[graylog2] Re: No 'Beats Input' available to receive sidecar data.

2017-02-20 Thread Jochen Schalanda
Hi Chris,

On Tuesday, 21 February 2017 00:46:35 UTC+1, Chris Thompson wrote:
>
> 2017-02-20_23:31:59.44325 INFO  [CmdLineTool] Loaded plugins: [Anonymous 
> Usage Statistics 1.2.1 
> [org.graylog.plugins.usagestatistics.UsageStatsPlugin]]
>

The Anonymous Usage Statistics plugin 1.2.1 was written for Graylog 1.3.x 
but the Beats plugin only works with Graylog 2.0.0 and higher.

If you're starting from scratch, I'd recommend using the latest stable 
version of 
Graylog: https://www.graylog.org/blog/89-announcing-graylog-v2-2-1

Cheers,
Jochen

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/d058075b-274f-47fb-bf6b-3bb298954317%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Re: No 'Beats Input' available to receive sidecar data.

2017-02-20 Thread Jochen Schalanda
Hi Chris,

How exactly did you install (and upgrade) Graylog? It looks like you're 
using an incompatible version of the Beats plugin.

The correct version of the Beats plugin is shipped with Graylog and can 
also be downloaded from 
https://marketplace.graylog.org/addons/22014b12-9358-4056-9402-d3eb69f9560e.

Cheers,
Jochen

On Tuesday, 21 February 2017 00:46:35 UTC+1, Chris Thompson wrote:
>
> I installed the plugin to my Graylog 2.2 appliance (I'm still testing) and 
> restarted the services.
> I keep getting pointed to this doc: 
> http://docs.graylog.org/en/2.1/pages/collector_sidecar.html#step-by-step-guide
> However, the first step in that doc is to make a 'Global Beats Input'. 
> 'Beats' is not an option in my inputs drop down menu:
>
>
> 
> I tried installing the beats plugin (some were saying it ships with 
> Graylog), but it is not in the /opt/graylog/plugin folder on my OVA in any 
> case. 
> Once I install it, when I restart graylog, it fails with this error 
> showing in a loop in /var/log/graylog/server/current:
> 2017-02-20_23:31:57.16373 Java HotSpot(TM) 64-Bit Server VM warning: 
> ignoring option MaxPermSize=256m; support was removed in 8.0
> 2017-02-20_23:31:57.78121 Exception in thread "main" 
> java.lang.NoSuchMethodError: 
> org.graylog2.plugin.Version.from(IIILjava/lang/String;)Lorg/graylog2/plugin/Version;
> 2017-02-20_23:31:57.78211   at 
> org.graylog.plugins.beats.BeatsInputPluginMetaData.getVersion(BeatsInputPluginMetaData.java:52)
> 2017-02-20_23:31:57.78429   at 
> org.graylog2.shared.plugins.PluginLoader$PluginComparator.compare(PluginLoader.java:112)
> 2017-02-20_23:31:57.78448   at 
> org.graylog2.shared.plugins.PluginLoader$PluginComparator.compare(PluginLoader.java:103)
> 2017-02-20_23:31:57.78667   at 
> java.util.TimSort.countRunAndMakeAscending(TimSort.java:355)
> 2017-02-20_23:31:57.78829   at java.util.TimSort.sort(TimSort.java:220)
> 2017-02-20_23:31:57.78948   at java.util.Arrays.sort(Arrays.java:1512)
> 2017-02-20_23:31:57.79100   at 
> com.google.common.collect.ImmutableSortedSet.construct(ImmutableSortedSet.java:428)
> 2017-02-20_23:31:57.79185   at 
> com.google.common.collect.ImmutableSortedSet$Builder.build(ImmutableSortedSet.java:562)
> 2017-02-20_23:31:57.79421   at 
> org.graylog2.shared.plugins.PluginLoader.loadPlugins(PluginLoader.java:56)
> 2017-02-20_23:31:57.79605   at 
> org.graylog2.bootstrap.CmdLineTool.loadPlugins(CmdLineTool.java:264)
> 2017-02-20_23:31:57.79609   at 
> org.graylog2.bootstrap.CmdLineTool.installPluginConfigAndBindings(CmdLineTool.java:229)
> 2017-02-20_23:31:57.79739   at 
> org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:151)
> 2017-02-20_23:31:57.79901   at 
> org.graylog2.bootstrap.Main.main(Main.java:44)
> 2017-02-20_23:31:58.82676 It looks like you are trying to access MongoDB 
> over HTTP on the native driver port.
> 2017-02-20_23:31:58.83689 Java HotSpot(TM) 64-Bit Server VM warning: 
> ignoring option PermSize=128m; support was removed in 8.0
> 2017-02-20_23:31:58.83691 Java HotSpot(TM) 64-Bit Server VM warning: 
> ignoring option MaxPermSize=256m; support was removed in 8.0
> 2017-02-20_23:31:59.44325 INFO  [CmdLineTool] Loaded plugins: [Anonymous 
> Usage Statistics 1.2.1 
> [org.graylog.plugins.usagestatistics.UsageStatsPlugin]]
> 2017-02-20_23:31:59.56571 INFO  [CmdLineTool] Running with JVM arguments: 
> -Xms1g -Xmx1500m -XX:NewRatio=1 -XX:PermSize=128m -XX:MaxPe
>
> Need to test getting some Windows IIS logs into this thing, help me out 
> please?
>
>



[graylog2] No 'Beats Input' available to receive sidecar data.

2017-02-20 Thread Chris Thompson
I installed the plugin to my Graylog 2.2 appliance (I'm still testing) and 
restarted the services.
I keep getting pointed to this 
doc: 
http://docs.graylog.org/en/2.1/pages/collector_sidecar.html#step-by-step-guide
However, the first step in that doc is to make a 'Global Beats Input'. 
'Beats' is not an option in my inputs drop down menu:


I tried installing the beats plugin (some were saying it ships with Graylog), 
but it is not in the /opt/graylog/plugin folder on my OVA in any case. 
Once I install it, when I restart graylog, it fails with this error showing 
in a loop in /var/log/graylog/server/current:
2017-02-20_23:31:57.16373 Java HotSpot(TM) 64-Bit Server VM warning: 
ignoring option MaxPermSize=256m; support was removed in 8.0
2017-02-20_23:31:57.78121 Exception in thread "main" 
java.lang.NoSuchMethodError: 
org.graylog2.plugin.Version.from(IIILjava/lang/String;)Lorg/graylog2/plugin/Version;
2017-02-20_23:31:57.78211   at 
org.graylog.plugins.beats.BeatsInputPluginMetaData.getVersion(BeatsInputPluginMetaData.java:52)
2017-02-20_23:31:57.78429   at 
org.graylog2.shared.plugins.PluginLoader$PluginComparator.compare(PluginLoader.java:112)
2017-02-20_23:31:57.78448   at 
org.graylog2.shared.plugins.PluginLoader$PluginComparator.compare(PluginLoader.java:103)
2017-02-20_23:31:57.78667   at 
java.util.TimSort.countRunAndMakeAscending(TimSort.java:355)
2017-02-20_23:31:57.78829   at java.util.TimSort.sort(TimSort.java:220)
2017-02-20_23:31:57.78948   at java.util.Arrays.sort(Arrays.java:1512)
2017-02-20_23:31:57.79100   at 
com.google.common.collect.ImmutableSortedSet.construct(ImmutableSortedSet.java:428)
2017-02-20_23:31:57.79185   at 
com.google.common.collect.ImmutableSortedSet$Builder.build(ImmutableSortedSet.java:562)
2017-02-20_23:31:57.79421   at 
org.graylog2.shared.plugins.PluginLoader.loadPlugins(PluginLoader.java:56)
2017-02-20_23:31:57.79605   at 
org.graylog2.bootstrap.CmdLineTool.loadPlugins(CmdLineTool.java:264)
2017-02-20_23:31:57.79609   at 
org.graylog2.bootstrap.CmdLineTool.installPluginConfigAndBindings(CmdLineTool.java:229)
2017-02-20_23:31:57.79739   at 
org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:151)
2017-02-20_23:31:57.79901   at 
org.graylog2.bootstrap.Main.main(Main.java:44)
2017-02-20_23:31:58.82676 It looks like you are trying to access MongoDB 
over HTTP on the native driver port.
2017-02-20_23:31:58.83689 Java HotSpot(TM) 64-Bit Server VM warning: 
ignoring option PermSize=128m; support was removed in 8.0
2017-02-20_23:31:58.83691 Java HotSpot(TM) 64-Bit Server VM warning: 
ignoring option MaxPermSize=256m; support was removed in 8.0
2017-02-20_23:31:59.44325 INFO  [CmdLineTool] Loaded plugins: [Anonymous 
Usage Statistics 1.2.1 
[org.graylog.plugins.usagestatistics.UsageStatsPlugin]]
2017-02-20_23:31:59.56571 INFO  [CmdLineTool] Running with JVM arguments: 
-Xms1g -Xmx1500m -XX:NewRatio=1 -XX:PermSize=128m -XX:MaxPe

Need to test getting some Windows IIS logs into this thing, help me out 
please?


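The NoSuchMethodError in the log above is what a plugin jar built against a different Graylog server API looks like at start-up: the exception is raised from the plugin's own frames while the server is still sorting plugins. The script below is an added example, not code from the thread or from Graylog. It runs over a constructed excerpt of /var/log/graylog/server/current (assembled from the lines quoted in the post, with the e-mail line wrapping undone), extracts the exception class and the first plugin-owned stack frame, and lists what the "Loaded plugins" line says actually loaded, so an operator knows which jar to remove or replace. The regular expressions assume the log line layout shown in the post.

```python
import re

# Constructed excerpt of /var/log/graylog/server/current, assembled from the lines
# quoted in the post above (the multi-line wrapping of the e-mail has been undone).
SAMPLE_LOG = """\
2017-02-20_23:31:57.16373 Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
2017-02-20_23:31:57.78121 Exception in thread "main" java.lang.NoSuchMethodError: org.graylog2.plugin.Version.from(IIILjava/lang/String;)Lorg/graylog2/plugin/Version;
2017-02-20_23:31:57.78211   at org.graylog.plugins.beats.BeatsInputPluginMetaData.getVersion(BeatsInputPluginMetaData.java:52)
2017-02-20_23:31:57.78429   at org.graylog2.shared.plugins.PluginLoader$PluginComparator.compare(PluginLoader.java:112)
2017-02-20_23:31:57.79421   at org.graylog2.shared.plugins.PluginLoader.loadPlugins(PluginLoader.java:56)
2017-02-20_23:31:57.79901   at org.graylog2.bootstrap.Main.main(Main.java:44)
2017-02-20_23:31:59.44325 INFO  [CmdLineTool] Loaded plugins: [Anonymous Usage Statistics 1.2.1 [org.graylog.plugins.usagestatistics.UsageStatsPlugin]]
"""

# Every line of the service log starts with "YYYY-MM-DD_HH:MM:SS.micro ".
_TS = re.compile(r"^\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2}\.\d+\s+")
# Uncaught exception header, e.g. 'Exception in thread "main" java.lang.NoSuchMethodError: ...'
_EXC = re.compile(r'Exception in thread "[^"]*"\s+(?P<cls>[\w.$]+(?:Error|Exception))\b')
# Stack frame owned by a Graylog plugin (they all live under org.graylog.plugins.<name>).
_PLUGIN_FRAME = re.compile(
    r"^\s*at\s+(?P<pkg>org\.graylog\.plugins\.\w+)\.[\w.$]+\((?P<loc>[^)]*)\)")
_LOADED = re.compile(r"Loaded plugins: \[(?P<body>.*)\]$")
_PLUGIN = re.compile(r"(?P<name>[^\[\]]+?) (?P<ver>\d+\.\d+\.\d+\S*) \[(?P<cls>[\w.$]+)\]")


def strip_timestamp(line):
    return _TS.sub("", line)


def find_failing_plugin(log_text):
    """Return (exception_class, plugin_package, source_location) for the first plugin
    frame that follows an uncaught exception, or None when the log has no such failure.
    A NoSuchMethodError raised inside a plugin's own frames is the signature of a jar
    compiled against a different Graylog server API than the one that is running."""
    exception = None
    for raw in log_text.splitlines():
        line = strip_timestamp(raw)
        hit = _EXC.search(line)
        if hit:
            exception = hit.group("cls")
            continue
        if exception:
            frame = _PLUGIN_FRAME.match(line)
            if frame:
                return exception, frame.group("pkg"), frame.group("loc")
    return None


def loaded_plugins(log_text):
    """Return {plugin_class: version} from the 'Loaded plugins:' line, so an operator
    can compare what actually loaded with what the deployment expects."""
    for raw in log_text.splitlines():
        hit = _LOADED.search(strip_timestamp(raw))
        if hit:
            return {p.group("cls"): p.group("ver") for p in _PLUGIN.finditer(hit.group("body"))}
    return {}


def triage(log_text):
    """Human-readable summary of the two checks above."""
    failure = find_failing_plugin(log_text)
    lines = []
    if failure:
        exc, pkg, loc = failure
        lines.append(f"{exc} raised inside plugin package {pkg} ({loc}); "
                     f"remove or replace that plugin jar with one built for this server version")
    for cls, ver in loaded_plugins(log_text).items():
        lines.append(f"loaded: {cls} {ver}")
    return "\n".join(lines) if lines else "no plugin failure found"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it against the real file (for example `python3 triage.py < /var/log/graylog/server/current` after swapping SAMPLE_LOG for stdin) and compare the reported plugin package with the jars in the plugin directory; a plugin that appears in the failure but not in the "Loaded plugins" list is the one the server could not load.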

[graylog2] Re: use 1 minute Timerange not working

2017-02-20 Thread vadimv Vatlin
For example, I made an alert. 
My stream had some messages, and I created an alert. 
*Configuration:* Alert is triggered when there are more than 2 messages in 
the last minute. Grace period: 1 minute. Including last message in alert 
notification.

But this alert has never been triggered. 

Another example:
I searched a string using query:

{
  "from": 0,
  "size": 150,
  "query": {
    "bool": {
      "must": {
        "query_string": {
          "query": "message:\"USER WITH LOGIN\"",
          "allow_leading_wildcard": false
        }
      },
      "filter": {
        "bool": {
          "must": {
            "range": {
              "timestamp": {
                "from": "2017-02-20 16:30:08.806",
                "to": "2017-02-20 16:31:08.806",
                "include_lower": true,
                "include_upper": true
              }
            }
          }
        }
      }
    }
  },

1 minute range.


This query showed me 4 messages, then I created a Count widget ("Add count 
widget to dashboard") and this widget always shows me 0, although I see messages 
using such a search query.

When I try to use a 2 (and so on) minute time range, everything is OK. 

On Monday, February 20, 2017 at 5:56:31 PM UTC+2, Jochen Schalanda wrote:
>
> Hi,
>
> what exactly do you mean by "both of them don't work"?
>
> How did you configure the alert conditions?
> What did you expect to happen?
> What actually happened?
>
> Cheers,
> Jochen
>
> On Monday, 20 February 2017 16:20:43 UTC+1, vadimv Vatlin wrote:
>>
>> Hello. 
>>
>> I have some strange problem. 
>>
>> I try to use 1 minute time range in alerts and dashboard count widget, 
>> and both of them don't work. 
>>
>> Timerange:{ "type": "relative", "range": 60 }
>> server.conf:alert_check_interval = 30 
>>
>> what is the problem?  
>>
>


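To make concrete what the 1-minute range in the query and alert configuration above selects, here is an added Python example; it is not code from the thread or from Graylog. It rebuilds the inclusive range filter from the query, counts constructed timestamps that fall inside the window (including ones stamped exactly on either bound), evaluates the "more than 2 messages in the last minute" condition, and runs that condition every 30 seconds with a 1-minute grace period. The scheduling and grace-period semantics are assumptions made for illustration, not Graylog's implementation.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed message timestamps around the one-minute window the query above searches
# (2017-02-20 16:30:08.806 to 16:31:08.806); the last one lies just outside it.
SAMPLE_TIMESTAMPS = [
    "2017-02-20 16:30:08.806",  # exactly on the lower bound
    "2017-02-20 16:30:21.100",
    "2017-02-20 16:30:55.432",
    "2017-02-20 16:31:08.806",  # exactly on the upper bound
    "2017-02-20 16:29:59.999",  # outside the window, must not be counted
]


def parse(ts):
    return datetime.strptime(ts, FMT)


def fmt(dt):
    # millisecond precision, the format used in the range filter above
    return dt.strftime(FMT)[:-3]


def range_filter(start, end):
    """The Elasticsearch range filter for one window, same shape as in the query above:
    both bounds are inclusive, so a message stamped exactly on a bound is counted."""
    return {"range": {"timestamp": {"from": fmt(start), "to": fmt(end),
                                    "include_lower": True, "include_upper": True}}}


def count_in_window(timestamps, start, end):
    """What the count widget or alert condition should see for [start, end]."""
    return sum(1 for ts in timestamps if start <= parse(ts) <= end)


def alert_fires(timestamps, now, threshold=2, window_seconds=60):
    """'Triggered when there are more than <threshold> messages in the last <window>'."""
    return count_in_window(timestamps, now - timedelta(seconds=window_seconds), now) > threshold


def evaluate_schedule(timestamps, first_check, last_check, check_interval=30,
                      grace_seconds=60, **condition):
    """Run the condition at every check time, the way a scheduler with
    alert_check_interval = 30 would, honouring the grace period after each trigger
    (assumed semantics). Returns the check times at which a notification goes out."""
    fired, next_allowed, check = [], first_check, first_check
    while check <= last_check:
        if check >= next_allowed and alert_fires(timestamps, check, **condition):
            fired.append(check)
            next_allowed = check + timedelta(seconds=grace_seconds)
        check += timedelta(seconds=check_interval)
    return fired


if __name__ == "__main__":
    start, end = parse("2017-02-20 16:30:08.806"), parse("2017-02-20 16:31:08.806")
    print(range_filter(start, end))
    print("messages in window:", count_in_window(SAMPLE_TIMESTAMPS, start, end))
    for t in evaluate_schedule(SAMPLE_TIMESTAMPS, parse("2017-02-20 16:30:00.000"),
                               parse("2017-02-20 16:32:00.000")):
        print("alert would fire at", fmt(t))
```

Because a 60-second window checked every 30 seconds overlaps with the previous check, a burst of messages cannot fall between two checks; if the condition never fires on real data, the place to look is what the widget or condition actually counts for that window, not the check interval.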

[graylog2] Re: use 1 minute Timerange not working

2017-02-20 Thread Jochen Schalanda
Hi,

what exactly do you mean by "both of them don't work"?

How did you configure the alert conditions?
What did you expect to happen?
What actually happened?

Cheers,
Jochen

On Monday, 20 February 2017 16:20:43 UTC+1, vadimv Vatlin wrote:
>
> Hello. 
>
> I have some strange problem. 
>
> I try to use 1 minute time range in alerts and dashboard count widget, and 
> both of them don't work. 
>
> Timerange:{ "type": "relative", "range": 60 }
> server.conf:alert_check_interval = 30 
>
> what is the problem?  
>



[graylog2] Re: bytes can be at most 32766 in length

2017-02-20 Thread Paul Pretorius
Raised in the Community Forum instead: 
https://community.graylog.org/t/beats-input-bytes-can-be-at-most-32766-in-length/147

On Monday, 20 February 2017 12:57:38 UTC, Paul Pretorius wrote:

> Hi Guys 
>
> I've deployed Graylog to use for a syslog solution.  Currently using 
> Sidecar to do the collection of winlogs only.  
>
> Been running a week and started loading some more hosts ... Then 
> Pooof, graylog fell over.  Initially I was clueless as to what's going 
> on.  
>
> After a bit of digging, I found the dreaded elasticsearch error which 
> seems to be quite common (bytes can be at most 32766 in length).
>
> I have found a few articles where people say update the analyser, some 
> others that mention setting index to not_analyzed or Index No.  Another 
> post mentioned to set ignore_above => 256. 
>
> Thing is ... I have no clue where to even try setting these things?  Can 
> anybody shed some light please?  
>
> I have managed to find the actual message that is too large on the 
> originating server which is causing the failure.  Turns out to be an HP WBEM 
> Dump Event (Id 1001). 
>
> If anyone knows how I can prevent this from happening, or define some sort 
> of "exclude" for this message, that would be a great help.  
>
> Perhaps I could instruct the sidecar collector to ignore this message?  Is 
> that possible?  Would anyone know?  
>
> PS - I have tried this with Graylog 2.1 and just tried with 2.2 as 
> well.  Both doing the same thing... 
>
> Appreciate your help guys  :) 
>
> Thanks 
>
> Paul. 
>
>



[graylog2] use 1 minute Timerange not working

2017-02-20 Thread vadimv Vatlin
Hello. 

I have some strange problem. 

I try to use 1 minute time range in alerts and dashboard count widget, and 
both of them don't work. 

Timerange:{ "type": "relative", "range": 60 }
server.conf:alert_check_interval = 30 

what is the problem?  



[graylog2] list-unsubscribe

2017-02-20 Thread STARNES, CURTIS
list-unsubscribe



[graylog2] Re: [UpdateRegistration] Failed to report collector status to server:

2017-02-20 Thread NeefRoel
Thanks for the quick response.
But as I said, the service is running behind a reverse proxy, which proxies 
TCP 80 to TCP 9000.

Even so, because this is the 'first' server, I've also used a direct link 
to this server over port 9000, which results in the same messages being 
logged.

Cheers,
NeefRoel



Re: [graylog2] [UpdateRegistration] Failed to report collector status to server:

2017-02-20 Thread NeefRoel
Thanks for the quick response.
But as I said, the service is running behind a reverse proxy, which proxies 
TCP 80 to TCP 9000.

Even so, because this is the 'first' server, I've also used a direct link 
to this server over port 9000, which results in the same messages being 
logged.

Cheers,
NeefRoel

On Monday, February 20, 2017 at 2:32:00 PM UTC+1, Marius Sturm wrote:
>
> Hi, 
> the Graylog api is typically listening on port 9000, so the server_url 
> is most likely: http://my.fqdn.hostname:9000/api/ 
>
> Cheers, 
> Marius 
>
> On 20 February 2017 at 14:18, NeefRoel wrote:
> > Hi,
> >
> > I've installed the graylog server version 2.2.0-11 on one server and the
> > collector-sidecar v0.0.9-1 on another.
> > I have successfully sent log events to the graylog server and am able to
> > see them.
> >
> > I was now fine-tuning the client and I noticed that the client is telling
> > me that it is unable to report its status to the server, e.g.:
> >
> > ERRO[0010] [UpdateRegistration] Failed to report collector status to server:
> >
> >
> > When running manually from the command line:
> > INFO[] Using collector-id: 8e3deae7-4312-498e-aa42-0d5d2dd521e9
> > INFO[] Fetching configurations tagged by: [linux apache]
> > INFO[] Starting collector supervisor
> > INFO[] [filebeat] Starting
> > INFO[0010] [filebeat] Configuration change detected, rewriting configuration file.
> > ERRO[0010] [UpdateRegistration] Failed to report collector status to server:
> > INFO[0010] [filebeat] Stopping
> > INFO[0014] [filebeat] Starting
> > ERRO[0020] [UpdateRegistration] Failed to report collector status to server:
> > ^CINFO[0029] [filebeat] Stopping
> > ERRO[0030] [UpdateRegistration] Failed to report collector status to server:
> >
> >
> > I noticed in other topics that this would be the server_url variable. But
> > when I change this to an incorrect value I get a 404 response, e.g.:
> > ERRO[0010] [RequestConfiguration] Bad response status from Graylog server: 404 Not Found
> >
> > The URL I've configured is:
> > server_url: http://my.fqdn.hostname/api/
> >
> > I've used tcpdump to see what is going on, and I can see it is posting
> > (HTTP PUT) data:
> > PUT /api/plugins/org.graylog.plugins.collector/collectors/8e3deae7-4312-498e-aa42-0d5d2dd521e9 HTTP/1.1
> > Host: my.fqdn.hostname
> > User-Agent: Graylog Collector v0.0.9
> > Content-Length: 312
> > Accept: application/json
> > Content-Type: application/json
> > X-Graylog-Collector-Version: 0.0.9
> >
> > {"node_id":"graylog-collector-sidecar","node_details":{"operating_system":"Linux","tags":["linux","apache"],"ip":"My.Ip.Add.ress","metrics":{"disks_75":[],"cpu_idle":97.61,"load_1":0.07},"status":{"backends":{"filebeat":{"status":0,"message":"Running"}},"status":0,"message":"1 collectors running"}}}
> >
> > I'm also receiving a response:
> > HTTP/1.1 202 Accepted
> > Date: Mon, 20 Feb 2017 10:54:00 GMT
> > Server: Apache
> > X-Graylog-Node-ID: 178b5821-23e3-493c-9c21-13d6414d4193
> > X-Runtime-Microseconds: 7341
> > Content-Type: application/json
> > Content-Length: 105
> >
> > {"configuration":{"update_interval":30,"send_status":true},"configuration_override":false,"actions":
> >
> > I'm using Debian Jessie on both servers. Anyone got an idea why I'm
> > receiving these messages and what I can do to fix that?
> >
> > (PS: the graylog server is running behind a reverse proxy, but even when
> > accessing it directly I get this message.)
> >
> > Cheers,
> > NeefRoel
> >


Re: [graylog2] [UpdateRegistration] Failed to report collector status to server:

2017-02-20 Thread Marius Sturm
Hi,
the Graylog api is typically listening on port 9000, so the server_url
is most likely: http://my.fqdn.hostname:9000/api/

Cheers,
Marius

On 20 February 2017 at 14:18, NeefRoel wrote:
> Hi,
>
> I've installed the graylog server version 2.2.0-11 on one server and the
> collector-sidecar v0.0.9-1 on another.
> I have successfully sent log events to the graylog server and am able to see
> them.
>
> I was now fine-tuning the client and I noticed that the client is telling me
> that it is unable to report its status to the server, e.g.:
>
> ERRO[0010] [UpdateRegistration] Failed to report collector status to server:
> 
>
>
> When running manually from the command line:
> INFO[] Using collector-id: 8e3deae7-4312-498e-aa42-0d5d2dd521e9
> INFO[] Fetching configurations tagged by: [linux apache]
> INFO[] Starting collector supervisor
> INFO[] [filebeat] Starting
> INFO[0010] [filebeat] Configuration change detected, rewriting configuration
> file.
> ERRO[0010] [UpdateRegistration] Failed to report collector status to server:
> 
> INFO[0010] [filebeat] Stopping
> INFO[0014] [filebeat] Starting
> ERRO[0020] [UpdateRegistration] Failed to report collector status to server:
> 
> ^CINFO[0029] [filebeat] Stopping
> ERRO[0030] [UpdateRegistration] Failed to report collector status to server:
> 
>
>
> I noticed in other topics that this would be the server_url variable. But
> when I change this to an incorrect value I get a 404 response, e.g.:
> ERRO[0010] [RequestConfiguration] Bad response status from Graylog server:
> 404 Not Found
>
> The URL I've configured is:
> server_url: http://my.fqdn.hostname/api/
>
> I've used tcpdump to see what is going on, and I can see it is posting (HTTP
> PUT) data:
> PUT
> /api/plugins/org.graylog.plugins.collector/collectors/8e3deae7-4312-498e-aa42-0d5d2dd521e9
> HTTP/1.1
> Host: my.fqdn.hostname
> User-Agent: Graylog Collector v0.0.9
> Content-Length: 312
> Accept: application/json
> Content-Type: application/json
> X-Graylog-Collector-Version: 0.0.9
>
>
> {"node_id":"graylog-collector-sidecar","node_details":{"operating_system":"Linux","tags":["linux","apache"],"ip":"My.Ip.Add.ress","metrics":{"disks_75":[],"cpu_idle":97.61,"load_1":0.07},"status":{"backends":{"filebeat":{"status":0,"message":"Running"}},"status":0,"message":"1
> collectors running"}}}
>
>
> I'm also receiving a response;
> HTTP/1.1 202 Accepted
> Date: Mon, 20 Feb 2017 10:54:00 GMT
> Server: Apache
> X-Graylog-Node-ID: 178b5821-23e3-493c-9c21-13d6414d4193
> X-Runtime-Microseconds: 7341
> Content-Type: application/json
> Content-Length: 105
>
> {"configuration":{"update_interval":30,"send_status":true},"configuration_override":false,"actions":
>
> I'm using Debian Jessie on both servers. Anyone got an idea why I'm
> receiving these messages and what I can do to fix that?
>
> (PS: the graylog server is running behind a reverse proxy, but even when
> accessing it directly I get this message.)
>
> Cheers,
> NeefRoel
>



-- 
Developer

Tel.: +49 (0)40 609 452 077
Fax.: +49 (0)40 609 452 078

TORCH GmbH - A Graylog Company
Poolstraße 21
20335 Hamburg
Germany

https://www.graylog.com

Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Geschäftsführer: Lennart Koopmann (CEO)



[graylog2] [UpdateRegistration] Failed to report collector status to server:

2017-02-20 Thread NeefRoel
Hi,

I've installed the graylog server version 2.2.0-11 on one server and the 
collector-sidecar v0.0.9-1 on another.
I have successfully sent log events to the graylog server and am able to see 
them.

I was now fine-tuning the client and I noticed that the client is telling me 
that it is unable to report its status to the server, e.g.:

ERRO[0010] [UpdateRegistration] Failed to report collector status to server: 



When running manually from the command line:
INFO[] Using collector-id: 8e3deae7-4312-498e-aa42-0d5d2dd521e9
INFO[] Fetching configurations tagged by: [linux apache]
INFO[] Starting collector supervisor
INFO[] [filebeat] Starting
INFO[0010] [filebeat] Configuration change detected, rewriting 
configuration file.
ERRO[0010] [UpdateRegistration] Failed to report collector status to 
server: 
INFO[0010] [filebeat] Stopping
INFO[0014] [filebeat] Starting
ERRO[0020] [UpdateRegistration] Failed to report collector status to 
server: 
^CINFO[0029] [filebeat] Stopping
ERRO[0030] [UpdateRegistration] Failed to report collector status to 
server: 


I noticed in other topics that this would be the server_url variable. But 
when I change this to an incorrect value I get a 404 response, e.g.:
ERRO[0010] [RequestConfiguration] Bad response status from Graylog server: 
404 Not Found

The URL I've configured is:
server_url: http://my.fqdn.hostname/api/

I've used tcpdump to see what is going on, and I can see it is posting 
(HTTP PUT) data:
PUT /api/plugins/org.graylog.plugins.collector/collectors/8e3deae7-4312-498e-aa42-0d5d2dd521e9 HTTP/1.1
Host: my.fqdn.hostname
User-Agent: Graylog Collector v0.0.9
Content-Length: 312
Accept: application/json
Content-Type: application/json
X-Graylog-Collector-Version: 0.0.9


{"node_id":"graylog-collector-sidecar","node_details":{"operating_system":
"Linux","tags":["linux","apache"],"ip":"My.Ip.Add.ress","metrics":{
"disks_75":[],"cpu_idle":97.61,"load_1":0.07},"status":{
"backends":{"filebeat":{"status":0,"message":"Running"}},"status":0,
"message":"1 collectors running"}}}


I'm also receiving a response;
HTTP/1.1 202 Accepted
Date: Mon, 20 Feb 2017 10:54:00 GMT
Server: Apache
X-Graylog-Node-ID: 178b5821-23e3-493c-9c21-13d6414d4193
X-Runtime-Microseconds: 7341
Content-Type: application/json
Content-Length: 105

{"configuration":{"update_interval":30,"send_status":true},"configuration_override":false,"actions":

I'm using Debian Jessie on both servers. Anyone got an idea why I'm 
receiving these messages and what I can do to fix that?

(PS: the graylog server is running behind a reverse proxy, but even when 
accessing it directly I get this message.)

Cheers,
NeefRoel


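As an added example for the exchange captured in this thread (it is not code from the collector sidecar or from Graylog): the status report is rebuilt from the captured PUT body, the response is validated so that every failure carries a concrete reason rather than the empty text after "Failed to report collector status to server:", and the port a given server_url resolves to is computed, which is the point of Marius's reply about port 9000. One thing the check surfaces from the post itself: the quoted response body is 100 bytes against a declared Content-Length of 105, so either the capture or the e-mail wrapping cut it short; which one is not known from the post. The IP placeholder and the node id come from the capture; the response layout is assumed to be plain JSON as shown.

```python
import json
from urllib.parse import urlparse

# Status report the sidecar PUTs to the collectors endpoint, rebuilt from the capture
# in the thread (the IP was already redacted there and is kept as a placeholder).
STATUS_REPORT = {
    "node_id": "graylog-collector-sidecar",
    "node_details": {
        "operating_system": "Linux",
        "tags": ["linux", "apache"],
        "ip": "My.Ip.Add.ress",
        "metrics": {"disks_75": [], "cpu_idle": 97.61, "load_1": 0.07},
        "status": {
            "backends": {"filebeat": {"status": 0, "message": "Running"}},
            "status": 0,
            "message": "1 collectors running",
        },
    },
}

# Response as it appears in the capture: the header promises 105 bytes, but the body
# quoted in the post stops after "actions": (100 bytes).
CAPTURED_STATUS = 202
CAPTURED_HEADERS = {
    "Content-Type": "application/json",
    "Content-Length": "105",
    "X-Graylog-Node-ID": "178b5821-23e3-493c-9c21-13d6414d4193",
}
CAPTURED_BODY = ('{"configuration":{"update_interval":30,"send_status":true},'
                 '"configuration_override":false,"actions":')


def encode_request(report):
    """Serialise the status report compactly and return (body_bytes, headers)."""
    body = json.dumps(report, separators=(",", ":")).encode("utf-8")
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Content-Length": str(len(body))}
    return body, headers


def effective_port(server_url):
    """Port the sidecar will actually connect to for a server_url: the explicit port
    when one is given, otherwise the scheme default (80 for http, 443 for https)."""
    parsed = urlparse(server_url)
    return parsed.port or (443 if parsed.scheme == "https" else 80)


def check_response(status, headers, body):
    """Validate a registration response and return findings with a concrete reason
    for every problem found, so a failure is never reported with an empty message."""
    findings = {"ok": False, "problems": [], "update_interval": None, "actions": []}
    if status != 202:
        findings["problems"].append(f"unexpected HTTP status {status} (expected 202 Accepted)")
    if not headers.get("Content-Type", "").startswith("application/json"):
        findings["problems"].append(f"unexpected Content-Type {headers.get('Content-Type')!r}")
    declared = int(headers.get("Content-Length", -1))
    actual = len(body.encode("utf-8"))
    if declared >= 0 and declared != actual:
        findings["problems"].append(
            f"body is {actual} bytes but Content-Length declares {declared}")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        findings["problems"].append(f"body is not valid JSON: {exc.msg} at byte {exc.pos}")
        return findings
    configuration = doc.get("configuration") or {}
    for key in ("update_interval", "send_status"):
        if key not in configuration:
            findings["problems"].append(f"configuration.{key} missing from response")
    findings["update_interval"] = configuration.get("update_interval")
    # A null or absent "actions" simply means the server has nothing for the collector to do.
    findings["actions"] = doc.get("actions") or []
    findings["ok"] = not findings["problems"]
    return findings


if __name__ == "__main__":
    body, headers = encode_request(STATUS_REPORT)
    print("PUT body:", len(body), "bytes, Content-Length:", headers["Content-Length"])
    for url in ("http://my.fqdn.hostname/api/", "http://my.fqdn.hostname:9000/api/"):
        print(url, "-> port", effective_port(url))
    print(check_response(CAPTURED_STATUS, CAPTURED_HEADERS, CAPTURED_BODY))
```

Run as-is it prints the two findings for the captured response (length mismatch and unparseable JSON); feed it a complete body whose length matches the header and it returns ok=True with the update_interval and an empty actions list. When a collector sits behind a reverse proxy, the port reported for the configured server_url is the proxy's, so confirm that the proxy really forwards that port to the API before changing anything on the collector side.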

[graylog2] bytes can be at most 32766 in length

2017-02-20 Thread Paul Pretorius
Hi Guys 

I've deployed Graylog to use for a syslog solution.  Currently using 
Sidecar to do the collection of winlogs only.  

Been running a week and started loading some more hosts ... Then Pooof, 
graylog fell over.  Initially I was clueless as to what's going on.  

After a bit of digging, I found the dreaded elasticsearch error which seems 
to be quite common (bytes can be at most 32766 in length).

I have found a few articles where people say update the analyser, some 
others that mention setting index to not_analyzed or Index No.  Another 
post mentioned to set ignore_above => 256. 

Thing is ... I have no clue where to even try setting these things?  Can 
anybody shed some light please?  

I have managed to find the actual message that is too large on the 
originating server which is causing the failure.  Turns out to be an HP WBEM 
Dump Event (Id 1001). 

If anyone knows how I can prevent this from happening, or define some sort 
of "exclude" for this message, that would be a great help.  

Perhaps I could instruct the sidecar collector to ignore this message?  Is 
that possible?  Would anyone know?  

PS - I have tried this with Graylog 2.1 and just tried with 2.2 as well.  
Both doing the same thing... 

Appreciate your help guys  :) 

Thanks 

Paul. 


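The error quoted in both of Paul's messages in this digest ("bytes can be at most 32766 in length") is Lucene refusing to index a single untokenized term longer than 32766 bytes, which is what a not_analyzed string field turns a whole event message into. The Python below is an added example, not Graylog, Sidecar or Elasticsearch code. It shows the two mitigations the thread names: an ingest-side check that measures fields in UTF-8 bytes (not characters) and truncates the oversized ones of a constructed Windows event, where a padded message stands in for the HP WBEM dump event, and the not_analyzed/ignore_above mapping fragment in Elasticsearch 2.x syntax. The event shape and field names are assumptions; how such a mapping gets into Graylog's index template is outside this example.

```python
LUCENE_TERM_LIMIT = 32766  # bytes: Lucene rejects a single untokenized term longer than this

# Constructed Windows event in the shape Sidecar/winlogbeat would ship; the message
# field is padded with non-ASCII text to stand in for the oversized HP WBEM dump event.
SAMPLE_EVENT = {
    "source": "host01",
    "event_id": 1001,
    "provider": "HP WBEM",
    "message": "Dump data: " + "ÄÖÜ" * 12000,  # 36011 characters but 72011 UTF-8 bytes
}


def utf8_len(text):
    return len(text.encode("utf-8"))


def oversized_fields(event, limit=LUCENE_TERM_LIMIT):
    """Map each string field whose UTF-8 encoding exceeds `limit` to its byte length.
    The limit is in bytes, not characters, so len() alone under-reports the problem."""
    return {name: utf8_len(value) for name, value in event.items()
            if isinstance(value, str) and utf8_len(value) > limit}


def truncate_utf8(text, limit):
    """Shorten `text` so its UTF-8 form fits in `limit` bytes without cutting a
    multi-byte character in half (a split character would be invalid UTF-8)."""
    data = text.encode("utf-8")
    if len(data) <= limit:
        return text
    return data[:limit].decode("utf-8", errors="ignore")


def sanitize_event(event, limit=LUCENE_TERM_LIMIT, marker="...[truncated]"):
    """Ingest-side mitigation: truncate the oversized fields, keep the rest of the event
    untouched, and record which fields were cut so the change stays visible to analysts."""
    out = dict(event)
    cut = []
    for name in oversized_fields(event, limit):
        out[name] = truncate_utf8(event[name], limit - utf8_len(marker)) + marker
        cut.append(name)
    if cut:
        out["truncated_fields"] = cut
    return out


def ignore_above_mapping(field, ignore_above=256):
    """Index-side mitigation from the thread, as an Elasticsearch 2.x mapping fragment:
    the field stays untokenized (not_analyzed) and values longer than `ignore_above`
    characters are not indexed at all, though they remain in _source and in search hits."""
    return {field: {"type": "string", "index": "not_analyzed", "ignore_above": ignore_above}}


if __name__ == "__main__":
    print("oversized:", oversized_fields(SAMPLE_EVENT))
    safe = sanitize_event(SAMPLE_EVENT)
    print("after truncation:", utf8_len(safe["message"]), "bytes, cut:", safe["truncated_fields"])
    print("mapping:", ignore_above_mapping("message"))
```

The two approaches fail differently: truncation keeps a searchable prefix of the message and a marker that the event was altered, while ignore_above silently leaves the whole value out of the index, so a search on that field will not find the event even though it is stored. Which one is acceptable depends on whether analysts need to find those dump events later.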

Re: [graylog2] Re: Graylog V2.1.2 - getting GELF HTTP working with simple HTTP POST/JSON body

2017-02-20 Thread Lisa Deng

A year or so late, but I was using this helpful thread to get graylog 
working in docker.
For future readers:
I ended up publishing the ports in the docker-compose file, and it worked, 
no problem. It was correctly published. I am on Ubuntu and I did NOT have 
to download Kitematic. 
After publishing ports in the docker-compose file it showed up as 
0.0.0.0:(number) => number/tcp, and ended up working.

On Thursday, December 15, 2016 at 5:21:30 PM UTC+2, Mike Norris wrote:
>
> I finally got this to work, here are my tips
>
> NB: MY CHALLENGE WAS THAT I AM WORKING WITH GRAYLOG IN A DOCKER CONTAINER
>
> 1. Download and install and use Kitematic, rather than trying to use 
> docker run -p to faff about with port numbers
> 2. Use Kitematic to map the ports allocated within the docker container 
> to be usable to the outside world
>
> I found it much easier to use kitematic to expose ports like 12201 which 
> is used by GELF; rather than using the docker command line
>
> So having exposed port 12201 in the docker container via Kitematic to 
> localhost, now I can run some programs that log messages to Graylog via GELF
> - in this screenshot there are 3 x containers running, in reverse order we 
> have mongo db, elastic search and top of the list graylog
> - graylog has been changed to allow requests sent to localhost:12202 to be 
> processed, without this mod, graylog will not listen on port 12201 for your 
> request  
>
> [image: pasted1]
>
>
> On Wed, Dec 7, 2016 at 5:21 PM Mike Norris wrote:
>
>> Jochen
>>
>> Interesting tip but still not working ;-(
>>
>> I have tried to allow http://10.0.75.1 to respond to client request 
>> running on my machine
>>
>> I want to achieve the following
>>
>> send GELF HTTP requests from my windows machine running Powershell into 
>> Graylog running inside a Docker environment
>>
>> 10.0.75.1 is the IP address of the docker system as we know from ipconfig 
>> /all
>>
>> I've tried my best to add OR expose ports 12201 and 12202 
>>
>> a. I want to run HTTP GELF on port 12201 and allow the outside world (i.e 
>> my laptop which is running docker and the container) to send GELF POSTS to 
>> 10.0.51.1:12202 .. or .. 127.0.0.1:12201
>> b. I want to also try TCP GELF on port 12202
>>
>> nb: I did this by entering ... docker run -p 
>> 127.0.0.1:12201:12201 graylog2/server
>>
>> The docker run -p produces a shed load of messages on the console, tons !!
>> - which made me think it had failed 
>> - but docker ps shows the following
>>
>> CONTAINER ID   IMAGE             COMMAND                  CREATED          STATUS          PORTS                                           NAMES
>> 7d81b1f47a9d   graylog2/server   "/docker-entrypoint.s"   6 seconds ago    Up 4 seconds    9000/tcp, 12900/tcp, 0.0.0.0:12201->12001/tcp   small_curie
>> a3492b1cf60a   graylog2/server   "/docker-entrypoint.s"   18 minutes ago   Up 18 minutes   9000/tcp, 12900/tcp, 0.0.0.0:12202->12002/tcp   peaceful_einstein
>> ebdef3e02b89   graylog2/server   "/docker-entrypoint.s"   31 minutes ago   Up 31 minutes   0.0.0.0:9000->9000/tcp, 12900/tcp               gigantic_jennings
>> dd421c87f1f5   elasticsearch:2   "/docker-entrypoint.s"   5 days ago       Up 7 hours      9200/tcp, 9300/tcp                              some-elasticsearch
>> 2a466a04134c   mongo:3           "/entrypoint.sh mongo"   5 days ago       Up 7 hours      27017/tcp                                       some-mongo
>>
>> It looks like I have port 12201 accessible ??
>>
>> BUT ... I still can't get a successful send of a single message via GELF 
>> HTTP or GELF TCP
>>
>> I get The underlying connection was closed: The connection was closed 
>> unexpectedly.
>>
>> I've tried every variation of docker run --expose and docker run -p I can 
>> think of
>>
>> It's so frustrating but I cannot get GELF HTTP or TCP to work
>>
>> Publish or expose port (-p, --expose)
>>
>> $ docker run -p 127.0.0.1:80:8080 ubuntu bash
>>
>> This binds port 8080 of the container to port 80 on 127.0.0.1 of the 
>> host machine. The Docker User Guide explains in detail how to manipulate 
>> ports in Docker.
>>
>> $ docker run --expose 80 ubuntu bash
>>
>> This exposes port 80 of the container without publishing the port to the 
>> host system’s interfaces.
>>
>> On Wed, Dec 7, 2016 at 8:21 AM Jochen Schalanda wrote:
>>
>>> Hi Mike,
>>>
>>> keep in mind that you need to expose each port explicitly in Docker, see 
>>> https://docs.docker.com/engine/reference/commandline/port/ and 
>>> https://docs.docker.com/engine/reference/commandline/run/#/publish-or-expose-port--p---expose.
>>>
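As an added example (not code from this thread, from Graylog or from Docker): the docker ps output quoted above publishes host port 12201 to container port 12001, so a GELF input listening on 12201 inside the container would never see traffic sent to the host's 12201. This Python check parses docker ps PORTS entries for exactly that kind of mismatch and builds a GELF 1.1 payload for a test POST; the container names and PORTS strings are copied from the output above, and the local endpoint URL is an assumption.

```python
import json
import re
import time
import urllib.request
from typing import List, Tuple

# Constructed sample: PORTS values copied from the "docker ps" output quoted above.
SAMPLE_PORTS = {
    "small_curie": "9000/tcp, 12900/tcp, 0.0.0.0:12201->12001/tcp",
    "peaceful_einstein": "9000/tcp, 12900/tcp, 0.0.0.0:12202->12002/tcp",
    "gigantic_jennings": "0.0.0.0:9000->9000/tcp, 12900/tcp",
}
# Published mapping as docker ps prints it (IPv4 form): BIND_IP:HOST_PORT->CONTAINER_PORT/PROTO
_PUBLISHED = re.compile(r"^(?P<ip>[\d.]+):(?P<host>\d+)->(?P<container>\d+)/(?P<proto>tcp|udp)$")

def parse_ports(ports: str) -> List[Tuple[str, int, int, str]]:
    """(bind_ip, host_port, container_port, proto) per published mapping; bare '9000/tcp' is exposed only."""
    mappings = []
    for entry in ports.split(","):
        m = _PUBLISHED.match(entry.strip())
        if m:
            mappings.append((m["ip"], int(m["host"]), int(m["container"]), m["proto"]))
    return mappings

def check_gelf_publish(ports: str, gelf_port: int = 12201) -> List[str]:
    """Reasons a send to <host>:gelf_port would not reach a GELF input bound to gelf_port in the container."""
    problems = []
    hits = [m for m in parse_ports(ports) if m[1] == gelf_port]
    if not hits:
        problems.append(f"host port {gelf_port} is not published; exposed-only ports are unreachable from the host")
    for ip, host, container, proto in hits:
        if container != gelf_port:
            problems.append(f"{host}->{container}/{proto}: container side must be {gelf_port}, where the input listens")
        if ip == "0.0.0.0":
            problems.append(f"{host}/{proto} is bound on all interfaces; use -p 127.0.0.1:{host}:{container} for local tests")
    return problems

def gelf_message(short_message: str, host: str = "test-host", level: int = 6, **extra) -> bytes:
    """GELF 1.1 JSON payload; additional fields must carry a leading underscore."""
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": time.time(), "level": level}
    msg.update({"_" + k: v for k, v in extra.items()})
    return json.dumps(msg).encode()

def post_gelf_http(payload: bytes, url: str = "http://127.0.0.1:12201/gelf") -> int:
    """POST to a GELF HTTP input (local URL is an assumption); returns the HTTP status code."""
    req = urllib.request.Request(url, data=payload, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status
```

Run check_gelf_publish against each container's PORTS string before debugging the sender; post_gelf_http only succeeds once a mapping with matching host and container ports is published.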

[graylog2] graylog collector sidecar and winlogbeat language issue

2017-02-20 Thread Daniel Kamiński
Hi
I'm collecting logs from Windows Server 2012 R2 using graylog collector 
sidecar with winlogbeat, and I have issues with logs language. The system 
was installed as Polish (my language) but later we changed language to 
English, now everything is in English except messages sent by winlogbeat 
run by collector (which is run as a service), those are in Polish. *BUT* if 
I run winlogbeat *manually from the cmd* shell with the same config 
messages I collect *are in English*.

*TL;DR:* winlogbeat run by collector sends event log messages in Polish, 
winlogbeat run by hand sends messages in English (*desired*)

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/950928d6-dd3b-4596-912b-afa64f1c213d%40googlegroups.com.


[graylog2] Re: Global kafka input doesn't work.

2017-02-20 Thread Jochen Schalanda
Hi Art,

are there any error messages in the logs of your Graylog nodes?

Cheers,
Jochen

On Friday, 17 February 2017 00:30:39 UTC+1, Art Star wrote:
>
> Hey guys, 
>
> I'm trying to configure two graylog servers to read from the same topic in 
> kafka. But when I choose global input, only one of my servers can read from 
> kafka. 
> I'm wondering if it is something that I'm doing wrong or it's not possible 
> as of now. 
>
> Thanks
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/ec61f2c8-c077-4745-9850-0ce0483e133d%40googlegroups.com.


[graylog2] Re: Remove field using extractors

2017-02-20 Thread Jochen Schalanda
Hi Rui,

On Tuesday, 14 February 2017 16:24:55 UTC+1, Rui Goncalves wrote:
>
> What am I missing? I think there must be something that I'm missing, 
> because we can route the same message to multiple streams.
>

This sounds like an incorrect message processor order. Check the order of 
your message processors on the System / Configurations page.

Cheers,
Jochen 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/6934a62f-2494-46c1-ac6d-1f2a9770bedb%40googlegroups.com.


[graylog2] [INFO] Google Group shutdown on Feb 21, 2017

2017-02-20 Thread Jochen Schalanda
Hi everyone,

just a timely reminder that this Google Group will be set to read-only on 
Feb 21, 2017 and will be replaced by the official Graylog Community Forums.

If you have any open threads on this mailing list, please create a 
corresponding topic on the Graylog Community Forums.


Cheers,
Jochen

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/bcc18234-2656-425e-85c2-0f4501103bf9%40googlegroups.com.