[graylog2] Re: Changing the query in a generated chart
Thanks, and understood on the chart part. I actually got Kibana working correctly by using version 4.5.2. It seems to be very touchy about the version of elasticsearch it is connecting to, so you need to use a version of kibana that matches your version of elasticsearch in graylog. On Thursday, October 13, 2016 at 7:42:44 AM UTC-5, Jochen Schalanda wrote: > > Hi David, > > > On Thursday, 13 October 2016 14:30:22 UTC+2, David Gerdeman wrote: >> >> Is there a way to change the query used to generate a chart after it is >> created? For example, if I want to change the source, or add to fields to >> a chart, can that be done without having to create a new chart, or combine >> multiple charts? >> > > That's currently not possible. You'll have to recreate the dashboard > widget. > > > Failing that, it used to be possible to get kibana to *mostly* work with >> graylog. I am running the latest version of graylog (2.1) and have tried >> Kibana 4.6.1 (which doesnt support graylog's version of elasticsearch), and >> Kibana 4.1.0 (which doesnt seem to want to talk to graylog on port 9200 or >> 9300). >> > > I don't see why Kibana 4.x wouldn't work with Elasticsearch 2.x, which is > being used by Graylog 2.x. > > Can you be more specific about the problems you've encountered? > > > Cheers, > Jochen > -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/ed561498-af9d-460f-91cf-3fc6cfd99006%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Changing the query in a generated chart
Is there a way to change the query used to generate a chart after it is created? For example, if I want to change the source, or add to fields to a chart, can that be done without having to create a new chart, or combine multiple charts? Failing that, it used to be possible to get kibana to *mostly* work with graylog. I am running the latest version of graylog (2.1) and have tried Kibana 4.6.1 (which doesnt support graylog's version of elasticsearch), and Kibana 4.1.0 (which doesnt seem to want to talk to graylog on port 9200 or 9300). -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/fa68aabf-44d3-4818-8873-e02617af98f5%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [graylog2] Re: Graylog Error Logging and Disk Space
Done, thank you. The github issue link is https://github.com/Graylog2/omnibus-graylog2/issues/29. -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/1807e8e5-368f-4ecb-87d0-f1e2db9b3757%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [graylog2] Re: Graylog Error Logging and Disk Space
I had to wait for it to fail again. It looks like it failed on May 30th. In the /var/log/graylog/elasticsearch folder the graylog.log. files for May 25-29 are all about 400K. The log file for May 30th is 2.1GB and the disk of the virtual appliance is at 100% utilization. Also, the last index folder from before it stopped is 2.8GB in size (my indexes are set to roll over at 1GB). It seems that the "translog" folder in the index shard folders are about 700MB each, as opposed to about 12K for the previous indexes. Looks like there are two problems: the final log before failure gets bloated while the transaction log for the final index fills with unindexed messages(?). -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/c96656d9-ab03-4491-8066-cc10cd4b4af8%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: Graylog Error Logging and Disk Space
Could you direct me to instructions for setting up this error log rotation? This would be for the logs that you can see by using the "sudo graylog-ctl tail" command, not things that are actually indexed by graylog. -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/1caedffa-7cf5-47e8-b2d5-c5acb4240600%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: Graylog Error Logging and Disk Space
I am running the latest graylog virtual appliance. -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/7752f428-15df-4c1e-bbe2-1ea4a529d90a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Graylog Error Logging and Disk Space
Is there any way to stop graylog error logging from filling up the disk? >From time to time the indexer hangs up for some reason and and each failed message writes a log entry. I've not been able to figure out what causes this. The only messages being sent into graylog are messages from Windows machines sending logs via NXlog. The graylog instance is using default settings. Whenever this happens I usually fix it by running sudo graylog-ctl cleanse and rebooting the VM. Any help would be appreciated. Thanks! -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/265e7f50-d2e9-4928-a050-c0def8096027%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [graylog2] Relative search queries are not updating
