[graylog2] Re: 2.1 new API browser URL takes a long time to return

2016-09-09 Thread Jochen Schalanda
Hi, there's a related bug report for this issue at https://github.com/Graylog2/graylog2-server/issues/2790 Cheers, Jochen On Friday, 9 September 2016 12:51:01 UTC+2, T.J. Yang wrote: > > I observed this issue after I upgraded from 2.0.3 to 2.1. > Same slow return for old http://myip:12900/

[graylog2] Re: API not working since 2.1 upgrade

2016-09-09 Thread Jochen Schalanda
Hi Aykisn, you can reach the API browser at http://:9000/api/api-browser. Cheers, Jochen On Friday, 9 September 2016 11:54:13 UTC+2, Aykisn wrote: > > The http://ip:9000/api/system link gets me to this page (after > authentication) : > > >

[graylog2] Re: Graylog 2.1 Search results error

2016-09-09 Thread Jochen Schalanda
Hi, please re-post your question in English. Cheers, Jochen On Friday, 9 September 2016 08:48:56 UTC+2, IronCocker wrote: > > Hi everyone: > > > Please look at the picture below. What is going on here? responsetime:100 works fine, but responsetime:>100 does not. Any advice from the experts would be appreciated. > > > The version is Graylog 2.1.0+62db7e0 > > > >

[graylog2] Re: API not working since 2.1 upgrade

2016-09-09 Thread Jochen Schalanda
Hi Aykisn, the redirect at the root resource of the Graylog REST API is there to prevent users from accidentally opening the Graylog REST API in their browser if they actually want to open the web interface. You can still access the "real" resources of the Graylog REST API as before, e. g.

[graylog2] Re: Automatic selection of stream

2016-09-08 Thread Jochen Schalanda
Jochen. > It was my mistake as I was testing the REST API, so due to multiple triggers a > duplicate stream got created. > Now this is working perfectly fine. > > On Thursday, September 8, 2016 at 6:27:08 PM UTC+5:30, Jochen Schalanda > wrote: >> >> Hi Ajay, >>

[graylog2] Re: Graylog extractor key=value with empty value

2016-09-08 Thread Jochen Schalanda
Hi Yves, I'd recommend using a suitable Grok pattern for this use case. Cheers, Jochen On Thursday, 8 September 2016 15:14:28 UTC+2, yvesloui...@gmail.com wrote: > > Hi everyone, > > I'm using graylog 2.0.3 and graylog 2.1.0, and I have a small problem with > the extractor key=value. > > My

[graylog2] Re: Number of records per second on the histogram

2016-09-08 Thread Jochen Schalanda
Hi Валерий, seconds-resolution for histograms is currently not possible in Graylog. Feel free to subscribe to https://github.com/Graylog2/graylog2-web-interface/issues/929 in order to get updates about the feature request. Cheers, Jochen On Wednesday, 7 September 2016 12:45:11 UTC+2, Валерий

[graylog2] Re: Automatic selection of stream

2016-09-08 Thread Jochen Schalanda
Hi Ajay, make sure that you only have exactly 1 stream with the name of your device (e. g. "1244-5124"). Unfortunately, the stream names don't have to be unique but the route_to_stream expects to only find 1 stream matching the name. Cheers, Jochen On Thursday, 8 September 2016 10:23:06

[graylog2] Re: Failed to start Grizzly HTTP server: permission denied - after 2.1 upgrade

2016-09-08 Thread Jochen Schalanda
Hi Steve, make sure that no other process is using the port you've configured and that you only use non-privileged ports in your Graylog configuration. Also make sure to check the local system logs in /var/log/, e. g. audit.log, for related error messages. Cheers, Jochen On Thursday, 8

[graylog2] Re: API not working since 2.1 upgrade

2016-09-08 Thread Jochen Schalanda
Hi Aykisn, that looks good. Do you have any specific problem you want to solve or was it a general question? Cheers, Jochen On Thursday, 8 September 2016 12:38:52 UTC+2, Aykisn wrote: > > Hi, > > Here is the output of the curl : > > HTTP/1.1 307 Temporary Redirect > Location:

[graylog2] Re: Graylog V2 web interface stuck on loading after login

2016-09-08 Thread Jochen Schalanda
Hi Thangaraj, please create a new thread for your problem and provide as many details about your setup as possible (log files, configuration files, how you've installed Graylog and ES and which versions). Cheers, Jochen On Wednesday, 7 September 2016 18:08:35 UTC+2, Thangaraj Arunachalam

[graylog2] Re: API not working since 2.1 upgrade

2016-09-08 Thread Jochen Schalanda
Hi Aykisn, On Thursday, 8 September 2016 10:56:28 UTC+2, Aykisn wrote: > > I tried to change the rest line to : > rest_listen_uri = http://0.0.0.0:9000/api but it didn't help, it just > redirects me to the nrmal graylog web interface. > Yes, that's to be expected and an intentional redirect.

