Re: [graylog2] Callbacks and Proxy

2016-11-17 Thread Tom Vile
Spoke too soon.

org.graylog2.plugin.alarms.callbacks.AlarmCallbackConfigurationException: Configuration error. Couldn't parse socks_proxy correctly.
2016-11-17_15:46:46.67755 at org.graylog2.plugins.slack.callback.SlackAlarmCallback.initialize(SlackAlarmCallback.java:30) ~[?:?]
2016-11-17_15:46:46.67825 at org.graylog2.alarmcallbacks.AlarmCallbackFactory.create(AlarmCallbackFactory.java:43) ~[graylog.jar:?]
2016-11-17_15:46:46.67979 at org.graylog2.periodical.AlertScannerThread.doRun(AlertScannerThread.java:112) [graylog.jar:?]
2016-11-17_15:46:46.68032 at org.graylog2.plugin.periodical.Periodical.run(Periodical.java:77) [graylog.jar:?]
2016-11-17_15:46:46.68116 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_101]
2016-11-17_15:46:46.68168 at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:1.8.0_101]
2016-11-17_15:46:46.68236 at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:1.8.0_101]
2016-11-17_15:46:46.68275 at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:1.8.0_101]
2016-11-17_15:46:46.68342 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_101]
2016-11-17_15:46:46.68396 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_101]
2016-11-17_15:46:46.68465 at java.lang.Thread.run(Thread.java:745) [?:1.8.0_101]


I'll just jump onto the Github page and join in.

Thanks!

On Wednesday, November 16, 2016 at 11:00:25 AM UTC-5, Jochen Schalanda 
wrote:
>
> Hi Tom,
>
> there's a feature request for this at 
> https://github.com/Graylog2/graylog-plugin-slack/pull/27, but the current 
> version of the Graylog Slack plugin doesn't support using HTTP proxies yet.
>
> Cheers,
> Jochen
>
> Am 16.11.2016 um 16:37 schrieb Tom Vile <tom@gmail.com >:
>
> I am using the Slack plugin for callbacks but unfortunately I get "Could 
> not send message to Slack." in the triggered alerts. I tracked down the 
> error in the logs and it shows "java.net.ConnectException: Connection 
> refused".
> I assume that it is caused by the fact that we are using a proxy for 
> outgoing connections and the plugin is not utilizing the proxy config to 
> route out to the internet.
>
> Is there a setting somewhere within Graylog to set a proxy variable so 
> that it uses the proxy for outbound internet connections?
>
> I am using the latest release of Graylog.
>
> Thanks,
>
> Tom
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/72004dc5-98f8-41f2-8ed7-79a412ae14ca%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [graylog2] Callbacks and Proxy

2016-11-17 Thread Tom Vile
I compiled it with -DskipTests=true and it created the jar file and seems 
to work.




Re: [graylog2] Callbacks and Proxy

2016-11-17 Thread Tom Vile
I attempted to compile it but got stuck with errors when it runs through 
the tests.

org.graylog2.plugin.alarms.callbacks.AlarmCallbackConfigurationException: Configuration error. Couldnt parse socks_proxy correctly.
at org.graylog2.plugins.slack.callback.SlackAlarmCallback.initialize(SlackAlarmCallback.java:30)
at org.graylog2.plugins.slack.callback.SlackAlarmCallbackTest.checkConfigurationFailsIfChannelDoesAcceptDirectMessages(SlackAlarmCallbackTest.java:73)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:53)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:123)
at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:104)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:164)
at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:110)
at org.apache.maven.surefire.booter.SurefireStarter.invokeProvider(SurefireStarter.java:175)
at org.apache.maven.surefire.booter.SurefireStarter.runSuitesInProcessWhenForked(SurefireStarter.java:107)
at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:68)





On Wednesday, November 16, 2016 at 5:33:34 PM UTC-5, Jochen Schalanda wrote:
>
> Hi Tom,
>
> Am 16.11.2016 um 20:12 schrieb Tom Vile <tom@gmail.com >:
>
> Any way for me to compile/download the plugin to test?
>
>
> See https://help.github.com/articles/checking-out-pull-requests-locally/ and 
> the build instructions in the README file of the repository.
>
> Cheers,
> Jochen
>



Re: [graylog2] Callbacks and Proxy

2016-11-16 Thread Tom Vile
Any way for me to compile/download the plugin to test?




[graylog2] Callbacks and Proxy

2016-11-16 Thread Tom Vile
I am using the Slack plugin for callbacks but unfortunately I get "Could 
not send message to Slack." in the triggered alerts. I tracked down the 
error in the logs and it shows "java.net.ConnectException: Connection 
refused".
I assume that it is caused by the fact that we are using a proxy for 
outgoing connections and the plugin is not utilizing the proxy config to 
route out to the internet.

Is there a setting somewhere within Graylog to set a proxy variable so that 
it uses the proxy for outbound internet connections?

I am using the latest release of Graylog.

Thanks,

Tom



[graylog2] Assistance with a GROK pattern for Cisco

2016-08-29 Thread Tom Vile
I have been attempting to parse Cisco logs and am having some success but 
there is a pattern that I seem to be stuck on and could use some assistance.

Here is the pattern:

<166>Aug 14 2016 08:51:20 MAIN-ASA : %ASA-6-302015: Built outbound UDP 
connection 1124289141 for TCN:4.2.2.2/53 (4.2.2.2/53) to 
inside200:10.200.1.37/62708 (10.200.1.37/62708)

I can match up to:
<166>Aug 14 2016 08:51:20 MAIN-ASA : %ASA-6-302015: Built outbound UDP 
connection 1124289141 for TCN:4.2.2.2/53

With this pattern:

 %{WORD:ASA_Action} %{WORD:ASA_Protocol} %{WORD:UNWANTED} %{WORD:UNWANTED} 
%{WORD:UNWANTED} 
%{HOSTNAME:ASA_Source_Interface}:%{HOSTNAME:ASA_Source_IP}/%{POSINT:ASA_Source_Port}


I can't seem to get beyond (4.2.2.2/53). I have 
tried \\(%{HOSTNAME:UNWANTED}/%{POSINT:UNWANTED}\\) but it doesn't match.

I would appreciate any assistance.

Thanks!



RE: [graylog2] Need assistance on building an alert.

2016-08-19 Thread Tom Vile
Here I am overthinking the issue. I will talk with the networking guys to go 
that route as it makes sense and keeps the processing down on my server. We use 
Cisco gear and have worked on them before and have done something similar in 
the past. I guess since I don't control the networking equipment it didn't 
cross my mind.

Thanks for the suggestion.



[graylog2] Need assistance on building an alert.

2016-08-19 Thread Tom Vile
I have been tasked with building out a Graylog2 cluster solution at my 
company and it has been going very well, but I need some help with the best 
way to handle a rather complex alert.

We have roughly 1500 Windows computers, with 4 at roughly 400 locations, on 
their own private networks. They are locked down so that they can only 
communicate with specific IP addresses
listed in a firewall that is at each location. All the firewalls are of the 
same make and model if that helps. I do not need assistance with 
communication to each location as that is already working.

What I want to do is create an alert so that if one of the computers 
attempts to communicate outside of the approved IP network I get an alert.

--
Example:

Location has an IP network of 192.168.1.0
PC attempts to communicate with an IP address outside of the IP range of 
192.168.1.1-10
If the PC attempts to connect to an IP of say 172.17.1.1 or any other not 
approved I receive an alert.
--

Generally this is not an issue but security is a top priority and there 
have been times where a tech plugs in something where he/she shouldn't or 
an employee does the same.
I have been successful in setting up quite a few alerts and they work great 
but I want to make certain I do this in the best possible way without it 
being too complex if possible.

What would be the best way of handling a condition like this?

Thanks in advance for any suggestions,

Tom
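The two questions in this archive fit together: the grok post asks how to parse the trailing "(ip/port)" groups of an %ASA-6-302015 line, and the alert post asks how to flag a PC talking to an address outside its location's approved range. The following is an added example, not code from the posts or from Graylog: it parses the ASA line with regex equivalents of the grok primitives (literal parentheses escaped with a single backslash, HOSTNAME simplified) and then range-checks the parsed remote address against an allowlist. The sample line, the 192.168.1.1-10 allowlist and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, modelled on the %ASA-6-302015 line quoted in the grok post.
SAMPLE = ("<166>Aug 14 2016 08:51:20 MAIN-ASA : %ASA-6-302015: Built outbound UDP "
          "connection 1124289141 for TCN:4.2.2.2/53 (4.2.2.2/53) to "
          "inside200:10.200.1.37/62708 (10.200.1.37/62708)")

# Regex stand-ins for the grok primitives in the post (HOSTNAME simplified to one token).
HOST = r"[A-Za-z0-9._-]+"
PORT = r"[0-9]+"
# A literal parenthesis is escaped with one backslash. Each "(ip/port)" after an
# endpoint is that endpoint's NAT-mapped address and port. The 302015 layout is
# "for IFACE:IP/PORT (MAPPED) to IFACE:IP/PORT (MAPPED)", so groups are named by position.
ASA_302015 = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-302015: "
    r"(?P<action>\w+) (?P<direction>\w+) (?P<proto>\w+) connection (?P<conn_id>\d+) for "
    rf"(?P<for_iface>{HOST}):(?P<for_ip>{HOST})/(?P<for_port>{PORT}) "
    rf"\((?P<for_mapped_ip>{HOST})/(?P<for_mapped_port>{PORT})\) to "
    rf"(?P<to_iface>{HOST}):(?P<to_ip>{HOST})/(?P<to_port>{PORT}) "
    rf"\((?P<to_mapped_ip>{HOST})/(?P<to_mapped_port>{PORT})\)$"
)

def parse_asa_302015(line):
    """Return the named fields of a 302015 line as a dict, or None if it does not match."""
    m = ASA_302015.match(line)
    return m.groupdict() if m else None

# Hypothetical allowlist from the alert post: a location's PCs may only reach 192.168.1.1-10.
APPROVED = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("192.168.1.10")))

def unapproved_destination(line, approved=APPROVED):
    """Return the remote IP when a connection was built to a host outside the allowlist,
    else None. For an outbound connection the ASA lists the remote end first ("for")
    and the inside host second ("to"); inbound lines are the other way round."""
    f = parse_asa_302015(line)
    if f is None:
        return None
    remote = f["for_ip"] if f["direction"] == "outbound" else f["to_ip"]
    try:
        addr = ipaddress.ip_address(remote)
    except ValueError:      # HOSTNAME matched a name, not an address: cannot range-check, flag it
        return remote
    return None if any(addr in net for net in approved) else remote
```

Lines for other ASA message ids (Teardown, denies) return None from the parser, so they need their own patterns rather than a looser version of this one.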
