[graylog2] Re: Multiple source IP addresses to one Stream group - HOW? POSSIBLE? A BETTER WAY?
Hi Brandon,

I see now what you and Henrik mean. That's a far more suitable solution and one I will start to have a look at. My original approach / mind-set wasn't correct. Thanks for your and Henrik's help. I've been playing with Graylog for about 10 days on and off now and loving it!

Kind Regards
Aidan Venn

On Thursday, May 28, 2015 at 9:40:20 AM UTC+1, Aidan Venn wrote:
> https://lh3.googleusercontent.com/-VXS0tYSBx3Y/VWYbA0x3z0I/Dg8/7ZikVzm-U_U/s1600/Untitled.png
>
> Hi,
>
> Graylog Newbie. Please see picture attached.
>
> I have three streams matching a single source IP and warning keywords from logs:
>
> source IP: 192.168.0.1
> stream 1 - keyword: disconnect
> stream 2 - keyword: loss
> stream 3 - keyword: fail
>
> I want to group these streams and apply them to multiple (1000+) source IP addresses to benefit future scalability and large-scale administration. Basically, for each source IP there will be three or more streams, but I only have to configure/edit the group once.
>
> I don't want to have 1000 devices and then have to copy each stream and change the source IP address match. 10 keyword streams x 1000 devices would then equal 1 streams in total to configure and edit. This would be very time consuming, especially if I had to make a change. One change to the group would apply to all. A one-to-many relationship.
>
> How can I do this? Perhaps my approach/idea is incorrect, so any recommendations would be great.
>
> Kind Regards
> Aidan Venn

--
You received this message because you are subscribed to the Google Groups graylog2 group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: Multiple source IP addresses to one Stream group - HOW? POSSIBLE? A BETTER WAY?
Hi Henrik and Bkeep,

It's about easily administrating / easily configuring many devices that utilise the same keywords but not the same streams. This would save a huge amount of time.

If I have one device, let's say an access point, I can then create 10 streams each with different keywords. This works fine and equals 10 streams in total. Example:

Source    Stream      Keyword
1.1.1.1   stream 1    disconnect
1.1.1.1   stream 2    loss
1.1.1.1   stream 3    fail
1.1.1.1   stream 4    error
1.1.1.1   stream 5    connect
1.1.1.1   stream 6    deauthenticate
1.1.1.1   stream 7    reconnect
1.1.1.1   stream 8    failure
1.1.1.1   stream 9    crash
1.1.1.1   stream 10   dead

I then need to add 1000 more access points. At present (based on my limited knowledge) I have to copy each stream and change the source address for each one. Let's say 5 minutes for each access point. That equals 5000 minutes, which equals 83 hours. As the numbers say, VERY time consuming.

If I do this and then the keywords change, I then have to change at least 1000 streams' keywords, say from fail to failure. Again VERY time consuming and repetitive.

I don't necessarily want fewer streams but need a way to administrate multiple streams at once. If I change the keyword once, it applies to all streams that use that keyword. If 1000 access points, then one change affects 1000 streams' keywords. This would save a HUGE amount of time.

Perhaps I am approaching it wrong, but if it's difficult to change many devices' stream keywords at once then it may struggle in some large-scale environments. It might be that I need to write a script that will output what I need in JSON, which would then allow me to import it as a content pack?

Regards
Aidan Venn
[graylog2] Re: Multiple source IP addresses to one Stream group - HOW? POSSIBLE? A BETTER WAY?
Hi,

It's like having a template applied to sources: change the template and it changes all the related sources. Like in Zabbix.

Kind Regards
Aidan
Re: [graylog2] Re: Multiple source IP addresses to one Stream group - HOW? POSSIBLE? A BETTER WAY?
As far as I know the source is not mandatory. You can create a proper regex to pull in messages meeting the criteria from one of many sources. Maybe setting up extractors and then using the exists clause from a stream would give you what you want. Using an extractor you can set a specific field as true or whatever you want, then use the stream to pull in logs having only that field set.

On 05/29/2015 04:06 PM, Henrik Johansen wrote:
> Hi Aidan,
>
> I am curious - why do you need a stream per source / keyword combination? Could you outline what you want to achieve with that solution - perhaps you're just approaching the problem the wrong way? The only reason I can think of for doing what you have outlined is permissions (i.e. strict delegation of access based on source / keyword combinations) ... ?
>
> ---
> HenrikJ
>
> On 29 May 2015 at 21:55:11 CEST, Aidan Venn <aidanv...@gmail.com> wrote:
>> Hi Jochemb,
>>
>> There could be a thousand sources but I only want to Create and EDIT one set of related streams that are applied to the sources when edited. A one-to-many approach: ONE set of streams, MANY source IP addresses.
>>
>> Stream set:
>> stream 1 - keyword: disconnect
>> stream 2 - keyword: loss
>> stream 3 - keyword: fail
>> stream 4 - keyword: error
>> stream 5 - keyword: connect
>> stream 6 - keyword: deauthenticate
>> stream 7 - keyword: reconnect
>> stream 8 - keyword: failure
>> stream 9 - keyword: crash
>>
>> These would then be applied to 1000+ sources. If I then need to make a change I only have to do it once.
>>
>> Thanks for taking an interest.
>>
>> Kind Regards
>> Aidan Venn
>>
>> On Friday, May 29, 2015 at 1:27:01 PM UTC+1, Jochemb wrote:
>>> Make three streams:
>>> stream 1 - keyword: disconnect
>>> stream 2 - keyword: loss
>>> stream 3 - keyword: fail
>>>
>>> Without a source?
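The approach Brandon and Jochemb describe, keyword rules with no per-device source rule plus an extractor-derived field that a presence ("exists") rule can select on, can be sketched in plain Python. This is an added illustration, not code from the thread or from Graylog itself: the sample message dictionaries, the 10.0.0.0/16 management range, the field name ap_event and the stream titles are all constructed for the example, and the regex, membership and presence checks model Graylog stream rules rather than call any Graylog API.

```python
"""Model of the 'one stream set, many sources' routing discussed in the thread.
Not Graylog code: a plain-Python sketch of regex rules, an extractor-style
derived field and a presence rule, run over constructed sample messages."""
import ipaddress
import re

# Constructed sample messages in Graylog's source/message shape (not real logs).
SAMPLE_MESSAGES = [
    {"source": "10.0.0.1", "message": "wlan0: client aa:bb:cc:00:11:22 disconnect"},
    {"source": "10.0.0.2", "message": "wlan0: link loss detected on radio 1"},
    {"source": "10.0.3.7", "message": "auth fail for client dd:ee:ff:33:44:55"},
    {"source": "10.0.3.7", "message": "auth failure for client dd:ee:ff:33:44:55"},
    {"source": "192.168.50.9", "message": "disconnect from unrelated host"},
    {"source": "10.0.0.1", "message": "heartbeat ok"},
]

# The one set of keyword rules: a keyword name mapped to a regex on the message.
# No source address appears here, so editing a regex changes behaviour for every
# access point at once (e.g. "fail" widened so it also matches "failure").
KEYWORD_RULES = {
    "disconnect": re.compile(r"\bdisconnect\b", re.IGNORECASE),
    "loss": re.compile(r"\bloss\b", re.IGNORECASE),
    "fail": re.compile(r"\bfail(?:ure)?\b", re.IGNORECASE),
}

# Assumed for the example: the access points live in one management range, so a
# single membership check replaces 1000 copied per-device source rules.
AP_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]


def is_access_point(source):
    """Fleet-wide source check; one place to edit when devices are added."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        # Hostnames or malformed sources are simply not treated as fleet devices.
        return False
    return any(addr in net for net in AP_NETWORKS)


def extract_ap_event(msg):
    """Extractor-style step: derive an 'ap_event' field from the message text.

    The field is only set when a keyword matched and the sender is an AP, so a
    stream rule of the form 'ap_event exists' selects every fleet event.
    A message matching several keywords lands on the first rule in order."""
    if not is_access_point(msg["source"]):
        return None
    for name, pattern in KEYWORD_RULES.items():
        if pattern.search(msg["message"]):
            return name
    return None


def route(messages):
    """Return {stream title: [message indexes]} for the stream set.

    'AP events' models the presence rule ('ap_event' exists); each 'AP <keyword>'
    models one exact-match rule on the extracted field, i.e. the one set of
    keyword streams that applies to all sources."""
    streams = {"AP events": []}
    streams.update({f"AP {name}": [] for name in KEYWORD_RULES})
    for index, msg in enumerate(messages):
        event = extract_ap_event(msg)
        if event is None:
            continue
        streams["AP events"].append(index)
        streams[f"AP {event}"].append(index)
    return streams


if __name__ == "__main__":
    for title, indexes in route(SAMPLE_MESSAGES).items():
        print(f"{title}: {indexes}")
```

Changing one regex in KEYWORD_RULES or one prefix in AP_NETWORKS changes routing for every access point, which is the one-to-many administration the thread asks for; the only per-fleet knowledge left is the network membership check, not 1000 copied streams. The message from 192.168.50.9 shows the other side of dropping the source rule: without some fleet-membership check, a keyword-only stream will also pull in unrelated hosts that happen to log the same word.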
[graylog2] Re: Multiple source IP addresses to one Stream group - HOW? POSSIBLE? A BETTER WAY?
Hi Aidan,

I am curious - why do you need a stream per source / keyword combination? Could you outline what you want to achieve with that solution - perhaps you're just approaching the problem the wrong way? The only reason I can think of for doing what you have outlined is permissions (i.e. strict delegation of access based on source / keyword combinations) ... ?

---
HenrikJ
[graylog2] Re: Multiple source IP addresses to one Stream group - HOW? POSSIBLE? A BETTER WAY?
Hi Jochemb,

There could be a thousand sources but I only want to Create and EDIT one set of related streams that are applied to the sources when edited. A one-to-many approach: ONE set of streams, MANY source IP addresses.

Stream set:
stream 1 - keyword: disconnect
stream 2 - keyword: loss
stream 3 - keyword: fail
stream 4 - keyword: error
stream 5 - keyword: connect
stream 6 - keyword: deauthenticate
stream 7 - keyword: reconnect
stream 8 - keyword: failure
stream 9 - keyword: crash

These would then be applied to 1000+ sources. If I then need to make a change I only have to do it once.

Thanks for taking an interest.

Kind Regards
Aidan Venn

On Friday, May 29, 2015 at 1:27:01 PM UTC+1, Jochemb wrote:
> Make three streams:
> stream 1 - keyword: disconnect
> stream 2 - keyword: loss
> stream 3 - keyword: fail
>
> Without a source?