Re: [graylog2] Re: buglet: broken link http://info.graylog.org/marketplace-requests

2017-02-07 Thread Jason Haar
Which extensions (possibly blocking content > like Javascript) are you using? > > Cheers, > Jochen > > > On Tuesday, 7 February 2017 05:59:37 UTC+1, Jason Haar wrote: >> >> Hi there >> >> I just did a search on the marketplace for Azure related plug

Re: [graylog2] Re: Changing timestamps?

2017-01-30 Thread Jason Haar
of people. If you're using syslog, then your records are flowing into graylog within sub-second accuracy - so throwing away the perceived timestamp and putting a proper one in doesn't change the accuracy. And for those where being off by 0.4sec matters - well, continue to use 'false' :-)

Re: [graylog2] Re: mongodb_uri doesn't like multiple server urls?

2017-01-16 Thread Jason Haar
are no brackets :-) I did not find that intuitive, but that's the mongodb standard, so I'd better get used to it :-) Thanks! -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 -- Y

[graylog2] mongodb_uri doesn't like multiple server urls?

2017-01-15 Thread Jason Haar
n(ReflectionUtils.java:53) ~[graylog.jar:?] at com.github.joschi.jadconfig.JadConfig.invokeValidatorMethods(JadConfig.java:221) ~[graylog.jar:?] ... 5 more

[graylog2] is there a plugin for Azure/365live logging?

2017-01-10 Thread Jason Haar
if anyone had one for Azure/365? Splunk has one (https://splunkbase.splunk.com/app/3110/) from the looks of it if that helps

Re: [graylog2] Re: unable to receive syslog/tls from Cisco devices

2017-01-09 Thread Jason Haar

Re: [graylog2] Re: unable to receive syslog/tls from Cisco devices

2017-01-09 Thread Jason Haar
st had been through the drama.

[graylog2] unable to receive syslog/tls from Cisco devices

2017-01-08 Thread Jason Haar
orker(Unknown Source) [?:1.8.0_77] at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:1.8.0_77] at java.lang.Thread.run(Unknown Source) [?:1.8.0_77]

[graylog2] elasticsearch_max_number_of_indices change doesn't appear to be listened to?

2016-12-14 Thread Jason Haar

Re: [graylog2] Re: hot-warm-architecture

2016-12-14 Thread Jason Haar
environment is still nowhere near as busy as using (say) Linux as a router could be, so I'm worried by your comment because we use firewalling on our graylog systems too... Although being old school, I used iptables - not firewalld (not that it should make a difference?)

Re: [graylog2] Re: Whats Better for Graylog Udp or Tcp

2016-11-15 Thread Jason Haar
as it's more efficient. But if WANs or the Internet is involved - use TCP. And in fact, use TLS over TCP - just because it's 2016 - not 1999 ;-)

Re: [graylog2] Re: Graylog2 send Alerts with SMS

2016-10-30 Thread Jason Haar
time for maintaining it?" ie if you're not paying for a product, YOU ARE THE PRODUCT ...although these days, it seems to be that even if you are paying, you're also the product :-/ (see Windows 10)

Re: [graylog2] Re: unable to figure out permissions using REST API

2016-09-23 Thread Jason Haar
and I should use Roles instead. Is that a mistake? Also I can't see how to add permissions against the account - is this action not supported through the GUI? Thanks

[graylog2] unable to figure out permissions using REST API

2016-09-22 Thread Jason Haar
e that allows universal search - but with no form of write access? Thanks

Re: [graylog2] Re: alerting plugins seem to lack all context?

2016-09-06 Thread Jason Haar
form". That's why I can't find any POST variables - there aren't any. So now I'm using the following to get me an array of field->values - works fine :-) $json = file_get_contents('php://input'); $obj = json_decode($json);

[graylog2] alerting plugins seem to lack all context?

2016-09-05 Thread Jason Haar
ppears to have any actual data??

Re: [graylog2] Re: Geo-Location Processor doesn't create _geolocation fields for custom fields created by pipeline rules

2016-09-01 Thread Jason Haar
essor support both string and "ip" field types?

Re: [graylog2] Re: Indicators of Compromise (IOCs)

2016-09-01 Thread Jason Haar
- could be abused in all sorts of ways :-) Hmm, I thought I added this to the Ideas site a few days ago - can't find it now?