Thanks Edmundo, I appreciate your help; the steps you outlined correct the issue while the dev tools are up. On Tuesday, May 17, 2016 at 5:16:05 AM UTC-5, Edmundo Alvarez wrote: > > Hi David, > > I was able to reproduce this issue, and it seems to be a caching problem > in IE and Edge. Could you see if the problem still occurs when you > (temporary) disable caching? For doing that, open the developer tools, and > click the "Always refresh from server" button inside the network tab. Keep > the developer tools open while browsing, and see if that fixes the problem > you are experiencing. > > I have created an issue on Github to track this, please feel free to add > any more information into it: > https://github.com/Graylog2/graylog2-server/issues/2243 > > Regards, > > Edmundo > > > On 16 May 2016, at 15:13, David Gerdeman > wrote: > > > > Any ideas on this one? > > > > -- > > You received this message because you are subscribed to the Google > Groups "Graylog Users" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to graylog2+u...@googlegroups.com . > > To view this discussion on the web visit > https://groups.google.com/d/msgid/graylog2/6263f9dd-bf35-44c0-b31f-43edfa5d9c8b%40googlegroups.com. > > > > For more options, visit https://groups.google.com/d/optout. > > -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/c134997b-2d4b-413a-83c2-a25302da79e3%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: Relative search queries are not updating
Any ideas on this one? -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/6263f9dd-bf35-44c0-b31f-43edfa5d9c8b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: Relative search queries are not updating
What I mean by doing the same search is selecting "last x minutes" and hitting enter or the search button. I would expect this to give me the last x minutes worth of messages, but it gives me the x minutes worth of messages from the first time of the day that I ran the search. I am using the relative option, so instead of manually specifying a time range, I just used the drop down to select "last 5 minutes". For example, this morning I launched my browser and logged into graylog. I ran a "last 5 minutes" search at 7:42am and it retrieved the expected data. I just ran the ran the same "last 5 minutes" relative search at 12:19pm after refreshing the webpage. It gives me the same data as the 7:42am search over that 5 minute time frame. I would expect that every time you search using a relative time frame, it would update the query with the current time stamp to reflect it. This behavior did not exist as best as I can remember in version before 2.0.0. I also don't see any JS errors in the console, I am running IE11 (if it matters), and there are no proxies between the browser and graylog. This behavior continues until I close the browser window and reopen it. Thanks! On Friday, May 13, 2016 at 11:19:03 AM UTC-5, Jochen Schalanda wrote: > > Hi David, > > what do you mean with "do the same searches 2 hours later"? Are you > selecting the same time range in the web interface again? Are you simply > reloading the already loaded search results? Are there any (caching) > proxies or reverse proxies between you and the Graylog web interface? Or > maybe even your web browser is caching those pages? > > Cheers, > Jochen > > On Friday, 13 May 2016 15:31:37 UTC+2, David Gerdeman wrote: >> >> I might have found a bug...running graylog 2.0.0 virtual appliance >> recently upgraded to 2.0.1. >> >> On the search tab, using the "relative" search options, if I select >> "search in the last 5 minutes" at 7:30Am, and then I select "search in the >> last 15 minutes" at 7:45Am, both will return the correct time range of data >> the first time they are used as a search parameter. However, if I do the >> same searches 2 hours later, it will retrieve the same data (7:25-7:30 and >> 7:30-7:45). If I view the JSON query for these searches, the time frame it >> uses does not change. I am always able to retrieve the most recent data if >> I use a search time frame I have not used yet. >> >> This behavior is seen in both 2.0.0 and 2.0.1, and appears in both of my >> graylog servers. Both machines have almost identical configurations, but >> have different workloads. Time/timezone show correctly on both the VM and >> the web console. UTC timestamps on the incoming data are being correctly >> shifted to CST time zone. This behavior exists in a freshly configured >> virtual appliance as well. >> >> Any help or ideas would be appreciated. >> Thanks! >> > -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/1c27548b-f229-4647-a7d4-46056055bdf7%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Relative search queries are not updating
I might have found a bug...running graylog 2.0.0 virtual appliance recently upgraded to 2.0.1. On the search tab, using the "relative" search options, if I select "search in the last 5 minutes" at 7:30Am, and then I select "search in the last 15 minutes" at 7:45Am, both will return the correct time range of data the first time they are used as a search parameter. However, if I do the same searches 2 hours later, it will retrieve the same data (7:25-7:30 and 7:30-7:45). If I view the JSON query for these searches, the time frame it uses does not change. I am always able to retrieve the most recent data if I use a search time frame I have not used yet. This behavior is seen in both 2.0.0 and 2.0.1, and appears in both of my graylog servers. Both machines have almost identical configurations, but have different workloads. Time/timezone show correctly on both the VM and the web console. UTC timestamps on the incoming data are being correctly shifted to CST time zone. This behavior exists in a freshly configured virtual appliance as well. Any help or ideas would be appreciated. Thanks! -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/d9db8bec-c034-4712-9505-5cf35a7f1bfa%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [graylog2] Issue with new graylog 2.0 virtual appliance
