[graylog2] Re: buglet: broken link http://info.graylog.org/marketplace-requests

2017-02-06 Thread Jochen Schalanda
Hi Jason,

the link http://info.graylog.org/marketplace-requests shows a contact form for me:



Which browser are you using? Which extensions (possibly blocking content 
like Javascript) are you using?

Cheers,
Jochen


On Tuesday, 7 February 2017 05:59:37 UTC+1, Jason Haar wrote:
>
> Hi there
>
> I just did a search on the marketplace for Azure related plugins and found 
> nothing. There was a link saying
>
> "Sorry, nothing matches your query.
>
> Not found what you are looking for? Let us know what you'd like to see in 
> the Marketplace!"
>
> But the link goes nowhere
>
> http://info.graylog.org/marketplace-requests
>
> -- 
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/64e3af80-90ae-47ba-8858-606c0c9886c4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Re: Monitoring Windows DHCP Server Activity

2017-02-06 Thread Jochen Schalanda
Hi Rob,

this sounds like either there is simply no new content in the files you've 
configured nxlog to watch, or that the file pattern is wrong. Try using 
another File pattern in the nxlog im_file input or switch to Filebeat.

Cheers,
Jochen

On Monday, 6 February 2017 23:22:59 UTC+1, Rob Repp wrote:
>
> Okay, I did a packet capture that's showing traffic between the two boxes. 
> There seems to be the Graylog host sending a json of the nxlog.conf config 
> data to the DHCP server once every four seconds or so, and the DHCP server 
> sending back HTTP requests on port 9000. None of the exchanges look like 
> they contain data from the DHCP logs.
>
> On Monday, February 6, 2017 at 10:37:44 AM UTC-6, Jochen Schalanda wrote:
>>
>> Hi Rob,
>>
>> since the configuration doesn't show any obvious errors, please use 
>> Wireshark or a similar tool like tcpdump to check if the log messages from 
>> nxlog are sent to the correct host and if the UDP packets actually arrive 
>> at the Graylog GELF UDP input.
>>
>> Cheers,
>> Jochen
>>
>> On Monday, 6 February 2017 17:08:21 UTC+1, Rob Repp wrote:
>>>
>>> The traffic is not being blocked. There's no firewall on either machine, 
>>> and the network path is unobstructed. Further, the Collector status for 
>>> that Collector is showing green, with Backend "Nxlog: running." It looks 
>>> like it's connected and responsive. It's just that there never seem to be 
>>> any messages on the associated Input.
>>> Tks,
>>> R.
>>>
>>> On Saturday, February 4, 2017 at 3:30:18 AM UTC-6, Jochen Schalanda 
>>> wrote:

 Hi Rob,

 the configuration looks good so far. Make sure that the host 
 "re.da.ct.ed" can be accessed by your Windows machine and that port 
 5441/udp is open and not blocked by a firewall.

 Cheers,
 Jochen

 On Friday, 3 February 2017 23:10:50 UTC+1, Rob Repp wrote:
>
> Okay, in order:
>
> 1. I'm using the OVA VM image from Graylog, so most of the 
> configuration is already done. All I did was add a Connector with one 
> nxlog 
> input and one nxlog output, and then the GELF UDP input that the WinDHCP 
> json created.
>
> The WinDHCP input is configured like this:
>
> WinDHCPLogs-gelf GELF UDP RUNNING
> On node 771f3128 / graylog 
> 
>
>- bind_address: 0.0.0.0
>- decompress_size_limit: 8388608
>- override_source:
>- port: 5441
>- recv_buffer_size: 1048576
>
>
> 2. The nxlog.conf file is:
>
> define ROOT C:\Program Files (x86)\nxlog
>
> 
>   Module xm_gelf
> 
>
> Moduledir %ROOT%\modules
> CacheDir %ROOT%\data
> Pidfile %ROOT%\data\nxlog.pid
> SpoolDir %ROOT%\data
> LogFile %ROOT%\data\nxlog.log
> LogLevel INFO
>
> 
> Module  xm_fileop
> 
> When @daily
> Exec file_cycle('%ROOT%\data\nxlog.log', 7);
>  
> 
>
> 
> Module im_file
> File 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log'
> PollInterval 1
> SavePos True
> ReadFromLast True
> Recursive False
> RenameCheck True
> Exec $FileName = file_name(); # Send file name with each message
> 
>
> 
> Module om_udp
> Host re.da.ct.ed
> Port 5441
> OutputType  GELF
> Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
> Exec $gl2_source_collector = '9960a8cd-7abe-4021-939f-89b22909aa32';
> Exec $Hostname = hostname_fqdn();
> 
>
> 
>   Path 588bc33f682c990374bab049 => 588bc2db682c990374baafe0
> 
>
> 3. collector_sidecar.yml is this:
>
> server_url: http://re.da.ct.ed:9000/api 
> update_interval: 10
> tls_skip_verify: false
> send_status: true
> list_log_files:
> node_id: NS1
> collector_id: file:C:\Program Files\graylog\collector-sidecar\collector-id
> cache_path: C:\Program Files\graylog\collector-sidecar\cache
> log_path: C:\Program Files\graylog\collector-sidecar\logs
> log_rotation_time: 86400
> log_max_age: 604800
> tags: dhcp
> backends:
> - name: nxlog
>   enabled: true
>   binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
>   configuration_path: C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf
> - name: winlogbeat
>   enabled: false
>   binary_path: C:\Program Files\graylog\collector-sidecar\winlogbeat.exe
>   configuration_path: C:\Program Files\graylog\collector-sidecar\generated\winlogbeat.yml
> - name: filebeat
>   enabled: false
>   binary_path: C:\Program Files\graylog\collector-sidecar\filebeat.exe
>   configuration_path: C:\Program 
> Files\graylog\collector-sidecar\generated\f

[graylog2] buglet: broken link http://info.graylog.org/marketplace-requests

2017-02-06 Thread Jason Haar
Hi there

I just did a search on the marketplace for Azure related plugins and found
nothing. There was a link saying

"Sorry, nothing matches your query.

Not found what you are looking for? Let us know what you'd like to see in
the Marketplace!"

But the link goes nowhere

http://info.graylog.org/marketplace-requests

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



[graylog2] Re: Monitoring Windows DHCP Server Activity

2017-02-06 Thread Rob Repp
Okay, I did a packet capture that's showing traffic between the two boxes. 
There seems to be the Graylog host sending a json of the nxlog.conf config 
data to the DHCP server once every four seconds or so, and the DHCP server 
sending back HTTP requests on port 9000. None of the exchanges look like 
they contain data from the DHCP logs.

On Monday, February 6, 2017 at 10:37:44 AM UTC-6, Jochen Schalanda wrote:
>
> Hi Rob,
>
> since the configuration doesn't show any obvious errors, please use 
> Wireshark or a similar tool like tcpdump to check if the log messages from 
> nxlog are sent to the correct host and if the UDP packets actually arrive 
> at the Graylog GELF UDP input.
>
> Cheers,
> Jochen
>
> On Monday, 6 February 2017 17:08:21 UTC+1, Rob Repp wrote:
>>
>> The traffic is not being blocked. There's no firewall on either machine, 
>> and the network path is unobstructed. Further, the Collector status for 
>> that Collector is showing green, with Backend "Nxlog: running." It looks 
>> like it's connected and responsive. It's just that there never seem to be 
>> any messages on the associated Input.
>> Tks,
>> R.
>>
>> On Saturday, February 4, 2017 at 3:30:18 AM UTC-6, Jochen Schalanda wrote:
>>>
>>> Hi Rob,
>>>
>>> the configuration looks good so far. Make sure that the host 
>>> "re.da.ct.ed" can be accessed by your Windows machine and that port 
>>> 5441/udp is open and not blocked by a firewall.
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Friday, 3 February 2017 23:10:50 UTC+1, Rob Repp wrote:

 Okay, in order:

 1. I'm using the OVA VM image from Graylog, so most of the 
 configuration is already done. All I did was add a Connector with one 
 nxlog 
 input and one nxlog output, and then the GELF UDP input that the WinDHCP 
 json created.

 The WinDHCP input is configured like this:

 WinDHCPLogs-gelf GELF UDP RUNNING
 On node 771f3128 / graylog 
 

- bind_address: 0.0.0.0
- decompress_size_limit: 8388608
- override_source:
- port: 5441
- recv_buffer_size: 1048576


 2. The nxlog.conf file is:

 define ROOT C:\Program Files (x86)\nxlog

 
   Module xm_gelf
 

 Moduledir %ROOT%\modules
 CacheDir %ROOT%\data
 Pidfile %ROOT%\data\nxlog.pid
 SpoolDir %ROOT%\data
 LogFile %ROOT%\data\nxlog.log
 LogLevel INFO

 
 Module  xm_fileop
 
 When @daily
 Exec file_cycle('%ROOT%\data\nxlog.log', 7);
  
 

 
 Module im_file
 File 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log'
 PollInterval 1
 SavePos True
 ReadFromLast True
 Recursive False
 RenameCheck True
 Exec $FileName = file_name(); # Send file name with each message
 

 
 Module om_udp
 Host re.da.ct.ed
 Port 5441
 OutputType  GELF
 Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
 Exec $gl2_source_collector = '9960a8cd-7abe-4021-939f-89b22909aa32';
 Exec $Hostname = hostname_fqdn();
 

 
   Path 588bc33f682c990374bab049 => 588bc2db682c990374baafe0
 

 3. collector_sidecar.yml is this:

 server_url: http://re.da.ct.ed:9000/api 
 update_interval: 10
 tls_skip_verify: false
 send_status: true
 list_log_files:
 node_id: NS1
 collector_id: file:C:\Program Files\graylog\collector-sidecar\collector-id
 cache_path: C:\Program Files\graylog\collector-sidecar\cache
 log_path: C:\Program Files\graylog\collector-sidecar\logs
 log_rotation_time: 86400
 log_max_age: 604800
 tags: dhcp
 backends:
 - name: nxlog
   enabled: true
   binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
   configuration_path: C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf
 - name: winlogbeat
   enabled: false
   binary_path: C:\Program Files\graylog\collector-sidecar\winlogbeat.exe
   configuration_path: C:\Program Files\graylog\collector-sidecar\generated\winlogbeat.yml
 - name: filebeat
   enabled: false
   binary_path: C:\Program Files\graylog\collector-sidecar\filebeat.exe
   configuration_path: C:\Program Files\graylog\collector-sidecar\generated\filebeat.yml





 On Friday, February 3, 2017 at 3:21:21 AM UTC-6, Jochen Schalanda wrote:
>
> Hi Rob,
>
> How did you configure Graylog? Which inputs did you create and how did 
> you configure them?
> How did you configure the Graylog Collector Sidecar and what's the 
> generated nxlog configuration?
>
> Cheers,
> Jochen
>
> On Thursday, 2 February 2017 23:30:20 UTC+1, Rob Repp wrote:
>
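Jochen's advice in this thread is to confirm with tcpdump or Wireshark that GELF datagrams from nxlog actually reach the Graylog GELF UDP input on 5441/udp. The following is an added example, not code from the thread, from Graylog or from nxlog: a small Python receiver that binds a UDP port and decodes each datagram the way a GELF UDP input would (plain JSON, zlib- or gzip-compressed), so "nothing arrives at all" can be told apart from "something arrives but is not valid GELF". The function names are my own, the sample DHCP log line used for the offline check is constructed, and since the thread does not say which compression nxlog's om_udp applies, all three forms are accepted.

```python
"""Minimal GELF UDP receiver/decoder for checking what reaches a host (added example)."""
import gzip
import json
import socket
import sys
import zlib

GELF_CHUNK_MAGIC = b"\x1e\x0f"   # first two bytes of a chunked GELF datagram
GZIP_MAGIC = b"\x1f\x8b"
REQUIRED_FIELDS = ("version", "host", "short_message")


def decode_gelf_datagram(data):
    """Decode one GELF UDP datagram: plain JSON, zlib or gzip compressed.

    Chunked GELF (used for payloads larger than one datagram) is reported
    rather than reassembled; single DHCP log lines never need chunking.
    """
    if data.startswith(GELF_CHUNK_MAGIC):
        raise ValueError("chunked GELF datagram: reassemble the chunks first")
    if data.startswith(GZIP_MAGIC):
        payload = gzip.decompress(data)
    elif data[:1] == b"\x78":            # zlib stream header (0x78 0x01 / 0x9c / 0xda)
        payload = zlib.decompress(data)
    else:
        payload = data
    message = json.loads(payload.decode("utf-8"))   # raises ValueError if not JSON
    missing = [f for f in REQUIRED_FIELDS if f not in message]
    if missing:
        raise ValueError(f"not a valid GELF message, missing {missing}")
    return message


def make_gelf_datagram(short_message, host, compression=None, **extra):
    """Build a constructed GELF datagram so the decoder can be exercised offline."""
    body = {"version": "1.1", "host": host, "short_message": short_message}
    body.update({f"_{k}": v for k, v in extra.items()})   # additional fields start with '_'
    raw = json.dumps(body).encode("utf-8")
    if compression == "zlib":
        return zlib.compress(raw)
    if compression == "gzip":
        return gzip.compress(raw)
    return raw


def receive_gelf(port, count=5, timeout=30.0):
    """Bind the port and decode up to `count` datagrams, reporting each one.

    Run this on the Graylog host with the GELF UDP input stopped (two sockets
    cannot both receive on 5441/udp), or point nxlog's om_udp at a spare port.
    """
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        while len(results) < count:
            try:
                data, (src, _) = sock.recvfrom(65535)
            except socket.timeout:
                print(f"no datagrams on {port}/udp within {timeout}s: nothing reaches "
                      "this host; check nxlog.log on the sender and the network path")
                break
            try:
                msg = decode_gelf_datagram(data)
            except (ValueError, zlib.error, EOFError, OSError) as exc:
                # Traffic arrives but the input would reject it: wrong OutputType or sender.
                print(f"{src}: {len(data)} bytes arrived but do not decode as GELF: {exc}")
                continue
            print(f"{src}: host={msg['host']!r} short_message={msg['short_message']!r}")
            results.append(msg)
    return results


if __name__ == "__main__":
    receive_gelf(int(sys.argv[1]) if len(sys.argv) > 1 else 5441)
```

Stop the Graylog GELF UDP input first (or temporarily point om_udp at a spare port), run the script on the Graylog host, and then restart nxlog on the DHCP server: with ReadFromLast True, only lines written after nxlog starts are sent, so wait for new DHCP activity or append a line to the watched file.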

[graylog2] Logging of Graylog-Server to Syslog

2017-02-06 Thread Frank Engler
Hi,

I'm trying to log messages from graylog-server to a syslog listener. But log4j 
included in graylog-server package does not send any message to the listener.

A test with a Socket Appender seems to work fine, nc -klp 9500 127.0.0.1 
outputs a lot of garbage:

But if I test the Syslog Appender, no message arrives at nc -klp 8514 
127.0.0.1. I copied and pasted from 
https://logging.apache.org/log4j/2.x/manual/appenders.html#SyslogAppender to 
avoid typos:


Any clue what is going wrong? Why is only the Socket example working and the 
Syslog test isn't?

Thanks
Frank



[graylog2] help regex message

2017-02-06 Thread Rafael Pereira Silva
Hello, I need help with a Logstash regex.

I need to build a regex to capture this line:

[13:24:20.118] [ERROR] [qtp1817789863-23] [c.c.c.v.h.ControllerExceptionHandler] : Uncaught Exception: {}

I tried using:

^\[(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])]\s+(\[%{WORD:loglevel}\])

However, I only captured [13:24:20.118] [ERROR]; please help me capture the 
entire line.



Thanks

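The pattern in the question stops after `[ERROR]` because nothing in it matches the rest of the line; the fragment before `%{HOUR}` looks like grok's own TIME definition expanded. The following is an added example, not code from the thread or from Logstash: a Python regex with named groups that captures the whole line, with the equivalent grok expression (using the standard grok pattern names TIME, LOGLEVEL, NOTSPACE and GREEDYDATA) given as a comment. The field names time, loglevel, thread, logger and msg are my choice, and the sample lines are constructed. It also goes one step beyond the question: lines that do not start with a timestamp (a stack trace after "Uncaught Exception") are folded into the preceding event instead of being lost.

```python
"""Regex that captures a whole '[time] [level] [thread] [logger] : msg' line (added example)."""
import re

# Grok equivalent of LOG_LINE below, for a Logstash grok filter:
#   ^\[%{TIME:time}\] \[%{LOGLEVEL:loglevel}\] \[%{NOTSPACE:thread}\] \[%{NOTSPACE:logger}\] : %{GREEDYDATA:msg}
LOG_LINE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\]\s+"   # [13:24:20.118]
    r"\[(?P<loglevel>[A-Z]+)\]\s+"                      # [ERROR]
    r"\[(?P<thread>[^\]]+)\]\s+"                        # [qtp1817789863-23]
    r"\[(?P<logger>[^\]]+)\]\s*:\s*"                    # [c.c.c.v.h.ControllerExceptionHandler] :
    r"(?P<msg>.*)$"                                     # everything up to the end of the line
)

# Constructed input: the line from the question, a stack trace following it, and one more event.
SAMPLE_LINES = [
    "[13:24:20.118] [ERROR] [qtp1817789863-23] [c.c.c.v.h.ControllerExceptionHandler] : Uncaught Exception: {}",
    "java.lang.NullPointerException: null",
    "\tat com.example.Handler.handle(Handler.java:42)",
    "[13:24:21.002] [INFO] [main] [c.c.c.Application] : Started Application in 4.2 seconds",
]


def parse_line(line):
    """Return the captured fields of one line, or None if it is not an event header."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def parse_lines(lines):
    """Group lines into events.

    A line that does not match the header pattern is a continuation (for example
    a stack-trace line) and is appended to the previous event's msg, so the whole
    exception stays in one event. A continuation before any header is dropped.
    """
    events = []
    for line in lines:
        fields = parse_line(line)
        if fields is not None:
            events.append(fields)
        elif events:
            events[-1]["msg"] += "\n" + line
    return events


if __name__ == "__main__":
    for event in parse_lines(SAMPLE_LINES):
        print(event)
```

In Logstash the continuation handling corresponds to a multiline codec on the input rather than to the grok pattern itself; the grok line in the comment only covers a single header line.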


[graylog2] Re: SysLog-udp traffic ignored from tomcat

2017-02-06 Thread alaa barqawi
Hi Jochen
The issue was the timezone on the Graylog server; after syncing it with all 
production servers, the issue got fixed.
Regards



[graylog2] Azure Metrics alerts to Graylog

2017-02-06 Thread Pablo Daniel Estigarribia Davyt
Hello, 

Has anyone used https://docs.microsoft.com/en-us/azure/monitoring to send data 
in an HTTP POST message to Graylog?

As far as I have seen, there is no standard HTTP POST input in Graylog, only GELF? 
Or could using a TCP port be possible? (I will try this with an extractor 
configuration.)

One other possibility I have seen is to configure logstash http-input 
https://www.elastic.co/blog/introducing-logstash-input-http-plugin then use 
RabbitMQ to send data to Graylog? 

Any other possibility? 

Kind regards,
Pablo. 



[graylog2] Re: Monitoring Windows DHCP Server Activity

2017-02-06 Thread Jochen Schalanda
Hi Rob,

since the configuration doesn't show any obvious errors, please use 
Wireshark or a similar tool like tcpdump to check if the log messages from 
nxlog are sent to the correct host and if the UDP packets actually arrive 
at the Graylog GELF UDP input.

Cheers,
Jochen

On Monday, 6 February 2017 17:08:21 UTC+1, Rob Repp wrote:
>
> The traffic is not being blocked. There's no firewall on either machine, 
> and the network path is unobstructed. Further, the Collector status for 
> that Collector is showing green, with Backend "Nxlog: running." It looks 
> like it's connected and responsive. It's just that there never seem to be 
> any messages on the associated Input.
> Tks,
> R.
>
> On Saturday, February 4, 2017 at 3:30:18 AM UTC-6, Jochen Schalanda wrote:
>>
>> Hi Rob,
>>
>> the configuration looks good so far. Make sure that the host 
>> "re.da.ct.ed" can be accessed by your Windows machine and that port 
>> 5441/udp is open and not blocked by a firewall.
>>
>> Cheers,
>> Jochen
>>
>> On Friday, 3 February 2017 23:10:50 UTC+1, Rob Repp wrote:
>>>
>>> Okay, in order:
>>>
>>> 1. I'm using the OVA VM image from Graylog, so most of the configuration 
>>> is already done. All I did was add a Connector with one nxlog input and one 
>>> nxlog output, and then the GELF UDP input that the WinDHCP json created.
>>>
>>> The WinDHCP input is configured like this:
>>>
>>> WinDHCPLogs-gelf GELF UDP RUNNING
>>> On node 771f3128 / graylog 
>>> 
>>>
>>>- bind_address: 0.0.0.0
>>>- decompress_size_limit: 8388608
>>>- override_source:
>>>- port: 5441
>>>- recv_buffer_size: 1048576
>>>
>>>
>>> 2. The nxlog.conf file is:
>>>
>>> define ROOT C:\Program Files (x86)\nxlog
>>>
>>> 
>>>   Module xm_gelf
>>> 
>>>
>>> Moduledir %ROOT%\modules
>>> CacheDir %ROOT%\data
>>> Pidfile %ROOT%\data\nxlog.pid
>>> SpoolDir %ROOT%\data
>>> LogFile %ROOT%\data\nxlog.log
>>> LogLevel INFO
>>>
>>> 
>>> Module  xm_fileop
>>> 
>>> When @daily
>>> Exec file_cycle('%ROOT%\data\nxlog.log', 7);
>>>  
>>> 
>>>
>>> 
>>> Module im_file
>>> File 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log'
>>> PollInterval 1
>>> SavePos True
>>> ReadFromLast True
>>> Recursive False
>>> RenameCheck True
>>> Exec $FileName = file_name(); # Send file name with each message
>>> 
>>>
>>> 
>>> Module om_udp
>>> Host re.da.ct.ed
>>> Port 5441
>>> OutputType  GELF
>>> Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
>>> Exec $gl2_source_collector = '9960a8cd-7abe-4021-939f-89b22909aa32';
>>> Exec $Hostname = hostname_fqdn();
>>> 
>>>
>>> 
>>>   Path 588bc33f682c990374bab049 => 588bc2db682c990374baafe0
>>> 
>>>
>>> 3. collector_sidecar.yml is this:
>>>
>>> server_url: http://re.da.ct.ed:9000/api 
>>> update_interval: 10
>>> tls_skip_verify: false
>>> send_status: true
>>> list_log_files:
>>> node_id: NS1
>>> collector_id: file:C:\Program Files\graylog\collector-sidecar\collector-id
>>> cache_path: C:\Program Files\graylog\collector-sidecar\cache
>>> log_path: C:\Program Files\graylog\collector-sidecar\logs
>>> log_rotation_time: 86400
>>> log_max_age: 604800
>>> tags: dhcp
>>> backends:
>>> - name: nxlog
>>>   enabled: true
>>>   binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
>>>   configuration_path: C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf
>>> - name: winlogbeat
>>>   enabled: false
>>>   binary_path: C:\Program Files\graylog\collector-sidecar\winlogbeat.exe
>>>   configuration_path: C:\Program Files\graylog\collector-sidecar\generated\winlogbeat.yml
>>> - name: filebeat
>>>   enabled: false
>>>   binary_path: C:\Program Files\graylog\collector-sidecar\filebeat.exe
>>>   configuration_path: C:\Program Files\graylog\collector-sidecar\generated\filebeat.yml
>>>
>>>
>>>
>>>
>>>
>>> On Friday, February 3, 2017 at 3:21:21 AM UTC-6, Jochen Schalanda wrote:

 Hi Rob,

 How did you configure Graylog? Which inputs did you create and how did 
 you configure them?
 How did you configure the Graylog Collector Sidecar and what's the 
 generated nxlog configuration?

 Cheers,
 Jochen

 On Thursday, 2 February 2017 23:30:20 UTC+1, Rob Repp wrote:
>
> I set up a Graylog 2.1.2 server by deploying the downloadable OVA from 
> graylog.org. I'm trying to monitor a Windows 2008 R2 server with the 
> DHCP role installed. The DHCP server deposits activity data into log 
> files 
> at C:\Windows\System32\dhcp\DhcpSrvLog-*.log. I have collector-sidecar 
> and 
> nxlog installed on the Windows machine, and configured to send the log 
> data 
> back to a collector input on the Graylog server.
>
> My configuration is based on the WindowsDHCP content pack available in 
> the Graylog marketplace. I

[graylog2] Re: Monitoring Windows DHCP Server Activity

2017-02-06 Thread Rob Repp
The traffic is not being blocked. There's no firewall on either machine, 
and the network path is unobstructed. Further, the Collector status for 
that Collector is showing green, with Backend "Nxlog: running." It looks 
like it's connected and responsive. It's just that there never seem to be 
any messages on the associated Input.
Tks,
R.

On Saturday, February 4, 2017 at 3:30:18 AM UTC-6, Jochen Schalanda wrote:
>
> Hi Rob,
>
> the configuration looks good so far. Make sure that the host "re.da.ct.ed" 
> can be accessed by your Windows machine and that port 5441/udp is open and 
> not blocked by a firewall.
>
> Cheers,
> Jochen
>
> On Friday, 3 February 2017 23:10:50 UTC+1, Rob Repp wrote:
>>
>> Okay, in order:
>>
>> 1. I'm using the OVA VM image from Graylog, so most of the configuration 
>> is already done. All I did was add a Connector with one nxlog input and one 
>> nxlog output, and then the GELF UDP input that the WinDHCP json created.
>>
>> The WinDHCP input is configured like this:
>>
>> WinDHCPLogs-gelf GELF UDP RUNNING
>> On node 771f3128 / graylog 
>> 
>>
>>- bind_address: 0.0.0.0
>>- decompress_size_limit: 8388608
>>- override_source:
>>- port: 5441
>>- recv_buffer_size: 1048576
>>
>>
>> 2. The nxlog.conf file is:
>>
>> define ROOT C:\Program Files (x86)\nxlog
>>
>> 
>>   Module xm_gelf
>> 
>>
>> Moduledir %ROOT%\modules
>> CacheDir %ROOT%\data
>> Pidfile %ROOT%\data\nxlog.pid
>> SpoolDir %ROOT%\data
>> LogFile %ROOT%\data\nxlog.log
>> LogLevel INFO
>>
>> 
>> Module  xm_fileop
>> 
>> When @daily
>> Exec file_cycle('%ROOT%\data\nxlog.log', 7);
>>  
>> 
>>
>> 
>> Module im_file
>> File 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log'
>> PollInterval 1
>> SavePos True
>> ReadFromLast True
>> Recursive False
>> RenameCheck True
>> Exec $FileName = file_name(); # Send file name with each message
>> 
>>
>> 
>> Module om_udp
>> Host re.da.ct.ed
>> Port 5441
>> OutputType  GELF
>> Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
>> Exec $gl2_source_collector = '9960a8cd-7abe-4021-939f-89b22909aa32';
>> Exec $Hostname = hostname_fqdn();
>> 
>>
>> 
>>   Path 588bc33f682c990374bab049 => 588bc2db682c990374baafe0
>> 
>>
>> 3. collector_sidecar.yml is this:
>>
>> server_url: http://re.da.ct.ed:9000/api 
>> update_interval: 10
>> tls_skip_verify: false
>> send_status: true
>> list_log_files:
>> node_id: NS1
>> collector_id: file:C:\Program Files\graylog\collector-sidecar\collector-id
>> cache_path: C:\Program Files\graylog\collector-sidecar\cache
>> log_path: C:\Program Files\graylog\collector-sidecar\logs
>> log_rotation_time: 86400
>> log_max_age: 604800
>> tags: dhcp
>> backends:
>> - name: nxlog
>>   enabled: true
>>   binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
>>   configuration_path: C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf
>> - name: winlogbeat
>>   enabled: false
>>   binary_path: C:\Program Files\graylog\collector-sidecar\winlogbeat.exe
>>   configuration_path: C:\Program Files\graylog\collector-sidecar\generated\winlogbeat.yml
>> - name: filebeat
>>   enabled: false
>>   binary_path: C:\Program Files\graylog\collector-sidecar\filebeat.exe
>>   configuration_path: C:\Program Files\graylog\collector-sidecar\generated\filebeat.yml
>>
>>
>>
>>
>>
>> On Friday, February 3, 2017 at 3:21:21 AM UTC-6, Jochen Schalanda wrote:
>>>
>>> Hi Rob,
>>>
>>> How did you configure Graylog? Which inputs did you create and how did 
>>> you configure them?
>>> How did you configure the Graylog Collector Sidecar and what's the 
>>> generated nxlog configuration?
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Thursday, 2 February 2017 23:30:20 UTC+1, Rob Repp wrote:

 I set up a Graylog 2.1.2 server by deploying the downloadable OVA from 
 graylog.org. I'm trying to monitor a Windows 2008 R2 server with the 
 DHCP role installed. The DHCP server deposits activity data into log files 
 at C:\Windows\System32\dhcp\DhcpSrvLog-*.log. I have collector-sidecar and 
 nxlog installed on the Windows machine, and configured to send the log 
 data 
 back to a collector input on the Graylog server.

 My configuration is based on the WindowsDHCP content pack available in 
 the Graylog marketplace. I imported the content pack json, 
 configured collector-sidecar on Windows and the Graylog collector starting 
 from the sample code at https://github.com/JulioQc/WinDHCP. 
 Unfortunately, when I do "show messages" for the collector, there's 
 nothing 
 coming in.

 Has anyone had any success with this configuration? If not, is there a 
 better method for monitoring Windows DHCP activity with Graylog? Thanks!

>>>


[graylog2] Re: Graylog server always collect expired logs, these logs are generated long before , and now the switch has no such logs.

2017-02-06 Thread Jochen Schalanda
Hi,

On Monday, 6 February 2017 12:16:12 UTC+1, ql.w...@163.com wrote:
>
> I have stopped the input, so Graylog should not receive any logs, BUT the 
> abnormal messages are still received as before. 
>

Please verify with Wireshark or tcpdump, that these messages are indeed 
being received by Graylog or if they simply have a timestamp "in the 
future" so that they only show up now in a search query (try using an 
absolute search with its end some hours in the future).


Cheers,
Jochen



Re: [graylog2] Re: OutOfMemoryError for Beats plugin

2017-02-06 Thread Jochen Schalanda
Hi Richard,

depending on the number and size of messages, 512 MiB of heap memory might 
be too little for Graylog 2.1.x.

Please assign at least 1 GiB of heap memory using the -Xms and -Xmx JVM 
parameters.

On a side note, the OutOfMemoryError occurring in the code of the Beats 
plugin doesn't necessarily imply a problem there, but it was simply the 
place where the JVM memory was exhausted already.

Cheers,
Jochen

On Monday, 6 February 2017 12:32:36 UTC+1, Richard S. Westmoreland wrote:
>
> 2.1, it is the Beats Input that came with that version of GL, 2G ram 1 
> core, 512mb assigned to heap.
>



Re: [graylog2] Re: OutOfMemoryError for Beats plugin

2017-02-06 Thread Richard S. Westmoreland
2.1, it is the Beats Input that came with that version of GL, 2G ram 1 core, 
512mb assigned to heap.


> On Feb 6, 2017, at 5:35 PM, Jochen Schalanda wrote:
> 
> Hi Richard,
> 
> Which version of the Graylog Beats plugin are you using?
> Which version of Graylog are you using?
> What are the hardware specs of the machine(s) running Graylog?
> 
> Cheers,
> Jochen
> 
>> On Monday, 6 February 2017 09:03:09 UTC+1, Richard S. Westmoreland wrote:
>> I'm getting this error in my server.log:
>> 
>> 2017-02-06T07:55:17.016Z ERROR [NettyTransport] Error in Input [Beats/58785c6a57fe51420e73e1ea] (channel [id: 0x8183ee45, /127.0.0.1:52554 :> /127.0.0.1:5051])
>> java.lang.OutOfMemoryError: Java heap space
>> at org.graylog.plugins.beats.BeatsFrameDecoder.processCompressedFrame(BeatsFrameDecoder.java:201) ~[?:?]
>> at org.graylog.plugins.beats.BeatsFrameDecoder.decode(BeatsFrameDecoder.java:120) ~[?:?]
>> at org.graylog.plugins.beats.BeatsFrameDecoder.decode(BeatsFrameDecoder.java:49) ~[?:?]
>> at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:500) ~[graylog.jar:?]
>> at org.jboss.netty.handler.codec.replay.ReplayingDecoder.cleanup(ReplayingDecoder.java:554) ~[graylog.jar:?]
>> at org.jboss.netty.handler.codec.frame.FrameDecoder.channelDisconnected(FrameDecoder.java:365) ~[graylog.jar:?]
>> at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:102) ~[graylog.jar:?]
>> at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) ~[graylog.jar:?]
>> at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) ~[graylog.jar:?]
>> ...etc...
>> 
>> The thing is, my heap is fine when this happens.  I can watch it on the 
>> Nodes page, and with a min and slightly higher max set, I never see it grow 
>> beyond the original min.  Why would this happen?
>> 
>> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Graylog Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to graylog2+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/graylog2/d3e8440d-5ec0-4ea6-b937-589856664a57%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



[graylog2] Re: json array parsing issue with logstash

2017-02-06 Thread Jochen Schalanda
Hi Akshay,

I'd recommend starting over with a blank "filter" section in your Logstash 
configuration and building it up from working blocks. For example, your "gsub" 
filter just looks strange.

For further questions about Logstash, please post to 
https://discuss.elastic.co/c/logstash.

Cheers,
Jochen

On Monday, 6 February 2017 11:48:36 UTC+1, Akshay Agarwal wrote:
>
> Hi Jochen,
>
> I had gone through the link that you have provided.
>
> Previously, I have tried the configuration mentioned in that link.
>
> But in that as well I was getting the same issue.
>
>
> On Monday, February 6, 2017 at 3:08:27 PM UTC+5:30, Jochen Schalanda wrote:
>>
>> Hi Akshay,
>>
>> you can use the Logstash split filter to split your message into 
>> individual events by splitting by the "data" field.
>>
>> See 
>> https://www.elastic.co/guide/en/logstash/current/plugins-filters-split.html 
>> for details.
>>
>> If you need more help with Logstash, please post to 
>> https://discuss.elastic.co/c/logstash
>>
>> Cheers,
>> Jochen
>>
>> On Monday, 6 February 2017 07:27:45 UTC+1, Akshay Agarwal wrote:
>>>
>>> Hi All,
>>>
>>> Want to implement service request trace using http plugin of logstash in 
>>> JSON Array format.
>>>
>>> Getting the following error when trying to parse the JSON array:
>>>
>>> error: 
>>>
>>> :message=>"gsub mutation is only applicable for Strings, skipping", 
>>> :field=>"message", :value=>nil, :level=>:debug, 
>>> :file=>"logstash/filters/mutate.rb", :line=>"322", :method=>"gsub"}
>>> :message=>"Exception in filterworker", 
>>> "exception"=>#>> are splittable. field:message is of type = NilClass>
>>>
>>>
>>>
>>> My json array is :
>>>
>>> {
>>> "data": [
>>> {
>>> "appName": "DemoApp",
>>> "appVersion": "1.1",
>>> "deviceId": "1234567",
>>> "deviceName": "moto e",
>>> "deviceOSVersion": "5.1",
>>> "packageName": "com.tcs.DemoApp",
>>> "message": "testing null pointer exception",
>>> "errorLog": "null pointer exception"
>>> },
>>> {
>>> "appName": "DemoApp",
>>> "appVersion": "1.1",
>>> "deviceId": "1234567",
>>> "deviceName": "moto e",
>>> "deviceOSVersion": "5.1",
>>> "packageName": "com.tcs.DemoApp",
>>> "message": "testing illegal state exception",
>>> "errorLog": "illegal state exception"
>>> }
>>> ]
>>> }
>>>
>>>
>>>
>>>
>>> my logstash config is :
>>>
>>> input {
>>> http {
>>> codec => "json"
>>> }
>>> }
>>> filter{
>>> json {
>>>   source => "message"
>>>  }
>>>mutate { gsub => [ "message", "},\r\n\r\n{", "}shr{" ] }
>>> split {
>>>   terminator => "shr"
>>>}
>>> }
>>> }
>>>
>>>
>>> output {
>>>  stdout { codec => "json" }
>>> gelf{
>>> host => localhost
>>> facility => "%{type}"
>>> level =>["%{SeverityLevel}", "INFO"]
>>> codec => "json"
>>> }
>>>file{
>>> path => "/chroot/result.log"
>>> }
>>> }
>>>
>>>
>>>
>>> Any help would be appreciated.
>>>
>>>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/15c8c50b-b781-4a0b-b07b-4d710a4064df%40googlegroups.com.


[graylog2] Re: Graylog server always collect expired logs, these logs are generated long before , and now the switch has no such logs.

2017-02-06 Thread ql . wayne
Hi,
 
I have stopped the input, so Graylog should not receive any logs, BUT the 
abnormal messages can still be received as before. 

On Monday, 6 February 2017 18:40:50 UTC+8, Jochen Schalanda wrote:
>
> Hi,
>
> are you sure that these messages are ingested right now and don't simply 
> have a timestamp "in the future" (e. g. because of timezone issues) and 
> have been ingested some hours ago?
>
> Cheers,
> Jochen
>
> On Monday, 6 February 2017 11:17:19 UTC+1, ql.w...@163.com wrote:
>>
>> Hi,
>> These messages show "received by deleted input on 0de4fb00 / Unknown", as 
>> shown in the figure:
>>
>>
>> 
>>
>> But the normal messages show "received by netsyslog on 0de4fb00 / 
>> Unknown", as shown in the figure:
>>
>>
>> 
>>
>>
>> On Monday, 6 February 2017 17:11:55 UTC+8, Jochen Schalanda wrote:
>>>
>>> Hi,
>>>
>>> when you click on one of these messages, you can see on which input they 
>>> were received next to the "Received by" field.
>>>
>>> Once you have identified the input, you can use tools like Wireshark, 
>>> tcpdump, or simply lsof to identify where these messages come from.
>>>
>>> Cheers,
>>> Jochen
>>>
>>>
>>> On Monday, 6 February 2017 04:06:00 UTC+1, ql.w...@163.com wrote:

 Hi,

 I deleted the command that sends logs to the Graylog server on the switch, 
 but Graylog can still receive the logs of this switch as before. I don't know 
 where those logs received by the Graylog server come from.  
 
 
  
 
 
 The switch does not send logs to Graylog, but Graylog can receive the 
 logs of this switch as before, as shown in the figure. 



 On Saturday, 4 February 2017 18:07:06 UTC+8, Jochen Schalanda wrote:
>
> Hi,
>
> please elaborate on your problem. I'm not sure what you're trying to 
> say.
>
> What did you expect to happen or retrieve? What did actually happen?
> As far as I see, the timestamps of the log messages are correct.
>
> Cheers,
> Jochen
>
> On Saturday, 4 February 2017 10:48:25 UTC+1, ql.w...@163.com wrote:
>>
>> My Graylog server always collects expired logs; these logs were 
>> generated long ago, and now the switch has no such logs.
>> [image: image] 
>> 
>>
>> The current log's source is 2017. The log whose source is 
>> G1-K115-ACC-SW-48 is very old, but the server is collecting it now.
>>
>> This problem has troubled me for weeks. How to solve this problem?
>>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/e840d133-4d6c-4dfd-adbc-aa90eb2dd6ba%40googlegroups.com.


[graylog2] Re: json array parsing issue with logstash

2017-02-06 Thread Akshay Agarwal
Hi Jochen,

I had gone through the link that you have provided.

Previously, I have tried the configuration mentioned in that link.

But in that as well I was getting the same issue.


On Monday, February 6, 2017 at 3:08:27 PM UTC+5:30, Jochen Schalanda wrote:
>
> Hi Akshay,
>
> you can use the Logstash split filter to split your message into 
> individual events by splitting by the "data" field.
>
> See 
> https://www.elastic.co/guide/en/logstash/current/plugins-filters-split.html 
> for details.
>
> If you need more help with Logstash, please post to 
> https://discuss.elastic.co/c/logstash
>
> Cheers,
> Jochen
>
> On Monday, 6 February 2017 07:27:45 UTC+1, Akshay Agarwal wrote:
>>
>> Hi All,
>>
>> I want to implement a service request trace using the http plugin of Logstash in 
>> JSON array format.
>>
>> Getting the following error when trying to parse the JSON array:
>>
>> error: 
>>
>> :message=>"gsub mutation is only applicable for Strings, skipping", 
>> :field=>"message", :value=>nil, :level=>:debug, 
>> :file=>"logstash/filters/mutate.rb", :line=>"322", :method=>"gsub"}
>> :message=>"Exception in filterworker", 
>> "exception"=>#> are splittable. field:message is of type = NilClass>
>>
>>
>>
>> My json array is :
>>
>> {
>> "data": [
>> {
>> "appName": "DemoApp",
>> "appVersion": "1.1",
>> "deviceId": "1234567",
>> "deviceName": "moto e",
>> "deviceOSVersion": "5.1",
>> "packageName": "com.tcs.DemoApp",
>> "message": "testing null pointer exception",
>> "errorLog": "null pointer exception"
>> },
>> {
>> "appName": "DemoApp",
>> "appVersion": "1.1",
>> "deviceId": "1234567",
>> "deviceName": "moto e",
>> "deviceOSVersion": "5.1",
>> "packageName": "com.tcs.DemoApp",
>> "message": "testing illegal state exception",
>> "errorLog": "illegal state exception"
>> }
>> ]
>> }
>>
>>
>>
>>
>> my logstash config is :
>>
>> input {
>> http {
>> codec => "json"
>> }
>> }
>> filter{
>> json {
>>   source => "message"
>>  }
>>mutate { gsub => [ "message", "},\r\n\r\n{", "}shr{" ] }
>> split {
>>   terminator => "shr"
>>}
>> }
>> }
>>
>>
>> output {
>>  stdout { codec => "json" }
>> gelf{
>> host => localhost
>> facility => "%{type}"
>> level =>["%{SeverityLevel}", "INFO"]
>> codec => "json"
>> }
>>file{
>> path => "/chroot/result.log"
>> }
>> }
>>
>>
>>
>> Any help would be appreciated.
>>
>>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/60c286d8-2fbd-4c38-8d39-3beed83291bf%40googlegroups.com.


[graylog2] Re: Graylog server always collect expired logs, these logs are generated long before , and now the switch has no such logs.

2017-02-06 Thread Jochen Schalanda
Hi,

are you sure that these messages are ingested right now and don't simply 
have a timestamp "in the future" (e. g. because of timezone issues) and 
have been ingested some hours ago?

Cheers,
Jochen

On Monday, 6 February 2017 11:17:19 UTC+1, ql.w...@163.com wrote:
>
> Hi,
> These messages show "received by deleted input on 0de4fb00 / Unknown", as 
> shown in the figure:
>
>
> 
>
> But the normal messages show "received by netsyslog on 0de4fb00 / 
> Unknown", as shown in the figure:
>
>
> 
>
>
> On Monday, 6 February 2017 17:11:55 UTC+8, Jochen Schalanda wrote:
>>
>> Hi,
>>
>> when you click on one of these messages, you can see on which input they 
>> were received next to the "Received by" field.
>>
>> Once you have identified the input, you can use tools like Wireshark, 
>> tcpdump, or simply lsof to identify where these messages come from.
>>
>> Cheers,
>> Jochen
>>
>>
>> On Monday, 6 February 2017 04:06:00 UTC+1, ql.w...@163.com wrote:
>>>
>>> Hi,
>>>
>>> I deleted the command that sends logs to the Graylog server on the switch, 
>>> but Graylog can still receive the logs of this switch as before. I don't know 
>>> where those logs received by the Graylog server come from.  
>>>
>>>
>>> 
>>>
>>>
>>> The switch does not send logs to Graylog, but Graylog can receive the 
>>> logs of this switch as before, as shown in the figure. 
>>>
>>>
>>>
>>> On Saturday, 4 February 2017 18:07:06 UTC+8, Jochen Schalanda wrote:

 Hi,

 please elaborate on your problem. I'm not sure what you're trying to 
 say.

 What did you expect to happen or retrieve? What did actually happen?
 As far as I see, the timestamps of the log messages are correct.

 Cheers,
 Jochen

 On Saturday, 4 February 2017 10:48:25 UTC+1, ql.w...@163.com wrote:
>
> My Graylog server always collects expired logs; these logs were 
> generated long ago, and now the switch has no such logs.
> [image: image] 
> 
>
> The current log's source is 2017. The log whose source is 
> G1-K115-ACC-SW-48 is very old, but the server is collecting it now.
>
> This problem has troubled me for weeks. How to solve this problem?
>


To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/93a66e9b-0d7a-4290-8883-7b945b660925%40googlegroups.com.


[graylog2] Re: Graylog server always collect expired logs, these logs are generated long before , and now the switch has no such logs.

2017-02-06 Thread ql . wayne
Hi,
These messages show "received by deleted input on 0de4fb00 / Unknown", as 
shown in the figure:



But the normal messages show "received by netsyslog on 0de4fb00 / 
Unknown", as shown in the figure:




On Monday, 6 February 2017 17:11:55 UTC+8, Jochen Schalanda wrote:
>
> Hi,
>
> when you click on one of these messages, you can see on which input they 
> were received next to the "Received by" field.
>
> Once you have identified the input, you can use tools like Wireshark, 
> tcpdump, or simply lsof to identify where these messages come from.
>
> Cheers,
> Jochen
>
>
> On Monday, 6 February 2017 04:06:00 UTC+1, ql.w...@163.com wrote:
>>
>> Hi,
>>
>> I deleted the command that sends logs to the Graylog server on the switch, 
>> but Graylog can still receive the logs of this switch as before. I don't know 
>> where those logs received by the Graylog server come from.  
>>
>>
>> 
>>
>>
>> The switch does not send logs to Graylog, but Graylog can receive the 
>> logs of this switch as before, as shown in the figure. 
>>
>>
>>
>> On Saturday, 4 February 2017 18:07:06 UTC+8, Jochen Schalanda wrote:
>>>
>>> Hi,
>>>
>>> please elaborate on your problem. I'm not sure what you're trying to say.
>>>
>>> What did you expect to happen or retrieve? What did actually happen?
>>> As far as I see, the timestamps of the log messages are correct.
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Saturday, 4 February 2017 10:48:25 UTC+1, ql.w...@163.com wrote:

 My Graylog server always collects expired logs; these logs were generated 
 long ago, and now the switch has no such logs.
 [image: image] 
 

 The current log's source is 2017. The log whose source is 
 G1-K115-ACC-SW-48 is very old, but the server is collecting it now.

 This problem has troubled me for weeks. How to solve this problem?

>>>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/4f350e28-c425-48e0-ab78-5d14ed81ddaa%40googlegroups.com.


[graylog2] Re: Problem Graylog upgrade from 2.1.2 to 2.1.3 - API

2017-02-06 Thread Jochen Schalanda
Hi Yiannis,

please make sure to clear your browser cache.

On Monday, 6 February 2017 11:00:17 UTC+1, Yiannis wrote:
>
> Where can I find a list of compatible plugins with Graylog 2.1.3?
>

To be quite frank, there is none. You'll have to check that for every 
plugin yourself (and maybe share your findings).

Plugins distributed with Graylog itself, such as the Beats plugin or the 
Map widget plugin, are of course compatible with the Graylog version 
they've been distributed with.

Cheers,
Jochen 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/5d75931e-7e4d-49ff-a781-f79c2c73ed90%40googlegroups.com.


[graylog2] Re: Problem Graylog upgrade from 2.1.2 to 2.1.3 - API

2017-02-06 Thread Yiannis
Hi all
having the same problem with the following list of plugins

graylog-plugin-beats-1.1.5.jar
graylog-plugin-collector-1.1.3.jar
graylog-plugin-enterprise-integration-1.1.3.jar
graylog-plugin-map-widget-1.1.3.jar
graylog-plugin-pipeline-processor-1.1.3.jar
usage-statistics-2.1.3.jar

Where can I find a list of compatible plugins with Graylog 2.1.3?

Regards
Yiannis


On Friday, February 3, 2017 at 8:47:14 PM UTC+2, CESAR Fabre wrote:
>
> Hummm,
>
>
> Maybe, that's the problem!
>
>
> Thank you Jochen.
>
>
>
>
> On Friday, February 3, 2017 at 4:18:55 PM UTC-2, Jochen Schalanda wrote:
>>
>> Hi César,
>>
>> make sure to use only plugins in a compatible version.
>>
>> For example the Threat Intelligence Plugin for Graylog is currently not 
>> compatible with Graylog 2.1.3.
>>
>> Cheers,
>> Jochen
>>
>> On Friday, 3 February 2017 18:08:43 UTC+1, CESAR Fabre wrote:
>>>
>>> Hi,
>>>
>>> I'm trying the upgrade from 2.1.2 to 2.1.3 on CentOS 7 but I had some 
>>> problems. Below is the popup that appears frequently after the upgrade.
>>>
>>> Server currently unavailable
>>> We are experiencing problems connecting to the Graylog server running on 
>>> http://192.168.10.5:9000/api. Please verify that the server is healthy 
>>> and working correctly.
>>>
>>>
>>> PS: Graylog 2.1.2 is working very well. 
>>>
>>> My scenario is this:
>>>
>>> graylog-server-2.1.2-1.noarch
>>>
>>> elasticsearch-2.4.4-1.noarch
>>>
>>> mongodb-org-server-3.2.11-1.el7.x86_64
>>>
>>>
>>> I have some plugins as well:
>>>
>>> graylog-plugin-beats-1.1.3.jar
>>>
>>> graylog-plugin-collector-1.1.2.jar
>>>
>>> graylog-plugin-enterprise-integration-1.1.2.jar
>>>
>>> graylog-plugin-input-cef-1.1.1.jar
>>>
>>> graylog-plugin-map-widget-1.1.2.jar
>>>
>>> graylog-plugin-pipeline-processor-1.1.2.jar
>>>
>>> graylog-plugin-threatintel-0.9.0.jar
>>>
>>> usage-statistics-2.1.2.jar
>>>
>>>
>>> Can you help me?
>>>
>>>
>>> Thank you so much!!!
>>>
>>> César
>>>
>>>
>>>
>>>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/4051f367-6245-4491-9881-7a7b344c0154%40googlegroups.com.


[graylog2] Re: Nodes with too long GC pauses

2017-02-06 Thread Jochen Schalanda
Hi Nitzan,

you've configured a very high number of processbuffer_processors and 
outputbuffer_processors in your Graylog configuration, which is usually 
counterproductive.

Please revert to the default values and only increase these values very 
conservatively.

Cheers,
Jochen

On Sunday, 5 February 2017 07:55:25 UTC+1, Nitzan Haimovich wrote:
>
> Hi Jochen,
>
> Thanks for your help. I attached one file of the configuration - The 
> configuration is the same in all 3 Graylog machines in our cluster (except 
> is_master parameter and the IP parameter).
> I also attached one file of the logs, again - same logs are all around the 
> cluster (except the master periodical duties).
>
> Our cluster:
> 3 Amazon instances, each one sized as m4.2xlarge - 8 cores and 32GB mem. 
> With Disks of 2.5TB.
>
> Let me know if you need anything else!
>
> Nitzan
>
> On Thursday, February 2, 2017 at 6:38:57 PM UTC+2, Jochen Schalanda wrote:
>>
>> Hi Nitzan,
>>
>> please post the configuration and logs of all Graylog nodes and a 
>> description of your hardware.
>>
>> Cheers,
>> Jochen
>>
>> On Thursday, 2 February 2017 17:18:12 UTC+1, Nitzan Haimovich wrote:
>>>
>>> Hi all,
>>>
>>> I'm getting this message (*Nodes with too long GC pauses*) on my 
>>> Graylog cluster. I saw many people were posting about it but not a single 
>>> thread with solutions for how to solve/fix/approach it.
>>> I would be glad for any help.
>>>
>>> My cluster - 3 Graylog instances, each one with 8 cores and 16GB memory 
>>> (heap size is configured to be : Xms - 1GB , Xmx - 8GB).
>>> If you need any more details please let me know.
>>>
>>> Thanks!!
>>>
>>> Nitzan
>>>
>>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/276bc8b7-10be-4388-9a5b-c2ae2cef7f99%40googlegroups.com.


[graylog2] Re: Field histogram query failed. Make sure that field [HTTP_CODE_V2] is a numeric type.

2017-02-06 Thread Jochen Schalanda
Hi Vojtech,

how exactly did you configure Graylog to extract the data you want from 
these messages?

Also make sure that there are no old messages in your query time range 
which have a non-numeric value in the relevant fields.

Cheers,
Jochen

On Sunday, 5 February 2017 16:40:19 UTC+1, Vojtech Vavra wrote:
>
> Hi All
>
> After a couple of hours without success I am writing to you about the 
> error message above.
> I have created an extractor for the HTTP code from the message:
> "|HTTP:200|Size:98|-|X-Forward:192.168.1.1.|X-Backend:web194|pass"
>
> The output is always a number. But I could not create a chart ("Generate chart") 
> because of the error message about the numeric type.
> So I have modified the extractor and added a convert to number, but still without 
> success :(
>
> Could you pls help me?
>
> Thank you
>
> Vojtech
>
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/5f86ec0b-65a5-44d2-b4e4-2a31be318693%40googlegroups.com.


[graylog2] Re: json array parsing issue with logstash

2017-02-06 Thread Jochen Schalanda
Hi Akshay,

you can use the Logstash split filter to split your message into individual 
events by splitting by the "data" field.

See https://www.elastic.co/guide/en/logstash/current/plugins-filters-split.html 
for details.

If you need more help with Logstash, please post 
to https://discuss.elastic.co/c/logstash

Cheers,
Jochen

On Monday, 6 February 2017 07:27:45 UTC+1, Akshay Agarwal wrote:
>
> Hi All,
>
> I want to implement a service request trace using the http plugin of Logstash in 
> JSON array format.
>
> Getting the following error when trying to parse the JSON array:
>
> error: 
>
> :message=>"gsub mutation is only applicable for Strings, skipping", 
> :field=>"message", :value=>nil, :level=>:debug, 
> :file=>"logstash/filters/mutate.rb", :line=>"322", :method=>"gsub"}
> :message=>"Exception in filterworker", 
> "exception"=># are splittable. field:message is of type = NilClass>
>
>
>
> My json array is :
>
> {
> "data": [
> {
> "appName": "DemoApp",
> "appVersion": "1.1",
> "deviceId": "1234567",
> "deviceName": "moto e",
> "deviceOSVersion": "5.1",
> "packageName": "com.tcs.DemoApp",
> "message": "testing null pointer exception",
> "errorLog": "null pointer exception"
> },
> {
> "appName": "DemoApp",
> "appVersion": "1.1",
> "deviceId": "1234567",
> "deviceName": "moto e",
> "deviceOSVersion": "5.1",
> "packageName": "com.tcs.DemoApp",
> "message": "testing illegal state exception",
> "errorLog": "illegal state exception"
> }
> ]
> }
>
>
>
>
> my logstash config is :
>
> input {
> http {
> codec => "json"
> }
> }
> filter{
> json {
>   source => "message"
>  }
>mutate { gsub => [ "message", "},\r\n\r\n{", "}shr{" ] }
> split {
>   terminator => "shr"
>}
> }
> }
>
>
> output {
>  stdout { codec => "json" }
> gelf{
> host => localhost
> facility => "%{type}"
> level =>["%{SeverityLevel}", "INFO"]
> codec => "json"
> }
>file{
> path => "/chroot/result.log"
> }
> }
>
>
>
> Any help would be appreciated.
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/59120b27-c002-4737-813f-5a6bec979c9e%40googlegroups.com.
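The split-on-"data" approach from the reply above as a complete pipeline, added here as an example and not the configuration posted in the thread; the listen port, the field renames and the GELF host are my assumptions. The posted config failed because the http input's json codec had already parsed the body into fields, leaving no "message" string for gsub/split to operate on.

```logstash
# Added example, not the configuration posted in the thread.
# With codec => "json" the request body is decoded straight into event
# fields, so there is no "message" string left for gsub/split; that is why
# the original config reported field:message is of type = NilClass.
input {
  http {
    port  => 8080          # assumed listen port
    codec => "json"
  }
}

filter {
  # "data" is the JSON array; split emits one event per element and stores
  # that element as the event's "data" field (a hash, not a string).
  split {
    field => "data"
  }

  # Hoist the element's keys to the top level (my assumption that this is
  # wanted) so "message" becomes a plain string for the GELF output, then
  # drop the now-empty "data" hash and the HTTP request headers.
  mutate {
    rename => {
      "[data][appName]"         => "appName"
      "[data][appVersion]"      => "appVersion"
      "[data][deviceId]"        => "deviceId"
      "[data][deviceName]"      => "deviceName"
      "[data][deviceOSVersion]" => "deviceOSVersion"
      "[data][packageName]"     => "packageName"
      "[data][message]"         => "message"
      "[data][errorLog]"        => "errorLog"
    }
    remove_field => [ "data", "headers" ]
  }
}

output {
  stdout { codec => rubydebug }
  gelf {
    host => "localhost"    # assumed Graylog GELF UDP input on the default port
  }
}
```

Posting the two-element array from the thread to the http input yields two events, one carrying "testing null pointer exception" and one "testing illegal state exception" in their message field.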


[graylog2] Re: SysLog-udp traffic ignored from tomcat

2017-02-06 Thread Jochen Schalanda
Hi Alaa,


On Sunday, 5 February 2017 17:50:04 UTC+1, alaa barqawi wrote:
>
> I added a SYSLOG appender in *logback.xml*
>

Just FYI, there are also GELF appenders for Logback which can be used to 
send messages directly to 
Graylog: https://marketplace.graylog.org/addons?tag=logback

 

> Also, if I test a simple message sent using syslog from any source machine, 
> it works fine and appears in the search, 
> like: nc -w0 -u 10.102.1.227 514 <<< "Test"
>

This is not a valid syslog message according to RFC 3164 or RFC 5424.

> Is there any restriction on the Graylog server that would ignore the traffic?
>

Yes, messages have to conform to the syslog protocol, if you want to use a 
syslog input.


Cheers,
Jochen

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/895f850f-7eb3-4405-911f-87a16fcbada0%40googlegroups.com.


[graylog2] Re: Graylog server always collect expired logs, these logs are generated long before , and now the switch has no such logs.

2017-02-06 Thread Jochen Schalanda
Hi,

when you click on one of these messages, you can see on which input they 
were received next to the "Received by" field.

Once you have identified the input, you can use tools like Wireshark, 
tcpdump, or simply lsof to identify where these messages come from.

Cheers,
Jochen


On Monday, 6 February 2017 04:06:00 UTC+1, ql.w...@163.com wrote:
>
> Hi,
>
> I deleted the command that sends logs to the Graylog server on the switch, but 
> Graylog can still receive the logs of this switch as before. I don't know where 
> those logs received by the Graylog server come from.  
>
>
> 
>
>
> The switch does not send logs to Graylog, but Graylog can receive the logs 
> of this switch as before, as shown in the figure. 
>
>
>
> On Saturday, 4 February 2017 18:07:06 UTC+8, Jochen Schalanda wrote:
>>
>> Hi,
>>
>> please elaborate on your problem. I'm not sure what you're trying to say.
>>
>> What did you expect to happen or retrieve? What did actually happen?
>> As far as I see, the timestamps of the log messages are correct.
>>
>> Cheers,
>> Jochen
>>
>> On Saturday, 4 February 2017 10:48:25 UTC+1, ql.w...@163.com wrote:
>>>
>>> My Graylog server always collects expired logs; these logs were generated 
>>> long ago, and now the switch has no such logs.
>>> [image: image] 
>>> 
>>>
>>> The current log's source is 2017. The log whose source is 
>>> G1-K115-ACC-SW-48 is very old, but the server is collecting it now.
>>>
>>> This problem has troubled me for weeks. How to solve this problem?
>>>
>>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/56bc1f50-1b9f-4e52-ada3-c9dc92430280%40googlegroups.com.


[graylog2] Re: RDBMS plugin on marketplace

2017-02-06 Thread Jochen Schalanda
Hi Richard,

from looking at the plugin source code, it seems like it was written for 
Graylog 1.3.x, so it's not given that it will work with Graylog 2.x.

Have you considered opening a bug report at 
https://github.com/wizecore/graylog2-output-jdbc/issues?

Cheers,
Jochen

On Monday, 6 February 2017 07:01:07 UTC+1, Richard S. Westmoreland wrote:
>
> Hello,
>
> I'm trying to use this plugin on the graylog marketplace:
>
> https://marketplace.graylog.org/addons/9699f645-0d53-4654-864a-fbb08fb6d7ae
>
> I'm doing something wrong.  Here is my config:
>
> JDBC URL: jdbc:mysql://myhost.local:3306/graylog
> Driver to use:  mariadb-java-client-1.5.7.jar
>
> Originally I used jdbc:mariadb:// but it didn't work, and with the driver given as 
> the full path it also didn't work.  Based on some other non-Graylog MySQL driver 
> questions I tried setting my CLASSPATH variable to include the full path to 
> the driver as well.  Still no good.
>
> I had set up a Stream that used this Output and I can see msg/s trickling 
> through.  But nothing ends up in my MariaDB table, and a tcpdump shows no 
> packets hitting the port.  Yes, MariaDB is set to listen on 0.0.0.0 and the 
> user was updated to accept remote connections (as well as local).
>
> There is one step in the instructions that doesn't make any sense to me:
>
> Add following line to graylog2-output-jdbc.jar/META-INF/MANIFEST.MF
>
> What does this mean?
>
> thanks
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/80f06347-8060-47de-b252-566af2d887fd%40googlegroups.com.


[graylog2] Re: OutOfMemoryError for Beats plugin

2017-02-06 Thread Jochen Schalanda
Hi Richard,

Which version of the Graylog Beats plugin are you using?
Which version of Graylog are you using?
What are the hardware specs of the machine(s) running Graylog?

Cheers,
Jochen

On Monday, 6 February 2017 09:03:09 UTC+1, Richard S. Westmoreland wrote:
>
> I'm getting this error in my server.log:
>
> 2017-02-06T07:55:17.016Z ERROR [NettyTransport] Error in Input [Beats/58785c6a57fe51420e73e1ea] (channel [id: 0x8183ee45, /127.0.0.1:52554 :> /127.0.0.1:5051])
> *java.lang.OutOfMemoryError: Java heap space*
> at org.graylog.plugins.beats.BeatsFrameDecoder.processCompressedFrame(BeatsFrameDecoder.java:201) ~[?:?]
> at org.graylog.plugins.beats.BeatsFrameDecoder.decode(BeatsFrameDecoder.java:120) ~[?:?]
> at org.graylog.plugins.beats.BeatsFrameDecoder.decode(BeatsFrameDecoder.java:49) ~[?:?]
> at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:500) ~[graylog.jar:?]
> at org.jboss.netty.handler.codec.replay.ReplayingDecoder.cleanup(ReplayingDecoder.java:554) ~[graylog.jar:?]
> at org.jboss.netty.handler.codec.frame.FrameDecoder.channelDisconnected(FrameDecoder.java:365) ~[graylog.jar:?]
> at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:102) ~[graylog.jar:?]
> at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) ~[graylog.jar:?]
> at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) ~[graylog.jar:?]
> ...etc...
>
> The thing is, my heap is fine when this happens.  I can watch it on the 
> Nodes page, and with a min and slightly higher max set, I never see it grow 
> beyond the original min.  Why would this happen?
>
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/d3e8440d-5ec0-4ea6-b937-589856664a57%40googlegroups.com.


[graylog2] OutOfMemoryError for Beats plugin

2017-02-06 Thread Richard S. Westmoreland
I'm getting this error in my server.log:

2017-02-06T07:55:17.016Z ERROR [NettyTransport] Error in Input [Beats/58785c6a57fe51420e73e1ea] (channel [id: 0x8183ee45, /127.0.0.1:52554 :> /127.0.0.1:5051])
*java.lang.OutOfMemoryError: Java heap space*
at org.graylog.plugins.beats.BeatsFrameDecoder.processCompressedFrame(BeatsFrameDecoder.java:201) ~[?:?]
at org.graylog.plugins.beats.BeatsFrameDecoder.decode(BeatsFrameDecoder.java:120) ~[?:?]
at org.graylog.plugins.beats.BeatsFrameDecoder.decode(BeatsFrameDecoder.java:49) ~[?:?]
at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:500) ~[graylog.jar:?]
at org.jboss.netty.handler.codec.replay.ReplayingDecoder.cleanup(ReplayingDecoder.java:554) ~[graylog.jar:?]
at org.jboss.netty.handler.codec.frame.FrameDecoder.channelDisconnected(FrameDecoder.java:365) ~[graylog.jar:?]
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:102) ~[graylog.jar:?]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) ~[graylog.jar:?]
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) ~[graylog.jar:?]
...etc...

The thing is, my heap is fine when this happens.  I can watch it on the 
Nodes page, and with a min and slightly higher max set, I never see it grow 
beyond the original min.  Why would this happen?


To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/272b524f-b73f-4b5a-8946-ff6edf00a4bc%40googlegroups.com.