[graylog2] [ANNOUNCE] Graylog v2.2.0-beta.3
Hi everyone, the Graylog v2.2.0-beta.3 release is now available for download. Announcement blog post: * https://www.graylog.org/blog/78-announcing-graylog-v2-2-0-beta-3 For a more complete overview of new features, please refer to the beta.2 blog post: https://www.graylog.org/blog/77-announcing-graylog-v2-2-0-beta-2 Thanks, Lennart -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/CADRA1n%3DgZnE6xtRQ7qZVtGozCjF1JanibR2gvtAn%3DQaEur9gRw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] [ANNOUNCE] Graylog v2.1.0 has been released
Hi everyone, we just released the final version of Graylog v2.1.0. You can find all required information, download links, new features and changelog here: * https://www.graylog.org/blog/68-announcing-graylog-v-2-1-0-ga Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v2.1.0-beta.4 has been released
Hi everyone, we just released Graylog v2.1.0-beta.4. Full announcement with new features and changes can be found here: * https://www.graylog.org/blog/66-announcing-graylog-2-1-0-beta-4 Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v2.1-beta.3 has been released
Hi everyone, we just released Graylog v2.1-beta.3. Changes, packages and new features all described and available here: * https://www.graylog.org/blog/65-announcing-graylog-2-1-0-beta-3 Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v2.1-beta.2 has been released
Hi everyone, we just released Graylog v2.1-beta.2. Important changes and full release announcement can be found here: * https://www.graylog.org/blog/63-announcing-graylog-v2-1-0-beta-2 Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v2.1-beta.1 has been released
Hi everyone, we just released the first beta of Graylog v2.1. It comes with many smaller fixes/improvements and also two new features: * https://www.graylog.org/blog/60-announcing-graylog-v2-1-0-beta-1 Please try it out and let us know about any issues you encounter. Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v2.1-alpha.2 has been released
Hi everyone, we just released the first alpha of Graylog v2.1. This release comes with many improvements and new features. Announcement: * https://www.graylog.org/blog/59-announcing-graylog-v2-1-0-alpha-2 Please give it a try and report any bugs or issues you encounter. Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v2.0.3 has been released
Hi everyone, we just released Graylog v2.0.3, containing bugfixes and improvements: * https://www.graylog.org/blog/58-graylog-v2-0-3-released Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v2.0.2 has been released
Hi everyone, we just released Graylog v2.0.2. You can find the release notes here: * https://www.graylog.org/blog/57-graylog-v2-0-2-released Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v2.0 has been released
Everyone, I could not be more proud to announce that we just released Graylog v2.0: * https://www.graylog.org/blog/55-announcing-graylog-v2-0-ga I'd like to thank everyone on the Graylog team and the whole community for the great work that has been done in the last months. Looking forward to a great future of the project! Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v2.0.0-beta.3 has been released
Hi everyone, we just released Graylog v2.0.0-beta.3. Read more in the announcement: * https://www.graylog.org/blog/53-graylog-v2-0-beta-3-released Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v2.0.0-beta.2 has been released
Hi everyone, we just released Graylog v2.0.0-beta.2. Read more in the announcement: * https://www.graylog.org/blog/52-announcing-graylog-v2-0-beta-2 Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v2.0-beta.1 has been released
Hi everyone, we just released the first beta of Graylog v2.0. This release is feature complete. Announcement here: https://www.graylog.org/blog/50-announcing-graylog-v2-0-beta-1 Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v1.3.4 has been released and contains an important security fix
Hi everyone, we just released Graylog v1.3.4, which contains an important security fix. Read more in the release notes and upgrade: * https://www.graylog.org/blog/49-graylog-1-3-4-is-now-available Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v2.0-alpha.5 has been released
Hi everyone, I am happy to announce that we have just released alpha.5 of Graylog v2.0 and it includes especially exciting new features. You can find the announcement blog post here: https://www.graylog.org/blog/48-fifth-alpha-of-graylog-v2-0-released-with-message-processor-pipeline-and-collector-sidecar Thanks, Lennart
[graylog2] [ANNOUNCE] First alpha of Graylog v2.0 has been released
Hey everyone, we have just released the first alpha of Graylog v2.0. Please note that this alpha is by far not feature complete but the big architectural changes we made need early testing. Announcement: https://www.graylog.org/blog/42-announcing-v2-0-alpha-welcome-to-the-new-graylog Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v1.3.1 has been released
Hey everybody, we have just released Graylog v1.3.1: * https://www.graylog.org/graylog-1-3-1-is-now-available/ This is a pure bugfix release. Thanks, Lennart
Re: [graylog2] Syslog Logs from Linksys Accesspoint with DD-WRT not shown
That is not valid syslog. Try sending the messages to a raw/plaintext input instead and see if they appear.

On Thu, Sep 24, 2015 at 9:31 PM, wrote:
> I figured out that the DD-WRT syslog sends logs in UTC, despite setting the timezone.
>
> However, the logs should still show up.
>
> Here is a sample. (wifi is the hostname)
>
> Sep 24 20:24:18 wifi user.info : snmpd : SNMP daemon successfully started
> Sep 24 20:24:26 wifi user.info : NAS : NAS lan (wl0 interface) successfully started
> Sep 24 20:24:26 wifi user.info : NAS : NAS lan (wl1 interface) successfully started
> Sep 24 20:24:26 wifi user.info : klogd : kernel log daemon successfully stopped
> Sep 24 20:24:26 wifi kern.notice kernel: klogd: exiting
> Sep 24 20:24:26 wifi user.info : resetbutton : resetbutton daemon successfully stopped
> Sep 24 20:24:26 wifi user.info : reset button : resetbutton daemon successfully started
> Sep 24 20:24:26 wifi user.info : syslogd : syslog daemon successfully stopped
> Sep 24 13:24:26 wifi syslog.info syslogd exiting
> Sep 24 13:24:26 wifi syslog.info syslogd started: BusyBox v1.23.2
> Sep 24 20:24:26 wifi kern.notice kernel: klogd started: BusyBox v1.23.2 (2015-09-11 04:59:36 CEST)
> Sep 24 20:24:30 wifi kern.info kernel: br0: port 4(eth2) entered forwarding state
> Sep 24 20:24:30 wifi kern.info kernel: br0: port 3(eth1) entered forwarding state
> Sep 24 20:24:30 wifi kern.info kernel: br0: port 2(vlan2) entered forwarding state
> Sep 24 20:24:30 wifi kern.info kernel: br0: port 1(vlan1) entered forwarding state
> Sep 24 20:25:01 wifi kern.info kernel: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
>
> On Thursday, September 24, 2015 at 2:20:12 PM UTC-7, Jochen Schalanda wrote:
>>
>> Hi,
>>
>> could you please provide some of those messages that DD-WRT is sending?
>>
>> Cheers,
>> Jochen
>>
>> On Thursday, 24 September 2015 22:27:59 UTC+2, js.l...@gmail.com wrote:
>>>
>>> I'm having the exact same problem.
>>>
>>> Timestamps of the log messages in DD-WRT and Graylog are all correct.
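
Added example, not part of the thread and not Graylog's own parser: a strict RFC 3164 header check applied to three sample lines copied from the post above plus one constructed valid line, with a fallback that reads the textual `facility.severity` field so the record can be re-emitted with a `<PRI>` header. It assumes the lines reach the collector exactly as posted; the function names are hypothetical.

```python
import re

# Conventional facility and severity keywords, in the numeric order RFC 3164 assigns.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# Strict RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) (?P<day>[ \d]\d) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

# Log-file style seen in the thread: Mmm dd hh:mm:ss HOSTNAME facility.severity MSG
TEXT_PRIO = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<fac>[a-z0-9]+)\.(?P<sev>[a-z]+) (?P<msg>.*)$")


def classify(line):
    """Return a record whose 'format' is rfc3164, text-priority or unparsed."""
    line = line.rstrip("\r\n")
    m = RFC3164.match(line)
    if m and int(m["pri"]) <= 191:          # 191 = facility 23, severity 7
        fac, sev = divmod(int(m["pri"]), 8)
        fmt = "rfc3164"
    else:
        m = TEXT_PRIO.match(line)
        if not (m and m["fac"] in FACILITIES and m["sev"] in SEVERITIES):
            # Keep the raw line so nothing is silently dropped.
            return {"format": "unparsed", "message": line}
        fac, sev = FACILITIES.index(m["fac"]), SEVERITIES.index(m["sev"])
        fmt = "text-priority"
    return {
        "format": fmt,
        "pri": fac * 8 + sev,
        "facility": FACILITIES[fac],
        "severity": SEVERITIES[sev],
        "timestamp": f"{m['mon']} {int(m['day']):2d} {m['time']}",
        "host": m["host"],
        "message": m["msg"],
    }


def to_rfc3164(record):
    """Re-emit a parsed record with a numeric <PRI> header."""
    if record["format"] == "unparsed":
        raise ValueError("cannot normalise an unparsed line")
    return (f"<{record['pri']}>{record['timestamp']} "
            f"{record['host']} {record['message']}")


SAMPLES = [
    # Copied from the sample in the thread above.
    "Sep 24 20:24:18 wifi user.info : snmpd : SNMP daemon successfully started",
    "Sep 24 20:24:26 wifi kern.notice kernel: klogd: exiting",
    "Sep 24 13:24:26 wifi syslog.info syslogd exiting",
    # Constructed for comparison: the first event with a valid <PRI> header.
    "<14>Sep 24 20:24:18 wifi snmpd: SNMP daemon successfully started",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        rec = classify(sample)
        print(f"{rec['format']:<14}", rec.get("pri", "-"), "|", sample)
        if rec["format"] == "text-priority":
            print(" " * 14, "normalised:", to_rfc3164(rec))
```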
Re: [graylog2] Graylog inputs stopped yet still receiving syslogs
Could it be that you have a message journal that is full of messages that Graylog keeps processing? You can see the journal size in the nodes overview and node details pages. It should be at 0.

On Thu, Sep 24, 2015 at 7:41 PM, Mark Estridge wrote:
> Graylog 1.2.1 setup and all inputs are stopped, yet I am continuing to see current syslogs with a global search. It is as if the STOP feature doesn't work. System Overview indicates that there are no running inputs...yet I'm receiving on the order of ~12K messages per minute.
>
> Anyone else noting this behavior.
[graylog2] [ANNOUNCE] Graylog v1.2 has been released
Hey everybody, we have just released the final version of Graylog v1.2. Find all information and release notes in the announcement blog post: * https://www.graylog.org/announcing-graylog-1-2-ga-release-includes-30-new-features/ Thanks, The Graylog team
[graylog2] [ANNOUNCE] Graylog v1.2-rc.4 has been released
Hey everybody, we just released Graylog v1.2-rc.4: https://www.graylog.org/announcing-graylog-1-2-rc-4/ Please try it out and post all feedback to this mailing list. Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v1.1.5 has been released
Hey everybody, we released a new bugfix release today: Graylog v1.1.5. You can find the release notes here: * https://www.graylog.org/graylog-1-1-5-released/ Cheers, Lennart
[graylog2] [SECURITY] Severe Elasticsearch security issues. Upgrade now!
Elasticsearch recently released v1.7.0 and v1.6.1, which address several severe security issues. We have tested Graylog v1.1.X with Elasticsearch v1.6.1 and strongly recommend upgrading to Elasticsearch v1.6.1: https://www.graylog.org/elasticsearch-security-fixes-upgrade-now/
[graylog2] [ANNOUNCE] Graylog v1.1.3 has been released
Hey everybody, I am happy to announce that we just released Graylog v.1.1.3. This release is addressing several bugs and brings numerous improvements: * https://www.graylog.org/graylog-v1-1-3-is-now-available/ Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v1.1.2 has been released
Hey everybody, I am happy to announce that we just released Graylog v.1.1.2. This release is addressing several bugs and brings numerous improvements: * https://www.graylog.org/graylog-v1-1-2-is-now-available/ Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog v1.1 GA has been released
Hey everybody, a quick heads up that we just released Graylog v1.1 GA: https://www.graylog.org/graylog-1-1-is-now-generally-available/ Hope you like it! Cheers, Lennart
[graylog2] [ANNOUNCE] Graylog v1.1-rc.3 has been released
Happy to announce that we released the release candidate 3 of Graylog v1.1: https://www.graylog.org/graylog-v1-1-rc3-is-now-available/ The final version of Graylog v1.1 is scheduled for Thursday at this point in time. Give rc.3 a spin! Cheers, Lennart
[graylog2] [ANNOUNCE] Graylog v1.1.0-beta.2 is out
We just released Graylog v1.1.0-beta.2: https://www.graylog.org/graylog-1-1-beta-is-now-available/ It comes with huge UI/UX improvements and our own log shipper. Please try it out! Thanks, Lennart
[graylog2] [ANN] Graylog v1.0 has been released
We are very happy to announce that we released Graylog v1.0 today: https://www.graylog.org/announcing-graylog-v1-0-ga/ We'd like to thank you all for the immense support we got over the last 5 1/2 years and look forward to building on top of this foundation now. Cheers, Lennart (On behalf of the whole Graylog, Inc team)
Re: [graylog2] Documentation Contribution for Graylog2 setup
Thank you very much Brandon!

On Wed, Feb 4, 2015 at 2:34 PM, BKeep bk...@alias454studios.com wrote:

Hi,

I am not sure if this is the right place for this. I recently built a couple POC environments as a project for work trying to decide on a centralized logging stack and one of the things I ran into a lot of the time, was sparse documentation. One thing I noticed on the Installing Graylog2 on Linux page was mention of adding content for the prerequisite apps (Elasticsearch and MongoDB). I documented my elasticsearch/graylog2/rsyslog setup and would like to share. The setup is a complete start to finish walk-through of setting up a logging stack on NIX.

I am putting this out there in hopes that it might be helpful to someone else. So far, it is ten parts and growing (overkill ...maybe). http://alias454.com/category/logging/. Please feel free to critique it and reuse anything you like on the Graylog site. Mostly the information is compiled from several different web sources and I plan on providing the links to some of the more valuable ones as I move forward.

Regards,
Brandon
Re: [graylog2] Input source override
What type of input? Syslog? Raw? UDP/TCP? Which Graylog version? Thanks!

On Sat, Jan 31, 2015 at 3:30 PM, Rob Erix rob3...@gmail.com wrote:

Hi. I would like to log syslog messages from my firewall. Messages are received just fine. Apparently because the first field in the message is date=x, Graylog defines the source as date=x. I set the option to override_source: Firewallname for my input in order to get a consistent name but it does not do anything. Did I get the idea wrong here?

Thank you in advance for help.

BR. Rob.
Re: [graylog2] AMQP support without graylog2-radio
Graylog v1.0 (beta releases available already) will support GELF via AMQP. The current stable releases require a custom msgpack format used by graylog-radio. I'm afraid that syslog via AMQP will not yet be supported though.

On Tue, Jan 27, 2015 at 5:39 PM, Avdhoot Dendge avdho...@gmail.com wrote:

I am trying to send log messages from syslog-ng --- AMQP -- graylog2-server. But I am getting below error.

2015-01-27T23:07:04.863Z WARN [MessageInput] Codec org.graylog2.inputs.codecs.RadioMessageCodec@3995525d threw exception
org.msgpack.MessageTypeException: Expected array, but got integer value
    at org.msgpack.unpacker.Accept.acceptInteger(Accept.java:45)
    at org.msgpack.unpacker.MessagePackUnpacker.readOneWithoutStack(MessagePackUnpacker.java:91)
    at org.msgpack.unpacker.MessagePackUnpacker.readOne(MessagePackUnpacker.java:73)
    at org.msgpack.unpacker.MessagePackUnpacker.readArrayBegin(MessagePackUnpacker.java:508)
    at org.graylog2.plugin.RadioMessage_$$_Template_617312372_0.read(RadioMessage_$$_Template_617312372_0.java)
    at org.msgpack.template.AbstractTemplate.read(AbstractTemplate.java:31)
    at org.msgpack.MessagePack.read(MessagePack.java:388)
    at org.msgpack.MessagePack.read(MessagePack.java:371)
    at org.graylog2.inputs.codecs.RadioMessageCodec.decode(RadioMessageCodec.java:54)
    at org.graylog2.plugin.inputs.MessageInput.processRawMessageFailFast(MessageInput.java:360)
    at org.graylog2.inputs.transports.AmqpConsumer$2.handleDelivery(AmqpConsumer.java:103)
    at com.rabbitmq.client.impl.ConsumerDispatcher$5.run(ConsumerDispatcher.java:140)
    at com.rabbitmq.client.impl.ConsumerWorkService$WorkPoolRunnable.run(ConsumerWorkService.java:85)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)

I come across this issue. As per comment AMQP without graylog2 radio not supported yet. Does it still stand?

Note:- not using graylog2-radio bcz wanted to reduce moving component stack.
Re: [graylog2] https with web interface
Did you follow the section explaining how to set up HTTPS here? https://www.graylog2.org/resources/documentation/setup/webinterface

On Mon, Jan 12, 2015 at 7:50 PM, Francois Desfosses supercris...@gmail.com wrote:

Hi, I have several questions, but I'll start with this one first! I'm new to graylog2, installed and configured all that thing to get logs from AWS cloudtrail. All that part is working fine now, but now I'm trying to get to graylog2 in HTTPS protocol, and it does not work at all... With that startup config, there is one process listening on port 9001, but it does not work in HTTPS, it only works in HTTP... So, I need help, here is what I changed.

/etc/init.d/graylog2-web

# Some default settings.
GRAYLOG2_WEB_HTTP_ADDRESS=0.0.0.0
GRAYLOG2_WEB_HTTP_PORT=9000
GRAYLOG2_WEB_HTTPS_PORT=9001
GRAYLOG2_WEB_USER=graylog2-web

start() {
    echo -n $"Starting ${NAME}: "
    daemon --user=$GRAYLOG2_WEB_USER --pidfile=${PID_FILE} \
        nohup $GRAYLOG2_COMMAND_WRAPPER $CMD -Dconfig.file=${CONF_FILE} \
        -Dlogger.file=/etc/graylog2/web/logback.xml \
        -Dpidfile.path=$PID_FILE \
        -Dhttp.address=$GRAYLOG2_WEB_HTTP_ADDRESS \
        -Dhttp.port=$GRAYLOG2_WEB_HTTP_PORT \
        -Dhttps.port=$GRAYLOG2_WEB_HTTPS_PORT \
        -Dhttp.port=disabled \
        $GRAYLOG2_WEB_JAVA_OPTS $GRAYLOG2_WEB_ARGS >> /var/log/graylog2-web/console.log 2>&1 &
    RETVAL=$?
    sleep 2
    [ $RETVAL = 0 ] && touch ${LOCKFILE}
    echo
    return $RETVAL
}
Re: [graylog2] Buffer Timeouts, GC taking longer than 1 second, how to diagnose?
Hey, this message makes me suspect that the issue here is a too slow ES setup:

2014-12-15T11:01:29.413+10:00 WARN [OutputBufferProcessor] Timeout reached. Not waiting any longer for writer threads to complete.

This will lead to messages queuing up in the graylog2-server heap, leading to long GC times. Can you check the IO load of your ES machine(s)? Also check your ES logs.

Thanks, Lennart

On Sun, Dec 14, 2014 at 7:12 PM, Pete GS starpoin...@gmail.com wrote:

Hi all, we're implementing Graylog2 here at work for general log monitoring/analysis as our Splunk license is limited and a bit expensive for what we need.

I've got Graylog2 working very well in our test lab but once I put all our Production workload onto it it just doesn't seem to cope at all. I've just upgraded this morning to 0.92.1 but am still seeing the same issues with output buffer processor timeouts and garbage collection taking longer than 1 second and is up to 30 - 40 seconds.

The biggest issue I'm encountering is how to identify the cause of the issues. For example, how do I determine if Elasticsearch is the bottleneck? Or if it's simply not enough memory in the Graylog2 nodes? I've read a lot through the doco and I'm pretty sure I've done most if not all the right things, but this is all very new to me and no one else here knows anything about Elasticsearch etc. either.

At the moment the two Graylog2 nodes are virtual machines on vSphere 5.5 but I'm running up a physical server to try replacing one of them just in case. Everything is running on CentOS 6.6 and is up to date and I'm using the provided openjdk 1.7. I did try Oracle Java 1.8 the other day on one node but it made no difference.

Any tips I can get for troubleshooting and narrowing down the cause of the issue would be great.

Here's a sample of what I constantly see in the Graylog2 logs:

2014-12-15T11:01:29.413+10:00 WARN [jvm] [bne3-0002las] [gc][old][1280][102] duration [25.2s], collections [1]/[25.3s], total [25.2s]/[1h], memory [14.8gb]-[14.7gb]/[15.3gb], all_pools {[young] [4.2gb]-[4.1gb]/[4.3gb]}{[survivor] [0b]-[0b]/[449mb]}{[old] [10.6gb]-[10.6gb]/[10.6gb]}
2014-12-15T11:01:29.413+10:00 WARN [OutputBufferProcessor] Timeout reached. Not waiting any longer for writer threads to complete.
2014-12-15T11:01:29.413+10:00 WARN [OutputBufferProcessor] Timeout reached. Not waiting any longer for writer threads to complete.
2014-12-15T11:01:29.413+10:00 WARN [OutputBufferProcessor] Timeout reached. Not waiting any longer for writer threads to complete.
2014-12-15T11:01:29.413+10:00 WARN [OutputBufferProcessor] Timeout reached. Not waiting any longer for writer threads to complete.
2014-12-15T11:01:29.415+10:00 WARN [NodePingThread] Did not find meta info of this node. Re-registering.
2014-12-15T11:01:53.696+10:00 WARN [jvm] [bne3-0002las] [gc][old][1281][103] duration [24s], collections [1]/[24.2s], total [24s]/[1h], memory [14.7gb]-[14.8gb]/[15.3gb], all_pools {[young] [4.1gb]-[4.1gb]/[4.3gb]}{[survivor] [0b]-[0b]/[449mb]}{[old] [10.6gb]-[10.6gb]/[10.6gb]}
2014-12-15T11:01:53.697+10:00 WARN [GarbageCollectionWarningThread] Last GC run with PS MarkSweep took longer than 1 second (last duration=24049 milliseconds)
2014-12-15T11:01:53.704+10:00 WARN [NodePingThread] Did not find meta info of this node. Re-registering.
2014-12-15T11:02:17.135+10:00 WARN [jvm] [bne3-0002las] [gc][old][1282][104] duration [23.2s], collections [1]/[23.4s], total [23.2s]/[1.1h], memory [14.8gb]-[14.8gb]/[15.3gb], all_pools {[young] [4.1gb]-[4.2gb]/[4.3gb]}{[survivor] [0b]-[0b]/[449mb]}{[old] [10.6gb]-[10.6gb]/[10.6gb]}
2014-12-15T11:02:17.135+10:00 WARN [GarbageCollectionWarningThread] Last GC run with PS MarkSweep took longer than 1 second (last duration=23256 milliseconds)
2014-12-15T11:02:41.383+10:00 WARN [GarbageCollectionWarningThread] Last GC run with PS MarkSweep took longer than 1 second (last duration=24136 milliseconds)

Here's the setup:

2 x Graylog2 nodes - 12 CPU, 32GB RAM each, heap size set to 16GB
3 x MongoDB nodes - 1 CPU, 2GB RAM, two are a replica set, one an arbiter
3 x Elasticsearch nodes - 2 x dual hex core Intels with 72GB RAM, 2TB of SAN attached disk for indices, and these are what we class as active nodes. Indices are moved after 7 days to our archive node which has 8 CPU, 32GB and SAN attached disk for indices. We don't keep a replica of archive indices as speed of searching isn't an issue. Heap size of active nodes is 32GB, archive node is 16GB
2 x Graylog2 web server nodes

We have an F5 load balancer in front of the web servers and Graylog2 nodes and we have 5 inputs. Two are Syslog UDP inputs, the other three are GELF UDP inputs. We're seeing something like up to 8000 messages per second but sustained is probably 4000 - 6000.

Here's our graylog2.conf for the master node (censored where necessary):

is_master = true
node_id_file = /etc/graylog2/server/node-id
Re: [graylog2] Buffer Timeouts, GC taking longer than 1 second, how to diagnose?
Check the CPU and memory usage first. If that looks okay, you can check IO usage on most Linux distributions using this command: iostat -x 1 Especially the iowait parameters are interesting. On Sun, Dec 14, 2014 at 9:07 PM, Pete GS starpoin...@gmail.com wrote: Thanks Lennart, and yes that's what I initially thought also as it doesn't seem to matter what I do but we constantly see the output buffer processor timeouts. I've played with the settings for the buffers and it doesn't seem to resolve it. I'm not real good at Linux performance monitoring, so what tools/metrics/etc. would you suggest I look into to analyse the Elasticsearch nodes more thoroughly? I don't see any issues in the Elasticsearch logs. I also neglected to mention the Elasticsearch version but it is 1.4.1. On Monday, December 15, 2014 12:54:34 PM UTC+10, lennart wrote: Hey, this message makes me suspect that the issue here is a too slow ES setup: 2014-12-15T11:01:29.413+10:00 WARN [OutputBufferProcessor] Timeout reached. Not waiting any longer for writer threads to complete. This will lead to messages queuing up in the graylog2-server heap, leading to long GC times. Can you check the IO load of your ES machine(s)? Also check your ES logs. Thanks, Lennart On Sun, Dec 14, 2014 at 7:12 PM, Pete GS starp...@gmail.com wrote: Hi all, we're implementing Graylog2 here at work for general log monitoring/analysis as our Splunk license is limited and a bit expensive for what we need. I've got Graylog2 working very well in our test lab but once I put all our Production workload onto it it just doesn't seem to cope at all. I've just upgraded this morning to 0.92.1 but am still seeing the same issues with output buffer processor timeouts and garbage collection taking longer than 1 second and is up to 30 - 40 seconds. The biggest issue I'm encountering is how to identify the cause of the issues. For example, how do I determine if Elasticsearch is the bottleneck? 
Or if it's simply not enough memory in the Graylog2 nodes? I've read a lot through the doco and I'm pretty sure I've done most if not all the right things, but this is all very new to me and no one else here knows anything about Elasticsearch etc. either. At the moment the two Graylog2 nodes are virtual machines on vSphere 5.5 but I'm running up a physical server to try replacing one of them just in case. Everything is running on CentOS 6.6 and is up to date and I'm using the provided openjdk 1.7. I did try Oracle Java 1.8 the other day on one node but it made no difference. Any tips I can get for troubleshooting and narrowing down the cause of the issue would be great. Here's a sample of what I constantly see in the Graylog2 logs: 2014-12-15T11:01:29.413+10:00 WARN [jvm] [bne3-0002las] [gc][old][1280][102] duration [25.2s], collections [1]/[25.3s], total [25.2s]/[1h], memory [14.8gb]-[14.7gb]/[15.3gb], all_pools {[young] [4.2gb]-[4.1gb]/[4.3gb]}{[survivor] [0b]-[0b]/[449mb]}{[old] [10.6gb]-[10.6gb]/[10.6gb]} 2014-12-15T11:01:29.413+10:00 WARN [OutputBufferProcessor] Timeout reached. Not waiting any longer for writer threads to complete. 2014-12-15T11:01:29.413+10:00 WARN [OutputBufferProcessor] Timeout reached. Not waiting any longer for writer threads to complete. 2014-12-15T11:01:29.413+10:00 WARN [OutputBufferProcessor] Timeout reached. Not waiting any longer for writer threads to complete. 2014-12-15T11:01:29.413+10:00 WARN [OutputBufferProcessor] Timeout reached. Not waiting any longer for writer threads to complete. 2014-12-15T11:01:29.415+10:00 WARN [NodePingThread] Did not find meta info of this node. Re-registering.
2014-12-15T11:01:53.696+10:00 WARN [jvm] [bne3-0002las] [gc][old][1281][103] duration [24s], collections [1]/[24.2s], total [24s]/[1h], memory [14.7gb]-[14.8gb]/[15.3gb], all_pools {[young] [4.1gb]-[4.1gb]/[4.3gb]}{[survivor] [0b]-[0b]/[449mb]}{[old] [10.6gb]-[10.6gb]/[10.6gb]} 2014-12-15T11:01:53.697+10:00 WARN [GarbageCollectionWarningThread] Last GC run with PS MarkSweep took longer than 1 second (last duration=24049 milliseconds) 2014-12-15T11:01:53.704+10:00 WARN [NodePingThread] Did not find meta info of this node. Re-registering. 2014-12-15T11:02:17.135+10:00 WARN [jvm] [bne3-0002las] [gc][old][1282][104] duration [23.2s], collections [1]/[23.4s], total [23.2s]/[1.1h], memory [14.8gb]-[14.8gb]/[15.3gb], all_pools {[young] [4.1gb]-[4.2gb]/[4.3gb]}{[survivor] [0b]-[0b]/[449mb]}{[old] [10.6gb]-[10.6gb]/[10.6gb]} 2014-12-15T11:02:17.135+10:00 WARN [GarbageCollectionWarningThread] Last GC run with PS MarkSweep took longer than 1 second (last duration=23256 milliseconds) 2014-12-15T11:02:41.383+10:00 WARN [GarbageCollectionWarningThread] Last GC run with PS MarkSweep took longer than 1 second (last duration=24136 milliseconds) Here's the setup: 2 x
Re: [graylog2] Support for Elasticsearch 1.40
Hey Josep, The first RC of v0.92 was released today and supports Elasticsearch v1.4.0. Cheers, Lennart On Thu, Nov 20, 2014 at 10:18 AM, Josep Maria Comas Serrano josepmariaco...@gmail.com wrote: Hi, we've configured Graylog2 successfully, I wonder if there will be soon support for Elasticsearch 1.4.0? Great job, Best, JM
Re: [graylog2] Suggestion: Stream Schedules
Hey Zi, thanks for the suggestion! Can you elaborate your use case for this? Thanks, Lennart On Fri, Nov 14, 2014 at 4:01 PM, Zi Dvbelju zidvbe...@gmail.com wrote: I have a quick suggestion for streams - implement optional schedules during which a stream can be active/paused. Would be an incredibly nice feature! Keep up the good work, absolutely loving Graylog2.
[graylog2] [ANNOUNCE] New Graylog2 releases
Hey everybody, we just released Graylog2 v0.90.3, v0.91.3, v0.92.0-beta.1 and here are the announcement blog posts with important changes, bugfixes and new features: * http://www.graylog2.org/news/post/0007-graylog2-v0-90-3-and-v0-91-3-has-been-released * http://www.graylog2.org/news/post/0008-graylog2-v0-92-beta-1 Upgrade to v0.90.3 and v0.91.3 is recommended. If you are running the v0.91 series that supports Elasticsearch v1.3 you should make sure to go to v0.91.3 with ES 1.3.4 because v1.3.2 contains a bug that can cause index corruption. Thanks, Lennart (on behalf of the whole team)
Re: [graylog2] Server fails to start
Hey Mark, can you post those Java errors/stacktraces? Thanks, Lennart On Thu, Oct 23, 2014 at 12:10 AM, Mark Moorcroft plak...@gmail.com wrote: I rebooted my graylog2 box today and now I get the following: [root@graylog ~]# service graylog2-server start Starting graylog2-server: [ OK ] [root@graylog ~]# Exception in thread main java.lang.AssertionError: data were read beyond record size, check your serializer Followed by 2 pages of java errors. Anybody have any ideas?
Re: [graylog2] Correct view of log coming from any Cisco device
Let your Cisco devices send to a Graylog2 Raw/Plaintext input and use the Graylog2 extractors to parse the message.

On Wed, Oct 22, 2014 at 3:49 PM, mbal...@gmail.com wrote:

Hello everybody, First of all thanks for existing! I've just installed and configured a Graylog2 server with success. It would be awesome if it could manage correctly logs sent from any Cisco devices. So I have a question for you: Is it possible to receive in a correct way the logs from Cisco devices with a clean (without third party software) installation? I've tested several solutions found on the internet like this (which seems more relevant in my modest opinion):

    no service sequence-numbers
    no service timestamps log datetime msec
    no logging message-counter syslog
    logging origin-id hostname

but the result has not changed. Waiting for a kind reply. Best Regards.
Re: [graylog2] Re: Situation with indices
989.8mb. That looks like your change to 8g did not take effect. Can you double check how you start the server and that the ENV variables are actually taken into account? On Wed, Sep 24, 2014 at 11:16 PM, Arie satyava...@gmail.com wrote: heap_max = 989.8mb On Wednesday, September 24, 2014 11:05:20 PM UTC+2, lennart wrote: Can you check that the change actually took effect by querying ES directly? curl -XGET http://localhost:9200/_nodes/stats/jvm?pretty=true ... heap_max : 990.7mb Thanks, Lennart On Wed, Sep 24, 2014 at 10:27 PM, Arie satya...@gmail.com wrote: Hi Lennart in the yml file there is 8192m configured for ES_HEAP_SIZE. At first I have forgotten the m, but now it is there and I can recalculate 4 out of 14 indices. Still it goes out-of-memory tho. The server has 16GB, and no problem there. On Wednesday, September 24, 2014 9:53:36 PM UTC+2, lennart wrote: Hey Arie, looks like your ElasticSearch process is running out of memory. How much heap space did you allocate to it? Thanks, Lennart On Wed, Sep 24, 2014 at 9:34 PM, Arie satya...@gmail.com wrote: And there is this error in the server logfile for some indices: 2014-09-24T21:07:15.736+02:00 INFO [RebuildIndexRangesJob] Could not calculate range of index [graylog2_12]. Skipping.
org.elasticsearch.action.search.SearchPhaseExecutionException: Failed to execute phase [query_fetch], all shards failed; shardFailures {[eUTBQqseT1mfR9rhU3OSRg][graylog2_12][0]: RemoteTransportException[[Graylog2-test][inet[/10.64.91.14:9300]][search/phase/query+fetch]]; nested: QueryPhaseExecutionException[[graylog2_12][0]: query[ConstantScore(*:*)],from[0],size[1],sort[custom:timestamp: org.elasticsearch.index.fielddata.fieldcomparator.LongValuesComparatorSource@46977d73!]: Query Failed [Failed to execute main query]]; nested: ElasticSearchException[java.lang.OutOfMemoryError: Java heap space]; nested: ExecutionError[java.lang.OutOfMemoryError: Java heap space]; nested: OutOfMemoryError[Java heap space]; } at org.elasticsearch.action.search.type.TransportSearchTypeAction$BaseAsyncAction.onFirstPhaseResult(TransportSearchTypeAction.java:272) at org.elasticsearch.action.search.type.TransportSearchTypeAction$BaseAsyncAction$3.onFailure(TransportSearchTypeAction.java:224) at org.elasticsearch.search.action.SearchServiceTransportAction$7.handleException(SearchServiceTransportAction.java:324) at org.elasticsearch.transport.netty.MessageChannelHandler.handleException(MessageChannelHandler.java:181) at org.elasticsearch.transport.netty.MessageChannelHandler.handlerResponseError(MessageChannelHandler.java:171) at org.elasticsearch.transport.netty.MessageChannelHandler.messageReceived(MessageChannelHandler.java:123) at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:296) at 
org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462) at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443) at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:268) at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:255) at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108) at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:318) at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89) at
Re: [graylog2] Re: Situation with indices
Hey Arie, looks like your ElasticSearch process is running out of memory. How much heap space did you allocate to it? Thanks, Lennart On Wed, Sep 24, 2014 at 9:34 PM, Arie satyava...@gmail.com wrote: And there is this error in the server logfile for some indices: 2014-09-24T21:07:15.736+02:00 INFO [RebuildIndexRangesJob] Could not calculate range of index [graylog2_12]. Skipping. org.elasticsearch.action.search.SearchPhaseExecutionException: Failed to execute phase [query_fetch], all shards failed; shardFailures {[eUTBQqseT1mfR9rhU3OSRg][graylog2_12][0]: RemoteTransportException[[Graylog2-test][inet[/10.64.91.14:9300]][search/phase/query+fetch]]; nested: QueryPhaseExecutionException[[graylog2_12][0]: query[ConstantScore(*:*)],from[0],size[1],sort[custom:timestamp: org.elasticsearch.index.fielddata.fieldcomparator.LongValuesComparatorSource@46977d73!]: Query Failed [Failed to execute main query]]; nested: ElasticSearchException[java.lang.OutOfMemoryError: Java heap space]; nested: ExecutionError[java.lang.OutOfMemoryError: Java heap space]; nested: OutOfMemoryError[Java heap space]; } at org.elasticsearch.action.search.type.TransportSearchTypeAction$BaseAsyncAction.onFirstPhaseResult(TransportSearchTypeAction.java:272) at org.elasticsearch.action.search.type.TransportSearchTypeAction$BaseAsyncAction$3.onFailure(TransportSearchTypeAction.java:224) at org.elasticsearch.search.action.SearchServiceTransportAction$7.handleException(SearchServiceTransportAction.java:324) at org.elasticsearch.transport.netty.MessageChannelHandler.handleException(MessageChannelHandler.java:181) at org.elasticsearch.transport.netty.MessageChannelHandler.handlerResponseError(MessageChannelHandler.java:171) at org.elasticsearch.transport.netty.MessageChannelHandler.messageReceived(MessageChannelHandler.java:123) at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) at
org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:296) at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462) at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443) at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:268) at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:255) at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108) at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:318) at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89) at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) at org.elasticsearch.common.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) at org.elasticsearch.common.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) 2014-09-24T21:07:15.739+02:00 INFO [RebuildIndexRangesJob] Done calculating index ranges for 15 indices. Took 132244ms.
Re: [graylog2] Re: Situation with indices
Can you check that the change actually took effect by querying ES directly? curl -XGET http://localhost:9200/_nodes/stats/jvm?pretty=true ... heap_max : 990.7mb Thanks, Lennart On Wed, Sep 24, 2014 at 10:27 PM, Arie satyava...@gmail.com wrote: Hi Lennart in the yml file there is 8192m configured for ES_HEAP_SIZE. At first I have forgotten the m, but now it is there and I can recalculate 4 out of 14 indices. Still it goes out-of-memory tho. The server has 16GB, and no problem there. On Wednesday, September 24, 2014 9:53:36 PM UTC+2, lennart wrote: Hey Arie, looks like your ElasticSearch process is running out of memory. How much heap space did you allocate to it? Thanks, Lennart On Wed, Sep 24, 2014 at 9:34 PM, Arie satya...@gmail.com wrote: And there is this error in the server logfile for some indices: 2014-09-24T21:07:15.736+02:00 INFO [RebuildIndexRangesJob] Could not calculate range of index [graylog2_12]. Skipping. org.elasticsearch.action.search.SearchPhaseExecutionException: Failed to execute phase [query_fetch], all shards failed; shardFailures {[eUTBQqseT1mfR9rhU3OSRg][graylog2_12][0]: RemoteTransportException[[Graylog2-test][inet[/10.64.91.14:9300]][search/phase/query+fetch]]; nested: QueryPhaseExecutionException[[graylog2_12][0]: query[ConstantScore(*:*)],from[0],size[1],sort[custom:timestamp: org.elasticsearch.index.fielddata.fieldcomparator.LongValuesComparatorSource@46977d73!]: Query Failed [Failed to execute main query]]; nested: ElasticSearchException[java.lang.OutOfMemoryError: Java heap space]; nested: ExecutionError[java.lang.OutOfMemoryError: Java heap space]; nested: OutOfMemoryError[Java heap space]; } at org.elasticsearch.action.search.type.TransportSearchTypeAction$BaseAsyncAction.onFirstPhaseResult(TransportSearchTypeAction.java:272) at org.elasticsearch.action.search.type.TransportSearchTypeAction$BaseAsyncAction$3.onFailure(TransportSearchTypeAction.java:224) at
org.elasticsearch.search.action.SearchServiceTransportAction$7.handleException(SearchServiceTransportAction.java:324) at org.elasticsearch.transport.netty.MessageChannelHandler.handleException(MessageChannelHandler.java:181) at org.elasticsearch.transport.netty.MessageChannelHandler.handlerResponseError(MessageChannelHandler.java:171) at org.elasticsearch.transport.netty.MessageChannelHandler.messageReceived(MessageChannelHandler.java:123) at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:296) at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462) at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443) at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:268) at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:255) at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108) at 
org.elasticsearch.common.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:318) at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89) at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) at org.elasticsearch.common.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) at org.elasticsearch.common.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at
Re: [graylog2] 443 as non-root?
Another thing to look at when on Ubuntu: http://manpages.ubuntu.com/manpages/hardy/man1/authbind.1.html On Tue, Aug 26, 2014 at 8:02 PM, Mark Moorcroft plak...@gmail.com wrote: I have read various strategies here to run the web interface with 443 access as non-root, such as iptables redirects etc. Apache and postfix both manage to run as non-root on low ports. So I was wondering if it's on the radar to allow this with GL2? I realize apache and postfix manage this trick through various hoops jumped through. But at the end of the day I wonder if you will eventually be able to install GL2 web with 443 enabled and it just works? privileged low port access discussion
Re: [graylog2] Can Graylog 2 show top 10 ip address
On Fri, Jul 11, 2014 at 11:11 PM, Kay Röpke kroe...@gmail.com wrote: Unfortunately this is not possible on a dashboard yet, but we are looking to improve it for a future version. Small correction: This is possible on dashboards. You can add any quickvalue results to a dashboard with the little dashboard icon on the top of the modal that pops up.
Re: [graylog2] Can't get statistics for a more or less numeric field
Hey Niklas, you are right with your observations. The statistical analysis requires the value to be stored as an integer (or another numeric type) in the index to work. If the used GELF library is not able to send numeric types you'll have to use a fallback method: Extractors. You can use an extractor (Type: Copy Input) to copy the whole input of the field count and apply a numeric converter on it. This will store it as an integer in your case. Note that you might have to manually cycle the deflector (System - Indices - Maintenance dropdown menu) to enforce a new mapping or ElasticSearch will try to be smart and convert the integer back to a string because it has the field count mapped as a string. The field line is indeed handled specifically but is deprecated in the current GELF specs. Greetings from the other side of Hafencity, Lennart On Tue, Jun 3, 2014 at 3:42 PM, Niklas Grebe niklas.gr...@innogames.com wrote: Hey folks, first of all thanks - you’re doing a great job with Graylog2! We’re sending messages via gelfj to a gl2 udp input stream for gelf messages. A raw message looks like this: {host:my.host,_customField1:it,full_message: (test:it) 31,short_message: (test:it) 31,line:53,version:1.0,_customField2:test,timestamp:1401796573.67,_type:stats,_thread:main,level:6,facility:test_facility,file:Logger.java,_count:31,_timestampMs:1401796573670”} _count is a custom field which has an aggregated count in it. The web interface says to this field "Statistical analysis is only available for numeric field types." which seems to be right because we can see in the tcp dump that there are quotes around this field. In gelfj there is a method for extended fields which casts them toString: https://github.com/t0xa/gelfj/blob/8ca278c0ea0f2ac9cd6db03e55f27631f4571002/src/main/java/org/graylog2/log/GelfConsoleAppender.java#L100 So there is no proper way to extend fields to gelf which are numeric with this library, or did I miss something?
I know that this is more or less a problem with gelfj but it’s in the first place in the library list for gelf logger on the graylog webpage: http://graylog2.org/gelf#libraries and I also found something interesting: The normal field line (which is also sent via double quotes like a string) is interpreted as an integer and we can do statistics with this field. Is this a special exception in the graylog2 webui just for the line field in gelf messages? Greetings, Niklas
[graylog2] [ANNOUNCE] Graylog2 v0.20.2 has been released
Hey everybody, the final release of Graylog2 v0.20.2 has arrived: http://blog.graylog2.org/graylog2-v0-20-2-has-been-released/ A big thank you to the TORCH team. We put a lot of effort into this release and will follow up with a v0.21.0 that brings ElasticSearch v1.x support. Thank you very much, Lennart
[graylog2] [ANNOUNCE] The Graylog2 extractor directory
Hey everybody, we are happy to announce that we released the Graylog2 extractor directory today. With the most recent release of Graylog2 allowing importing/exporting of extractor configurations this directory is a first big step forward to supporting all common vendor log formats out there. Read the intro blog post here: http://blog.graylog2.org/the-graylog2-extractor-directory-parsing-vendor-logs-solved/ Do you have any extractor configs that you'd like to share? Thanks, Lennart
[graylog2] [ANNOUNCE] Graylog2 v0.20.2-rc.1 has been released
Hey everybody, I am happy to announce that we released the first RC version of Graylog2 v0.20.2: http://blog.torch.sh/graylog2-v0-20-2-rc-1-has-been-released/ Thanks, Lennart
Re: [graylog2] Hi, I installed Graylog2 and configured a cisco switch to send the log to graylog, after that strange behavior started. HELP!!!
Cisco is usually not sending valid RFC syslog and the parsing fails. What device is sending this? Can you post (full, non-parsed) example messages?

On Wed, May 7, 2014 at 1:57 PM, Washington Gomez washingtongo...@gmail.com wrote:

https://lh6.googleusercontent.com/-sMBx3Id-Yc4/U2ofgBLPJII/TH8/pgn1EgGbctI/s1600/Dibujo.PNG
Re: [graylog2] MasterCache filling up
Thanks for the update Tyler!

On Wed, May 7, 2014 at 12:04 AM, Tyler Bell ty...@appliedtrust.com wrote:

I think I just found the issue. I thought we had a box big enough to run the Graylog2 server, plus Web Interface, but we had a bunch of Streams enabled recently. We disabled them to see what would happen and we came back to full processing capacity (~1750 msg/s). I'm suggesting that we get a separate box for the web interface now.

On Tuesday, May 6, 2014 12:53:44 PM UTC-6, Tyler Bell wrote:

There are no ES errors. Cluster Health is Green. I see data being added to my /data partition. Is there a way to see what else ES could be doing that would force Graylog to only process 1/3 of the logs it was processing a week ago?

{ cluster_name : X, status : green, timed_out : false, number_of_nodes : 3, number_of_data_nodes : 2, active_primary_shards : 320, active_shards : 320, relocating_shards : 0, initializing_shards : 0, unassigned_shards : 0 }

On Tuesday, May 6, 2014 12:29:53 PM UTC-6, lennart wrote:

Can you check your ElasticSearch logs for errors? I am pretty sure it is the reason.

On Tue, May 6, 2014 at 5:57 PM, Tyler Bell ty...@appliedtrust.com wrote:

I'm having an issue with Graylog continuously falling behind with log processing, and the MasterCache filling up til the 10G of Heap Space maxes out and crashes. The really weird thing is that a week ago, everything was processing fine and I was taking between 1500-2000 msg/s. Now I barely get over 500-750 msg/s. I don't think ElasticSearch is the issue because none of the OutputCache or Buffer is increasing. I'm wondering if it has something to do with this: Number of indices (80) higher than limit (20). Running retention for 60 indices. It doesn't look like Graylog is properly rotating indexes and running this retention instead.

After restarting graylog2 and emptying cache...

[util][caches][2014-05-06T08:46:04.850-07:00] InputCache size: 5758
[util][caches][2014-05-06T08:46:04.850-07:00] OutputCache size: 0
[util][buffers][2014-05-06T08:46:04.850-07:00] OutputBuffer is at 0.0%. [0/2048]
[util][buffers][2014-05-06T08:46:04.850-07:00] ProcessBuffer is at 33.251953%. [681/2048]
[util][heap][2014-05-06T08:46:04.850-07:00] Used memory (MB): 1465
[util][heap][2014-05-06T08:46:04.850-07:00] Free memory (MB): 8330
[util][heap][2014-05-06T08:46:04.850-07:00] Total memory (MB): 9814
[util][heap][2014-05-06T08:46:04.850-07:00] Max memory (MB): 9814
[util][written][2014-05-06T08:46:04.850-07:00] Messages written to all outputs: 1561

After MasterCache fills up a bit

[util][caches][2014-05-06T08:42:18.109-07:00] InputCache size: 2487587
[util][caches][2014-05-06T08:42:18.109-07:00] OutputCache size: 0
[util][buffers][2014-05-06T08:42:18.109-07:00] OutputBuffer is at 0.0%. [0/2048]
[util][buffers][2014-05-06T08:42:18.109-07:00] ProcessBuffer is at 40.429688%. [828/2048]
[util][heap][2014-05-06T08:42:18.109-07:00] Used memory (MB): 6392
[util][heap][2014-05-06T08:42:18.109-07:00] Free memory (MB): 3736
[util][heap][2014-05-06T08:42:18.109-07:00] Total memory (MB): 10129
[util][heap][2014-05-06T08:42:18.109-07:00] Max memory (MB): 10129
[util][written][2014-05-06T08:42:18.109-07:00] Messages written to all outputs: 3100

ES Node config: (GLNode0 is the Graylog server). I know mlockall is false, and is configured to be true, but these are virtualized servers and there are some issues there.

{ ok : true, cluster_name : Graylog2, nodes : { X.X.X.X : { name : GLNode1, transport_address : inet[/X.X.X.X:9300], hostname : X.X.X.X, version : 0.90.10, http_address : inet[/X.X.X.X:9200], attributes : { master : true }, process : { refresh_interval : 1000, id : 1611, max_file_descriptors : 32000, mlockall : false } }, X.X.X.X : { name : GLNode0, transport_address : inet[/X.X.X.X:9350], hostname : X.X.X.X, version : 0.90.10, attributes : { client : true, data : false, master : false }, process : { refresh_interval : 1000, id : 28382, max_file_descriptors : 4096, mlockall : false } }, X.X.X.X : { name : GLNode2, transport_address : inet[/X.X.X.X:9300], hostname : X.X.X.X, version : 0.90.10, http_address : inet[/X.X.X.X:9200], attributes : { master : false }, process : { refresh_interval : 1000, id : 4508, max_file_descriptors : 32000, mlockall : false } } } }
Re: [graylog2] Zookeeper client timeout
Looks like your systems are just overloaded and you need faster hardware or a scale out on more machines.

On Tue, May 6, 2014 at 4:13 PM, Yossi Nachum nachum...@gmail.com wrote:

Hi, I am trying to run the following graylog2 system: server1: graylog2-server-v0.21 + graylog2-radio-v0.20 + kafka + graylog2-web server2: elasticsearch. When I am sending a lot of log messages (~20K per second) the lag in the kafka server starts to increase and then I get the following messages in zookeeper log:

[2014-05-05 17:27:13,144] INFO Accepted socket connection from /127.0.0.1:38581(org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:13,144] INFO Accepted socket connection from /127.0.0.1:38582(org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:13,144] INFO Client attempting to renew session 0x145ccf8c9a00174 at /127.0.0.1:38582(org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:13,145] INFO Invalid session 0x145ccf8c9a00174 for client /127.0.0.1:38582, probably expired (org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:13,145] INFO Closed socket connection for client /127.0.0.1:38582 which had sessionid 0x145ccf8c9a00174 (org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:13,148] INFO Client attempting to renew session 0x145ccf8c9a00175 at /127.0.0.1:38581(org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:13,148] INFO Invalid session 0x145ccf8c9a00175 for client /127.0.0.1:38581, probably expired (org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:13,148] INFO Closed socket connection for client /127.0.0.1:38581 which had sessionid 0x145ccf8c9a00175 (org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:13,161] INFO Accepted socket connection from /127.0.0.1:38586(org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:13,172] INFO Client attempting to establish new session at /127.0.0.1:38586(org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:13,173] INFO Accepted socket connection from /127.0.0.1:38588(org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:13,174] INFO Client attempting to establish new session at /127.0.0.1:38588(org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:13,183] INFO Established session 0x145ccf8c9a00176 with negotiated timeout 6000 for client /127.0.0.1:38586 (org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:13,184] INFO Established session 0x145ccf8c9a00177 with negotiated timeout 6000 for client /127.0.0.1:38588 (org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:21,000] INFO Expiring session 0x145ccf8c9a00176, timeout of 6000ms exceeded (org.apache.zookeeper.server.ZooKeeperServer)
[2014-05-05 17:27:21,000] INFO Expiring session 0x145ccf8c9a00177, timeout of 6000ms exceeded (org.apache.zookeeper.server.ZooKeeperServer)
[2014-05-05 17:27:21,001] INFO Processed session termination for sessionid: 0x145ccf8c9a00176 (org.apache.zookeeper.server.PrepRequestProcessor)
[2014-05-05 17:27:21,001] INFO Processed session termination for sessionid: 0x145ccf8c9a00177 (org.apache.zookeeper.server.PrepRequestProcessor)
[2014-05-05 17:27:21,002] INFO Closed socket connection for client /127.0.0.1:38586 which had sessionid 0x145ccf8c9a00176 (org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:21,004] INFO Closed socket connection for client /127.0.0.1:38588 which had sessionid 0x145ccf8c9a00177 (org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:56,146] INFO Accepted socket connection from /127.0.0.1:38760(org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:56,146] INFO Accepted socket connection from /127.0.0.1:38761(org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:56,146] INFO Client attempting to renew session 0x145ccf8c9a00176 at /127.0.0.1:38760(org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:56,147] INFO Invalid session 0x145ccf8c9a00176 for client /127.0.0.1:38760, probably expired (org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:56,147] INFO Client attempting to renew session 0x145ccf8c9a00177 at /127.0.0.1:38761(org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:56,147] INFO Invalid session 0x145ccf8c9a00177 for client /127.0.0.1:38761, probably expired (org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:56,148] INFO Closed socket connection for client /127.0.0.1:38760 which had sessionid 0x145ccf8c9a00176 (org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:56,148] INFO Closed socket connection for client /127.0.0.1:38761 which had sessionid 0x145ccf8c9a00177 (org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:56,151] INFO Accepted socket connection from /127.0.0.1:38762(org.apache.zookeeper.server.NIOServerCnxn)
[2014-05-05 17:27:56,173] INFO Client attempting to establish new session at /127.0.0.1:38762(org.apache.zookeeper.server.NIOServerCnxn)
Re: [graylog2] No search bar for non admin users
A better user group model will be included in future versions. You actually don't have to patch anything to make this work for your setup. Take a look at the permission related API calls to solve this programmatically. Note however that this is not documented and not really supported by us until we have the new user group model implemented.

On Mon, Apr 28, 2014 at 5:12 PM, Kapil Nimje kapil.ni...@gmail.com wrote:

Hi, I am using Graylog2 for our project for Log management. We are using graylog2-server-0.20.1 and graylog2-web-interface-0.20.1. I have added the patch in the code RestPemission.java class for reading the additional permissions i.e. SEARCHES_ABSOLUTE, SEARCHES_KEYWORD, SEARCHES_RELATIVE. With this change I am able to see the search bar for non admin users in the graylog web interface. Now, I wanted to confirm: will this be accepted in the mainline Graylog2 code base? Otherwise we need to maintain this patch relative to upstream on an ongoing basis. Do we have any ETA for adding this feature in the newer version? Also, I have gone through the issue mentioned for #620. https://github.com/Graylog2/graylog2-web-interface/issues/620 Thanks Kapil
Re: [graylog2] Re: Graylogweb no_proxy
Seems like you have enabled SSL for the email transport but port 25 doesn't sound like you actually want to use SSL. Set transport_email_use_ssl to false in your graylog2.conf On Wed, Apr 23, 2014 at 7:21 PM, Miguel Cruz toky.c...@gmail.com wrote: Here is output from graylog2.log file: [root@awslxgrayuted01 log]# tailf graylog2.log at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:484) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199) at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:549) at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:354) at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:211) at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1927) ... 
58 more 2014-04-23 13:16:07,468 ERROR: org.graylog2.rest.resources.streams.alerts.StreamAlertResource - Sending dummy alert failed: {} org.apache.commons.mail.EmailException: Sending the email to the following server failed : localhost:25 at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1410) at org.apache.commons.mail.Email.send(Email.java:1437) at org.graylog2.alerts.AlertSender.sendEmail(AlertSender.java:106) at org.graylog2.alerts.AlertSender.sendEmails(AlertSender.java:64) at org.graylog2.rest.resources.streams.alerts.StreamAlertResource.sendDummyAlert(StreamAlertResource.java:355) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:151) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:171) at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:152) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:104) at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:402) at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:349) at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:106) at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:259) at 
org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) at org.glassfish.jersey.internal.Errors.process(Errors.java:315) at org.glassfish.jersey.internal.Errors.process(Errors.java:297) at org.glassfish.jersey.internal.Errors.process(Errors.java:267) at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:318) at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:236) at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1010) at org.graylog2.jersey.container.netty.NettyContainer.messageReceived(NettyContainer.java:275) at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) at org.jboss.netty.handler.stream.ChunkedWriteHandler.handleUpstream(ChunkedWriteHandler.java:142) at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296) at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459) at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536) at org.jboss.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435) at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) at
Re: [graylog2] Decoding a GELF packet payload with Wireshark?
Hey Wiley, the GELF payload is either GZIP or ZLIB compressed or even completely uncompressed. Maybe that helps? Chunked GELF packages need to be decoded and re-assembled to read all the information in them of course. You can learn more about that here: http://graylog2.org/gelf (However you can configure your GELF sending clients to never chunk and avoid this decoding problem) Cheers, Lennart

On Wed, Apr 23, 2014 at 10:18 PM, Wiley Sanders wsand...@gmail.com wrote:

Howdy, Has anybody done this? The GELF payload is not human readable. The root problem is that I don't see a way to blacklist a host that suddenly decides to send me 5000 GELF packets per second (100x normal traffic), except by blocking it by IP address using iptables. I can capture packets into a PCAP file and look at them with wireshark. From that I can get the probable IP address of the host, but the IP address is not in DNS and calls itself by a fake name in the GELF payload anyway. Once I can map the host name in GELF to an IP address, I can then block it with IP tables. Thanks, -w
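The decoding described in Lennart's reply, as an added example that is not part of the original thread or of Graylog's code: it reassembles chunked GELF datagrams, detects GZIP, ZLIB or uncompressed payloads, and tallies which host names each source IP claims. The chunk header layout (magic bytes 0x1e 0x0f, 8-byte message ID, sequence number, sequence count) is taken from the GELF specification; the (source IP, UDP payload) pairs are assumed to have been exported from the capture already, and GelfDecoder, hosts_by_source, MAX_PENDING and the sample packets are constructed for this illustration.

```python
import gzip
import json
import zlib
from collections import defaultdict

CHUNK_MAGIC = b"\x1e\x0f"  # marks a chunked GELF datagram
GZIP_MAGIC = b"\x1f\x8b"
HEADER_LEN = 12            # magic (2) + message ID (8) + sequence number (1) + count (1)
MAX_CHUNKS = 128           # GELF allows at most 128 chunks per message
MAX_PENDING = 1000         # assumed cap on half-received messages, bounds memory in a flood


def decompress(payload):
    """Return the JSON bytes of a complete payload: GZIP, ZLIB or uncompressed."""
    if payload[:2] == GZIP_MAGIC:
        return gzip.decompress(payload)
    if payload[:1] == b"\x78":  # usual first byte of a ZLIB stream; JSON starts with "{"
        return zlib.decompress(payload)
    return payload


class GelfDecoder:
    """Reassembles chunks per (source IP, message ID) and decodes complete messages."""

    def __init__(self):
        self.pending = {}  # (src_ip, msg_id) -> {"count": int, "parts": {seq: bytes}}

    def feed(self, src_ip, datagram):
        """Take one UDP payload; return the message dict once it is complete, else None."""
        if datagram[:2] == CHUNK_MAGIC:
            datagram = self.reassemble(src_ip, datagram)
            if datagram is None:
                return None
        try:
            message = json.loads(decompress(datagram))
        except (OSError, EOFError, zlib.error, ValueError):
            return None  # truncated or corrupt payload
        return message if isinstance(message, dict) else None

    def reassemble(self, src_ip, datagram):
        """Store one chunk; return the joined payload when all chunks are present."""
        if len(datagram) <= HEADER_LEN:
            return None
        msg_id, seq, count = datagram[2:10], datagram[10], datagram[11]
        if not 0 < count <= MAX_CHUNKS or seq >= count:
            return None  # malformed chunk header
        key = (src_ip, msg_id)
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= MAX_PENDING:
                return None  # drop rather than grow without bound
            entry = self.pending[key] = {"count": count, "parts": {}}
        if entry["count"] != count:
            return None  # chunk disagrees with the earlier ones
        entry["parts"][seq] = datagram[HEADER_LEN:]
        if len(entry["parts"]) < count:
            return None  # still waiting for chunks
        del self.pending[key]
        return b"".join(entry["parts"][i] for i in range(count))


def hosts_by_source(packets):
    """Map each source IP to {host name claimed in GELF: number of messages}."""
    decoder = GelfDecoder()
    seen = defaultdict(lambda: defaultdict(int))
    for src_ip, payload in packets:
        message = decoder.feed(src_ip, payload)
        if message is not None:
            seen[src_ip][str(message.get("host"))] += 1
    return {ip: dict(hosts) for ip, hosts in seen.items()}


def make_chunks(body, msg_id, size):
    """Split a payload into GELF chunks (used only to build the sample below)."""
    parts = [body[i:i + size] for i in range(0, len(body), size)]
    return [CHUNK_MAGIC + msg_id + bytes([i, len(parts)]) + p for i, p in enumerate(parts)]


def sample_packets():
    """Constructed (source IP, UDP payload) pairs; addresses are documentation ranges."""
    def gelf(host, text):
        return json.dumps({"version": "1.0", "host": host, "short_message": text}).encode()

    chunks = make_chunks(zlib.compress(gelf("fake-name", "second")), b"\x01" * 8, 20)
    return (
        [("192.0.2.10", gzip.compress(gelf("app01", "first")))]
        + [("198.51.100.7", c) for c in reversed(chunks)]  # chunks out of order
        + [("198.51.100.7", gelf("fake-name", "third"))]   # uncompressed
    )


if __name__ == "__main__":
    for ip, hosts in hosts_by_source(sample_packets()).items():
        print(ip, hosts)
```

The per-source tally is what links a self-reported GELF host name back to the address that actually sent it, which is the mapping needed before writing a firewall rule.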
Re: [graylog2] Graylog2 wipes data after restart
haha, thanks for those nice words :) It looks like your setup is completely overloaded. Can you check the IO, CPU and RAM usage?

On Wed, Apr 16, 2014 at 11:40 AM, Robson Eisinger papil...@gmail.com wrote:

Hi guys, my first post here and yeah, I need some help, but first I want to say something positive about Graylog2: this piece of shit is amazing, is fast and reliable to find and cross information on our logs. =) In our installation, we are using the latest release of Graylog2 (v0.20.1), without graylog2-radio, just elasticsearch, the web interface and the graylog2-server (with mongo db). That said, we are having a problem when we are forced to restart graylog, after a burst of information from one of our log sources (an email server). Basically, when one of our user accounts is compromised, the spammer sends a huge amount of messages and that generates an equally huge amount of log entries and the graylog2 can't handle all the incoming data:

2014-03-31 00:00:04,177 ERROR: org.graylog2.indexer.Indexer - Failed to index [1] messages. Please check the index error log in your web interface for the reason.
2014-03-31 00:00:04,179 ERROR: org.graylog2.indexer.Indexer - Failed to index [1] messages. Please check the index error log in your web interface for the reason.
2014-03-31 00:00:04,202 ERROR: org.graylog2.indexer.Indexer - Failed to index [1] messages. Please check the index error log in your web interface for the reason.
2014-03-31 00:00:04,210 ERROR: org.graylog2.indexer.Indexer - Failed to index [1] messages. Please check the index error log in your web interface for the reason.
2014-03-31 00:00:04,217 ERROR: org.graylog2.indexer.Indexer - Failed to index [1] messages. Please check the index error log in your web interface for the reason.
2014-03-31 00:00:04,217 ERROR: org.graylog2.indexer.Indexer - Failed to index [2] messages. Please check the index error log in your web interface for the reason.
2014-03-31 00:00:04,222 ERROR: org.graylog2.indexer.Indexer - Failed to index [1] messages. Please check the index error log in your web interface for the reason.
2014-03-31 00:00:04,224 INFO : org.graylog2.periodical.DeflectorManagerThread - Number of messages in logstash_7 (5003723) is higher than the limit (500). Pointing deflector to new index now!
2014-03-31 00:00:04,224 INFO : org.graylog2.indexer.Deflector - Cycling deflector to next index now.
2014-03-31 00:00:04,224 INFO : org.graylog2.indexer.Deflector - Cycling from logstash_7 to logstash_8
2014-03-31 00:00:04,224 INFO : org.graylog2.indexer.Deflector - Creating index target logstash_8...
2014-03-31 00:00:04,229 ERROR: org.graylog2.indexer.Indexer - Failed to index [1] messages. Please check the index error log in your web interface for the reason.
2014-03-31 00:00:04,233 ERROR: org.graylog2.periodical.DeflectorManagerThread - Couldn't point deflector to a new index

Those log lines above go on until the next day when we restarted the server. Following are the log entries after we restarted. Notice that: Index [logstash_3] is empty. Not calculating ranges. And GL2 considers only the logstash_8, to be honest, I'm kind of lost here, for some reason GL2 lost the indexes from logstash 3 to 7, disk space wasn't the problem, my best guess is related to IO load, but we restarted after we mitigated the data burst. So that's why I'm here, how can I avoid the data wipe or what am I missing? The rest of the log, a few lines before we restart until the restart process is over.

2014-04-01 09:42:04,230 ERROR: org.graylog2.periodical.DeflectorManagerThread - Couldn't point deflector to a new index
2014-04-01 09:42:05,438 ERROR: org.graylog2.rest.resources.system.ClusterResource - Node undefined not found.
2014-04-01 09:42:06,476 ERROR: org.graylog2.rest.resources.system.ClusterResource - Node undefined not found.
2014-04-01 09:42:07,515 ERROR: org.graylog2.rest.resources.system.ClusterResource - Node undefined not found.
2014-04-01 09:42:08,552 ERROR: org.graylog2.rest.resources.system.ClusterResource - Node undefined not found.
2014-04-01 09:42:09,586 ERROR: org.graylog2.rest.resources.system.ClusterResource - Node undefined not found.
2014-04-01 09:42:14,223 INFO : org.graylog2.periodical.DeflectorManagerThread - Number of messages in logstash_7 (5003723) is higher than the limit (500). Pointing deflector to new index now!
2014-04-01 09:42:14,223 INFO : org.graylog2.indexer.Deflector - Cycling deflector to next index now.
2014-04-01 09:42:14,224 INFO : org.graylog2.indexer.Deflector - Cycling from logstash_7 to logstash_8
2014-04-01 09:42:14,224 INFO : org.graylog2.indexer.Deflector - Creating index target logstash_8...
2014-04-01 09:42:14,229 ERROR: org.graylog2.periodical.DeflectorManagerThread - Couldn't point deflector to a new index
2014-04-01 09:42:24,224 INFO : org.graylog2.periodical.DeflectorManagerThread - Number of messages in logstash_7 (5003723) is
Re: [graylog2] trouble with search, getting strange results
Please try searching for this: 1311-10013* The other messages that are not found have a _ not a - after the 10013. I guess this is not being split automatically by the tokenizer.

On Tue, Apr 8, 2014 at 10:39 AM, Denny Gebel nomoresecr...@gmail.com wrote:

Hi all, we have some serious problem with the search - maybe someone can give me a hint or solution. Currently we see this problem with vsftpd logs. Example: I am searching for a specific client IP (10.20.1.163). Result is like 100+ messages. Resultset looks fine. See the most recent five messages below.

Mon Apr 7 23:00:48 2014 [pid 26077] [username] OK UPLOAD: Client 10.20.1.163, /somedir/OPC-1311-10013-20140407_230001-system.info, 26196 bytes, 0.72Kbyte/sec
Mon Apr 7 23:00:11 2014 [pid 26077] [username] OK UPLOAD: Client 10.20.1.163, /somedir/1311-10013_something_20140407_22.xml, 1042 bytes, 0.72Kbyte/sec
Mon Apr 7 23:00:06 2014 [pid 25919] [username] OK LOGIN: Client 10.20.1.163
Mon Apr 7 23:00:05 2014 [pid 25920] CONNECT: Client 10.20.1.163
Mon Apr 7 22:01:14 2014 [pid 27601] [username] OK UPLOAD: Client 10.20.1.163, /somedir/1311-10013_something_20140407_21.xml, 1047 bytes, 0.02Kbyte/sec

Now I want to search for 1311-10013, which should give me at least(!) the three results from my search above. In fact, I'm getting ONLY one message as result.

Mon Apr 7 23:00:48 2014 [pid 26077] [username] OK UPLOAD: Client 10.20.1.163, /somedir/OPC-1311-10013-20140407_230001-system.info, 26196 bytes, 0.72Kbyte/sec

Logs are transferred with logstash from the ftp server. input = file, output = gelf. No filter etc. Graylog/Graylog-Web: 0.20.1 Any suggestions? What am I doing wrong? Thanks, Denny
Re: [graylog2] Is it possible to do error tracking with graylog2?
Sure, that's no problem! I suggest you take a look at GELF and send structured log messages from your applications directly: http://graylog2.org/gelf

On Tue, Mar 18, 2014 at 12:08 PM, Hannes123 eugen.f...@gmail.com wrote:

Dear community, I am looking for a flexible solution to store user actions (specific clicks on UI elements) which can be tracked if an error occurs. So basically I need a sink for messages like (user_id:1, data:{...}), and errors (user_id:1, info:{...}) which can be related to each other in the web gui. Would be great if this can be done with graylog2. Thanks a lot for any hint!
Re: [graylog2] 13 minutes of latency for syslog input
Hey Raphaël, the date is parsed from the syslog message. The local time of graylog2-server is used if that fails for some reason. Please double check that the hosts that run graylog2-server and graylog2-web-interface have the correct local time or are actually NTP synced. Take a look at the timestamp in the syslog message. Is that one correct? Thanks, Lennart

On Mon, Mar 17, 2014 at 11:39 AM, Raphaël Berlamont raphael.berlam...@raphux.com wrote:

Hi list, I'm encountering a strange behavior:
- messages that come into the syslog listener are only available 13-14 minutes later in the search result (with 13-14 minute old dates).
- messages that come into the GELF (UDP) listener are available right away.

For example, for our firewalls stream, when I select Search in the last five minutes, the stream is always empty. If I search for The last 15 minutes, I have plenty of results, but the newest is at best 13 minutes old. All hosts are NTP synced. And to check that messages come correctly (I mean, on time), I launched a tshark that confirms that messages are received in real time on the graylog2 host: no lag between the sender and graylog2 (and the dates in the syslog messages are correct, no lag). What can explain this huge latency? Regards, -- Raph
Re: [graylog2] connection to graylog2-server
Can you post your graylog2-web-interface and graylog2-server configs? Thanks.

On Tue, Mar 18, 2014 at 5:41 PM, Florian Gilson gils...@gmail.com wrote:

Hi all, I installed elasticsearch 0.90 and graylog2-server 0.20.1. But when I start the web interface I have a big problem: for 5 seconds it says that there is one node connected and I can fill in my login, and then for 5 seconds it says that there are 0 nodes connected and I can't fill in my login, and it always alternates like this. And even if I try to connect during the 5 seconds when one node is connected, I can't. In my graylog2-server.log there is nothing; it says that graylog2 is up and running. Does someone know how to fix it? Thanks, Florian
Re: [graylog2] Can't add an alert receiver via API
Looks to me like type and entity must be query parameters, not part of the JSON body. You should however not get a NPE on that. Just fixed that. The API docs are completely missing indeed and that is something we are working on. Good that you got started with it anyways. Thanks! :)

On Tue, Mar 18, 2014 at 6:33 PM, Reuben Gow geuben...@gmail.com wrote:

The following:

curl -s -XPOST -u admin:admin_password -H "Content-Type: application/json" -d '{"type":"users","entity":"valid_username"}' http://<graylog2 IP>:12900/streams/532852ede4b0c2a33cc6b7c7/alerts/receivers

where that is a valid stream ID, causes a 500 error.

java.lang.NullPointerException at org.graylog2.rest.resources.streams.alerts.StreamAlertResource.addReceiver(StreamAlertResource.java:274) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:601) at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:151) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:171) at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:152) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:104) at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:402) at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:349) at
org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:106) at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:259) at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) at org.glassfish.jersey.internal.Errors.process(Errors.java:315) at org.glassfish.jersey.internal.Errors.process(Errors.java:297) at org.glassfish.jersey.internal.Errors.process(Errors.java:267) at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:318) at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:236) at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1010) at org.graylog2.jersey.container.netty.NettyContainer.messageReceived(NettyContainer.java:275) at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) at org.jboss.netty.handler.stream.ChunkedWriteHandler.handleUpstream(ChunkedWriteHandler.java:142) at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791) at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296) at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459) at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536) at org.jboss.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435) at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) at 
org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268) at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255) at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108) at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:318) at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89) at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) at
Re: [graylog2] Weird things with logs. Sometimes more, sometimes less.
Can you check your ElasticSearch logs for errors?

On Mon, Mar 17, 2014 at 1:38 PM, Dmitri Stoljarov dmitri.stolja...@gmail.com wrote:

Any news/ideas about issue with missing logs?

On Thursday, March 13, 2014 10:16:03 AM UTC+2, Dmitri Stoljarov wrote:

Hi, I don't have any drools or extractors configured. Here's debug output (http://dimka.ee/foo/gl2-0.20.1_debug_output.txt). Hope it helps somehow. I sent 5 events to graylog2 Gelf UDP input, but only 3 events were written to ES. regards,
Re: [graylog2] Re: Hosts Reported 652
Yes: Send RFC compatible syslog. :) What device or daemon is sending your data? Take a look at this guide from our docs if you are sending with rsyslog: http://support.torch.sh/help/kb/getting-your-logs-into-graylog2/sending-with-rsyslog

On Sun, Mar 16, 2014 at 2:20 PM, Ahmad ahmad.sa...@gmail.com wrote:

Hi, I am using graylog2 0.20.1 now and facing the problem in the source name. Is there any workaround to fix this?

On Tuesday, November 12, 2013 4:48:26 PM UTC+3, lennart wrote:

The soon to be released v0.20.0 is able to parse any plain text format using extractors. For earlier versions you need to use syslog messages that are strictly following the RFC. Do you have an example message for us? How are you sending the messages? From rSyslog for example? Thanks, Lennart

On Tue, Nov 12, 2013 at 10:29 AM, Kay Röpke kro...@gmail.com wrote:

Hi! This is a common problem when sending slightly different formats of syslog messages, where the syslog parser library would expect the host. syslog4j unfortunately has many of these problems :(

On Tuesday, November 12, 2013 1:02:37 AM UTC+1, Clementous Clement wrote:

Hello Fellow Gray's, I'm noticing an issue w/ the number of Hosts registered within the graylog2 web-interface. Looking at the objects, they appear to be session based hosts, e.g. sshd {28932} or sudo {5467}. Is there a configuration item I missed? I've attached a few screenshots for your viewing. Thanks in Advance, =-Clem!
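The host inflation discussed in this thread, as an added example (not code from Graylog2 or syslog4j): a positional parser takes whatever follows the timestamp as the host, so a line sent without a HOSTNAME field reports its program tag as the source. The sample lines, the sender address and all function names are constructed for illustration.

```python
import re

# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: message
BSD = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<rest>.+)$"
)
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
IETF = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)
# A program tag such as "sshd[28932]:" or "sudo:" sitting where HOSTNAME belongs.
TAG_LIKE = re.compile(r"^[\w./-]+(?:\[\d+\])?:$")

# Constructed sample input: the address the datagrams arrived from, and four
# lines from the same machine, two of them missing the HOSTNAME field.
SENDER = "192.0.2.10"
SAMPLES = [
    "<38>Mar 16 14:20:01 web01 sshd[28932]: Accepted publickey for deploy",
    "<38>Mar 16 14:20:01 sshd[28932]: Accepted publickey for deploy",
    "<86>Mar 16 14:20:07 sudo[5467]: pam_unix(sudo:session): session opened",
    "<38>1 2014-03-16T14:20:09.123+01:00 web01 sshd 28940 - - Accepted publickey",
]


def parse(line):
    """Split one syslog line into header fields; None if it matches neither RFC."""
    m = IETF.match(line)
    if m:
        return {"format": "rfc5424", "pri": int(m["pri"]), "ts": m["ts"],
                "host": m["host"], "tag": m["app"]}
    m = BSD.match(line)
    if m:
        # Positional parsing: the first token after the timestamp is the host.
        first, _, remainder = m["rest"].partition(" ")
        tag = remainder.split(" ", 1)[0].rstrip(":")
        return {"format": "rfc3164", "pri": int(m["pri"]), "ts": m["ts"],
                "host": first, "tag": tag}
    return None


def decode_pri(pri):
    """PRI encodes facility * 8 + severity."""
    return pri >> 3, pri & 7


def naive_source(line):
    """Source name as a purely positional parser reports it."""
    fields = parse(line)
    return fields["host"] if fields else None


def checked_source(line, sender_ip):
    """Return (source, well_formed). Falls back to the sender address when the
    HOSTNAME slot holds a program tag or the header cannot be parsed."""
    fields = parse(line)
    if fields is None or TAG_LIKE.match(fields["host"]):
        return sender_ip, False
    return fields["host"], True


def distinct_sources(lines, checked):
    """Sorted list of distinct source names, with or without the check."""
    if checked:
        return sorted({checked_source(line, SENDER)[0] for line in lines})
    return sorted({naive_source(line) for line in lines})


if __name__ == "__main__":
    print("positional parser:", distinct_sources(SAMPLES, checked=False))
    print("with tag check:   ", distinct_sources(SAMPLES, checked=True))
    for line in SAMPLES:
        source, ok = checked_source(line, SENDER)
        if not ok:
            print("missing HOSTNAME, attributed to sender:", line)
```

Every new process ID produces a new "host" in the unchecked result, which is why the source list keeps growing until the sender emits RFC-compliant headers.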
Re: [graylog2] Exception occurs when performing a search
You need to start with a clean MongoDB and ElasticSearch when migrating from Graylog2 v0.1x to v0.2x. Sorry about that - There are migration paths for any future version but the step to v0.20 was just too big.

On Fri, Mar 14, 2014 at 4:07 PM, Terron Williams mrterronwilli...@gmail.com wrote:

Salutations Lennart, Thanks for your reply! I believe you are correct partner. I had an older installation on my system. Should I install the 0.20.1 fresh, or can I recover what I have? Cheers! Terron

On Thursday, March 13, 2014 6:14:41 PM UTC-4, lennart wrote:

Hey Terron, before we dig deeper into the issue: Could it be that you upgraded an old Graylog2 installation to the 0.20 series? Thanks, Lennart

On Wed, Mar 12, 2014 at 4:45 PM, Terron Williams mrterron...@gmail.com wrote:

Friends, I just installed graylog2-server-0.20.1 graylog2-web-interface-0.20.1, and when I perform a search from the Graylog web interface, I receive an exception. Please see below. Any ideas? Please forgive if this issue is previously known. Thanks much in advance!
Terron

Load line Up
*graylog2-server-0.20.1
*graylog2-web-interface-0.20.1
*Linux version 2.6.32-431.5.1.el6.x86_64 (mock...@c6b10.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Wed Feb 12 00:41:43 UTC 2014
*java version 1.7.0_51
*rpm -qpil elasticsearch-0.90.10.noarch.rpm
*MongoDB version: 2.4.9

//graylog2-server-0.20.1 config
grep -v # /etc/graylog2.conf | egrep -v ^[[:space:]]*$
*is_master = true
*node_id_file = /etc/graylog2-server-node-id
*password_secret = VrjK7vEqdABVMk93mDrW1WxcNzitWXOHzjJ3Mgzs6a3YnPqO5chfdn5xm7vtBAtxVl6jCilBXKLeIoV3rVNpNq7ZwTW0qjiY
*root_password_sha2 = d2c3c5a9fa646162d110cda388a251171d65b4ddb1d74443c62fa7da6b56d31b
* plugin_dir = plugin
*rest_listen_uri = http://127.0.0.1:12900/
*elasticsearch_max_docs_per_index = 2000
*elasticsearch_max_number_of_indices = 20
*retention_strategy = delete
*elasticsearch_shards = 1
*elasticsearch_replicas = 0
*elasticsearch_index_prefix = graylog2
*allow_leading_wildcard_searches = false
*elasticsearch_cluster_name = elasticsearch
*elasticsearch_analyzer = standard
*output_batch_size = 5000
*processbuffer_processors = 5
*outputbuffer_processors = 5
*processor_wait_strategy = blocking
*ring_size = 1024
*dead_letters_enabled = false
*mongodb_useauth = false
*mongodb_host = 127.0.0.1
*mongodb_database = graylog2
*mongodb_port = 27017
*mongodb_max_connections = 100
*mongodb_threads_allowed_to_block_multiplier = 5
*transport_email_enabled = false
*transport_email_hostname = mail.example.com
*transport_email_port = 587
*transport_email_use_auth = true
*transport_email_use_tls = true
*transport_email_use_ssl = true
*transport_email_auth_username = y...@example.com
*transport_email_auth_password = secret
*transport_email_subject_prefix = [graylog2]
*transport_email_from_email = gray...@example.com

//graylog2-web-interface-0.20.1 config
# grep -v # /root/Downloads/graylog2-web-interface-0.20.1/conf/graylog2-web-interface.conf | egrep -v ^[[:space:]]*$
*graylog2-server.uris=http://127.0.0.1:12900/;
*application.secret=gnBBVpVKWMoS2NlWBlQhcwPdeB3qJyK9f1axCLkYCOPAlDVV2ztkeNuOmfLxH2hziyBLwQbvLetZMM5LKTWhFRFM7CSzjNQE
*field_list_limit=0
*application.global=lib.Global

//Starting graylog server
tail -f graylog2-server.log
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
2014-03-11 14:21:54,191 INFO : org.graylog2.Main - Graylog2 0.20.1 starting up. (JRE: Oracle Corporation 1.7.0_51 on Linux 2.6.32-431.5.1.el6.x86_64)
2014-03-11 14:21:54,662 INFO : org.graylog2.plugin.system.NodeId - Node ID: bcfdcd43-addc-451f-bca4-2d88852ccb09
2014-03-11 14:21:54,664 INFO : org.graylog2.Core - No rest_transport_uri set. Falling back to [http://172.17.23.157:12900].
2014-03-11 14:21:56,208 INFO : org.graylog2.buffers.ProcessBuffer - Initialized ProcessBuffer with ring size 1024 and wait strategy BlockingWaitStrategy.
2014-03-11 14:21:56,228 INFO : org.graylog2.buffers.OutputBuffer - Initialized OutputBuffer with ring size 1024 and wait strategy BlockingWaitStrategy.
2014-03-11 14:21:58,700 INFO : org.elasticsearch.node - [graylog2-server] version[0.90.10], pid[3171], build[0a5781f/2014-01-10T10:18:37Z]
2014-03-11 14:21:58,700 INFO : org.elasticsearch.node - [graylog2-server] initializing ...
2014-03-11 14:21:58,853 INFO : org.elasticsearch.plugins - [graylog2-server] loaded [], sites []
2014-03-11 14:22:09,571 INFO : org.elasticsearch.node - [graylog2-server] initialized
2014-03-11 14:22:09,571 INFO : org.elasticsearch.node - [graylog2-server] starting ...
2014-03-11 14:22:09,711 INFO : org.elasticsearch.transport - [graylog2-server] bound_address
[graylog2] Guide for proper rsyslog Graylog2 configuration
Just a quick heads up that we improved the documentation for rsyslog Graylog2 configuration: http://support.torch.sh/help/kb/getting-your-logs-into-graylog2/sending-with-rsyslog This enforces RFC 5424 compliant messages, fixes problems with timestamps and even brings you millisecond resolution. Hope that is useful for somebody! We recommend using it for all your rsyslog configurations and are happy to include your documentation for other syslog daemons.
Re: [graylog2] Permission denied to input on syslog port 514
Address already in use - Something is already listening on that port.

On Thu, Mar 6, 2014 at 5:02 PM, Suresh Prajapati er.sureshprajap...@gmail.com wrote:

Hi, I've started rsyslog on port 12500. It's still saying it cannot bind to that port for input:

An input has failed to start. a few seconds ago
Input 53189bb60cf201071467bacd has failed to start on node aaa96817-0fc9-4759-a806-30cea824a926 for this reason: Could not bind syslog TCP input to address /0.0.0.0:12500, Failed to bind to: /0.0.0.0:12500, Address already in use. This means that you are unable to receive any messages from this input. This is mostly an indication for a misconfiguration or an error. You can click here to solve this

On Thursday, 13 February 2014 18:48:29 UTC+5:30, lennart wrote:

Great! Thanks for posting your solution.

On Thu, Feb 13, 2014 at 1:48 PM, André Coelho coe...@gmail.com wrote:

I'm configuring a switch that does not have the option to set another port for the destination log server; it only sends to port 514.
I have tried authbind but it does not work with port 514.
I have tried setcap 'cap_net_bind_service=+ep' /usr/bin/java but it does not work.
Then finally using IPTABLES worked:

iptables -A PREROUTING -t nat -i eth0 -p udp --dport 514 -j REDIRECT --to-port 10515

Thanks for your help

On Wednesday, February 12, 2014 17:14:51 UTC-2, lennart wrote:

You need to be root to bind sockets on ports <=1024 on most *NIX systems. Either run graylog2-server as root (not recommended) or use a port higher than 1024. You could also try to give the local user that runs graylog2-server permission to bind to those restricted ports, but usually just choosing a higher port is the easiest solution.

On Wed, Feb 12, 2014 at 7:19 PM, André Coelho coe...@gmail.com wrote:

Hi All, I have this version of graylog installed on ubuntu 12.04:
Graylog2-server (Current: 0.20-rc.1-1)
Graylog2-web (Current: 0.20-rc.2)
Graylog2-radio Current: 0.20-rc.2)

When I try to add a global Syslog Input to listen on port 514 TCP or UDP (bind address: 0.0.0.0) the server gives this error:

Input 52fbb0d5e4b0a4cfa9f30f88 has failed to start on node f728fbee-73f5-4a3a-a0f1-c10511eed089 for this reason: Could not bind UDP syslog input to address /0.0.0.0:514, Failed to bind to: /0.0.0.0:514, Permission denied. This means that you are unable to receive any messages from this input. This is mostly an indication for a misconfiguration or an error. You can click here to solve this

And the log looks like this:

2014-02-12 16:16:39,732 ERROR: org.graylog2.inputs.InputRegistry - The [org.graylog2.inputs.syslog.udp.SyslogUDPInput] input with ID 52fbba87e4b0f89aaac73a29 misfired. Reason: Could not bind UDP syslog input to address /0.0.0.0:514, Failed to bind to: /0.0.0.0:514, Permission denied

This looks like the user that graylog runs as does not have permission to bind port 514. Does someone know how to fix this? Thanks
Re: [graylog2] Graylog2: mongodb_replica_set
Try it out. :) Shutdown the master and see what happens. Graylog2 should handle that transparently and will be notified about the new master.

On Thu, Mar 6, 2014 at 3:56 PM, Robert robertbeu...@gmail.com wrote:

There are a lot of hits on Google for creating a three node replica set with MongoDB and using it for Graylog2. For more information: http://docs.mongodb.org/manual/core/replica-set-architecture-three-members/. I understand I can add the following line to graylog2.conf:

mongodb_replica_set = host1:27017,host2:27017,host3:27017

What I don't understand is how I should use this setting if I want to have a failover solution. Let's say the master host in the MongoDB replica set fails, an election starts between the two hosts that are left and a new master will be elected. How should Graylog2 know which node will become the master? This is of importance because the master is the only host that will accept write actions, or am I wrong here? Regards, Robert
Re: [graylog2] Stream alert with log messages?
The alert functionality will be extended in the future and come with a template based system. Thanks!

On Thu, Mar 6, 2014 at 4:34 PM, Marek Beneš ben...@gmail.com wrote:

Hi, is there a way to configure Graylog2 v0.20.1 to send the log messages that triggered an alert? Currently I only get metadata such as:

Stream had 10 messages in the last 5 minutes with trigger condition more than 0 messages. (Current grace time: 5 minutes)
##
Date: 2014-03-06T15:20:25.025Z
Stream ID: 53188e2345ce1faac5398069
Stream title: AppServer errors
Stream rules: [StreamRuleImpl: {_id=53188ece45ce1faac539811d, field=facility, value=AppServer, stream_id=53188e2345ce1faac5398069, inverted=false, type=1}, StreamRuleImpl: {_id=53188edd45ce1faac539812e, field=level, value=4, stream_id=53188e2345ce1faac5398069, inverted=false, type=4}]
Alert triggered at: 2014-03-06T15:20:25.024Z

but what I would really like is to get the list of log messages ;-) Thanks a lot, Marek
Re: [graylog2] Re: We expected HTTP 200, but got a HTTP 404
Looks like your Graylog2 setup is completely overloaded or misconfigured. Your graylog2-server log is full of errors that need to be fixed. Start by checking the ElasticSearch logs for errors. Another error makes it look like you have not NTP synchronised your host. Please check that all system times of Graylog2 related hosts are in sync.

On Thu, Mar 6, 2014 at 10:58 PM, Ryan Jones rjo...@aereo.com wrote:

Anyone?

On Wednesday, March 5, 2014 2:18:01 PM UTC-5, Ryan Jones wrote:

Everything was working just fine. I haven't made any changes. Now when I click on system or even sources I get this message. Here is a GIST of the full trace. https://gist.github.com/wolfman2g1/9372391 As far as I can tell GL server is still processing logs. I can also telnet to the GL server and it connects. Not sure what is going on here
Re: [graylog2] Re: Graylog2 0.20.0 preview 2 Syslog UDP configuration
Yes, you can just use the REST APIs to spawn new inputs programmatically. The Vagrant box is getting new inputs spawned automatically on spin up already: https://github.com/hggh/graylog2-vagrant/blob/master/modules/graylog2/files/create_graylog2_inputs_gelf

On Thu, Mar 6, 2014 at 6:17 PM, Robert Logan rlo...@qmetric.co.uk wrote:

That's fairly useless when you are using graylog in an automated setup. If I need to set it up with (the old) syslog_listen_port on 8140 then it was a simple config entry that could be added on build. It's not practical to build 10 environments with graylog and then have to log into 10 web interfaces to reconfigure. Is there a rest endpoint that I can use to do this on?

On Sunday, 13 October 2013 19:17:18 UTC+1, Kay Röpke wrote:

Hi! We should have removed the configuration entries, sorry for that! You set up the inputs from within the web interface now. Once you are logged in, go to the System menu, choose Nodes from the right submenu. There on the graylog2 server node, go to the Action menu and choose Inputs. From there you can launch as many inputs as you want, on any port you want. For the privileged ports < 1024 you have to run the graylog2-server process as root, of course. Sorry for the confusion, Kay

On Friday, October 11, 2013 7:45:08 PM UTC+2, Deepak Jagannath wrote:

It looks like I have everything setup correctly. However I can't figure out what port, how to configure, or turn on the syslog udp port. I tried 514, 9099, etc. I get connection refused from netcat so I think it's not listening. I'm trying from localhost.

echo "Hello Graylog2, let's be friends." | nc -w 1 -u 127.0.0.1 9099

Here's my setup:

Elastic Search 0.90.5-1 installed via RPM (RHEL)
elasticsearch.yml
cluster.name: graylog2
node.master: true
node.data: true

Graylog2 Server 0.20.0 preview 2 installed via zip from Github.
graylog2.conf
is_master = true
elasticsearch_index_prefix = graylog2
elasticsearch_cluster_name = graylog2
elasticsearch_node_name = graylog2-server
elasticsearch_node_master = false
elasticsearch_node_data = false

Graylog2 Web 0.20.0 preview 2 installed via zip from Github
Systems status
System messages: Started up.
ElasticSearch Cluster is green

Elasticsearch logs
graylog2.log
[2013-10-11 17:35:32,034][INFO ][cluster.service ] [Thundra] added {[graylog2-server][PLpmGkraTO6oCJjCHGbIOw][inet[/10.54.10.10:9350]]{client=true, data=false, master=false},}, reason: zen-disco-receive(join from node[[graylog2-server][PLpmGkraTO6oCJjCHGbIOw][inet[/10.54.10.10:9350]]{client=true, data=false, master=false}])

Thanks, Deepak

-- The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Policy Expert is a trading name of QMetric Group Limited who is authorised and regulated by the Financial Conduct Authority. The registered company address of QMetric Group Limited is: 32-38 Dukes Place, London, EC3A 7LP and its company registration number is 07151701.
Re: [graylog2] Permission denied to input on syslog port 514
You are listening on port 12500 with both rsyslog and graylog2-server on the same machine. That does not work and the error is telling you that. Use different ports and you should be fine.

On Fri, Mar 7, 2014 at 2:30 PM, Suresh Prajapati er.sureshprajap...@gmail.com wrote:

Thanks Lennart for the reply :) So this is what I've done:
1. Started rsyslog on the machine on 12500.
2. While configuring the graylog2 input, mentioned the ip: 0.0.0.0 port: 12500
3. Then the error came.

Another problem I got: I was trying to send my logs from my mac to graylog2 but could not. I've followed this guide http://support.torch.sh/help/kb/getting-your-logs-into-graylog2/sending-with-osx-syslogd Any help would be appreciated :) -suresh

On Fri, Mar 7, 2014 at 6:51 PM, Lennart Koopmann lenn...@torch.sh wrote:

Address already in use - Something is already listening on that port.

On Thu, Mar 6, 2014 at 5:02 PM, Suresh Prajapati er.sureshprajap...@gmail.com wrote:

Hi, I've started rsyslog on port 12500. It's still saying it cannot bind to that port for input:

An input has failed to start. a few seconds ago
Input 53189bb60cf201071467bacd has failed to start on node aaa96817-0fc9-4759-a806-30cea824a926 for this reason: Could not bind syslog TCP input to address /0.0.0.0:12500, Failed to bind to: /0.0.0.0:12500, Address already in use. This means that you are unable to receive any messages from this input. This is mostly an indication for a misconfiguration or an error. You can click here to solve this

On Thursday, 13 February 2014 18:48:29 UTC+5:30, lennart wrote:

Great! Thanks for posting your solution.

On Thu, Feb 13, 2014 at 1:48 PM, André Coelho coe...@gmail.com wrote:

I'm configuring a switch that does not have the option to set another port for the destination log server; it only sends to port 514.
I have tried authbind but it does not work with port 514.
I have tried setcap 'cap_net_bind_service=+ep' /usr/bin/java but it does not work.
Then finally using IPTABLES worked:

iptables -A PREROUTING -t nat -i eth0 -p udp --dport 514 -j REDIRECT --to-port 10515

Thanks for your help

On Wednesday, February 12, 2014 17:14:51 UTC-2, lennart wrote:

You need to be root to bind sockets on ports <=1024 on most *NIX systems. Either run graylog2-server as root (not recommended) or use a port higher than 1024. You could also try to give the local user that runs graylog2-server permission to bind to those restricted ports, but usually just choosing a higher port is the easiest solution.

On Wed, Feb 12, 2014 at 7:19 PM, André Coelho coe...@gmail.com wrote:

Hi All, I have this version of graylog installed on ubuntu 12.04:
Graylog2-server (Current: 0.20-rc.1-1)
Graylog2-web (Current: 0.20-rc.2)
Graylog2-radio Current: 0.20-rc.2)

When I try to add a global Syslog Input to listen on port 514 TCP or UDP (bind address: 0.0.0.0) the server gives this error:

Input 52fbb0d5e4b0a4cfa9f30f88 has failed to start on node f728fbee-73f5-4a3a-a0f1-c10511eed089 for this reason: Could not bind UDP syslog input to address /0.0.0.0:514, Failed to bind to: /0.0.0.0:514, Permission denied. This means that you are unable to receive any messages from this input. This is mostly an indication for a misconfiguration or an error. You can click here to solve this

And the log looks like this:

2014-02-12 16:16:39,732 ERROR: org.graylog2.inputs.InputRegistry - The [org.graylog2.inputs.syslog.udp.SyslogUDPInput] input with ID 52fbba87e4b0f89aaac73a29 misfired. Reason: Could not bind UDP syslog input to address /0.0.0.0:514, Failed to bind to: /0.0.0.0:514, Permission denied

This looks like the user that graylog runs as does not have permission to bind port 514. Does someone know how to fix this? Thanks
Re: [graylog2] Re: Graylog2 0.20.0 preview 2 Syslog UDP configuration
Let me know if you need anything else! :)

On Fri, Mar 7, 2014 at 2:33 PM, Robert Logan rlo...@qmetric.co.uk wrote:
Thanks Lennart ... on a Friday - demo on Monday ... I can automate it :) Woop.

On 7 March 2014 13:31, Lennart Koopmann lenn...@torch.sh wrote:
Yes, you can just use the REST APIs to spawn new inputs programmatically. The Vagrant box is getting new inputs spawned automatically on spin up already: https://github.com/hggh/graylog2-vagrant/blob/master/modules/graylog2/files/create_graylog2_inputs_gelf

On Thu, Mar 6, 2014 at 6:17 PM, Robert Logan rlo...@qmetric.co.uk wrote:
That's fairly useless when you are using graylog in an automated setup. If I need to set it up with (the old) syslog_listen_port on 8140 then it was a simple config entry that could be added on build. It's not practical to build 10 environments with graylog and then have to log into 10 web interfaces to reconfigure. Is there a REST endpoint that I can use to do this on?

On Sunday, 13 October 2013 19:17:18 UTC+1, Kay Röpke wrote:
Hi! We should have removed the configuration entries, sorry for that! You set up the inputs from within the web interface now. Once you are logged in, go to the System menu, choose Nodes from the right submenu. There on the graylog2 server node, go to the Action menu and choose Inputs. From there you can launch as many inputs as you want, on any port you want. For the privileged ports < 1024 you have to run the graylog2-server process as root, of course. Sorry for the confusion, Kay

On Friday, October 11, 2013 7:45:08 PM UTC+2, Deepak Jagannath wrote:
It looks like I have everything setup correctly. However I can't figure out what port, how to configure, or turn on the syslog udp port. I tried 514, 9099, etc. I get connection refused from netcat so I think it's not listening. I'm trying from localhost.

echo "Hello Graylog2, let's be friends." | nc -w 1 -u 127.0.0.1 9099

Here's my setup:

Elastic Search 0.90.5-1 installed via RPM (RHEL)
elasticsearch.yml
cluster.name: graylog2
node.master: true
node.data: true

Graylog2 Server 0.20.0 preview 2 installed via zip from Github.
graylog2.conf
is_master = true
elasticsearch_index_prefix = graylog2
elasticsearch_cluster_name = graylog2
elasticsearch_node_name = graylog2-server
elasticsearch_node_master = false
elasticsearch_node_data = false

Graylog2 Web 0.20.0 preview 2 installed via zip from Github
Systems status
System messages: Started up.
ElasticSearch Cluster is green

Elasticsearch logs graylog2.log
[2013-10-11 17:35:32,034][INFO ][cluster.service ] [Thundra] added {[graylog2-server][PLpmGkraTO6oCJjCHGbIOw][inet[/10.54.10.10:9350]]{client=true, data=false, master=false},}, reason: zen-disco-receive(join from node[[graylog2-server][PLpmGkraTO6oCJjCHGbIOw][inet[/10.54.10.10:9350]]{client=true, data=false, master=false}])

Thanks, Deepak
[graylog2] [ANNOUNCE] Graylog2 v0.20.1 has been released
We just released v0.20.1: * http://blog.torch.sh/graylog2-v0-20-1-has-been-released/ It brings an important bugfix, several improvements and a new feature: Dead letter queues and indexer failure reporting. Thanks, Lennart
Re: [graylog2] graylog-0.20 main.css is empty, /streams results in 500 (upgrade from 0.13)
Yes! Your old data unfortunately is not compatible with the new version. We did so many changes from 0.12 to 0.20 that we decided to make a hard break and not build in any migrations or similar. Future versions will of course ship with a proper migration path. Starting with a clean ElasticSearch and MongoDB setup should fix your problems. Thanks, Lennart

On Fri, Feb 21, 2014 at 12:50 PM, sjon sjon.hortens...@gmail.com wrote:
I just installed graylog-web-interface-0.20 and some things don't seem to work right. The interface looks a bit strange because /assets/stylesheets/main.css is empty (although the response-code is 200). Also; the /streams page is empty (with a 500 response-code). I cannot find any messages in the logfiles that help me any further. Can anyone help me debug this? This installation runs with a pre-0.20 elasticsearch mongo database and I haven't taken any explicit migration steps; might that be the problem?
Re: [graylog2] graylog2 server's elasticsearch settings
On Fri, Feb 21, 2014 at 11:27 PM, Romeo Theriault romeo.theria...@maine.edu wrote:
Do these settings (e.g. shards, replicas, indices) over-ride the elasticsearch settings that I configure in elasticsearch's config file?

Yes! You do not need to use the ElasticSearch YML file at all if the config available in graylog2.conf is enough. Usually that is the case and we recommend using the ElasticSearch config only for experienced users.

From the graylog2 server's server.conf file I'm guessing that graylog2_server has an embedded version of elasticsearch. Is this correct?

Correct. Thanks, Lennart
Re: [graylog2] How to use custom field value in field chart
Hey Reginaldo, select a field you want to chart from the sidebar, hit the little cog and press Generate chart. Note that this is of course only possible for numeric values. You can also get the same data via the REST APIs, that is true. :) Let me know if you need help with anything. Thanks, Lennart

On Wed, Feb 19, 2014 at 9:01 PM, Reginaldo Russinholi bagr...@gmail.com wrote:
Hi, I'd like to generate a chart using a custom field value, that is inside the messages sent to Graylog2, but using Graylog Web Interface I see no way to do this. Is there a way to do this? Is it possible to retrieve the custom field value searching 'fieldhistogram' by using the Graylog2 REST API? Regards, Reginaldo Russinholi
[graylog2] [ANNOUNCE] Graylog2 v0.20.0 has been released
Hey everybody, we are so happy to announce that we just released Graylog2 v0.20.0 after almost a full year of work. You can find the release announcement page here: http://graylog2.org/wow/such/0.20.0 With this as a foundation we'll be releasing regular updates with new features based on the many requests we already got by you. Thank you very much for helping us so much in the last months. You are awesome! Have a great day, Lennart (on behalf of the whole TORCH team)
Re: [graylog2] Permission denied to input on syslog port 514
Great! Thanks for posting your solution.

On Thu, Feb 13, 2014 at 1:48 PM, André Coelho coe...@gmail.com wrote:
I'm configuring a switch that does not have the option to set other port for the destination log server, it only sends to port 514. I have tried authbind but it does not work with port 514. I have tried setcap 'cap_net_bind_service=+ep' /usr/bin/java but it does not work. Then finally using IPTABLES worked:

iptables -A PREROUTING -t nat -i eth0 -p udp --dport 514 -j REDIRECT --to-port 10515

Thanks for your help

On Wednesday, February 12, 2014 17:14:51 UTC-2, lennart wrote:
You need to be root to bind sockets on ports <=1024 on most *NIX systems. Either run graylog2-server as root (not recommended) or use a port higher than 1024. You could also try to give the local user that runs graylog2-server permission to bind to those restricted ports, but usually just choosing a higher port is the easiest solution.

On Wed, Feb 12, 2014 at 7:19 PM, André Coelho coe...@gmail.com wrote:
Hi All, I have this version of graylog installed on ubuntu 12.04:

Graylog2-server (Current: 0.20-rc.1-1)
Graylog2-web (Current: 0.20-rc.2)
Graylog2-radio (Current: 0.20-rc.2)

When I try to add a global Syslog Input to listen on port 514 TCP or UDP (bind address: 0.0.0.0) the server gives this error:

Input 52fbb0d5e4b0a4cfa9f30f88 has failed to start on node f728fbee-73f5-4a3a-a0f1-c10511eed089 for this reason: Could not bind UDP syslog input to address /0.0.0.0:514, Failed to bind to: /0.0.0.0:514, Permission denied. This means that you are unable to receive any messages from this input. This is mostly an indication for a misconfiguration or an error. You can click here to solve this

And the log looks like this:

2014-02-12 16:16:39,732 ERROR: org.graylog2.inputs.InputRegistry - The [org.graylog2.inputs.syslog.udp.SyslogUDPInput] input with ID 52fbba87e4b0f89aaac73a29 misfired. Reason: Could not bind UDP syslog input to address /0.0.0.0:514, Failed to bind to: /0.0.0.0:514, Permission denied

This looks like the user that graylog runs does not have permission to bind port 514. Someone knows how to fix this? Thanks
Re: [graylog2] How to fix Check the system clocks of your graylog2-server nodes
Does it appear again if you just close it? Maybe you restarted your graylog2-server nodes a bit too fast.

On Thu, Feb 13, 2014 at 10:31 AM, Şahin Koç shn...@gmail.com wrote:
I am getting following warning and don't know how to fix it:

Check the system clocks of your graylog2-server nodes. 12 minutes ago. A graylog2-server node detected a condition where it was deemed to be inactive immediately after being active. This usually indicates either a significant jump in system time, e.g. via NTP, or that a second graylog2-server node is active on a system that has a different system time. Please make sure that the clocks of graylog2 systems are synchronized.

I have only one graylog node with only one elastic search cluster. They are both present at the same server. System clock is set to local time of the location which is Istanbul. Please help me to fix it. Thanks
Re: [graylog2] Log monitoring with graylog2
That is an old documentation that I just removed. Sorry about the confusion. Every graylog2-server ships with a built in API browser. You can access it from the Nodes dropdown menu in /system/nodes of your graylog2-web-interface.

On Thu, Feb 13, 2014 at 12:03 PM, Alik Kurdyukov akurdyu...@gmail.com wrote:
Great, thanks. I found only http://docs.graylog2.apiary.io for docs on the API. It doesn't seem to be complete. Are there any other docs on the API? Or points in the server code?

On Monday, February 10, 2014 4:52:08 PM UTC+4, lennart wrote:
You could use the graylog2-server REST API to read data into Zabbix I think.

On Mon, Feb 10, 2014 at 1:33 PM, Alik Kurdyukov akurd...@gmail.com wrote:
Hello, First, thank you guys for great tool. I'm using it to monitor several distributed windows services. I need to monitor logs for messages with special levels i.e. fatal. I tried to implement log filtering plugin, but it seems there's no support for custom plugins yet. Is it possible to monitor logs for special kind of levels and post data into zabbix? Thanks, Alik.
Re: [graylog2] Re: v0.20.0-rc.2: Incorrect Indices count
Can you try manually re-calculating the index ranges? System - Indices - Maintenance dropdown menu - Recalculate index ranges Thanks!

On Wed, Feb 12, 2014 at 1:40 PM, Joe Vandermark joe.vanderm...@gmail.com wrote:
Yes, just one index (fresh install) and it is working fine.
Re: [graylog2] rc2: gelf udp input aborts at first JSON parse error
We have identified that as a connection handling problem in the inputs and will fix it ASAP. Thanks!

On Wed, Feb 12, 2014 at 12:52 PM, Martin René Mortensen martin.rene.morten...@gmail.com wrote:
Hi, I'm outputting GELF directly from apache, it may be a stretch, but it seemed to work. Lately it doesn't, because of JSON parse errors, and at the first error it stops the input somehow, doesn't get any more messages. This is the error in graylog2 server log:

12:42:29,377 ERROR [GELFProcessor] Could not parse JSON! com.fasterxml.jackson.core.JsonParseException: Unrecognized character escape 'x' (code 120) at [Source: java.io.StringReader@791b6956; line: 1, column: 409]

This is a sample log (I also log to files):

{ "version": "1.1", "host": "somehost.example.com", "level": 6, "timestamp": 1392205765, "short_message": "POST /ws/pure4WebService/ HTTP/1.1", "_user-agent": "Oracle HTTPClient Version 10h", "_client": "1.1.127.198", "_duration_usec": 263475, "_duration_sec": 0, "_status": 200, "_request_path": "/ws/pure4WebService/", "_request": "/ws/pure4WebService/", "_method": "POST", "_referrer": "-", "_hostheader": "www1.example.com", "_bytes": 50378, "_scheme": "-" }

It validates fine as JSON on jsonlint.com, but it's probably not the log message it's complaining about - but I don't know which. I don't escape my 'x''s. /Martin
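The Jackson error quoted in this thread, Unrecognized character escape 'x', is what a strict JSON parser reports for a \x escape, which JSON does not define. The following is an added example, not code from the thread or from Graylog: it locates such escapes in a GELF payload and rewrites \xhh as \u00hh before parsing. The function names and the sample payload are constructed for illustration, and mapping a \xhh byte to the code point U+00hh is an assumption about how the sender escaped it.

```python
import json
import re

# Characters JSON (RFC 8259) allows directly after a backslash.
# "\u" is also allowed, but only when followed by four hex digits.
_SIMPLE = set('"\\/bfnrt')
_HEX4 = re.compile(r"[0-9a-fA-F]{4}")
_HEX2 = re.compile(r"[0-9a-fA-F]{2}")

# Constructed sample: a GELF message whose short_message carries a raw
# "\x16" escape, which a strict JSON parser rejects.
SAMPLE = (r'{"version": "1.1", "host": "somehost.example.com", '
          r'"short_message": "GET /a\x16b HTTP/1.1", "_status": 200}')


def find_invalid_escapes(payload):
    """Return (column, sequence) for each escape JSON does not define.

    Columns are 1-based and point at the backslash.
    """
    found = []
    i, in_string = 0, False
    while i < len(payload):
        ch = payload[i]
        if ch == '"':
            in_string = not in_string
            i += 1
        elif ch == "\\" and in_string:
            nxt = payload[i + 1:i + 2]
            if nxt in _SIMPLE:
                i += 2          # valid two-character escape, \" included
            elif nxt == "u" and _HEX4.fullmatch(payload[i + 2:i + 6]):
                i += 6          # valid \uXXXX escape
            elif nxt == "x" and _HEX2.fullmatch(payload[i + 2:i + 4]):
                found.append((i + 1, payload[i:i + 4]))
                i += 4
            else:
                found.append((i + 1, payload[i:i + 2]))
                i += 2
        else:
            i += 1
    return found


def repair_escapes(payload):
    """Rewrite invalid escapes so that the payload parses as JSON.

    \\xhh becomes \\u00hh (assumption: the byte is the code point U+00hh);
    any other unknown escape keeps its characters with the backslash
    itself escaped.
    """
    out, last = [], 0
    for col, seq in find_invalid_escapes(payload):
        start = col - 1
        out.append(payload[last:start])
        if len(seq) == 4:                    # only \xhh has length 4
            out.append("\\u00" + seq[2:])
        else:
            out.append("\\\\" + seq[1:])
        last = start + len(seq)
    out.append(payload[last:])
    return "".join(out)


def parse_gelf(payload):
    """Parse a GELF payload; return (message, invalid escapes found)."""
    problems = find_invalid_escapes(payload)
    text = repair_escapes(payload) if problems else payload
    return json.loads(text), problems


if __name__ == "__main__":
    message, problems = parse_gelf(SAMPLE)
    for col, seq in problems:
        print("invalid escape %s at column %d" % (seq, col))
    print(repr(message["short_message"]))
```

Logging the reported column next to the sender's address makes it possible to find which client emits the unescaped bytes instead of silently repairing every message.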
Re: [graylog2] graylog2-server-0.20.0-rc.2 fails to run
not same cluster_name [elasticsearch]

Seems like your graylog2-server node is running with cluster.name elasticsearch and your ElasticSearch node(s) are not. You need to set the same cluster.name everywhere.

On Wed, Feb 12, 2014 at 6:40 PM, Craig Blake craigwbl...@gmail.com wrote:
Hi, I'm trying to get graylog2 up and running for the first time and am continually getting errors about a missing ElasticSearch master. I'm following the directions here: http://support.torch.sh/help/kb/graylog2-server/installing-graylog2-server-v020x-on-nix-systems

This is the configuration I'm using, built by following the directions at the above link and adding a change to disable multicast discovery from here: http://support.torch.sh/help/kb/graylog2-server/configuring-and-tuning-elasticsearch-for-graylog2-v0200

is_master = true
node_id_file = /etc/graylog2-server-node-id
password_secret =
root_password_sha2 =
plugin_dir = plugin
rest_listen_uri = http://127.0.0.1:12900/
elasticsearch_max_docs_per_index = 2000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog2
allow_leading_wildcard_searches = false
elasticsearch_cluster_name = elasticsearch
elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300
elasticsearch_analyzer = standard
output_batch_size = 5000
processbuffer_processors = 5
outputbuffer_processors = 5
processor_wait_strategy = blocking
ring_size = 1024
mongodb_useauth = true
mongodb_user = graylog2
mongodb_password =
mongodb_replica_set = mongo01:27017,mongo02:27017
mongodb_database = graylog2
mongodb_port = 27017
mongodb_host = mongo01
mongodb_max_connections = 100
mongodb_threads_allowed_to_block_multiplier = 5
transport_email_enabled = false
transport_email_hostname = mail.example.com
transport_email_port = 587
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_use_ssl = true
transport_email_auth_username = y...@example.com
transport_email_auth_password = secret
transport_email_subject_prefix = [graylog2]
transport_email_from_email = grayl...@example.com

I notice in the output some DEBUG messages that say this:

2014-02-12 17:30:43,380 DEBUG: org.elasticsearch.discovery.zen.ping.unicast - [graylog2-server] [2] filtering out response from [Scorpio][GrPJicD8TV6Kvaig7ZbLhQ][inet[/10.3.108.55:9300]], not same cluster_name [elasticsearch]

And then the server fails with this error:

2014-02-12 17:30:48,377 ERROR: org.graylog2.Main - ERROR: No ElasticSearch master was found.
Need help?
* Official documentation: http://support.torch.sh/help/kb
* Mailing list: http://support.torch.sh/help/kb/general/forums-mailing-list
* Issue tracker: http://support.torch.sh/help/kb/general/issue-trackers
* Commercial support: http://www.torch.sh/
But we also got some specific help pages that might help you in this case:
* http://support.torch.sh/help/kb/graylog2-server/configuring-and-tuning-elasticsearch-for-graylog2-v0200
Terminating. :(

Any ideas what the problem is? Thanks, Craig
Re: [graylog2] Re: GELF multiline-Logs
Hey Cornelius, you are right, that was a bug. :) Kay already fixed it and we'll release RC.3 tomorrow: https://github.com/Graylog2/graylog2-web-interface/issues/612 Thank you very much, Lennart

On Tue, Feb 11, 2014 at 3:18 PM, cornelius.r...@gmail.com wrote:
Hi Kay, ok, I'm sorry, this works for me as expected, great! I think I have to be more precise: the line-breaks are displayed within the small message window on the right side, but not when displaying the message in Full-Screen-Mode. Would it be possible to have the same behaviour there? Thank you! Bye, Cornelius

On Tuesday, February 11, 2014 10:29:31 AM UTC+1, Kay Röpke wrote:
cc'ing mailing list. I just tested this and it works as expected for me. Could you please share an example message? Just to make sure you are also running the RC2 of the web interface, right? Because the bug was there and not in the server. I sent:

curl -0 -XPOST http://localhost:12202/gelf -d '{"short_message":"ohai", "full_message":"this is a test ", "host":"localhost", "facility":"test"}'

to my HTTP GELF input and it showed up as I expected (this is running RC2 here). Best, Kay

On Mon, Feb 10, 2014 at 9:54 PM, corneli...@gmail.com wrote:
Hi Kai, hi Lennart, I've just downloaded and installed RC2. The Update worked out of the box, I played a little with the new version, again an improvement - e.g. alerting now works! But unfortunately multiline-Line-Breaks still don't work for me :-( The GELF-Event contains them, but within the web-interface there are still no line-breaks :-( Ciao, Cornelius

On Wednesday, February 5, 2014 3:12:38 PM UTC+1, Kay Röpke wrote:
This will be fixed in RC2. Thanks for your report!

On Wed, Feb 5, 2014 at 10:56 AM, Lennart Koopmann len...@torch.sh wrote:
Thanks for reporting this! Please follow this issue: https://github.com/Graylog2/graylog2-web-interface/issues/601 Cheers, Lennart

On Tue, Feb 4, 2014 at 7:44 PM, Grégory Nuyttens gregory@gmail.com wrote:
At this time, I try a lot of things:
- simple messages with gelf and with an \n character inside my message
- with logstash and multiline option
but in the graylog web interface I only show a blank between multiple lines and no multiline display :-/ I think you told about this issue: https://github.com/Graylog2/graylog2-web-interface/pull/126, it seems to be closed and resolved but the problem has come back in this version??? Thanks if anyone has a solution or we can create again a new issue about this problem

On Tuesday, January 28, 2014 4:24:40 PM UTC+1, corneli...@gmail.com wrote:
Hi, first of all I want to say that I'm quite satisfied with graylog2 0.2.0 rc.1-1. But I have a question regarding multiline-Display within full_message. Although line-breaks, i.e. \n are included within the GELF-Message from logstash, e.g. Stacktraces are displayed as floating text. I read that there was an Issue 9 months ago, but that should be fixed. Is the same problem re-occurring? Or am I missing something? Regards, Cornelius
Re: [graylog2] Blacklists
Hey Tim, the blacklists were not re-implemented for 0.20.0 yet, but will come back in a way better implementation in a near-future version. Sorry for the inconvenience. Thanks, Lennart

On Tue, Feb 11, 2014 at 5:10 PM, Tim timsha...@gmail.com wrote:
Have been using Graylog 0.12 for a while. Just been looking at the new 0.20 release candidate and cannot find any sign of where to configure blacklists. Has this feature been removed from graylog?
Re: [graylog2] Exception on Users Tab
Hey Abhay, could it be that you are using a MongoDB database that was filled by a previous Graylog2 version? Thanks, Lennart

On Mon, Feb 10, 2014 at 12:44 PM, ab...@fab.com wrote:
Hi All, I just setup graylog2 version(graylog2-v0-20-0-rc-1-1) on production. When I click on system/users I am getting this error:

lib.APIException: API call failed GET http://@graylog-server-ip:12900/users returned 500 Internal Server Error body: java.lang.NullPointerException
at org.graylog2.users.User.getName(User.java:154)
at org.graylog2.rest.resources.users.UsersResource.toMap(UsersResource.java:410)
at org.graylog2.rest.resources.users.UsersResource.toMap(UsersResource.java:404)
at org.graylog2.rest.resources.users.UsersResource.listUsers(UsersResource.java:96)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:151)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:171)
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:152)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:104)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:402)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:349)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:106)
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:259)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)
at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
at org.glassfish.jersey.internal.Errors.process(Errors.java:267)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:318)
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:236)
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1010)
at org.graylog2.jersey.container.netty.NettyContainer.messageReceived(NettyContainer.java:254)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.handler.stream.ChunkedWriteHandler.handleUpstream(ChunkedWriteHandler.java:142)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)
at org.jboss.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:318)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at
Re: [graylog2] Plugins for Graylog2 0.20.x
0.1x plugins are not compatible and 0.20.0 only has the input plugin interfaces back for now, because the other types are not implemented yet. Cheers, Lennart

On Thu, Feb 6, 2014 at 3:09 AM, Gonzalo Gómez García arcadia.gonz...@gmail.com wrote:
Hi, I've got some questions about plugins on version 0.20. Are the 0.1x plugins compatible with Graylog2 0.20? Is there any documentation about custom plugin development for Graylog2 0.20? Regards
[graylog2] [ANNOUNCE] Graylog2 v0.20.0-rc.2 has been released
Hey everybody,

we just released the second RC version of Graylog2 v0.20.0. It brings a lot of fixes and improvements - Find a complete list in the announcement:

* http://blog.torch.sh/graylog2-v0-20-0-rc-2-has-been-released/

Have a great day,
Lennart (on behalf of the whole TORCH team)
Re: [graylog2] Graphite
Hey Jonathan,

the Graphite forwarding will follow in future releases. I created this issue to make sure we properly schedule it after 0.20.0: https://github.com/Graylog2/graylog2-server/issues/421

Thanks,
Lennart

On Mon, Feb 10, 2014 at 5:18 PM, Jonathan Buch jb...@synyx.de wrote:

Hi,

I just got around to trying the new 0.20 branch of graylog2 with the goal of eventually phasing out a 0.9.* installation. Now, I've read that Graphite is included (http://blog.torch.sh/graylog2-v0-20-0-preview-5-has-been-released/), however on investigating that implementation seems to be mostly removed since the preview shortly before 0.20-rc.1

* A GraphiteFormatter exists but the method contents are commented out
* 29ca7e6f4c9ac7 alerts are now sending emails. #356 removes the rest of the graphite implementation unceremoniously with Whoop! as the only comment.

Is there a plan to revive this functionality? I guess it wouldn't really be hard to simply query JMX and use the available metrics and shove them into graphite, but I was hoping to skip that extra step.

Greetings,
Jo
Re: [graylog2] Error when merging charts
I can confirm that this is exactly the issue I fixed. Will indeed be included in rc.2. :) Thanks for your kind words!

On Fri, Feb 7, 2014 at 11:57 AM, Paul Dunkler paul.dunk...@xyrality.com wrote:

Fine. Thanks for the fast response. I'm with you that your fix could have fixed that issue I'm facing too! Will report back after you've released the RC2.

I believe this could be related to this issue https://github.com/Graylog2/graylog2-web-interface/issues/590

Previously if the graph data had missing values, then the number of data points reported was lower than the time range would've required. After the fix we fill those missing buckets with a 0, so both time series will have the same amount of data and also there won't be any wrong interpolation going on. I believe this will also fix the graph merge problem.

We aim to release RC2 as soon as possible, possibly even today.

And thank you for your praise :) Yes, this is one of the ways to report these things, but you could also use the github projects to file bug reports if you like.

cheers,
-k

On Friday, February 7, 2014 10:59:35 AM UTC+1, Paul Dunkler wrote:

Hi there,

first I would like to say - VERY VERY AWESOME NEW GRAYLOG2!! I already used the first versions of graylog2 since some time - And I'm totally impressed of the new version! Nice features, cool design - good handling!

I tried to use the Merge Graphs-Feature, did one search, pinned a graph and then did another one, created a new graph, dropped it on the other one - But that doesn't seem to work. There are some Javascript-Errors from Rickshaw that stacked series cannot have differing numbers of points: 375 vs 346.

Here are 2 screenshots - Hope they'll help:
http://www.directupload.net/file/d/3526/j9x59yr8_png.htm
http://www.directupload.net/file/d/3526/vfutvfry_png.htm

Or isn't this the right place for such error reports? If not, please tell me the right one!

--
Mit freundlichen Grüßen / Kind regards
Paul Dunkler
Re: [graylog2] Re: GELF multiline-Logs
Thanks for reporting this! Please follow this issue: https://github.com/Graylog2/graylog2-web-interface/issues/601

Cheers,
Lennart

On Tue, Feb 4, 2014 at 7:44 PM, Grégory Nuyttens gregory.nuytt...@gmail.com wrote:

At this time, I try a lot of things:
- simple messages with gelf and with an \n character inside my message
- with logstash and multiline option
but in the graylog web interface I only show a blank between multiple lines and no multiline display :-/

I think you told about this issue: https://github.com/Graylog2/graylog2-web-interface/pull/126, it seems to be closed and resolved but the problem has come back in this version???

Thanks if anyone has a solution or we can create again a new issue about this problem

On Tuesday, January 28, 2014 4:24:40 PM UTC+1, corneli...@gmail.com wrote:

Hi,

first of all I want to say that I'm quite satisfied with graylog2 0.2.0 rc.1-1. But I have a question regarding multiline-Display within full_message. Although line-breaks, i.e. \n are included within the GELF-Message from logstash, e.g. Stacktraces are displayed as floating text. I read that there was an Issue 9 months ago, but that should be fixed. Is the same problem re-occurring? Or am I missing something?

Regards,
Cornelius
Re: [graylog2] 0.20 rc1.1 ui fields and order
The LogMessage changed indeed. It is now this: https://github.com/Graylog2/graylog2-server/blob/020/graylog2-plugin-interfaces/src/main/java/org/graylog2/plugin/Message.java

The official docs for this will follow soon.

On Wed, Feb 5, 2014 at 1:03 PM, Martin René Mortensen martin.rene.morten...@gmail.com wrote:

Great. Any hints on how to use drools now? I can't seem to get it right in any way. New escape sequences? New LogMessage object to import? It's difficult to tell from the source.

On Monday, 3 February 2014 09:48:17 UTC+1, lennart wrote:

Hey Martin,

we already have your suggestions on the near-future roadmap. Thank you very much! Drools is still available in v0.20.0 and just needs a documentation update. That is one of the remaining tickets in the 0.20.0 milestone.

Thanks,
Lennart

On Fri, Jan 31, 2014 at 6:59 PM, Martin René Mortensen martin.ren...@gmail.com wrote:

Hi,

First, 0.20 is a great release, I love it, especially the upgraded radio and choosing kafka for queueing, it's blazingly fast.

I have a few very important (I think) comments - maybe I just don't know which little button to press, but I can't get it to work.

- Fields resetting: I cannot get the chosen fields to stick! They keep resetting when I reload the search and it's really annoying.
- Field sort order? How do you choose the sort order of fields? I can't see a way, and I don't understand the current sort order.

And a few questions:

- Will drools rules stay in? It's a very effective tool for extracting a lot of fields in one go. The online field extractor is nice and comprehensive, but it's insane to make 200 rules for extracting fields from cisco devices logs for example. I suspect it's also ineffective, when I can match 1 line, and extract all the fields in one group capturing regexp with drools rules.

Brgds.
Martin
Re: [graylog2] Re: Message retention time
The MongoDB part is for old Graylog2 versions only. Be aware that manually deleting data can cause performance issues and needs a manual re-calculation of the index ranges meta data after it.

On Tue, Feb 4, 2014 at 10:21 AM, Jean-Luc Bassereau jlbasser...@gmail.com wrote:

Hello,

As far as I know, I'm able to delete data from a single host using these commands:

Deletion from ES:

# curl -XDELETE 'http://localhost:9200/graylog2_*/message/_query' -d '
{ "query_string" : { "default_field" : "host", "query" : "servername" } }'

Deletion from mongoDB:

# mongo
MongoDB shell version: 2.4.6
connecting to: test
use graylog2
switched to db graylog2
db.auth('grayloguser', 'PASSWORD')
1
db.hosts.remove( { 'host' : /^servername/ } )

2014-02-03 Lennart Koopmann lenn...@torch.sh:

Yes, we are working on that - But it will not be included in v0.20.0 yet.

Thanks,
Lennart

On Mon, Feb 3, 2014 at 10:59 AM, Javier Barroso javibarr...@gmail.com wrote:

Hello,

Is there some work in progress about this issue? Is it possible to delete messages only from a specific source? It would be useful having an interface to delete the most noise logs (for example, applications with debug mode turned on)

Thank you very much

On Thursday, 19 December 2013 12:01:45 UTC+1, lennart wrote:

We are working on that for v0.20.0 in these days actually. :)

On Thu, Dec 19, 2013 at 10:37 AM, Ruurd Adema ruurd...@gmail.com wrote:

Me2! Retention based on time would be awesome! +1 feature request.

On Monday, 24 December 2012 11:08:09 UTC+1, Roman Lobus wrote:

Hello,

Message retention time setting was removed in the new version of Graylog (0.10.1) but I can't find this setting in configuration file. What is exact name of message retention time option?

Thank you in advance!
Roman

--
Regards,
Jean-Luc Bassereau
Re: [graylog2] Graylog 0.20.0 with Nagios
It is basic HTTP authentication. For example with curl:

curl -XGET http://youruser:password@127.0.0.1:12900/system

On Tue, Jan 28, 2014 at 8:49 AM, datluc lucypa...@googlemail.com wrote:

Nobody ?
Re: [graylog2] Standart users can't create new dashboard (stacktrace generated)
That is indeed a bug. https://github.com/Graylog2/graylog2-web-interface/issues/593

Thanks for reporting this,
Lennart

On Mon, Feb 3, 2014 at 4:53 PM, Raphaël Berlamont raphael.berlam...@raphux.com wrote:

Hi list,

it seems that a user can't create a personal dashboard, even if the user is prompted for this action:

https://lh4.googleusercontent.com/-JbRr5q3UOqI/Uu-5t28VDYI/MlI/telzY49O1Z0/s1600/create_new_dashboard.png

User is then redirected to the «create dashboard» formular, but when he clicks on the «Create», stacktrace appears, and in the log, we have this:

===
16:48:31,047 INFO [ShiroAuthorizationFilter] User not authorized.
org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [dashboards:create]
    at org.apache.shiro.authz.ModularRealmAuthorizer.checkPermission(ModularRealmAuthorizer.java:323)
    at org.apache.shiro.mgt.AuthorizingSecurityManager.checkPermission(AuthorizingSecurityManager.java:137)
    at org.apache.shiro.subject.support.DelegatingSubject.checkPermission(DelegatingSubject.java:205)
    at org.apache.shiro.authz.aop.PermissionAnnotationHandler.assertAuthorized(PermissionAnnotationHandler.java:74)
    at org.graylog2.security.ShiroAuthorizationFilter.filter(ShiroAuthorizationFilter.java:52)
    at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:171)
    at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:74)
    at org.glassfish.jersey.process.internal.Stages.process(Stages.java:197)
    at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:250)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:267)
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:318)
    at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:236)
    at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1010)
    at org.graylog2.jersey.container.netty.NettyContainer.messageReceived(NettyContainer.java:254)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.jboss.netty.handler.stream.ChunkedWriteHandler.handleUpstream(ChunkedWriteHandler.java:142)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
    at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
    at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)
    at org.jboss.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
    at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
    at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:318)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
    at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
    at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
    at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)
===

I think
Re: [graylog2] Re: Message retention time
Yes, we are working on that - But it will not be included in v0.20.0 yet.

Thanks,
Lennart

On Mon, Feb 3, 2014 at 10:59 AM, Javier Barroso javibarr...@gmail.com wrote:

Hello,

Is there some work in progress about this issue? Is it possible to delete messages only from a specific source? It would be useful having an interface to delete the most noise logs (for example, applications with debug mode turned on)

Thank you very much

On Thursday, 19 December 2013 12:01:45 UTC+1, lennart wrote:

We are working on that for v0.20.0 in these days actually. :)

On Thu, Dec 19, 2013 at 10:37 AM, Ruurd Adema ruurd...@gmail.com wrote:

Me2! Retention based on time would be awesome! +1 feature request.

On Monday, 24 December 2012 11:08:09 UTC+1, Roman Lobus wrote:

Hello,

Message retention time setting was removed in the new version of Graylog (0.10.1) but I can't find this setting in configuration file. What is exact name of message retention time option?

Thank you in advance!
Roman
Re: [graylog2] Re: [Help me] Using GELF HTTP input
You have to go to System - Inputs in the web interface to start new inputs.

On Thu, Jan 30, 2014 at 12:38 PM, Deep Pai flickr.ordinarywo...@gmail.com wrote:

Hi,

How do you do step (1)? How do you setup graylog 2 to listen to GELF UDP input? I installed graylog2 but I only see that it is listening to the following ports:

tcp 0 0 :::12900 :::* LISTEN 5411/java
tcp 0 0 :::9350 :::* LISTEN 5411/java
udp 0 0 :::54328 :::* 5411/java

On Thursday, 2 January 2014 15:38:08 UTC+5:30, Dmitri Stoljarov wrote:

0. Use latest graylog2. Setup it according to instructions.
1. Create new graylog GELF UDP input. E.g. (port: 4450, bind_address: 0.0.0.0)
2. Configure logstash output:

output {
  gelf {
    type => "your-name"
    port => 4450
    host => "graylog2_ip_address"
    facility => "your-facility"
  }
}

3. Verify that firewall is not blocking traffic to/from your graylog and logstash servers.
4. For debugging, create stdout output on logstash, to be sure that messages are picked up by input filter and forwarded to output filter.

On Thursday, January 2, 2014 10:52:15 AM UTC+2, Lê Bình wrote:

I tried what you tell me, it doesn't make different. Graylog2 should not receive message from gelf output.
Re: [graylog2] No results in stream
That should not happen because Graylog2 is never deleting or even changing any already written messages. Please make sure that you have selected the correct time range for the search and that all graylog2-server and graylog2-web-interface nodes are running with the same server time.

On Wed, Jan 29, 2014 at 7:38 PM, Summer Brooks sum...@historytype.com wrote:

I'm running rc.1.1, and most things are working well so far, but I wanted to run this issue by the group before submitting it as a bug. It's entirely possible someone has already found a fix.

I have an otherwise functioning stream set up, and alarms are working properly against it. However, the stream seems to periodically flush itself of log entries, so I get No results in stream when I try to open it. I'm not quite sure where to look for what might be causing that, so any help would be appreciated.
Re: [graylog2] Re: [ANNOUNCE] Graylog2 v0.20.0-rc.1 has been released
Thank you *very* much Dmitri! :) I created a lot of issues for RC.2 and some for 0.20.1.
Re: [graylog2] Re: Graylog v0.20.0 RC.1 Important Error !!!
If you are using ES with multicast then this could be any ES node with the same cluster.name that is discoverable via multicast. See also: http://support.torch.sh/help/kb/graylog2-server/configuring-and-tuning-elasticsearch-for-graylog2-v0200

On Tue, Jan 14, 2014 at 1:09 PM, datluc lucypa...@googlemail.com wrote:

Where does elasticsearch get the IP address [[Sauron][jko_l23FRI6BW7eEU2ULHg][inet[/10.7.1.129:9300]]] ? The IP address of my Graylog system is 10.7.1.60.

Kind Regards
Lucy