I guess it was just some lag in the update process...When I went back to the webpage to check for JS errors and the like, every input I created was in the list, with most of them in the failed state because the port was taken by the first instance to start. Looks like it fixed itself. Thanks On Thursday, April 28, 2016 at 8:59:46 AM UTC-5, Edmundo Alvarez wrote: > > Hi David, > > The issue sounds quite odd. Were there errors in your Graylog server logs > or browser's JS console when creating the input? Also, did you try > restarting your Graylog server to see if the input appears in the list? > > Regards, > Edmundo > > > On 28 Apr 2016, at 15:42, David Gerdeman > wrote: > > > > I'm having an issue on a fresh virtual appliance of graylog v2. When > launching a new input (gelf udp on port 7), I get a message saying that > adding the new input was successful, but the input never shows up on the > inputs page of the web portal, or in the list of inputs returned in the API > browser. Only the default inputs exist at this point. Oddly enough, it > seems to be receiving messages sent to port 7 and processing them > correctly. Any thoughts on this issue and how it might be fixed? > > > > Thanks! > > > > -- > > You received this message because you are subscribed to the Google > Groups "Graylog Users" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to graylog2+u...@googlegroups.com . > > To view this discussion on the web visit > https://groups.google.com/d/msgid/graylog2/0df00bc3-865f-47ed-8e28-f6db9e7c4325%40googlegroups.com. > > > > For more options, visit https://groups.google.com/d/optout. > > -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/5d372313-a3e1-4d4a-b558-9098519edcff%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Issue with new graylog 2.0 virtual appliance
I'm having an issue on a fresh virtual appliance of graylog v2. When launching a new input (gelf udp on port 7), I get a message saying that adding the new input was successful, but the input never shows up on the inputs page of the web portal, or in the list of inputs returned in the API browser. Only the default inputs exist at this point. Oddly enough, it seems to be receiving messages sent to port 7 and processing them correctly. Any thoughts on this issue and how it might be fixed? Thanks! -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/0df00bc3-865f-47ed-8e28-f6db9e7c4325%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: Internal Graylog logging
Thank you for the guidance! On Thursday, October 8, 2015 at 12:56:29 AM UTC-5, Jochen Schalanda wrote: > > Hi David, > > Graylog is using log4j 1.2 for its own logging needs. You can download and > configure one of the existing log4j GELF appenders (see > https://marketplace.graylog.org/addons?search=log4j) to write Graylog's > log messages into Graylog itself. This being said, there is the possibility > of feedback loops (something going wrong while indexing, producing lots of > log messages, which in turn make things worse because there are lots of > messages about the things going wrong), so I'd recommend sending only > specific loggers back into Graylog. > > There's also a recent pull request ( > https://github.com/Graylog2/graylog2-server/pull/1452) which enables > accessing the internal log messages via the Graylog REST API. This will be > included in Graylog 1.2.2 and later. > > Cheers, > Jochen > > On Wednesday, 7 October 2015 20:13:46 UTC+2, David Gerdeman wrote: >> >> Is there any way to have graylog send it's own internal logs to itself >> for indexing? I see my log messages increasing but the only way to look at >> them seems to be from the command line. >> > -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/fd25c6f2-398c-4094-886c-cc691ae9d18d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Internal Graylog logging
Is there any way to have graylog send it's own internal logs to itself for indexing? I see my log messages increasing but the only way to look at them seems to be from the command line. -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/2f170002-412b-43a1-900a-673d1b46964a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: Alert when there are Indexer Failures
Thank you everyone for the replies. These look very helpful. On Friday, July 10, 2015 at 7:20:59 AM UTC-5, David Gerdeman wrote: > > Is it possible to set up an alert or notification of some kind that will > trigger when there are indexer failures? I seem to randomly have indexing > issues and I would like to be able to catch them faster. > -- You received this message because you are subscribed to the Google Groups "graylog2" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: Alert when there are Indexer Failures
Thanks, I'll try that On Friday, July 10, 2015 at 9:50:50 AM UTC-5, Alberto Frosi wrote: > > Hi David, > I don't know if this is possible by Graylog's alerts. > however it's possible query indices status in eleasticsearch, catch the > error and send a mail. > Ciao > Alberto > > > On Friday, July 10, 2015 at 2:20:59 PM UTC+2, David Gerdeman wrote: >> >> Is it possible to set up an alert or notification of some kind that will >> trigger when there are indexer failures? I seem to randomly have indexing >> issues and I would like to be able to catch them faster. >> > -- You received this message because you are subscribed to the Google Groups "graylog2" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Alert when there are Indexer Failures
