[graylog2] Re: Graylog Email Callbacks - which fields/variables can I use?

2016-06-01 Thread Dennis Seaton
Thanks Jochen,

After a lot of trial and error I've learned you have to involve "the 
backlog object" or you can't access your fields. My callback eventually 
looked something like this:

ACCOUNT LOCKED OUT
${if backlog} 
${foreach backlog message} 
Username: ${message.fields.ad_username} 
Server: ${message.fields.source} 
Client: ${message.fields.machine_name} 
Time: ${message.fields.EventReceivedTime} 
${end}${else} ${end}


On Tuesday, 31 May 2016 12:19:56 UTC-4, Jochen Schalanda wrote:
>
> Hi Dennis,
>
> you can only reference fields listed in 
> http://docs.graylog.org/en/1.3/pages/streams.html#alert-callbacks-types-explained
> in your email template (scroll down a little bit).
>
> In your case, you would access the ad_username field of the message with 
> ${message.fields.ad_username}.
>
> Cheers,
> Jochen
>
> On Tuesday, 31 May 2016 17:58:33 UTC+2, Dennis Seaton wrote:
>>
>> I have an extractor that pulls the username whenever someone is locked 
>> out of my Windows domain. It puts the username into a field called 
>> *ad_username*. I now want to use that custom field that I made inside an 
>> email callback so I can send extremely simplified email alerts like this:
>>
>> *A user was locked out of the domain at ${check_result.triggeredAt} *
>> *The user was: ${ad_username}*
>>
>> I've seen the Callback documentation here 
>> <http://docs.graylog.org/en/1.3/pages/streams.html#alert-callbacks-types-explained>
>> but it is lacking detail on how to do this.
>>
>> Can anyone tell me if it's possible? How can I use my own fields in the 
>> callbacks?
>>
>>
>>
>> Thanks in advance
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/e1fef9de-cf9c-4518-b48d-6b2e0bbb8b6d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Graylog Email Callbacks - which fields/variables can I use?

2016-05-31 Thread Dennis Seaton
I have an extractor that pulls the username whenever someone is locked out 
of my Windows domain. It puts the username into a field called *ad_username*. 
I now want to use that custom field that I made inside an email callback so 
I can send extremely simplified email alerts like this:

*A user was locked out of the domain at ${check_result.triggeredAt} *
*The user was: ${ad_username}*

I've seen the Callback documentation here 
<http://docs.graylog.org/en/1.3/pages/streams.html#alert-callbacks-types-explained>
but it is lacking detail on how to do this.

Can anyone tell me if it's possible? How can I use my own fields in the 
callbacks?



Thanks in advance



[graylog2] "Empty" messages received from Graylog Collector

2016-05-10 Thread Dennis Seaton
We are using Graylog2 v1.3.4 with Graylog Collector 0.4.1 to grab logs from 
our Windows machines. I have noticed an issue where some log entries are 
being replaced with the word "Empty" in the message field (all the other 
fields are correct). These are valid log entries which are not empty; 
valuable information is being lost.
 
I am looking to upgrade our collectors to NXLog as that seems to be the way 
things are headed. But in the meantime I am curious if anyone knows of this 
issue, or can spot a problem with my collector.conf which is posted below:

server-url = "http://logs.MYSITE.com:12900/"
inputs {
  win-eventlog-application {
    type = "windows-eventlog"
    source-name = "Application"
    poll-interval = "1s"
  }
  win-eventlog-system {
    type = "windows-eventlog"
    source-name = "System"
    poll-interval = "1s"
  }
  win-eventlog-security {
    type = "windows-eventlog"
    source-name = "Security"
    poll-interval = "1s"
  }
}
outputs {
  gelf-tcp {
    type = "gelf"
    host = "logs.MYSITE.com"
    port = 12201
  }
}


Any suggestions are appreciated - why are valid Event Logs showing up in 
Graylog replaced with the word "Empty"?

 



[graylog2] "Empty" log entries from Windows Event Logs

2016-05-10 Thread Dennis Seaton
We are using Graylog2 v1.3.4 with GrayLog collector v0.4.1 on our Windows 
boxes to collect Windows Event Logs. I notice that on all of these Windows 
machines we are often (1 in 20) receiving log entries where the message 
field contains the text "Empty" instead of the proper entry. Valuable 
information is being replaced with the word "Empty".

I am looking into upgrading to NXLog for Windows log collection, but in the 
meantime I am curious if anyone knows why we are getting these "Empty" 
messages. Below is a copy of our collector.conf:

server-url = "http://logs.dpptoronto.com:12900/"
inputs {
  win-eventlog-application {
    type = "windows-eventlog"
    source-name = "Application"
    poll-interval = "1s"
  }
  win-eventlog-system {
    type = "windows-eventlog"
    source-name = "System"
    poll-interval = "1s"
  }
  win-eventlog-security {
    type = "windows-eventlog"
    source-name = "Security"
    poll-interval = "1s"
  }
}
outputs {
  gelf-tcp {
    type = "gelf"
    host = "logs.dpptoronto.com"
    port = 12201
  }
}

Anyone know if there a problem with the above conf file, or have any ideas 
about these "Empty" messages?





[graylog2] The Graylog Collector is Deprecated?

2016-05-09 Thread Dennis Seaton
Silly question:  I notice the Graylog documentation has been updated and 
that the Graylog Collector is now deprecated with v2.0 GA. Looks like 
NXLog is recommended for Windows clients, so I want to go ahead and 
start switching over to NXLog, but the official docs also mention 
installing Sidecar to manage it.  I'm not ready to upgrade to 2.0 GA... is 
Sidecar compatible with my old Graylog2 v1.3.4?  Is there any point using 
it before I upgrade to 2.0 GA?




[graylog2] Preventing Flooding

2016-03-19 Thread Dennis Seaton
We have concerns that any one of our machines could have an issue and 
suddenly start flooding Graylog with a million messages per second (as an 
example) and filling up all our indexes and disk space 1000x faster than 
anticipated while we were away for the weekend; we have fears of coming in 
on Monday to find that Graylog has died from a massive flood.

So, we are looking to put in safeguards to prevent something like this and 
are curious if anyone else has thought about it, and if so, how you've 
dealt with it?

Two specific questions:

(1) Is there a way to limit Graylog collectors to only be able to send a 
certain number of messages per second? 
or
(2) Is there a way to limit what is received on the server side of things?

Any suggestions would be appreciated,

Thanks guys.



[graylog2] "Collectors" page vs "Sources" page

2016-03-15 Thread Dennis Seaton
In Graylog if I click "System" on the menu, then "Collectors", I only see 
about 10 Collectors listed - even if I hit the "Include Inactive 
Collectors" button. However, if I click "Sources" from the menu it shows me 
that we in fact have at least 50 collectors up and running perfectly. So... 
Does anyone know why the "Collectors" page is inaccurate? Anyone else have 
the same problem?




[graylog2] Dashboard doesn't stay "locked"

2016-03-10 Thread Dennis Seaton
We've been experimenting with dozens of dashboards and notice that 
regardless of if the dashboard is "locked" or not it frequently re-arranges 
the widgets graphs and other items we have placed. It seems to want to 
adjust them based on the browser resolution you are using, or something 
like that.  When you have a dozen dashboards that you have to constantly 
re-arrange it is a big pain.

Is there any way to permanently lock items on a dashboard and/or disable the 
auto-arranging it is trying to do?
 



[graylog2] Graylog DNS resolution

2016-02-18 Thread Dennis Seaton
On our DNS server one of my machines has two A records, and two 
corresponding PTR records.

ie:
server1 = 10.10.10.1
server001 = 10.10.10.1

This causes Graylog to treat this server as two different sources, it 
splits all input from that collector 50/50, some log entries show as source 
"server1" some show source "server001".  Apparently these double entries 
are required for one of our apps. 

Without making any DNS changes, is there a way I can tell Graylog that 
anything gl2_remote_ip=10.10.10.1 should show as source "server1" ? Is 
there some kind of "hosts file" I can use to override DNS lookups?


Thanks in advance,
Dennis




[graylog2] Re: Collecting logs from OSX 10.11 El Capitan

2016-02-18 Thread Dennis Seaton
Thanks again guys, I had the port number but had left out the @, it is 
working now.

On Thursday, 18 February 2016 04:56:00 UTC-5, Jochen Schalanda wrote:
>
> Hi Dennis,
>
> please see the Graylog documentation about configuring the syslogd in Mac 
> OS X: 
> http://docs.graylog.org/en/1.3/pages/sending_data.html#sending-syslog-from-macos-x-hosts
>
>
> Cheers,
> Jochen
>
> On Wednesday, 17 February 2016 20:12:01 UTC+1, Dennis Seaton wrote:
>>
>> Has anyone had success collecting logs from OSX? What about El Capitan 
>> (v10.11.3)?
>>
>> From what I find on Google it USED to be as simple as adding a line to 
>> your syslog.conf file in OSX:
>> *.*   mygraylog.server.com
>>
>> But that doesn't appear to work anymore, and if you look at the 
>> syslog.conf file now it states:
>>
>> # Note that flat file logs are now configured in /etc/asl.conf
>>
>> When you look at asl.conf it is a completely different format, adding the 
>> simple line of text used with syslog.conf doesn't work.
>>
>> Anyone tried this recently? Any suggestions?
>>
>>
>>



[graylog2] Collecting logs from OSX 10.11 El Capitan

2016-02-17 Thread Dennis Seaton
Has anyone had success collecting logs from OSX? What about El Capitan 
(v10.11.3)?

From what I find on Google it USED to be as simple as adding a line to your 
syslog.conf file in OSX:
*.*   mygraylog.server.com

But that doesn't appear to work anymore, and if you look at the syslog.conf 
file now it states:

# Note that flat file logs are now configured in /etc/asl.conf

When you look at asl.conf it is a completely different format, adding the 
simple line of text used with syslog.conf doesn't work.

Anyone tried this recently? Any suggestions?




[graylog2] Re: Dealing with rotating log files

2016-02-11 Thread Dennis Seaton
Good info, thanks Jochen



[graylog2] Dealing with rotating log files

2016-02-10 Thread Dennis Seaton
Hello,

I am new to Graylog and looking for suggestions on how to get rotating log 
files (text files) into Graylog2. I have several apps that use rotating log 
files, these apps are not syslog capable, and the format of their log files 
cannot be altered.  Here's an example of how they are named:

ftp-02-08-2016.log
ftp-02-09-2016.log
ftp-02-10-2016.log

Every night at approximately midnight (it could be a few seconds 
afterwards), the app starts a new log file with the date in it. This makes 
it difficult to send the file through to Graylog2 using rsyslog. Originally 
I considered having a script on a cron job run every night at the same time:

# build today's file name in the same month-day-year form as the app uses,
# e.g. ftp-02-10-2016.log (the original used %d_%m_%Y, which never matches)
OUTPUT="$(date +'%m-%d-%Y')"

ln -sf /var/log/ftp-"${OUTPUT}".log /var/log/ftp-symlink.log


This would allow me to easily add ftp-symlink.log in my rsyslog.conf 
instead of using the file name with a date in it, but it is a messy 
solution - if the cron job runs a few seconds after the file rotates then 
log entries are lost. Before I try to proceed any further I thought I would 
check in with the community - surely someone else has encountered this 
problem? How can you reliably deal with rotating text log files?


Any suggestions are welcomed.



Thanks in advance!
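An added example, not from the thread or any reply to it: it reworks the cron-and-symlink idea above so the link is chosen from the date embedded in the file name (ftp-MM-DD-YYYY.log, as in the post) rather than from the clock, so the job can run any time after rotation and still pick the right file. The helper names newest_ftp_log and refresh_symlink and the /var/log paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes one log per day named
# ftp-MM-DD-YYYY.log, as in the post; helper names are made up here.

# newest_ftp_log DIR
#   Print the ftp-*.log in DIR whose embedded date is the latest.
#   The date is rebuilt as YYYYMMDD so that, e.g., ftp-12-31-2015.log
#   loses to ftp-02-08-2016.log (a plain name sort would get this wrong).
newest_ftp_log() {
    dir=$1
    best_key=0
    best_path=""
    for f in "$dir"/ftp-??-??-????.log; do
        [ -e "$f" ] || continue            # glob matched nothing
        base=$(basename "$f" .log)         # ftp-02-10-2016
        mm=${base#ftp-}; mm=${mm%%-*}      # 02
        dd=${base#ftp-??-}; dd=${dd%%-*}   # 10
        yyyy=${base##*-}                   # 2016
        key=$yyyy$mm$dd                    # 20160210, compared as a number
        if [ "$key" -gt "$best_key" ]; then
            best_key=$key
            best_path=$f
        fi
    done
    [ -n "$best_path" ] || return 1        # no log yet: let the caller notice
    printf '%s\n' "$best_path"
}

# refresh_symlink DIR LINK
#   Point LINK at the newest log so rsyslog can keep reading one fixed name.
#   Running it from cron more often than once a day is harmless: when nothing
#   has rotated it simply recreates the link to the same file.
refresh_symlink() {
    target=$(newest_ftp_log "$1") || return 1
    ln -sf "$target" "$2"
}

# Typical cron use (assumed paths):
#   refresh_symlink /var/log /var/log/ftp-symlink.log
```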



[graylog2] Dealing with rotating log files

2016-02-10 Thread Dennis Seaton
Hello, 

I am looking for suggestions 
