[graylog2] Re: Source ip address instead of the hostname

2016-09-19 Thread Michael Anthon
Depends a bit on how you are collecting... but with NXLog you can add the 
following to the output sections
Exec $Hostname = host_ip();


If you are using the collectors you can add this in the verbatim config 
section for your outputs.

You could also use the same trick to instead add another column for the 
host_ip, really depends on your needs

Cheers,
Michael

On Sunday, 18 September 2016 22:02:53 UTC+10, Dmitriy Shleht wrote:
>
>
> 
>
>
> 
> Hi. We have a lot of hosts. We prefer to see the host address rather than 
> its name. How to do it?
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/6fd45e20-4554-40b3-9d78-74cb77b10378%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Re: Sum values from squid field

2016-09-14 Thread Michael Anthon
Hi Daniel,
In fact the only setting I have in that file is this
elasticsearch.url: "http://127.0.0.1:9200"

This is actually causing issues with the way graylog configures the 
elasticsearch listener but changing this address to the local interface's 
network address should fix that.

That URL should be the only setting required to make Kibana work out of the 
box.  Have a look in /opt/graylog/elasticsearch/config/elasticsearch.yml 
for the "network.host" and "http.port" settings to see how graylog has 
configured the elasticsearch listener

You can install Kibana on any machine that has network access to the 
elasticsearch cluster


On Thursday, 15 September 2016 04:10:05 UTC+10, Daniel Reif wrote:
>
> Michael Anthon, 
> *Could you publish your kibana.yml? I am unable to make Kibana find my 
> ElasticSearch cluster and load messages.*
> On Wednesday, 14 September 2016 03:17:44 UTC-3, Michael Anthon 
> wrote:
>>
>> No, you point Kibana at the elasticsearch instance and it "just works". 
>>  There is an option in the Kibana to reload the fields from the indexes in 
>> case they get messed up (sometimes happens when you change the field 
>> extractors in a way that changes the types)
>>
>> On Friday, 9 September 2016 14:52:41 UTC+10, Aykisn wrote:
>>>
>>> Hello Michael,
>>>
>>> I'm really interested in this, have been looking for this feature since 
>>> graylog doesn't support it (yet).
>>> I have a question though, do you need to recreate the fields on kibana ?
>>>
>>> Thanks.
>>>
>>



[graylog2] elasticsearch network.host address

2016-09-14 Thread Michael Anthon
Hi All,
Every time I run the reconfigure command at the moment it updates the 
"network.host" entry in /opt/graylog/elasticsearch/config/elasticsearch.yml 
to the network address of the machine instead of the (for me) desired 
0.0.0.0 (I have Kibana running on the server as well attempting to connect 
to 127.0.0.1).

I'm fairly sure this didn't happen prior to the last update I did to 2.1.0 
and that there were no intentional config changes (but I won't rule that 
out!)

I can see in the reconfigure output that it's replacing this line but I'm 
not sure where it's getting the network address from.

Is this something that may have changed in the latest release and/or is 
there a way for me to override the setting so that elasticsearch will be 
configured to listen on 0.0.0.0?

Currently I'm manually editing the 
/opt/graylog/elasticsearch/config/elasticsearch.yml after a reconfigure

Thanks,
Michael



[graylog2] Re: How to configure multiple output

2016-09-07 Thread Michael Anthon
I ran into this issue last night as well.  It seems to me (from looking at 
the beats doco) that beats doesn't handle multiple outputs.  I'm not sure 
how graylog is deciding which output to use but it seems that we can't use 
this type of setup for beats (regardless of the fact that the interface 
allows you to configure it).

Unless I'm missing something completely Beats doesn't seem to have the 
concept of "routes" like nxlog does, there is no way to associate an input 
to an output.

On Tuesday, 6 September 2016 17:57:41 UTC+10, IronCocker wrote:
>
> [root@mirror ~]# more /etc/graylog/collector-sidecar/generated/filebeat.yml
> filebeat:
>   prospectors:
>   - document_type: linux
>     fields:
>       gl2_source_collector: 0d2e5631-e187-4f09-b1a1-562908f44631
>     ignore_older: 0
>     input_type: log
>     paths:
>     - /var/log/*
>     scan_frequency: 10s
>     tail_files: true
>   - document_type: nginx
>     fields:
>       gl2_source_collector: 0d2e5631-e187-4f09-b1a1-562908f44631
>     ignore_older: 0
>     input_type: log
>     paths:
>     - /var/log/nginx/*
>     scan_frequency: 10s
>     tail_files: true
> output:
>   logstash:
>     hosts:
>     - 192.168.1.1:5044
>
> Hi,
> I configured two tags: *linux* and *nginx*, tag *linux* output 
> ['192.168.1.1:*5044*'], tag *nginx* output ['192.168.1.1:*5055*'], but 
> *filebeat.yml* only has the *linux* output. What should I do?
> thx.
>



[graylog2] Re: "Best practice" for multiple source/input configurations

2016-09-07 Thread Michael Anthon
That's the way I've ended up going as well, it definitely makes managing 
extractors simpler since the extractors on an input all apply to the same 
types of messages.

The only gotcha I've run into is with testing filebeats, the collector 
allows you to set up and attempt to use multiple outputs however it seems 
that filebeats only supports one output so I've switched back to using 
nxlog again

On Thursday, 8 September 2016 03:11:28 UTC+10, 8bits...@gmail.com wrote:
>
> I use a different input for each type of log, platform, eventlog, iis, 
> etc..  My thinking was mainly I want to see everything from something 
> specific without noise from another and without the need for a stream.
>
> -
>
> On Wednesday, September 7, 2016 at 4:01:08 AM UTC-6, Michael Anthon wrote:
>>
>> While our system currently isn't that large I'm trying to determine the 
>> best way to configure Graylog to make future updates and extensions simple 
>> to manage.
>>
>> Where I'm struggling with this is with the impact in terms of performance 
>> of configuring things certain ways.
>>
>> So, for example, we have data being sourced from several different types 
>> of logs
>>
>>    - IIS Logs
>>    - nginx logs
>>    - Windows event logs
>>    - PHP Error logs
>>    - Custom application logs
>>    - syslogs from various devices and servers
>>    - tomcat/java logs
>>
>> Each of these different types has various requirements in terms of 
>> extractors and processing that we do to provide us with useful fields for 
>> searching.
>>
>> The options as I see them are 
>>
>>    1. create a small number of inputs that handle all the messages and 
>>    have a large set of extractors to deal with all the different message 
>>    types that come through the input.
>>    2. create an input for each type of message source with the 
>>    extractors for that type of message as needed
>>
>> To me, option 2 seems the more sensible in terms of future management and 
>> even initial setup but I'm unsure of the impact of having more inputs 
>> versus less inputs with more extractors.
>>
>> I'd appreciate any insight/advice on this (or pointers to documentation 
>> that I may have missed)
>>
>> Cheers,
>> Michael
>>
>



[graylog2] "Best practice" for multiple source/input configurations

2016-09-07 Thread Michael Anthon
While our system currently isn't that large I'm trying to determine the 
best way to configure Graylog to make future updates and extensions simple 
to manage.

Where I'm struggling with this is with the impact in terms of performance 
of configuring things certain ways.

So, for example, we have data being sourced from several different types of 
logs

   - IIS Logs
   - nginx logs
   - Windows event logs
   - PHP Error logs
   - Custom application logs
   - syslogs from various devices and servers
   - tomcat/java logs

Each of these different types has various requirements in terms of 
extractors and processing that we do to provide us with useful fields for 
searching.

The options as I see them are 

   1. create a small number of inputs that handle all the messages and have 
   a large set of extractors to deal with all the different message types that 
   come through the input.
   2. create an input for each type of message source with the extractors 
   for that type of message as needed

To me, option 2 seems the more sensible in terms of future management and 
even initial setup but I'm unsure of the impact of having more inputs 
versus less inputs with more extractors.

I'd appreciate any insight/advice on this (or pointers to documentation 
that I may have missed)

Cheers,
Michael



[graylog2] Issue with winlogbeat and TLS connections

2016-09-07 Thread Michael Anthon
Hi All,
I have just attempted to set up filebeat and winlogbeat to see how they 
perform but ran into a bit of an issue with using winlogbeat and TLS 
connections.

The config file generated looks (in part) like this for an output defined in 
collectors with "Enable TLS support" and "Insecure TLS connection" both 
enabled and none of the cert/key/ca fields filled in

output:
  logstash:
    hosts:
    - graylog.example.com:5044
    tls:
      certificate_authorities:
      - ""
      insecure: true

The same settings on a filebeat input generate the following config snippet 
(and this works quite happily)

output:
  logstash:
    hosts:
    - graylog.example.com:5044
    tls:
      insecure: true

The winlogbeat config will not work (configtest throws an error until I 
manually remove the certificate_authorities line) 

At this point I'm reverting back to using nxlog for the windows logs but 
would be keen to revisit this once it's fixed.

Cheers,
Michael



Re: [graylog2] Re: Graylog2 sidecar and SSL

2016-08-24 Thread Michael Anthon
Thank you Marius!

Confirming that I didn't even consider that... I've just updated my copy of 
sidecar and it now functions correctly.

Cheers,
Michael

On Wednesday, 24 August 2016 18:38:31 UTC+10, Marius Sturm wrote:
>
> Hi Michael,
> usually the issue is a better place to ask related questions. In your case 
> I guess you updated the collector server plugin but didn't do the same for 
> the sidecar itself. After installing the latest sidecar version the fields 
> should be gone and the config should be valid again.
>
> Cheers,
> Marius
>
>
> On 24 August 2016 at 03:37, Michael Anthon <michael...@infoview.com.au 
> > wrote:
>
>> Thanks Marius,
>> Sorry it's taken me so long to respond, I just had an unexpected week in 
>> the hospital.
>>
>> I've just tested the changes in beta 4 and I can now save those fields 
>> without a value however the generated config file still includes the 
>> entries like so...
>>
>> 
>>  Module om_ssl
>>  Host graylog2.example.org
>>  Port 12443
>>  OutputType GELF_TCP
>>  CAFile 
>>  CertFile 
>>  CertKeyFile 
>>  AllowUntrusted True
>>  Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
>>  Exec $gl2_source_collector = '9e2660a6-b960-4daf-8d90-e37c3c0e1684';
>>  Exec $Hostname = hostname_fqdn();
>> 
>>
>> This doesn't work as nxlog doesn't like the missing values
>> 2016-08-24 11:34:58 INFO nxlog-ce-2.9.1716 started
>> 2016-08-24 11:34:58 ERROR SSL error, Failed to open certfile: ; The 
>> device does not recognize the command. 
>>
>> The config will need to be generated without those entries.
>>
>> As an aside, is the mailing list the best place to provide this type of 
>> feedback or should I be putting comments back against the issue in github?
>>
>> Thanks,
>> Michael
>>
>> On Monday, 15 August 2016 20:45:51 UTC+10, Marius Sturm wrote:
>>>
>>> Hi Michael,
>>> this was done here: 
>>> https://github.com/Graylog2/graylog-plugin-collector/issues/13
>>> Should be available in Graylog 2.1.0-RC1
>>>
>>> Cheers,
>>> Marius
>>>
>>>
>>> On 12 August 2016 at 13:20, Michael Anthon <michael...@infoview.com.au> 
>>> wrote:
>>>
>>>> Thanks Marius,
>>>> I've just upgraded to the latest beta and it certainly is looking a lot 
>>>> better, it also looks like it might solve another issue I was going to 
>>>> raise with the verbatim configurations since we want to do some custom 
>>>> processing on inputs to strip sensitive data before it's sent over to 
>>>> graylog.
>>>>
>>>> I still do however have an issue getting this to work.  The 3 fields for 
>>>> the CA, certificate and key files are currently required before you can 
>>>> save the output.  I have no need of client certificates and don't have any 
>>>> since my goal is just to ensure that the data in transit is encrypted.  
>>>>
>>>> I've tried configuring these with just a space, a dot or a double 
>>>> quoted empty string but the nxlog config always includes the values which 
>>>> causes nxlog to reject the output configuration since the files don't 
>>>> exist.
>>>>
>>>> I have tried shutting down sidecar, removing those 3 lines from the 
>>>> config and running nxlog manually and this definitely works, it connects 
>>>> and sends messages to graylog.
>>>>
>>>> If those 3 fields could be made optional and not add those entries to 
>>>> the generated nxlog.conf then I think this would work perfectly.
>>>>
>>>> Cheers,
>>>> Michael
>>>>
>>>> On Friday, 12 August 2016 01:59:50 UTC+10, Marius Sturm wrote:
>>>>>
>>>>> Ah ja ok, we shipped the SSL feature recently. So you will see it in 
>>>>> the next Graylog release or you test the beta version.
>>>>>
>>>>>

[graylog2] Re: CSV to field converter using whitespace delimiter

2016-08-23 Thread Michael Anthon
Going by the headers I'm guessing that's an IIS log?  As Jochen suggested 
previously, Grok is your friend.

These are the patterns I'm using for my IIS logs (one for entries with a 
referer and one without)

%{YEAR:year;int}-%{MONTHNUM:monthnum;int}-%{MONTHDAY:monthday;int}[T ](?!<[0-9])%{HOUR:hour;int}:%{MINUTE:minute;int}(?::%{SECOND:second;int})(?![0-9]) %{IPORHOST:s_ip} %{WORD:cs_method} %{URIPATH:cs_uri_stem} %{NOTSPACE:cs_uri_query} %{NUMBER:s_port;int} %{NOTSPACE:cs_username} %{IPORHOST:c_ip} %{NOTSPACE:cs_user_agent} %{NUMBER:sc_status;int} %{NUMBER:sc_substatus;int} %{NUMBER:sc_win32_status;int} %{NUMBER:time_taken;long}

%{YEAR:year;int}-%{MONTHNUM:monthnum;int}-%{MONTHDAY:monthday;int}[T ](?!<[0-9])%{HOUR:hour;int}:%{MINUTE:minute;int}(?::%{SECOND:second;int})(?![0-9]) %{IPORHOST:s_ip} %{WORD:cs_method} %{URIPATH:cs_uri_stem} %{NOTSPACE:cs_uri_query} %{NUMBER:s_port;int} %{NOTSPACE:cs_username} %{IPORHOST:c_ip} %{NOTSPACE:cs_user_agent} %{NOTSPACE:cs_referer} %{NUMBER:sc_status;int} %{NUMBER:sc_substatus;int} %{NUMBER:sc_win32_status;int} %{NUMBER:sc_bytes;int} %{NUMBER:cs_bytes;int} %{NUMBER:time_taken;long}



On Wednesday, 17 August 2016 01:28:21 UTC+10, juli...@gmail.com wrote:
>
> Hi,
>
>
> So it seems the CSV to field converter doesn't work with whitespace 
> delimiters?
>
> Sample log:
> 2016-08-16 15:14:20 192.168.20.100 POST /Clients - 80 DOMAIN\user 192.168.30.171 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/52.0.2743.116+Safari/537.36 302 0 0 187
>
> I've tried both an actual whitespace and \s in the 'Separator character' 
> field but nothing does it.
>
>
> 
>
>
>
> Any tips or more doc on the matter so I can achieve this?
> I mean I can alternatively use GROK or do it from nxlog at the source but 
> I'd like this to work as well :)
>

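
A Python rendering of the two Grok patterns in the reply above, as an added example that is not part of the original thread: it parses the sample line from the question and a constructed line that carries a referer. IPORHOST and URIPATH are approximated as non-whitespace tokens, and the handling of `-` as an empty field and `+` as a space in the user agent are assumptions about IIS W3C formatting added here.

```python
import re

# Fields shared by both patterns, in the order the Grok patterns list them.
PREFIX = (
    r"(?P<year>\d{4})-(?P<monthnum>\d{2})-(?P<monthday>\d{2})[T ]"
    r"(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2}) "
    r"(?P<s_ip>\S+) (?P<cs_method>\w+) (?P<cs_uri_stem>\S+) "
    r"(?P<cs_uri_query>\S+) (?P<s_port>\d+) (?P<cs_username>\S+) "
    r"(?P<c_ip>\S+) (?P<cs_user_agent>\S+) "
)
STATUS = r"(?P<sc_status>\d+) (?P<sc_substatus>\d+) (?P<sc_win32_status>\d+) "

# Pattern 1: no referer, no byte counters.
NO_REFERER = re.compile(PREFIX + STATUS + r"(?P<time_taken>\d+)")
# Pattern 2: referer plus sc_bytes / cs_bytes.
WITH_REFERER = re.compile(
    PREFIX + r"(?P<cs_referer>\S+) " + STATUS
    + r"(?P<sc_bytes>\d+) (?P<cs_bytes>\d+) (?P<time_taken>\d+)"
)

# Fields the Grok patterns convert with ;int or ;long.
INT_FIELDS = {
    "year", "monthnum", "monthday", "hour", "minute", "second", "s_port",
    "sc_status", "sc_substatus", "sc_win32_status", "sc_bytes", "cs_bytes",
    "time_taken",
}


def parse_iis_line(line):
    """Return a dict of typed fields, or None if neither pattern matches."""
    line = line.strip()
    if line.startswith("#"):  # W3C directive lines such as "#Fields: ..."
        return None
    for pattern in (WITH_REFERER, NO_REFERER):
        match = pattern.fullmatch(line)
        if match:
            break
    else:
        return None

    fields = {}
    for name, value in match.groupdict().items():
        if value == "-":                      # assumed: "-" marks an empty field
            fields[name] = None
        elif name in INT_FIELDS:
            fields[name] = int(value)
        elif name == "cs_user_agent":         # assumed: "+" stands in for spaces
            fields[name] = value.replace("+", " ")
        else:
            fields[name] = value
    return fields


# Sample line from the question in this thread (raw string: it contains "\u").
PAGE_SAMPLE = (
    r"2016-08-16 15:14:20 192.168.20.100 POST /Clients - 80 DOMAIN\user "
    r"192.168.30.171 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+"
    r"(KHTML,+like+Gecko)+Chrome/52.0.2743.116+Safari/537.36 302 0 0 187"
)
# Constructed line for the second pattern (referer and byte counters present).
CONSTRUCTED_WITH_REFERER = (
    "2016-08-16 15:14:21 192.168.20.100 GET /Clients/List id=7 80 - "
    "192.168.30.171 Mozilla/5.0+(constructed) "
    "http://intranet.example/Clients 200 0 0 5120 412 31"
)

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_WITH_REFERER):
        print(parse_iis_line(sample))
```

Because each field is a single whitespace-free token and the two layouts differ in field count, a line can only match one of the two patterns.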


Re: [graylog2] Re: Graylog2 sidecar and SSL

2016-08-23 Thread Michael Anthon
Thanks Marius,
Sorry it's taken me so long to respond, I just had an unexpected week in 
the hospital.

I've just tested the changes in beta 4 and I can now save those fields 
without a value however the generated config file still includes the 
entries like so...


 Module om_ssl
 Host graylog2.example.org
 Port 12443
 OutputType GELF_TCP
 CAFile 
 CertFile 
 CertKeyFile 
 AllowUntrusted True
 Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
 Exec $gl2_source_collector = '9e2660a6-b960-4daf-8d90-e37c3c0e1684';
 Exec $Hostname = hostname_fqdn();


This doesn't work as nxlog doesn't like the missing values
2016-08-24 11:34:58 INFO nxlog-ce-2.9.1716 started
2016-08-24 11:34:58 ERROR SSL error, Failed to open certfile: ; The device 
does not recognize the command. 

The config will need to be generated without those entries.

As an aside, is the mailing list the best place to provide this type of 
feedback or should I be putting comments back against the issue in github?

Thanks,
Michael

On Monday, 15 August 2016 20:45:51 UTC+10, Marius Sturm wrote:
>
> Hi Michael,
> this was done here: 
> https://github.com/Graylog2/graylog-plugin-collector/issues/13
> Should be available in Graylog 2.1.0-RC1
>
> Cheers,
> Marius
>
>
> On 12 August 2016 at 13:20, Michael Anthon <michael...@infoview.com.au 
> > wrote:
>
>> Thanks Marius,
>> I've just upgraded to the latest beta and it certainly is looking a lot 
>> better, it also looks like it might solve another issue I was going to 
>> raise with the verbatim configurations since we want to do some custom 
>> processing on inputs to strip sensitive data before it's sent over to 
>> graylog.
>>
>> I still do however have an issue getting this to work.  The 3 fields for 
>> the CA, certificate and key files are currently required before you can 
>> save the output.  I have no need of client certificates and don't have any 
>> since my goal is just to ensure that the data in transit is encrypted.  
>>
>> I've tried configuring these with just a space, a dot or a double quoted 
>> empty string but the nxlog config always includes the values which causes 
>> nxlog to reject the output configuration since the files don't exist.
>>
>> I have tried shutting down sidecar, removing those 3 lines from the 
>> config and running nxlog manually and this definitely works, it connects 
>> and sends messages to graylog.
>>
>> If those 3 fields could be made optional and not add those entries to the 
>> generated nxlog.conf then I think this would work perfectly.
>>
>> Cheers,
>> Michael
>>
>> On Friday, 12 August 2016 01:59:50 UTC+10, Marius Sturm wrote:
>>>
>>> Ah ja ok, we shipped the SSL feature recently. So you will see it in the 
>>> next Graylog release or you test the beta version.
>>>
>>>
>>
>
>
>
> -- 
> Developer
>
> Tel.: +49 (0)40 609 452 077
> Fax.: +49 (0)40 609 452 078
>
> TORCH GmbH - A Graylog Company
> Poolstraße 21
> 20335 Hamburg
> Germany
>
> https://www.graylog.com <https://www.torch.sh/>
>
> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
> Geschäftsführer: Lennart Koopmann (CEO)
>

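
A lint check for the generated nxlog.conf discussed in this thread, as an added example that is not sidecar's or nxlog's own code: it flags `om_ssl` outputs that carry empty certificate directives (the cause of the "Failed to open certfile" error quoted above), outputs with `AllowUntrusted True` (encrypted, but the server certificate is not verified), and outputs still on `om_tcp`. The `<Output>` names, the CA path and the finding labels are constructed for the example.

```python
import re

# One <Output name> ... </Output> block of an nxlog.conf.
OUTPUT_BLOCK = re.compile(
    r"<Output\s+(?P<name>[^>\s]+)\s*>(?P<body>.*?)</Output>", re.S | re.I
)
CERT_PATH_DIRECTIVES = ("cafile", "certfile", "certkeyfile")


def parse_directives(body):
    """Return {lowercased directive name: value} for one Output block."""
    directives = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "exec":  # statements, not settings
            continue
        directives[key] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def lint_outputs(conf_text):
    """Return a list of (output_name, finding) tuples, in file order."""
    findings = []
    for block in OUTPUT_BLOCK.finditer(conf_text):
        name = block.group("name")
        directives = parse_directives(block.group("body"))
        module = directives.get("module", "").lower()
        if module == "om_tcp":
            findings.append((name, "plaintext-transport"))
            continue
        if module != "om_ssl":
            continue
        # A directive that is present but has no value makes nxlog try to
        # open an empty path and reject the output.
        for key in CERT_PATH_DIRECTIVES:
            if directives.get(key) == "":
                findings.append((name, "empty-" + key))
        if directives.get("allowuntrusted", "false").lower() == "true":
            findings.append((name, "server-cert-not-verified"))
    return findings


# Constructed sample: the first block mirrors the generated output quoted in
# the thread; the Output names and the CA path are made up for the example.
SAMPLE_CONF = r"""
<Output sidecar_generated>
    Module om_ssl
    Host graylog2.example.org
    Port 12443
    OutputType GELF_TCP
    CAFile
    CertFile
    CertKeyFile
    AllowUntrusted True
    Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
</Output>

<Output verified>
    Module om_ssl
    Host graylog2.example.org
    Port 12443
    OutputType GELF_TCP
    CAFile /etc/nxlog/certs/graylog-ca.pem
    AllowUntrusted FALSE
</Output>

<Output plain_tcp>
    Module om_tcp
    Host graylog2.example.org
    Port 12201
    OutputType GELF_TCP
</Output>
"""

if __name__ == "__main__":
    for output_name, finding in lint_outputs(SAMPLE_CONF):
        print(f"{output_name}: {finding}")
```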


Re: [graylog2] Re: Graylog2 sidecar and SSL

2016-08-12 Thread Michael Anthon
Thanks Marius,
I've just upgraded to the latest beta and it certainly is looking a lot 
better, it also looks like it might solve another issue I was going to 
raise with the verbatim configurations since we want to do some custom 
processing on inputs to strip sensitive data before it's sent over to 
graylog.

I still do however have an issue getting this to work.  The 3 fields for the 
CA, certificate and key files are currently required before you can save 
the output.  I have no need of client certificates and don't have any since 
my goal is just to ensure that the data in transit is encrypted.  

I've tried configuring these with just a space, a dot or a double quoted 
empty string but the nxlog config always includes the values which causes 
nxlog to reject the output configuration since the files don't exist.

I have tried shutting down sidecar, removing those 3 lines from the config 
and running nxlog manually and this definitely works, it connects and sends 
messages to graylog.

If those 3 fields could be made optional and not add those entries to the 
generated nxlog.conf then I think this would work perfectly.

Cheers,
Michael

On Friday, 12 August 2016 01:59:50 UTC+10, Marius Sturm wrote:
>
> Ah ja ok, we shipped the SSL feature recently. So you will see it in the 
> next Graylog release or you test the beta version.
>
>
>



[graylog2] Re: Graylog2 sidecar and SSL

2016-08-11 Thread Michael Anthon
Oh yeah, I should have mentioned that sorry !


   - Graylog 2.0.3 (installed from current AWS AMI just a few days ago)
   - nxlog-ce-2.9.1716
   

On Friday, 12 August 2016 00:55:59 UTC+10, Michael Anthon wrote:
>
> Hi All,
> Is there a way to use the new collector setup to use SSL?  Maybe I'm just 
> missing something but there doesn't seem to be a way to enable it.
>
> I have set up an input that uses SSL and configured nxlog manually to send 
> to this input successfully.  The output definition in nxlog looks like 
> this...
>
> 
>  Module om_ssl
>  Host x.x.x.x
>  Port 12203
>  AllowUntrusted true
>  OutputType  GELF_TCP
> 
>
> This works and I can send in log messages.
>
> If I try and use the same input via the collector configuration and 
> sidecar the output definition generated is still set to om_tcp instead of 
> om_ssl.  I would have thought that if the input is defined to use SSL/TLS 
> then the generated block should switch to om_ssl.
>
> Is this an issue with graylog2 or have I just done something wrong?
>
> Thanks
>



[graylog2] Graylog2 sidecar and SSL

2016-08-11 Thread Michael Anthon
Hi All,
Is there a way to use the new collector setup to use SSL?  Maybe I'm just 
missing something but there doesn't seem to be a way to enable it.

I have set up an input that uses SSL and configured nxlog manually to send 
to this input successfully.  The output definition in nxlog looks like 
this...


 Module om_ssl
 Host x.x.x.x
 Port 12203
 AllowUntrusted true
 OutputType  GELF_TCP


This works and I can send in log messages.

If I try and use the same input via the collector configuration and sidecar 
the output definition generated is still set to om_tcp instead of om_ssl. 
 I would have thought that if the input is defined to use SSL/TLS then the 
generated block should switch to om_ssl.

Is this an issue with graylog2 or have I just done something wrong?

Thanks
