installation.html for 
the latest version of Graylog.

Cheers,
Jochen

On Monday, 17 October 2016 11:29:58 UTC+2, mehmet hasdemir wrote:
>
> hi, I got this error
> (You caused a org.graylog2.restclient.lib.APIException. API call failed
> GET http://@10.200.65.12:12900/system/radios returned 404 Not Found body:
> {"type":"ApiError","message":"HTTP 404 Not Found"})
>
> my graylog server IP is 10.200.65.12 and web interface IP is 10.200.65.10
>
> in my graylog server conf file, rest uri is below
>
> rest_listen_uri = http://0.0.0.0:12900/
>
> in my web interface conf file, server uri is below
>
> graylog2-server.uris="http://10.200.65.12:12900/"
>
> everything works well except this issue so what is the problem?
>



[graylog2] ApiError http404 not found

2016-10-17 Thread mehmet hasdemir
hi, I got this error
(You caused a org.graylog2.restclient.lib.APIException. API call failed 
GET http://@10.200.65.12:12900/system/radios returned 404 Not Found body: 
{"type":"ApiError","message":"HTTP 404 Not Found"})

my graylog server IP is 10.200.65.12 and web interface IP is 10.200.65.10

in my graylog server conf file, rest uri is below

rest_listen_uri = http://0.0.0.0:12900/

in my web interface conf file, server uri is below

graylog2-server.uris="http://10.200.65.12:12900/"

everything works well except this issue so what is the problem?



[graylog2] Re: Graylog Field Auto Tagging

2016-10-17 Thread Jochen Schalanda
Hi Joe,

we're planning to enable generic dictionary lookups in the message processing 
pipelines in a future release, but for now you'd have to do this with 
Drools: http://docs.graylog.org/en/2.1/pages/drools.html

Cheers,
Jochen

On Friday, 14 October 2016 20:27:28 UTC+2, Joe G wrote:
>
> What would be the best way to have fields populate based on the OUI from 
> MAC or DHCP options from a request (
> https://github.com/inverse-inc/fingerbank/blob/master/dhcp_fingerprints.conf)?
>  
> For instance, If I want to see how many requests to a DHCP server are from 
> VMWARE (00:50:56) Hyper-V (00-15-5D), each one uses a unique OUI and I'd 
> like to autotag as HyperVisor="x" based on the OUI. And do something 
> similar for the DHCP option such as OS="x" based on the FINGERPRINT log but 
> I'd like to import the database once a month instead of modifying many 
> extractors. 
>



[graylog2] Re: graylog2 timestamp not from application log message

2016-10-17 Thread Jochen Schalanda
Hi Wayne

On Friday, 14 October 2016 19:36:17 UTC+2, Wayne wrote:
>
> I have tried your extractor, and it looks like it almost worked, except 
> that the timestamp seems to use UTC, instead of my local time zone.
>

The date converter can be configured to use a specific timezone.

Cheers,
Jochen