Re: [graylog2] Syslog severity mapper decorator

2016-08-20 Thread Jason Haar

Re: [graylog2] How to configure graylog 2.0.3 to email using system mail agent ?

2016-08-14 Thread Jason Haar
ou're running postfix, then I'd suspect you'll find it's actually running on 127.0.0.1 port 25 (that's the default for RHEL/CentOS). So just configure it to use that and it will act identically to calling /usr/sbin/sendmail

Re: [graylog2] Re: upgrading from graylog-v2.0 to v2.1

2016-08-08 Thread Jason Haar
e use a reverse proxy) that sounds like it's backwards compatible

[graylog2] has anyone got a plugin for reading Google Apps APIs?

2016-07-25 Thread Jason Haar
programming skills I did manage to get a python demo script successfully pulling down admin login events - but that's about my limits - so I'm hoping someone has done a deeper integration and just hasn't got around to publishing it on the graylog market? :-) Thanks

Re: [graylog2] Re: Backfilling graylog with past data

2016-07-14 Thread Jason Haar
nitely all went into "old" indices. Wait a minute - that's not how it works. Mustn't it always go into the current index, even if the timestamps are no longer vaguely related? I can't say I've thought much about it - it simply worked

Re: [graylog2] Re: Extractor help - domain name only

2016-07-14 Thread Jason Haar
aylog at the moment and I don't know if its weird Java-based regex library supports that - so I stuck with [a-z]+ to match "http" and "https" (and I guess "ftp" too)

Re: [graylog2] debugging pipelines is... difficult

2016-07-13 Thread Jason Haar
On Mon, Jul 11, 2016 at 11:28 AM, Jason Haar <jason_h...@trimble.com> wrote: > If I take the regex I wrote in this rule (as per first email), replace > '\\' with '\', then the regex works fine via egrep. It's a simple "when, do > this" type statement: I can't see what

Re: [graylog2] debugging pipelines is... difficult

2016-07-10 Thread Jason Haar
e another pipeline with two rules and it's working just fine - it seems to be the regex in this that is at fault, but I can't see how

Re: [graylog2] Re: debugging pipelines is... difficult

2016-07-07 Thread Jason Haar
On Wed, Jul 6, 2016 at 9:50 PM, Jochen Schalanda <joc...@graylog.com> wrote: > there's something coming up in Graylog 2.1.0 which will vastly simplify > testing pipeline rules. > That's great to hear. Any suggestions as to what's wrong with my rule? Thanks

Re: [graylog2] Re: first pipeline attempt not working

2016-07-05 Thread Jason Haar
in your system. > Whoa! Thanks - that's good to know Perhaps the Input fiddling options should be mentioned in the "Message Processors Configuration" page - perhaps like a fake, uneditable "plugin 99" or something?

[graylog2] first pipeline attempt not working

2016-07-04 Thread Jason Haar
mplicated, but even this doesn't work - so 'baby steps' :-) Any ideas? Also, I really only want this pipeline on one Input channel - do they have to be "universal"? Thanks!

Re: [graylog2] Having some difficulties with 3 node graylog cluster

2016-06-24 Thread Jason Haar
Seems to only affect Firefox (ie I see it every time I do a search in Firefox, but don't see it with Chrome)

Re: [graylog2] what is the best way of creating fields in graylog?

2016-06-23 Thread Jason Haar
existing pipeline configs after a reinstall, would that just be restoring pipeline_processor_pipelines* from backup, or would more mongodb fiddling be required?

[graylog2] what is the best way of creating fields in graylog?

2016-06-22 Thread Jason Haar
servers? With drools, the rules file would be trivial to share - but I guess you have to restart graylog to reload it? Thanks

[graylog2] does graylog support multi-value queries?

2016-06-15 Thread Jason Haar
ield and support for left hand wildcards - not good things to have in graylog from a performance perspective? Thanks

[graylog2] extractor not always running?

2016-06-08 Thread Jason Haar
/elasticsearch-2.3.3-1 Thanks

[graylog2] recommendations for image/graphing for graylog?

2016-06-07 Thread Jason Haar
through some kind of graphing package - any recommendations from the group how to do this? Thanks!

Re: [graylog2] Re: large searches kill ES - can graylog stop this?

2016-06-06 Thread Jason Haar
nism to pick up the fact that ES has indeed "run away" and then do something about it to fix it? Otherwise, how do graylog users solve this problem? It will happen again

[graylog2] large searches kill ES - can graylog stop this?