Is it possible to set up an alert or notification of some kind that will trigger when there are indexer failures? I seem to randomly have indexing issues and I would like to be able to catch them faster. -- You received this message because you are subscribed to the Google Groups "graylog2" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Indexer Failures
Is it possible to tell from which source is generating messages that are causing indexer failures? I am getting absolutely slammed with indexer failures all of the sudden and the error message just tells me that a date parsing failed. -- You received this message because you are subscribed to the Google Groups "graylog2" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Variable Length Key=Value pairs
In the uri-query field of my IIS logs I have a website that generates values for this field that is key=value pairs delimited by "&". Sometimes this field might have one or two key=value pairs, and sometimes it has as many as six or seven. I would like to extract those key=value pairs and bring them into graylog as separate fields, but haven't had much luck. Is there a good way to extract these fields? -- You received this message because you are subscribed to the Google Groups "graylog2" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: Graylog collector and iis logs
For your file try "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*". I have
been using this pattern successfully. It grabs the new logs added to the
currently used log file. The relevant parts of my conf file are below:
Enter code here...
Module xm_csv
Fields $date, $time, $s-host, $cs-method, $cs-uri-stem, $cs-
uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $sc-status, $sc-
substatus, $sc-win32-status, $time-taken
FieldTypes string, string, string, string, string, string,
integer, string, string, string, integer, integer, integer, integer
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
Moduleim_file
File"C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
SavePos TRUE
Execif $raw_event =~ /^#/ drop();\
else\
{\
w3c->parse_csv();\
$EventTime = parsedate($date + " " + $time);\
$EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
$Message = to_json();\
}
On Friday, June 19, 2015 at 3:00:33 AM UTC-5, Alberto Hontoria wrote:
>
> Hi friends
>
> We are trying to get iis logs by graylog collector.
>
> We have this config
>
> iis-access {
> type = "file"
> path = "E:\\Logs IIS\\W3SVC1\\?.log"
> poll-interval = 5s
> }
>
>
> Iis log name changes each day hour, the real format of the log is
> u_exDDMMHH.log
>
> If we test it with the complete path of a file, it works.
>
> But how to retrieve all logs in a directory? We have tested with
> u_ex*.log, or the directory path without sucess
>
> Any clue?
>
> Regards
>
>
--
You received this message because you are subscribed to the Google Groups
"graylog2" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to graylog2+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: hyper-v virtual appliance
I've been running the virtual appliance in hyper-v for a while now. Use some extraction program to open the OVA file. Take the vmdk file out and use virtualbox or some other application to convert it to a VHD. You can either use that VHD directly with Hyper-V or you can use Hyper-V to convert it again to a VHDX file and use that. Either way works great. I don't know about your other question. I would like to know how to upgrade the virtual appliances as well. On Tuesday, June 16, 2015 at 5:51:50 PM UTC-5, Gabor.Technology wrote: > > Hi guys, > > Few questions please: > > 1. With version 1.1.2 out, what is the recommended way to run Graylog in > production under Hyper-V? Convert Workstation image to vhdx? Chef / Puppet > / Ansible? > 2. What is the best way to upgrade from 1.0 to 1.1.2 or is it just better > to create new VMs by using converted virtual appliances? Can data from > existing elastic cluster be imported? > > Cheers, > Gabor > > > > > > > -- You received this message because you are subscribed to the Google Groups "graylog2" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Beta 3 Question
I have been testing beta3 and I have a few questions. 1. The blog post about the beta release shows a picture of a pie chart...how does one add a pie chart to a dashboard? 2. When I look at the "inputs" page, the throughput/metrics fields never populate. This has been an issue for me in all of the betas I've tested so far. The browser I am running is IE11 and the message in the browser console is "SCRIPT12008: WebSocket Error: Incorrect HTTP response. Status code 400, Bad Request". I am running the virtual appliance. 3. Speaking of virtual appliances, is there any way to upgrade the version of Graylog on the appliances when a new appliance is released? Or would one just install the new binaries when they are released? Thanks in advance! -- You received this message because you are subscribed to the Google Groups "graylog2" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
