[graylog2] Finding related messages clustered in time

2015-05-28 Thread adrian . robert
When reading logs the old-fashioned way on a unix terminal with text search, my frequent practice is to search / grep to zero in on an event of interest, then read messages above and below to see what was happening just before and after the event. But I haven't found a way to replicate this p
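As an added example (mine, not code from the original post or from the Graylog project), here is the grep "read above and below" practice done by timestamp rather than by line position: every line matching a search term becomes the centre of a time window, overlapping windows are merged, and the surrounding lines are printed grep -C style. The log sample is constructed, the timestamp-first line format and the default 5-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log (not from the original post): one host, ISO 8601 UTC stamps.
SAMPLE_LOG = """\
2015-05-28T14:02:58Z web01 sshd[2210]: Accepted publickey for deploy from 10.0.0.12 port 51022
2015-05-28T14:03:01Z web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart app
2015-05-28T14:03:02Z web01 app[3301]: shutting down
2015-05-28T14:03:04Z web01 app[3340]: started
2015-05-28T14:03:05Z web01 kernel: nf_conntrack: table full, dropping packet
2015-05-28T14:09:30Z web01 sshd[2210]: pam_unix(sshd:session): session closed for user deploy
"""


def parse_log(text):
    """Split log text into (timestamp, line) pairs sorted by time.
    Assumes the timestamp is the first whitespace-separated token."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _, _ = line.partition(" ")
        entries.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), line))
    entries.sort(key=lambda entry: entry[0])
    return entries


def context_windows(entries, needle, before=5, after=5):
    """For each line containing needle, collect the lines whose timestamps fall
    within [t - before, t + after] seconds of that hit. Overlapping windows are
    merged, so a burst of hits yields one block, as grep -C does for adjacent matches."""
    before, after = timedelta(seconds=before), timedelta(seconds=after)
    spans = []
    for stamp, line in entries:
        if needle in line:
            lo, hi = stamp - before, stamp + after
            if spans and lo <= spans[-1][1]:
                spans[-1][1] = max(spans[-1][1], hi)
            else:
                spans.append([lo, hi])
    return [[line for stamp, line in entries if lo <= stamp <= hi] for lo, hi in spans]


def render(windows, needle):
    """Mark hits with '>' and context lines with two spaces; separate windows with '--'."""
    out = []
    for index, window in enumerate(windows):
        if index:
            out.append("--")
        out.extend(("> " if needle in line else "  ") + line for line in window)
    return "\n".join(out)


if __name__ == "__main__":
    windows = context_windows(parse_log(SAMPLE_LOG), "table full")
    print(render(windows, "table full"))
```

The same idea carries over to any store that can filter on an absolute time range: take the timestamp of the hit, query for the range around it, and read the result in time order.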

Re: [graylog2] Re: grok extractors not working

2015-05-28 Thread Jesse Skrivseth
Much appreciated! On Thursday, May 28, 2015 at 3:25:05 PM UTC-6, Kay Röpke wrote: > > I'm not an expert on the OVAs so I would recommend simply setting up a > test instance to check this. Or you can wait until I get to it in the (my) > morning ;)

Re: [graylog2] Re: grok extractors not working

2015-05-28 Thread Kay Röpke
I'm not an expert on the OVAs so I would recommend simply setting up a test instance to check this. Or you can wait until I get to it in the (my) morning ;) On May 28, 2015 11:23 PM, "Jesse Skrivseth" wrote: > I hear the upgrade path is still in the works, but is there a way to > upgrade in-place

Re: [graylog2] Re: grok extractors not working

2015-05-28 Thread Jesse Skrivseth
I hear the upgrade path is still in the works, but is there a way to upgrade in-place or at least without data loss? On Thursday, May 28, 2015 at 3:18:06 PM UTC-6, Kay Röpke wrote: > > Many thanks! > > I will have a look in the morning. > In the meantime it would be helpful if you could give 1.1

Re: [graylog2] Re: grok extractors not working

2015-05-28 Thread Kay Röpke
Could you please create an extractor that shows this behavior and export its configuration? If at all possible please include a couple of messages which should cause extracted fields to show up. Please also include all the necessary grok patterns. Otherwise it is extremely difficult to reproduce an

[graylog2] Re: grok extractors not working

2015-05-28 Thread Jesse Skrivseth
Many hours later, I'm no closer to a solution. It seems to be completely unpredictable. I have a grok extractor named "XTM515_firewall". It looks like this: %{NOTSPACE:SerialNumber} %{SYSLOGPROG:MessageType}: msg_id=%{QUOTEDSTRING:MessageId} %{NOTSPACE:Action} %{NOTSPACE:SourceInterface} %{NOT
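To test an extractor like this outside Graylog before filing a reproduction report, here is an added example (mine, not code from the original post or from the Graylog project) that expands grok `%{NAME:field}` syntax into a Python regular expression from a small hand-written pattern library and runs it over sample messages. Only the visible prefix of the XTM515_firewall pattern is used, since the rest is cut off in the post; the NOTSPACE, SYSLOGPROG, PROG, POSINT and QUOTEDSTRING definitions approximate the logstash-patterns-core forms but are simplified assumptions, and the messages are constructed to fit that prefix, not real device output.

```python
import re

# Minimal grok pattern library. Definitions approximate the logstash-patterns-core
# forms (QUOTEDSTRING is simplified); they are an assumption for this example,
# not Graylog's bundled pattern set.
GROK_PATTERNS = {
    "NOTSPACE": r"\S+",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "PROG": r"[\x21-\x5a\x5c\x5e-\x7e]+",
    "SYSLOGPROG": r"%{PROG:program}(?:\[%{POSINT:pid}\])?",
    "QUOTEDSTRING": r'"(?:\\.|[^\\"])*"' + r"|'(?:\\.|[^\\'])*'",
    "GREEDYDATA": r".*",
}

# Matches %{PATTERN}, %{PATTERN:field} or %{PATTERN:field:type}.
GROK_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?(?::(\w+))?\}")


def expand(pattern, library, types):
    """Recursively rewrite grok tokens into Python named groups, recording
    any requested type conversion per field."""
    def repl(match):
        name, field, typ = match.groups()
        if name not in library:
            raise KeyError(f"unknown grok pattern {name}")
        inner = expand(library[name], library, types)
        if field is None:
            return f"(?:{inner})"
        if typ:
            types[field] = typ
        return f"(?P<{field}>{inner})"
    return GROK_TOKEN.sub(repl, pattern)


def compile_grok(pattern, library=GROK_PATTERNS):
    """Compile a grok expression; returns (regex, {field: type})."""
    types = {}
    return re.compile(expand(pattern, library, types)), types


def grok_match(pattern, message, library=GROK_PATTERNS):
    """Return the extracted fields for message, or None if the pattern does not
    match. search() is used, so the pattern need not cover the whole message
    (an assumption about how the extractor applies the pattern)."""
    regex, types = compile_grok(pattern, library)
    found = regex.search(message)
    if found is None:
        return None
    fields = {}
    for name, value in found.groupdict().items():
        if value is None:
            continue
        if types.get(name) == "int":
            value = int(value)
        elif types.get(name) == "float":
            value = float(value)
        fields[name] = value
    return fields


def check_extractor(pattern, messages, library=GROK_PATTERNS):
    """Run the pattern over sample messages; the non-matching ones are exactly
    what a reproduction report should include alongside the pattern."""
    return [(msg, grok_match(pattern, msg, library)) for msg in messages]


# Visible prefix of the XTM515_firewall extractor quoted in the post.
XTM_PATTERN = (
    "%{NOTSPACE:SerialNumber} %{SYSLOGPROG:MessageType}: "
    "msg_id=%{QUOTEDSTRING:MessageId} %{NOTSPACE:Action} "
    "%{NOTSPACE:SourceInterface}"
)

# Constructed sample messages shaped to fit that prefix (not real device output).
SAMPLE_MESSAGES = [
    '80AB12345C67D firewall: msg_id="3000-0148" Deny 1-Trusted 0-External 60 tcp',
    '80AB12345C67D firewall[1234]: msg_id="3000-0148" Allow 0-External 1-Trusted 52 udp',
    "80AB12345C67D firewall: msg_id=3000-0148 Deny 1-Trusted",  # unquoted id: no match
]

if __name__ == "__main__":
    for msg, fields in check_extractor(XTM_PATTERN, SAMPLE_MESSAGES):
        print("MATCH   " if fields else "NO MATCH", msg)
        for key, value in sorted((fields or {}).items()):
            print(f"    {key} = {value!r}")
```

Two caveats: Python's `re` rejects a pattern that uses the same field name twice, so such a pattern must be renamed for this checker, and Graylog's extractor runs on a Java grok implementation, so this only confirms that the pattern and the messages agree, not how a given Graylog release applies it.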

[graylog2] Re: grok extractors not working

2015-05-28 Thread Jesse Skrivseth
Something is wrong with my environment. I've deleted every extractor I have on all inputs, yet some of the previously defined extraction is still occurring as messages flow in. Newly created grok extractors don't work, nor does a simple regex to extract a single term into a named field. Very odd.

Re: [graylog2] Graylog 1.1.0-beta.2 collector issue in webinterface

2015-05-28 Thread Bernd Ahlers
Arie, thanks for the report. There is an issue and a pull request to fix the issue on GitHub. https://github.com/Graylog2/graylog2-web-interface/issues/1334 https://github.com/Graylog2/graylog2-server/pull/1190 This will be fixed in the next beta or rc. Regards, Bernd Arie [Thu, May 28,

Re: [graylog2] Re: collector questions

2015-05-28 Thread Bernd Ahlers
Arie, can you put an ECHO in front of the "%PROCRUN //IS//%SERVICE_NAME%" line. That should print the command as it would be executed. Then try to fiddle with it until it works. That would be awesome! Bernd Arie [Wed, May 27, 2015 at 02:14:32PM -0700] wrote: >It appears to go wrong at this line:

[graylog2] Re: grok extractors not working

2015-05-28 Thread Jesse Skrivseth
Jochen, After the extractor is created, I expected the fields to be available on the message itself. I look at all messages in the last 5 minutes, visually find a message that follows this structure, click on it to show the field list, but none of the supposedly extracted fields show in the fie

Re: [graylog2] Graylog 1.1.0-beta.2 collector issue in webinterface

2015-05-28 Thread Arie
Hi Bernd, Just installed and tried it, the error is still there. Tested it with a windows and linux collector, and in both cases, no results. Arie. On Thursday, May 28, 2015 at 3:58:56 PM UTC+2, Bernd Ahlers wrote: > > Arie, > > thanks for the report. Do you still have that problem with beta.3

Re: [graylog2] Graylog 1.1.0-beta.2 collector issue in webinterface

2015-05-28 Thread Bernd Ahlers
Arie, thanks for the report. Do you still have that problem with beta.3? Bernd Arie [Thu, May 28, 2015 at 06:22:49AM -0700] wrote: >Hi All, > >When we look @ System > Collectors and select "show messages", >no messages are shown in the UI. > >Messages are visible with a normal search. > > >Runnin

Re: [graylog2] Re: collector questions

2015-05-28 Thread Bernd Ahlers
Arie, thank you for the update! Bernd Arie [Wed, May 27, 2015 at 02:14:32PM -0700] wrote: >It appears to go wrong at this line: > >"%PROCRUN%" //IS//%SERVICE_NAME% .. etc. > >No errors before. > > > >Op woensdag 27 mei 2015 22:25:02 UTC+2 schreef Bernd Ahlers: >> >> Arie, >> >> can you plea

[graylog2] Graylog 1.1.0-beta.2 collector issue in webinterface

2015-05-28 Thread Arie
Hi All, When we look @ System > Collectors and select "show messages", no messages are shown in the UI. Messages are visible with a normal search. Running on centos-6.6 / elastic 1.5.2 / JRE 1.8 hth, Arie

Re: [graylog2] Graylog 1.0.2: Graylog server or elasticsearch goes down and then refuses to restart

2015-05-28 Thread Marius Sturm
Hi Mike, from the error message it looks like MongoDB is also down from time to time. Could you check memory consumption on that box and 'dmesg' for OOM-killer? On 28 May 2015 at 14:04, Mike Hogan wrote: > Hello, > > I was using 0.9.7 (I think) for a number of months, then I upgraded to > 1.0.2

[graylog2] Graylog 1.0.2: Graylog server or elasticsearch goes down and then refuses to restart

2015-05-28 Thread Mike Hogan
Hello, I was using 0.9.7 (I think) for a number of months, then I upgraded to 1.0.2 in the last couple of weeks. Now I am finding that occasionally (once a day) the graylog ui becomes unresponsive. When I check the status I get this: root@graylog:/var/log/graylog/server# graylog-ctl status d

[graylog2] Re: rsyslogd Structured data

2015-05-28 Thread Lily Chadha
Hi, Okay, thank you. On Saturday, March 7, 2015 at 7:58:53 PM UTC+5:30, Lily Chadha wrote: > > Hi, > > I am new to the syslog module. I am trying to log STRUCTURED DATA in a log > file. But when I am using this parameter in the template it is showing a null > value. I am using rsyslogd 5.8.11. > This below tem

[graylog2] Re: rsyslogd Structured data

2015-05-28 Thread Jochen Schalanda
Hi Lily, please consult the official rsyslog support channels for detailed questions about rsyslog configuration: http://www.rsyslog.com/doc/free_support.html Cheers, Jochen On Thursday, 28 May 2015 13:55:35 UTC+2, Lily Chadha wrote: > > Hi Jochen, > > After loading mmjsonparse,i am still getti

[graylog2] Re: rsyslogd Structured data

2015-05-28 Thread Lily Chadha
Hi Jochen, After loading mmjsonparse, I am still getting empty structured data. Here is my debug log: 3818.712254754:main Q:Reg/w0 : ACTION 0 [mmjsonparse::mmjsonparse:] 3818.712262545:main Q:Reg/w0 : executing action 0 3818.712267008:main Q:Reg/w0 : Called action, logging to mmjsonparse 38

[graylog2] Re: rsyslogd Structured data

2015-05-28 Thread Jochen Schalanda
Hi Lily, please refer to the rsyslog documentation for examples: - http://www.rsyslog.com/doc/v8-stable/configuration/modules/mmnormalize.html - http://www.rsyslog.com/doc/v8-stable/configuration/modules/mmjsonparse.html - http://www.rsyslog.com/tag/structured-data/ Cheers,

[graylog2] Multiple source IP addresses to one Stream group - HOW? POSSIBLE? A BETTER WAY?

2015-05-28 Thread Aidan Venn
Hi, Graylog newbie here. Please see the picture attached. I have three streams matching a single source IP and warning keywords from logs: source IP: 192.168.0.1 stream 1 - keyword: disconnect stream

[graylog2] Re: grok extractors not working

2015-05-28 Thread Jochen Schalanda
Hi Jesse, how exactly are you searching for those fields? Please be aware that additional fields aren't analyzed and thus wildcard search (e.g. "syslogprog:fire*") won't work. Cheers, Jochen On Thursday, 28 May 2015 04:02:21 UTC+2, Jesse Skrivseth wrote: > > So I have a collection of Grok pat