2016-05-31 Thread Jason Haar
Hi there I just did a simple search on 30 days of data and managed to trigger the following ES error [2016-06-01 00:12:53,525][WARN ][indices.breaker.fielddata] [fielddata] New used memory 11273780309 [10.4gb] for data of [message] would be larger than configured breaker: 10857952051

[graylog2] anyone know how to merge data into the GeoIP2 mmdb files?

2016-04-27 Thread Jason Haar
ools still are? ;-) Thanks

[graylog2] fielddata error with search

2016-04-20 Thread Jason Haar
nd give me an error page for starters. It looks to me like graylog didn't expect that ES search to error out and that caused it to block? (I'm assuming ES generated an error - the logs show that WARN - I dunno what happens next)

[graylog2] web interface with v2.0 appears to require direct REST access?

2016-04-13 Thread Jason Haar
"Must be reachable by other Graylog server nodes if you run a cluster" - no mention of this being required by web browsers. I'm confused?

[graylog2] best way to do a "read only" audit account?

2016-04-13 Thread Jason Haar
you shouldn't create more than are needed Wouldn't it be sensible to always have a "default" Stream named "All data" (would probably have to be hard-wired as readonly) - so that it can be allocated to Roles? It's really a "virtual" Stream, consisting of everything

Re: [graylog2] Re: installed marvel - now seemed to have corrupted entire graylog db

2016-04-12 Thread Jason Haar
> Hi Jason, > > what's your Graylog and Elasticsearch configuration? Are there any error > messages in the logs of either Graylog or Elasticsearch? > > Cheers, > Jochen > > > On Monday, 11 April 2016 07:15:17 UTC+2, Jason Haar wrote: >> >>

[graylog2] installed marvel - now seemed to have corrupted entire graylog db

2016-04-10 Thread Jason Haar
to do with marvel - it's just the last change I made. The reason I installed it was because I have had ES continually doing this kind of thing - but previously stopping graylog, restarting ES and waiting would lead to a happy ES - but no longer.

Re: [graylog2] Re: [ANNOUNCE] Graylog v2.0-beta.1 has been released

2016-03-24 Thread Jason Haar
On 25/03/16 10:53, Arie wrote: Super, Are there some guidelines on upgrading from 1.3.4 > 2.0? Would be useful. One is "don't have dots in your fieldnames" as I discovered :-(

[graylog2] elasticsearch-1.7's "/_cat/shards" not reliable?

2016-03-15 Thread Jason Haar
tually pick up ES errors, when the logfiles and commands like this totally fail to mention there's a problem? I can't fix something that I can't detect :-( Thanks!

[graylog2] relationship between graylog-server problems and elasticsearch

2016-03-10 Thread Jason Haar
I need more graylog-servers feeding into the same ES? How can I differentiate between those two - what does that error case look like? Thanks!

[graylog2] should there be a "replace extractors" option?

2016-03-06 Thread Jason Haar
re's some way I could do the same thing with curl/etc, but adding a "replace extractors" to the "import extractors/export extractors" dropdown list would be much easier?

[graylog2] anyone written a nessus parser for GELF?

2016-03-01 Thread Jason Haar
already done it, or conversely, is there a way of changing a program that outputs directly to Elasticsearch to output to GELF? (so as to make it work with graylog) If not, I guess I'll have a go at it :-)

[graylog2] why do open files increase over time?

2016-02-28 Thread Jason Haar
lib/systemd/system/elasticsearch.service is replaced every time you upgrade elasticsearch. So either their documentation is wrong and /etc/sysconfig/elasticsearch is what "wins", or their rpm installer is broken. I'll open a bug report for them (not a graylog issue - but a FYI for others)

[graylog2] logarithmic scaling on graphs?

2016-01-28 Thread Jason Haar
that useful too? Thanks for the work!

Re: [graylog2] Re: GeoIp lookup plugin

2015-12-10 Thread Jason Haar
"what can I do to prepare for geoip support?")

Re: [graylog2] confused how extractor fields work

2015-12-05 Thread Jason Haar
e message field So how can I make my "url" field properly searchable? (ie to handle wildcards) Thanks

Re: [graylog2] Re: Graylog Best Practices

2015-12-02 Thread Jason Haar

[graylog2] confused how extractor fields work

2015-11-22 Thread Jason Haar
" that showed up in the middle of the "sentence" that was associated with the new fieldname - ie pretty simple. And yet I couldn't search for a word? The converter on the extractor was the default "Numeric" - should it be something else? This is graylog-1.2.2 Thanks

[graylog2] Google Apps logging/reports support for graylog?

