[graylog2] HipChat message template

2016-11-11 Thread Joshua Walderbach
Would anyone be willing to share their message template for HipChat 
callbacks?  I'm struggling with putting together a meaningful message with 
relevant data and a link to what triggered the callback.  What I have so 
far is this, 

"At ${check_result.triggeredAt} a log entry triggered the
${alertCondition.title} that is monitoring the ${stream.description}."

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/dfd16c0f-0568-4c13-902b-0f00182c2e07%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [graylog2] Re: Active Directory Settings

2016-08-02 Thread Joshua Walderbach
Removing cn=people and cn=Graylog did not trick!  Thank you!!  I want to
understand everything that is happening, I hope you don't mind me tapping
your brain some more.

The Search Base DN is telling GL to search, in my example, the
domainname.corp for users.  The search pattern specifically looks for an
object class called user followed by their account name.  Display Name
Attribute tells GL how to display the name.  Group Search then looks for
groups listed under the OU of Roles and again in the domain.  Then an
object class of group followed by a name of Graylog*.  So putting too much
search criteria can cause an issue because you're looking to definitively,
but broadening the scope allowed it to work.  Is that correct?

Thank you again for your help!  This community has been very quick and
eager to assist.

-Joshua

On Tue, Aug 2, 2016 at 5:49 PM, Pete GS <starpoin...@gmail.com> wrote:

> Ah! I would remove the "cn=people" from your search base and the
> "cn=Graylog*" from your Group search base and Group search pattern to start
> with.
>
> If the number of groups returned is too large, you can try adding the
> "cn=Graylog*" back to just the search pattern entry.
>
> If all your accounts are in an OU called "people" and you want to restrict
> user searches to this OU, the correct syntax would be
> "ou=people,dc=domainname,dc=corp".
>
> Cheers, Pete
>
> On Wednesday, 3 August 2016 09:36:18 UTC+10, Joshua Walderbach wrote:
>>
>> So while I can log in as a domain user, the test and user login work in
>> the LDAP settings page, under LDAP Group Mapping it says:
>>
>> "No LDAP/Active Directory groups found. Please verify that your LDAP
>> group mapping <https://graylog.influence-technologies.com/system/ldap> 
>> settings
>> are correct."
>>
>> If I click on that link, it takes me to my LDAP Settings page.  Here is
>> my settings now:
>>
>>
>> ​
>>
>> On Tue, Aug 2, 2016 at 5:24 PM, Pete GS <starp...@gmail.com> wrote:
>>
>>> Glad to hear it!
>>>
>>> If your company uses AD for authentication, then using AD groups will
>>> make it nice and easy to automatically assign roles to users via AD group
>>> membership.
>>>
>>> The second part of my email was about that topic.
>>>
>>> Once LDAP is configured, navigate to the LDAP Group Mapping tab where
>>> you should see a list of all your AD groups. Simply use the pull down
>>> beside the appropriate groups to assign the Graylog role to the group.
>>>
>>> One point to note is make sure your users are members of only one
>>> Graylog related group. Some applications/systems don't work well when a
>>> user is mapped to multiple groups that it uses for authentication and this
>>> can cause unexpected results. I'm not sure if Graylog has issues with this
>>> or not but it's safer just to ensure each user is a member of one group
>>> only that's used for Graylog LDAP group mapping.
>>>
>>> Hope that answers your question.
>>>
>>> Cheers, Pete
>>>
>>> On Wednesday, 3 August 2016 08:57:24 UTC+10, Joshua Walderbach wrote:
>>>>
>>>> Ok I got it to work, I can log in as a domain user.  However editing my
>>>> user to be Admin doesn't stick.  I see it wants me to bind AD Groups to
>>>> Graylog Roles.  Can you point me in the right direction there?
>>>>
>>>> On Tue, Aug 2, 2016 at 4:11 PM, Pete GS <starp...@gmail.com> wrote:
>>>>
>>>>> H seems my updates to my fields didn't get saved for some reason.
>>>>>
>>>>> Simply substitute the distinguished name "dc=company,dc=corp" for
>>>>> "dc=lab,dc=melbourneit,dc=com".
>>>>>
>>>>> All else should stay the same.
>>>>>
>>>>> Cheers, Pete
>>>>>
>>>>> On Wednesday, 3 August 2016 06:08:11 UTC+10, Joshua Walderbach wrote:
>>>>>>
>>>>>> I need help getting the correct Search Base DN, User Search Pattern,
>>>>>> and Group Mapping variables in Graylog 2.x.  I'm using Active Directory and
>>>>>> after entering information into step 1., Test Server Connection is OK.  In
>>>>>> my domain, company.corp, there is an OU called Roles and in that a Group
>>>>>> called Graylog.  I've assigned users to the Group.  I've tried several
>>>>>> different combinations and unable to get any
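
An added example, not Graylog's code and not the poster's real settings, that models offline what Graylog does with the three settings discussed in this thread: the Search Base DN limits the subtree that is searched, the User Search Pattern is an LDAP filter in which {0} is replaced by the login name, and the Group Search Base and Pattern select the groups offered under LDAP Group Mapping. The in-memory directory, DNs, account names and group names are constructed to resemble the layout described above (an OU "Roles" holding a "Graylog" group, user accounts under an OU "people") and are assumptions; the filter evaluator is a small subset of RFC 4515 written for this example.

```python
import re

# Constructed directory (assumed DNs and names). Attribute names are stored
# lower-cased because LDAP attribute names are case-insensitive.
DIRECTORY = {
    "cn=alice,ou=people,dc=domainname,dc=corp": {
        "objectclass": ["top", "person", "user"], "samaccountname": ["alice"]},
    "cn=bob,ou=people,dc=domainname,dc=corp": {
        "objectclass": ["top", "person", "user"], "samaccountname": ["bob"]},
    "cn=Graylog,ou=Roles,dc=domainname,dc=corp": {
        "objectclass": ["top", "group"], "cn": ["Graylog"],
        "member": ["cn=alice,ou=people,dc=domainname,dc=corp",
                   "cn=bob,ou=people,dc=domainname,dc=corp"]},
    "cn=Graylog-Admins,ou=Roles,dc=domainname,dc=corp": {
        "objectclass": ["top", "group"], "cn": ["Graylog-Admins"],
        "member": ["cn=alice,ou=people,dc=domainname,dc=corp"]},
    "cn=Domain Users,cn=Users,dc=domainname,dc=corp": {
        "objectclass": ["top", "group"], "cn": ["Domain Users"],
        "member": ["cn=bob,ou=people,dc=domainname,dc=corp"]},
}

USER_PATTERN = "(&(objectClass=user)(sAMAccountName={0}))"
GROUP_PATTERN = "(&(objectClass=group)(cn=Graylog*))"


def _norm_dn(dn):
    """Case-fold a DN and drop spaces after commas so DNs compare cleanly."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def in_subtree(entry_dn, base_dn):
    """True when entry_dn is base_dn itself or lies beneath it (subtree scope)."""
    entry, base = _norm_dn(entry_dn), _norm_dn(base_dn)
    return entry == base or entry.endswith("," + base)


def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a filter, so a login name
    such as 'x)(objectClass=*' cannot change the structure of the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def _unescape(piece):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _parse(text, i):
    """Recursive-descent parser for the filter subset used here:
    (&...), (|...), (!...) and (attr=value) with '*' wildcards."""
    if text[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if text[i] in "&|!":
        op, i, children = text[i], i + 1, []
        while text[i] == "(":
            node, i = _parse(text, i)
            children.append(node)
        if text[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, children), i + 1
    close = text.index(")", i)
    attr, _, value = text[i:close].partition("=")
    return ("=", attr.strip().lower(), value), close + 1


def parse_filter(text):
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, attrs):
    kind = node[0]
    if kind == "=":
        pieces = [re.escape(_unescape(p)) for p in node[2].split("*")]
        regex = re.compile(".*".join(pieces), re.IGNORECASE)
        return any(regex.fullmatch(v) for v in attrs.get(node[1], []))
    if kind == "&":
        return all(matches(c, attrs) for c in node[1])
    if kind == "|":
        return any(matches(c, attrs) for c in node[1])
    return not matches(node[1][0], attrs)  # "!"


def search(base_dn, filter_text, directory=DIRECTORY):
    """Subtree search: sorted DNs under base_dn whose entry satisfies the filter."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in directory.items()
                  if in_subtree(dn, base_dn) and matches(node, attrs))


def find_user(base_dn, user_pattern, login):
    """Graylog substitutes the login name for {0} in the User Search Pattern."""
    return search(base_dn, user_pattern.replace("{0}", ldap_escape(login)))


def users_in_several_groups(group_base, group_pattern):
    """Pete's caveat: accounts sitting in more than one Graylog-mapped group,
    where the role mapping becomes ambiguous."""
    membership = {}
    for group_dn in search(group_base, group_pattern):
        for member in DIRECTORY[group_dn].get("member", []):
            membership.setdefault(_norm_dn(member), []).append(group_dn)
    return {user: groups for user, groups in membership.items() if len(groups) > 1}


if __name__ == "__main__":
    # A base of cn=people finds nothing because the container is an OU.
    print(find_user("cn=people,dc=domainname,dc=corp", USER_PATTERN, "alice"))
    print(find_user("dc=domainname,dc=corp", USER_PATTERN, "alice"))
    print(search("ou=Roles,dc=domainname,dc=corp", GROUP_PATTERN))
    print(users_in_several_groups("dc=domainname,dc=corp", GROUP_PATTERN))
```

Running it reproduces the thread's two observations: the base `cn=people,dc=domainname,dc=corp` returns no user because the accounts live under `ou=people`, while the plain domain base (or `ou=people,...`) finds them, and a group base of `ou=Roles,...` with `(cn=Graylog*)` returns only the Graylog groups while `(objectClass=group)` over the whole domain returns every group. The escaping in `find_user` is the mitigation a real LDAP client must apply before substituting a login name into a filter.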

Re: [graylog2] Re: Active Directory Settings

2016-08-02 Thread Joshua Walderbach
Ok I got it to work, I can log in as a domain user.  However editing my
user to be Admin doesn't stick.  I see it wants me to bind AD Groups to
Graylog Roles.  Can you point me in the right direction there?

On Tue, Aug 2, 2016 at 4:11 PM, Pete GS <starpoin...@gmail.com> wrote:

> H seems my updates to my fields didn't get saved for some reason.
>
> Simply substitute the distinguished name "dc=company,dc=corp" for
> "dc=lab,dc=melbourneit,dc=com".
>
> All else should stay the same.
>
> Cheers, Pete
>
> On Wednesday, 3 August 2016 06:08:11 UTC+10, Joshua Walderbach wrote:
>>
>> I need help getting the correct Search Base DN, User Search Pattern, and
>> Group Mapping variables in Graylog 2.x.  I'm using Active Directory and
>> after entering information into step 1., Test Server Connection is OK.  In
>> my domain, company.corp, there is an OU called Roles and in that a Group
>> called Graylog.  I've assigned users to the Group.  I've tried several
>> different combinations and unable to get anything to work when I run a
>> Login test.  Fails to connect or find user.
>>
>> Would anyone be so kind to explain what I need to do here?  AD is a major
>> weak spot for me.  Working on that.
>>
>>
>>
>>
>> <https://lh3.googleusercontent.com/-dtCxwuC6JA0/V6D9QFpfAWI/ARo/KxXlH6cFqlIc6urPaQJXGeTtfhCuLPKvgCLcB/s1600/Screenshot%2Bfrom%2B2016-08-02%2B14-06-10.png>
>>



-- 



joshua walderbach  | OPERATIONS ENGINEER |  303.495.6980 x732




<http://influence.tv/>

3457 RINGSBY CT, #111 | DENVER, CO 80216
WWW.INFLUENCE.TV <http://www.influence.tv/> | EMAIL PRIVACY POLICY
<http://influence.tv/cdn/disclaimers/email-privacy.html>

<http://www.facebook.com/wedeliverwow>  <https://twitter.com/wedeliverwow>
<http://wow-u.tv/185dZdn>  <http://wow-u.tv/16UFXrM>
<http://pinterest.com/wedeliverwow>

WE ARE A TRIBE
We believe we can significantly impact the quality of life and aliveness on
the planet with technology.
As such, we will be relentless in delivering “WOW” technology solutions to
the world that are elegantly
simple, game-changing to entire industries, *and* impactful to the quality
of millions of people’s lives.



[graylog2] Active Directory Settings

2016-08-02 Thread Joshua Walderbach
I need help getting the correct Search Base DN, User Search Pattern, and 
Group Mapping variables in Graylog 2.x.  I'm using Active Directory and 
after entering information into step 1., Test Server Connection is OK.  In 
my domain, company.corp, there is an OU called Roles and in that a Group 
called Graylog.  I've assigned users to the Group.  I've tried several 
different combinations and unable to get anything to work when I run a 
Login test.  Fails to connect or find user.

Would anyone be so kind to explain what I need to do here?  AD is a major 
weak spot for me.  Working on that.







Re: [graylog2] Incoming logs incorrectly formatted

2016-07-29 Thread Joshua Walderbach
Thank you for the assistance and advice!

On Fri, Jul 29, 2016 at 1:09 AM, Jochen Schalanda <joc...@graylog.com>
wrote:

> Hi Joshua,
>
> you can use a JSON extractor for expanding the message field.
>
> Seeing that it's a Java application, I'd recommend using one of the many
> existing GELF appenders for Java logging frameworks on the Graylog
> Marketplace <https://marketplace.graylog.org/addons?search=java> to let
> your applications log directly into Graylog. That way, the information is
> already structured and doesn't need to be post-processed by Graylog.
>
> Cheers,
> Jochen
>
> On Thursday, 28 July 2016 22:39:51 UTC+2, Joshua Walderbach wrote:
>>
>> Thank you!  I added the ShortMessageLength 256 to my extension bracket
>> and that allowed the full raw message.  Now I want to tell it to take this:
>>
>> {"datetime":"2016-07-28T20:37:00.0143129Z","level":"Debug","name":"Quartz.Core.QuartzSchedulerThread","message":"Batch
>> acquisition of 1 triggers", "requesterIp":"","threadid":"18"}
>>
>> dateTime: 
>> level: Debug
>> name: 
>> message: x
>> requesterIp: x
>> threadid: 
>>
>> Instead of the entire above string listed under "message".
>>





Re: [graylog2] Incoming logs incorrectly formatted

2016-07-28 Thread Joshua Walderbach
Thank you!  I added the ShortMessageLength 256 to my extension bracket and
that allowed the full raw message.  Now I want to tell it to take this:

{"datetime":"2016-07-28T20:37:00.0143129Z","level":"Debug","name":"Quartz.Core.QuartzSchedulerThread","message":"Batch
acquisition of 1 triggers", "requesterIp":"","threadid":"18"}

dateTime: 
level: Debug
name: 
message: x
requesterIp: x
threadid: 

Instead of the entire above string listed under "message".

On Thu, Jul 28, 2016 at 2:12 AM, Jochen Schalanda <joc...@graylog.com>
wrote:

> Hi Joshua,
>
> On Thursday, 28 July 2016 00:00:36 UTC+2, Joshua Walderbach wrote:
>>
>> I did that and reformatted my nxlog.conf.  But messages are truncated for
>> my platform logs, windows events look great.
>
>
> This problem is most likely caused by the default value of the
> ShortMessageLength setting for the nxlog xm_gelf module (see
> https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#xm_gelf for
> details), which will truncate the "short_message" field (which will become
> the "message" field in Graylog) of GELF messages to 64 characters.
>
> Cheers,
> Jochen
>



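
An added example, not Graylog's or nxlog's code, covering both points in this thread: Jochen's explanation that xm_gelf cuts short_message to 64 characters by default, and his recommendation of a JSON extractor to expand the message field. It models what the agent sends and what the extractor does, so the effect of ShortMessageLength on the JSON line can be seen without a Graylog instance. The sample line is taken from the thread; the host name and the GELF envelope shape are constructed for the example.

```python
import json

# Constructed from the sample line in the thread; the host name is assumed.
RAW_LINE = ('{"datetime":"2016-07-28T20:37:00.0143129Z","level":"Debug",'
            '"name":"Quartz.Core.QuartzSchedulerThread","message":"Batch '
            'acquisition of 1 triggers", "requesterIp":"","threadid":"18"}')


def build_gelf(raw_line, short_message_length=64, host="winapp01"):
    """Model of what xm_gelf emits for one im_file line: the line becomes
    short_message, cut to ShortMessageLength (64 is the module default that
    the thread identifies as the cause of the truncation)."""
    return {"version": "1.1", "host": host,
            "short_message": raw_line[:short_message_length]}


def json_extract(gelf, prefix=""):
    """Model of a Graylog JSON extractor on the message field: every top-level
    key of the parsed object becomes its own field, with an optional key
    prefix. Returns (fields, error); on invalid JSON the message is left as
    one opaque string, which is what the thread saw with the default length."""
    fields = {"message": gelf["short_message"]}
    try:
        parsed = json.loads(fields["message"])
    except ValueError as exc:
        return fields, "short_message is not valid JSON: %s" % exc
    if not isinstance(parsed, dict):
        return fields, "JSON value is not an object"
    for key, value in parsed.items():
        # Nested values are stored as JSON text so the field stays searchable.
        if isinstance(value, (dict, list)):
            value = json.dumps(value)
        fields[prefix + key] = value
    return fields, None


def level_is(fields, wanted):
    """The query the thread wants alerts on (level:Fatal) only works once
    'level' is a field of its own rather than text inside 'message'."""
    return fields.get("level") == wanted


if __name__ == "__main__":
    for length in (64, 256):
        fields, error = json_extract(build_gelf(RAW_LINE, length))
        print("ShortMessageLength %d -> %s" % (length, error or sorted(fields)))
```

With the default 64 characters the envelope carries only `{"datetime":"2016-07-28T20:37:00.0143129Z","level":"Debug","name`, which no parser accepts, so the extractor has nothing to expand; with 256 the whole line arrives and `level`, `name`, `threadid` and the rest become fields. Note the key collision: with an empty prefix the JSON object's own "message" key replaces the raw line, which is the layout Joshua asked for; a prefix keeps the original line under "message" and stores the JSON keys beside it.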


Re: [graylog2] Incoming logs incorrectly formatted

2016-07-27 Thread Joshua Walderbach
I did that and reformatted my nxlog.conf.  But messages are truncated for 
my platform logs, windows events look great.

##
## EXTENSIONS ##
##

# The <Extension>, <Input>, <Output> and <Route> tags were stripped when the
# list archive was rendered and are restored here; the block names "json",
# "gelf" and "r" are assumed, while "eventlog", "platform" and "out" come
# from the Route line.
<Extension json>
    Module xm_json
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

##
## INPUTS ##
##

<Input eventlog>
    Module im_msvistalog
    # The channel names inside the query were lost as well; Application,
    # System and Security are assumed for the three surviving Select lines.
    Query <QueryList>\
              <Query Id="0">\
                  <Select Path="Application">*</Select>\
                  <Select Path="System">*</Select>\
                  <Select Path="Security">*</Select>\
              </Query>\
          </QueryList>
    Exec $EventReceivedTime = integer($EventReceivedTime) / 100; to_json();
</Input>

<Input platform>
    Module im_file
    File 'c:\\Logs\\*.log'
    SavePos TRUE
    ReadFromLast TRUE
</Input>

##
## OUTPUTS ##
##

<Output out>
    Module om_udp
    Host 192.168.1.18
    Port 12201
    OutputType GELF
</Output>

<Route r>
    Path eventlog, platform => out
</Route>




[graylog2] Logs do not format correctly in Graylog

2016-07-27 Thread Joshua Walderbach
I am struggling with formatting my platform logs in Graylog.  Here is my 
nxlog.conf:


##
## CONFIG ##
##

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

##
## EXTENSIONS ##
##

# The <Extension>, <Input>, <Output> and <Route> tags were stripped when the
# list archive was rendered and are restored here; the block names "json",
# "gelf" and "r" are assumed, while "eventlog", "platform" and "out" come
# from the Route line.
<Extension json>
    Module xm_json
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

##
## INPUTS ##
##

<Input eventlog>
    Module im_msvistalog
    # The channel names inside the query were lost as well; Application,
    # System and Security are assumed for the three surviving Select lines.
    Query <QueryList>\
              <Query Id="0">\
                  <Select Path="Application">*</Select>\
                  <Select Path="System">*</Select>\
                  <Select Path="Security">*</Select>\
              </Query>\
          </QueryList>
    Exec $EventReceivedTime = integer($EventReceivedTime) / 100; to_json();
</Input>

<Input platform>
    Module im_file
    File 'c:\\Logs\\*.log'
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 1
</Input>

##
## OUTPUTS ##
##

<Output out>
    Module om_udp
    Host XXX.XXX.XXX.XXX
    Port 12201
    OutputType GELF
</Output>

<Route r>
    Path eventlog, platform => out
</Route>




And here is how it currently appears in Graylog:





The message is missing most of the actual line found in the log file.
While not the exact same entry, it should look like this:

"{"datetime":"2016-07-21T19:45:07.0516700Z","level":"Debug","name":"IEasyNetQLogger","message":"Trying to connect", "requesterIp":"","threadid":"6"}"

with fields like 'level', 'name', 'message', 'requesterIp' and 'threadid'.  Instead it truncates 
the full message as message, pulls 6 down into level.  Can someone help me 
with the conf file to make this parse correctly?



[graylog2] Logs aren't not formatting correctly

2016-07-27 Thread Joshua Walderbach
I am struggling with formatting my platform logs in Graylog.  Here is my 
nxlog.conf:


##
## CONFIG ##
##

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

##
## EXTENSIONS ##
##

# The <Extension>, <Input>, <Output> and <Route> tags were stripped when the
# list archive was rendered and are restored here; the block names "json",
# "gelf" and "r" are assumed, while "eventlog", "platform" and "out" come
# from the Route line.
<Extension json>
    Module xm_json
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

##
## INPUTS ##
##

<Input eventlog>
    Module im_msvistalog
    # The channel names inside the query were lost as well; Application,
    # System and Security are assumed for the three surviving Select lines.
    Query <QueryList>\
              <Query Id="0">\
                  <Select Path="Application">*</Select>\
                  <Select Path="System">*</Select>\
                  <Select Path="Security">*</Select>\
              </Query>\
          </QueryList>
    Exec $EventReceivedTime = integer($EventReceivedTime) / 100; to_json();
</Input>

<Input platform>
    Module im_file
    File 'c:\\Logs\\*.log'
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 1
</Input>

##
## OUTPUTS ##
##

<Output out>
    Module om_udp
    Host XXX.XXX.XXX.XXX
    Port 12201
    OutputType GELF
</Output>

<Route r>
    Path eventlog, platform => out
</Route>




And here is how it currently appears in Graylog:





The message is missing most of the actual line found in the log file.
While not the exact same entry, it should look like this:

"{"datetime":"2016-07-21T19:45:07.0516700Z","level":"Debug","name":"IEasyNetQLogger","message":"Trying to connect", "requesterIp":"","threadid":"6"}"

with fields like 'level', 'name', 'message', 'requesterIp' and 'threadid'.  Instead it truncates 
the full message as message, pulls 6 down into level.  Can someone help me 
with the conf file to make this parse correctly?



[graylog2] Incoming logs incorrectly formatted

2016-07-26 Thread Joshua Walderbach
I have a Log directory at C:\Logs and in that directory are say 5 different 
logs, per day, by application.  ex. app1-07262016.log, app2-07262016.log, 
etc...  I want to watch these logs and send them over to Graylog.

I have nxlog installed on the Windows server along with sidecar.  I've 
setup a Syslog/UDP input and it's collecting info from these logs.  However 
the formatting isn't allowing for accurate searching.  For example, 
everything is in the message:


In this example I'm unable to search for instances where the "level" = 
something.  This one shows Debug but I'd want to eventually setup alerts 
for "level=Fatal".  I assume that this is a result of how I've setup the 
nxlog.conf or created the input.  The raw logs, as they are now, are pumped 
into Splunk and I can easily search for host=something level=Fatal and 
create an alert on that query.


nxlog.conf which I cobbled together from various online sources:

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# The <Extension>, <Input>, <Output> and <Route> tags were stripped when the
# list archive was rendered and are restored here; the block names "syslog"
# and "r" are assumed, while "ivx" and "out" come from the Route line.
<Extension syslog>
    Module xm_syslog
</Extension>

<Input ivx>
    Module im_file
    File 'c:\\Logs\\*.log'
    SavePos TRUE
    ReadFromLast TRUE
    Recursive TRUE
    PollInterval 1
</Input>

<Output out>
    Module om_udp
    Host XXX.XXX.XXX.XXX
    # The port value was removed from the original post.
    Port 
    Exec to_syslog_bsd();
</Output>

<Route r>
    Path ivx => out
</Route>
 


Any tips or ideas?
