[graylog2] Re: graylog 2.0 GA - issues with nginx and reverse proxy - Error: Request has been terminated
Hi,

For us Graylog v2.0 (since Beta) is working like a charm behind an Apache ReverseProxy with SSL Offloading.

Our config looks like this, maybe this helps someone:

ServerName graylogserver.example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/ssl/certs/graylog.crt
SSLCertificateKeyFile /etc/ssl/certs/graylog.key
KeepAliveTimeout 900

RewriteEngine On

## Graylog Dashboard
RewriteCond %{REQUEST_URI} !^/api
RewriteRule ^/(.*) http://localhost:9000/$1 [P,L]

## Graylog Api - also needed for the dashboard
RequestHeader set X-Graylog-Server-URL "https://graylogserver.example.com/api"
RewriteCond %{REQUEST_URI} ^/api
RewriteRule ^/(api\/)(.*) http://127.0.0.1:12900/$2 [P,L]

Order allow,deny
Allow from all

Regards
Micha

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/c5a2838a-8ed8-4524-b4bb-4bb2019d7d2b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: Load Balancer health check with Big-IP F5
Hi Marty,

at the moment I'm just using one node, so I still haven't placed one of our F5 clusters in front of Graylog.

I just tested the monitor via telnet like I always do for new monitors.

f5ve]# telnet graylogserver 12900
Trying graylogserver...
Connected to graylogserver .
Escape character is '^]'.
GET /system/lbstatus HTTP/1.0

HTTP/1.1 200 OK
X-Graylog-Node-ID: c02340cc-d5b7-4f27-aba6-b795c51865b8
X-Runtime-Microseconds: 187
Content-Type: text/plain
Date: Fri, 15 Apr 2016 12:15:48 GMT
Connection: close
Content-Length: 5

ALIVE

Alternatively, you could change the receive string from ALIVE to just 200 and test if the pool stays up - if that doesn't work either, I guess there is a problem somewhere else.

Greets
Micha
[graylog2] Re: Load Balancer health check with Big-IP F5
Hi Martin,

For this monitor you don't need an external monitor on the F5.
Just configure the monitor like one of these, and it should work:

As HTTP/1.0
*Send String:* GET /system/lbstatus HTTP/1.0\r\n\r\n
*Receive String:* Alive

OR as HTTP/1.1
*Send String:* GET /system/lbstatus HTTP/1.1\r\nHost: dummy\r\n\r\n
*Receive String:* Alive

Regards
Micha

On Wednesday, 13 April 2016 01:38:35 UTC+2, Marty wrote:
>
> Hi Folks,
>
> Graylog V1.3.4
>
> Just wondering if anyone has integrated the Graylog LB state into the F5
> native http health check.
> I can't get this to work when sending:
>
> GET /system/lbstatus HTTP/1.1
>
> From the command line (using netcat) on the graylog node, this also fails.
> Just get a newline (no output).
>
> $ echo -e "GET /system/lbstatus HTTP/1.1\r\n" | nc 127.0.0.1 12900
>
> Using nc natively is OK, as seen below. Need to send twice, as shown.
>
> $ nc 127.0.0.1 12900
> GET /system/lbstatus HTTP/1.1
>
> HTTP/1.1 200 OK
> Content-Type: text/plain
> X-Graylog-Node-ID: ----x
> X-Runtime-Microseconds: 240
> Transfer-Encoding: chunked
>
> 5
> ALIVE
> 0
>
> Using curl is fine:
>
> $ curl -w '\n' http://127.0.0.1:12900/system/lbstatus
> ALIVE
>
> I got around this on the F5, by using curl with an external script.
>
> Just wondering if there is an issue or I'm doing something incorrect.
>
> Cheers,
> Martin
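The two transcripts in this thread frame the same body differently: the HTTP/1.0 reply carries Content-Length: 5, while the HTTP/1.1 reply is chunked (5, ALIVE, 0). As an added example that is not part of the original posts, this Python code decodes both framings and treats a node as healthy only on a 200 whose body is ALIVE. The function names, the probe helper and the 503/DEAD sample are assumptions made for illustration.

```python
# Added example (not from the thread): evaluate a raw /system/lbstatus reply.
import socket

SEND_HTTP10 = b"GET /system/lbstatus HTTP/1.0\r\n\r\n"   # send string from the post

def decode_chunked(data: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body."""
    body = b""
    while data:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)    # chunk sizes are hexadecimal
        if size == 0:                               # last-chunk marker
            break
        body, data = body + data[:size], data[size + 2:]   # skip data + CRLF
    return body

def parse_response(raw: bytes):
    """Split one HTTP response into (status_code, body)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        return status, decode_chunked(rest)
    if "content-length" in headers:
        return status, rest[:int(headers["content-length"])]
    return status, rest        # no framing header: body runs to connection close

def node_is_alive(raw: bytes) -> bool:
    """True only for a 200 whose decoded body is exactly ALIVE."""
    try:
        status, body = parse_response(raw)
    except (ValueError, IndexError):    # truncated or malformed reply
        return False
    return status == 200 and body.strip() == b"ALIVE"

def probe(host: str, port: int = 12900, timeout: float = 3.0) -> bool:
    """Send the HTTP/1.0 request and read until the server closes."""
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(SEND_HTTP10)
        while chunk := sock.recv(4096):
            raw += chunk
    return node_is_alive(raw)

# Replies abridged from the two transcripts in the thread, plus one constructed failure.
HTTP10_REPLY = b"HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Length: 5\r\n\r\nALIVE"
CHUNKED_REPLY = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nALIVE\r\n0\r\n\r\n"
DEAD_REPLY = b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 4\r\n\r\nDEAD"  # constructed
```

A check that compares the undecoded chunked payload with ALIVE fails, because the bytes on the wire are the chunk size, the data and the terminating zero-length chunk.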
Re: [graylog2] Geo-Location Processor only resolves msg source address ?
Hi Edmundo,

The hint with the configuration made it, changed it and now it seems to work :)

<https://lh3.googleusercontent.com/-2FjsWE3k_CE/Vv5wm2TkQXI/ABA/lUz4B0F5gNcW2JFef3fpYhjVSk7SvxCbQ/s1600/config_changed.png>
<https://lh3.googleusercontent.com/-NIlNPC1N8xU/Vv5wvjDgZGI/ABI/LC67YWfMjBgL7v83yk_IBDQbzjIHuQboA/s1600/config_changed_map.png>

Thank you so far :)

On Friday, 1 April 2016 14:40:38 UTC+2, Micha - wrote:
>
> Sure :)
>
> Is unchanged I think, on my other manual installation with more or less
> productive traffic it looks the same. But here is a screenshot from the VM:
>
> <https://lh3.googleusercontent.com/-1YoS84W8Z8I/Vv5rySuqBoI/AAw/91sof8Iy5fUWuiRgoSppAFvb66rq4qkZQ/s1600/config.png>
>
> On Friday, 1 April 2016 14:31:50 UTC+2, Edmundo Alvarez wrote:
>>
>> It looks like it's running before extractors in your Graylog instance.
>> Could you please share with us your "Message Processors Configuration" in
>> System -> Configurations?
>>
>> Edmundo
>>
>> > On 01 Apr 2016, at 13:36, Micha - <michae...@wuerth-it.com> wrote:
>> >
>> > Hi Edmundo,
>> >
>> > Thanks for your reply - but then I guess it should work since I already
>> > have an extractor and a field (client_ip) with only the IP address - but
>> > it doesn't.
>> >
>> > Seems still to me like it only resolves the sender Address, hmrpf
>> >
>> > On Friday, 1 April 2016 13:10:19 UTC+2, Edmundo Alvarez wrote:
>> > Hi Michael,
>> >
>> > The Geo-location resolver looks for IPs in all fields that _only_
>> > contain an IP address. That means, you need to extract the IP to its own
>> > field (using an extractor or sending logs with something like GELF), to
>> > make the geo-location work.
>> >
>> > The description text is unfortunately outdated, but will take care of
>> > fixing it for the next release.
Re: [graylog2] Geo-Location Processor only resolves msg source address ?
Sure :)

Is unchanged I think, on my other manual installation with more or less productive traffic it looks the same. But here is a screenshot from the VM:

<https://lh3.googleusercontent.com/-1YoS84W8Z8I/Vv5rySuqBoI/AAw/91sof8Iy5fUWuiRgoSppAFvb66rq4qkZQ/s1600/config.png>

On Friday, 1 April 2016 14:31:50 UTC+2, Edmundo Alvarez wrote:
>
> It looks like it's running before extractors in your Graylog instance.
> Could you please share with us your "Message Processors Configuration" in
> System -> Configurations?
>
> Edmundo
>
> > On 01 Apr 2016, at 13:36, Micha - <michae...@wuerth-it.com> wrote:
> >
> > Hi Edmundo,
> >
> > Thanks for your reply - but then I guess it should work since I already
> > have an extractor and a field (client_ip) with only the IP address - but
> > it doesn't.
> >
> > Seems still to me like it only resolves the sender Address, hmrpf
> >
> > On Friday, 1 April 2016 13:10:19 UTC+2, Edmundo Alvarez wrote:
> > Hi Michael,
> >
> > The Geo-location resolver looks for IPs in all fields that _only_
> > contain an IP address. That means, you need to extract the IP to its own
> > field (using an extractor or sending logs with something like GELF), to
> > make the geo-location work.
> >
> > The description text is unfortunately outdated, but will take care of
> > fixing it for the next release.
> >
> > I hope that helps.
> >
> > Regards,
> > Edmundo
> >
> > > On 01 Apr 2016, at 09:55, michae...@wuerth-it.com wrote:
> > >
> > > Hi,
> > >
> > > Maybe I missed something somewhere, but it looks to me like
> > > Geo-Location Processor only tries to resolve the sender address of the
> > > message, and not any fields like stated in the description
> > >
> > > "scans all fields of every message for IPv4 addresses"
> > >
> > > On a graylog-beta-2.0.0-beta.1-1.ova I just enabled the Plugin under
> > > configuration and added the DB file from Maxmind.
Re: [graylog2] Geo-Location Processor only resolves msg source address ?
Hi Edmundo,

Thanks for your reply - but then I guess it should work since I already have an extractor and a field (client_ip) with only the IP address - but it doesn't.

<https://lh3.googleusercontent.com/-Ic7h59J7vUY/Vv5cTS5LbCI/AAg/elazRSpy4yQMSGqEnHdJbpJlQYltq2mpw/s1600/message.png>
<https://lh3.googleusercontent.com/-XACljpLHqGU/Vv5cPrb6qqI/AAc/B8QCcLCgYAAwP6VhS-m7UIDgv1XPepY1w/s1600/Extractor.png>

Seems still to me like it only resolves the sender Address, hmrpf

On Friday, 1 April 2016 13:10:19 UTC+2, Edmundo Alvarez wrote:
>
> Hi Michael,
>
> The Geo-location resolver looks for IPs in all fields that _only_ contain
> an IP address. That means, you need to extract the IP to its own field
> (using an extractor or sending logs with something like GELF), to make the
> geo-location work.
>
> The description text is unfortunately outdated, but will take care of
> fixing it for the next release.
>
> I hope that helps.
>
> Regards,
> Edmundo
>
> > On 01 Apr 2016, at 09:55, michae...@wuerth-it.com wrote:
> >
> > Hi,
> >
> > Maybe I missed something somewhere, but it looks to me like Geo-Location
> > Processor only tries to resolve the sender address of the message, and not
> > any fields like stated in the description
> >
> > "scans all fields of every message for IPv4 addresses"
> >
> > On a graylog-beta-2.0.0-beta.1-1.ova I just enabled the Plugin under
> > configuration and added the DB file from Maxmind.
> >
> > Graylog Settings:
> >
> > Geo-Location Processor
> >
> > If enabled, the GeoIP processor plugin scans all fields of every message
> > for IPv4 addresses and puts the location information into a field named
> > fieldname_geolocation where "fieldname" is the name of the field in which
> > an IP address has been found.
> >
> > Enabled: yes
> > Database type: City database
> > Database path: /etc/graylog/GeoLite2-City.mmdb
> >
> > root@graylog-beta:~# ll /etc/graylog/GeoLite2-City.mmdb
> > -rw-rw-r-- 1 root root 36745923 Mar 29 08:05 /etc/graylog/GeoLite2-City.mmdb
> >
> > when I send a sample msg line into Graylog:
> > root@graylog-beta:~# echo '8.8.8.8 - test message' | ncat -w1 -u 127.0.0.1 51
> >
> > With Subsystem Indexer Logging set to Debug I get this:
> > 2016-04-01_07:21:22.17052 2016-04-01 07:21:22,159 DEBUG: org.graylog.plugins.map.geoip.GeoIpResolverEngine - Could not get location from IP 127.0.0.1
> > 2016-04-01_07:21:22.17079 com.maxmind.geoip2.exception.AddressNotFoundException: The address 127.0.0.1 is not in the database.
> > 2016-04-01_07:21:22.17149 at com.maxmind.geoip2.DatabaseReader.get(DatabaseReader.java:161) ~[graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
> > 2016-04-01_07:21:22.17230 at com.maxmind.geoip2.DatabaseReader.city(DatabaseReader.java:217) ~[graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
> > 2016-04-01_07:21:22.17284 at org.graylog.plugins.map.geoip.GeoIpResolverEngine.extractGeoLocationInformation(GeoIpResolverEngine.java:100) [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
> > 2016-04-01_07:21:22.17429 at org.graylog.plugins.map.geoip.GeoIpResolverEngine.filter(GeoIpResolverEngine.java:74) [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
> > 2016-04-01_07:21:22.17572 at org.graylog.plugins.map.geoip.processor.GeoIpProcessor.process(GeoIpProcessor.java:79) [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
> > 2016-04-01_07:21:22.17587 at org.graylog2.buffers.processors.ServerProcessBufferProcessor.handleMessage(ServerProcessBufferProcessor.java:56) [graylog.jar:?]
> > 2016-04-01_07:21:22.17656 at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:82) [graylog.jar:?]
> > 2016-04-01_07:21:22.18244 at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:61) [graylog.jar:?]
> > 2016-04-01_07:21:22.18651 at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35) [graylog.jar:?]
> > 2016-04-01_07:21:22.18660 at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:139) [graylog.jar:?]
> > 2016-04-01_07:21:22.18663 at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
> > 2016-04-01_07:21:22.1866
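The two hints given in this thread (the resolver only acts on fields whose whole value is an IP address, and it may run before the extractors) can be reproduced with a small model. This is an added Python example, not Graylog code and not part of the original posts; the processor functions, the GEO_DB lookup table and its placeholder coordinates are assumptions that stand in for the extractor, the GeoIP processor and the MaxMind database.

```python
# Added example (not Graylog code): a toy model of the two hints in this thread.
import ipaddress

# Constructed stand-in for the MaxMind city database; the value is a placeholder.
GEO_DB = {"8.8.8.8": "<lat>,<lon>"}

def extract_client_ip(msg: dict) -> dict:
    """Stand-in for the poster's extractor: copy a leading IP into client_ip."""
    words = msg.get("message", "").split()
    try:
        msg["client_ip"] = str(ipaddress.ip_address(words[0]))
    except (ValueError, IndexError):
        pass                                   # message does not start with an IP
    return msg

def geoip_resolver(msg: dict) -> dict:
    """Add <field>_geolocation for every field whose whole value is an IP."""
    for name, value in list(msg.items()):
        try:
            ip = ipaddress.ip_address(str(value).strip())
        except ValueError:
            continue                           # e.g. "8.8.8.8 - test message"
        location = GEO_DB.get(str(ip))         # 127.0.0.1 is not in the database
        if location is not None:
            msg[name + "_geolocation"] = location
    return msg

def run_pipeline(msg: dict, processors) -> dict:
    """Apply processors in the configured order to a copy of the message."""
    msg = dict(msg)
    for processor in processors:
        msg = processor(msg)
    return msg

# Constructed message mirroring the test line sent with ncat in the thread.
SAMPLE = {"source": "127.0.0.1", "message": "8.8.8.8 - test message"}

def geo_fields(order) -> list:
    """Names of the *_geolocation fields produced by a given processor order."""
    result = run_pipeline(SAMPLE, order)
    return sorted(k for k in result if k.endswith("_geolocation"))

if __name__ == "__main__":
    print(geo_fields([geoip_resolver, extract_client_ip]))   # resolver first
    print(geo_fields([extract_client_ip, geoip_resolver]))   # extractor first
```

With the resolver ahead of the extractor, client_ip does not exist yet when the lookup runs, so only the loopback source address is tried and no geolocation field is written.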