2015-10-22 Thread Jason Haar
Hi there Has anyone figured out how to get Google Apps logging into graylog? (sort of the Google equivalent to the AWS CloudTrails plugin) I see there's a Splunk connector for it https://splunkbase.splunk.com/app/2714/

Re: [graylog2] Re: Upgrade to 1.2.1 Graylog Journal does not flush messages, index range issue

2015-10-15 Thread Jason Haar
ble to self-heal in these situations? I mean a corrupt file is useless - so why tolerate them?

[graylog2] question about interpreting graylog stats

2015-10-07 Thread Jason Haar
ee more incoming than outgoing?

Re: [graylog2] Re: upgrading graylog-server from 1.16 to 1.2rc4 totally broke all LDAP access

2015-09-09 Thread Jason Haar
2015-09-09T05:46:52.776-04:00 TRACE [DelegatingSubject] attempting to get session; create = false; session is null = true; session has id = false

Re: [graylog2] Re: upgrading graylog-server from 1.16 to 1.2rc4 totally broke all LDAP access

2015-09-09 Thread Jason Haar
-09T05:46:52.749-04:00 TRACE [LdapConnector] Binding DN CN= did not throw, connection authenticated: true So that binary blob shows up on its own line (ie doesn't begin with a timestamp) - so there must be a carriage return in there - could that cause issues?

[graylog2] upgrading graylog-server from 1.16 to 1.2rc4 totally broke all LDAP access

2015-09-08 Thread Jason Haar
Hi there Says it all really. After upgrading from 1.16 to 1.2rc4, none of the LDAP (actually ActiveDirectory) accounts work - even the Admin ones (thankfully the standard backdoor "admin" account still works) I tried logging in with a new LDAP account - it also fails (default user mode:

[graylog2] Re: upgrading graylog-server from 1.16 to 1.2rc4 totally broke all LDAP access

2015-09-08 Thread Jason Haar
Whoops - forgot to mention this was LDAPS to our Global Catalog LDAP service (that's the trick Microsoft uses to emulate "flattening" an AD hierarchy Also I just changed from LDAPS to LDAP so that I could sniff what's going on. According to wireshark the group search filter was working -

[graylog2] is there a GELF over HTTPS option?

2015-08-31 Thread Jason Haar
el can (eg using HTTP Keepalive) - or is it really designed for once-in-a-while web application transactions Thanks

Re: [graylog2] Users and access on Global search

2015-08-25 Thread Jason Haar

[graylog2] AWS Cloudtrail plugin issue with multiple regions?

2015-08-24 Thread Jason Haar
.input.cloudtrail.CloudTrailSubscriber.run(CloudTrailSubscriber.java:80)

[graylog2] are there standard field names?

2015-08-24 Thread Jason Haar
are there any standard field naming conventions that should be abided by? Obviously elasticsearch is meant to be arbitrarily extendable, but I'm concerned I'll try some plugin later and it won't work because I've fiddled with fieldnames when I shouldn't have, etc

Re: [graylog2] Re: what can I do to prepare for geoip support?

2015-08-12 Thread Jason Haar
On 13/08/15 09:06, Jochen Schalanda wrote: Hi Jason, I hear that some form of geoip support is expected in graylog-1.2? That's currently not planned. Pity. You might want to update GL2E-I-364 - it says it's expected in 1.2

[graylog2] what can I do to prepare for geoip support?

2015-08-12 Thread Jason Haar
that? Fun times :-)

[graylog2] Re: Very slow output msg/s read from journal

2015-08-03 Thread Jason Haar
I can imagine that impacting many of us. Does anyone know of a way of measuring the impact of extractors? ie metrics on how long it takes extractors to process messages? Then this sort of issue could be diagnosed a lot quicker

[graylog2] wildcard searches on fields besides messages?

2015-08-01 Thread Jason Haar
Hi there I've used extractors to create a bunch of fields to apply over incoming data to search against. Similarly I have other data coming in via GELF with extra fields too. Search works when I do fieldName:full-value, but doesn't work for fieldName:full or fieldName:full*. It's as if they

[graylog2] Re: elasticsearch crashed and now graylog-server broken?

2015-07-31 Thread Jason Haar
It just happened again and this time elasticsearch is hosed. The out of memory error was system-wide - dmesg confirmed it. So the system ran out of memory, elasticsearch crashed, and now graylog-server cannot talk to it any more. When graylog-server attempts to connect to elasticsearch, it

[graylog2] Re: GrayLog 1.1.4 - ActiveDirectory connection

2015-07-30 Thread Jason Haar
You've got a bad filter. There is no uid field in AD, you either need to use sAMAccountName or userPrincipalName. Use sAMAccountName if you are a single domain, or userPrincipalName if you have multiple domains in a single forest (and use the GC ldap port [3268] instead of standard ldap) Jason

[graylog2] Re: GrayLog 1.1.4 - ActiveDirectory connection

2015-07-30 Thread Jason Haar
We have the following format and it works for us Search Base DN: dc=xxx,dc=yyy User Search Pattern: (&(objectClass=user)(userPrincipalName={0})) Display Name attribute: displayName (so did you remember to put brackets around the filter?) Jason

[graylog2] TCP Syslog input channel restarting all the time?

2015-07-28 Thread Jason Haar
Hi there I'm using syslog-ng to feed in data via a syslog/TCP channel and it's continually (every 10 seconds) dropping the TCP channel - forcing syslog-ng to restart it 2015-07-29T02:26:31+00:00 syslog.server syslog notice syslog-ng[30512]: Syslog connection broken; fd='408',

[graylog2] Re: Does GELF over UDP support timestamp field?

2015-07-27 Thread Jason Haar
I don't believe - how STUPID of me!!! Spot on - I was testing this by working on an apache access_log file I copied over on Saturday and by the time I stopped fiddling and started testing, it was days old. And then didn't even think to expand the search to multiple days. D'oh!!! Working fine

[graylog2] resource cost of adding fields to graylog

2015-07-26 Thread Jason Haar
Hi there I've been adding extractors to our incoming syslog Input and it's been great - fantastic feature :-) However, I'm starting to get worried about the longer-term impact of me going all hell-for-leather on this: how much of a performance impact does adding new fields have? I've added

[graylog2] Does GELF over UDP support timestamp field?

2015-07-26 Thread Jason Haar
Hi there I'm trying to feed data from files in via GELF over UDP and hit a wall. The following sample code works fine (note xtimestamp) echo '{version: 1.1,host: example.org,xtimestamp: 1437290906.000,short_message: A3 short message that helps you identify what is going on,full_message:

[graylog2] Re: Graylog web interface 1.1.4 - change default port

2015-07-25 Thread Jason Haar
Just a FYI but if you wanted to expose graylog on the normal ports (port 80 (http) or port 443 (https)) then it doesn't work because graylog runs as an unprivileged user. I fake it via iptables trickery (Linux - I expect other OSes have the same feature) ie *nat -A PREROUTING -p tcp -m tcp

[graylog2] rewrite incoming syslog stream to fix borked content?

2015-07-25 Thread Jason Haar
Hi there I have an incoming syslog stream that amongst working data also contains borked syslog records from Snare - which is a Windows EventLog to syslog service The problem is the application_id ends up as MSWinEventLogtab0tabSecurity and message: begins with Sun Jul 26 03:36:53 2015 4769

[graylog2] how does graylog-collector detect change?

2015-07-24 Thread Jason Haar
Hi there I'm wanting to feed our (multiple) squid server logs into graylog and want to simply rsync the logs into a staging directory on the server, and have the collector pipe them in via the GELF connector. (ie I don't want them put into syslog, nor do I want to install java on the proxies

[graylog2] thanks, and hint for those dealing with AD forests (LDAP authentication)

2015-07-22 Thread Jason Haar
Hi there I just learnt about graylog2 yesterday: what a revelation! The developers have done a WONDERFUL job. I have our central syslog server forwarding 1000+ syslog records/sec into a single virtual CentOS7 server and it's humming along. Obviously not much data in it yet, but so far I'm

[graylog2] how about abstracting out authentication via reverse-proxy?

2015-07-22 Thread Jason Haar
Hi there Let me confess that I have an agenda of wanting graylog-web to support SAML, but from my google-ing about I can also see others have asked for Kerberos, Basic, etc authentication to be added to graylog-web. That is actually sounding like a whole lot of work... I was wondering if an