[graylog2] Re: Convert log level from number to a more understandable

2016-09-07 Thread Jochen Schalanda
Hi Pedro, you could use the message decorators introduced in Graylog 2.1.0 to convert those levels to a human-readable format: http://docs.graylog.org/en/2.1/pages/queries.html#syslog-severity-mapper Cheers, Jochen On Wednesday, 7 September 2016 11:29:07 UTC+2, pedro rijo wrote: > > We have

Re: [graylog2] Re: Graylog not connecting to elasticsearch

2016-09-07 Thread Jochen Schalanda
Hi Karan, try removing (or commenting out) the elasticsearch_discovery_zen_ping_unicast_hosts setting from your Graylog configuration file. Cheers, Jochen -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and

[graylog2] Re: Change "dynamic_templates" and "store_generic"

2016-09-07 Thread Jochen Schalanda
"index" : "not_analyzed" > }, > "ipt2323" : { > "type" : "string", > "index" : "not_analyzed" > }, > > curl -X GET 'http://localhost:9200/graylog2_0?pretty'

[graylog2] Re: Graylog email alert frequency

2016-09-07 Thread Jochen Schalanda
Hi Ajay, On Wednesday, 7 September 2016 05:20:15 UTC+2, Ajay Kumar wrote: > > Just out of curiosity, is it a limitation by design or intentionally > feature is kept like that? It's a current design limitation. Alerts are being generated by periodically running Elasticsearch queries (default:

[graylog2] Re: Install

2016-09-07 Thread Jochen Schalanda
Hi Chad, Graylog currently doesn't support running Elasticsearch plugins in its embedded instance at all (also see https://github.com/Graylog2/graylog2-server/issues/2789). You have to rely on the standard Elasticsearch configuration settings which Graylog provides:

[graylog2] Re: Coloros Graphics

2016-09-06 Thread Jochen Schalanda
Hi, using custom palettes for the graphs on dashboards is currently not supported by Graylog. If you want to learn how to create dashboards in general, please take a look at http://docs.graylog.org/en/2.1/pages/getting_started/create_dashboard.html. Cheers, Jochen On Tuesday, 6 September

Re: [graylog2] Re: alerting plugins seem to lack all context?

2016-09-06 Thread Jochen Schalanda
Hi Jason, I couldn't reproduce your problems with the HTTP Alarm Callback. Just to make sure, I've added a test case to our test harness for Graylog (see https://github.com/Graylog2/graylog2-server/commit/2b05856b6982b14508f3d0d23957ccdb54ec0eeb ). You could also try to use netcat or

[graylog2] Re: Bigger production setup

2016-09-06 Thread Jochen Schalanda
Hi Daniel, there's currently no detailed guide for creating a setup like the one in the image you've posted (and which is in the Graylog documentation). This being said, setting up these single components (primarily Elasticsearch, MongoDB, and Graylog itself) shouldn't be too hard. Is there

[graylog2] Re: Updating to Graylog 2.1.0 from 2.0.3

2016-09-06 Thread Jochen Schalanda
Hi, it depends on how you've installed Graylog in the first place. Generally speaking, Graylog 2.1.0 is a drop-in replacement for Graylog 2.0.x. Cheers, Jochen On Tuesday, 6 September 2016 12:48:06 UTC+2, Ciprian wrote: > > Hello, > > I have noticed that a new version of Graylog has been

[graylog2] Re: GELF basic concepts. How to collect log data?

2016-09-06 Thread Jochen Schalanda
Hi, the Graylog Marketplace offers GELF appenders for most of the existing Java logging frameworks: https://marketplace.graylog.org/addons?tag=java Simply choose one that works with your logging framework (SLF4J merely provides an API and relies on another logging framework). Cheers, Jochen

[graylog2] Re: fighting 2.1 install on ubuntu 14.04

2016-09-06 Thread Jochen Schalanda
Hi, please post the complete Graylog configuration file you're using and the complete logs of your Graylog node(s). It looks like there's some invalid configuration setting. Cheers, Jochen On Sunday, 4 September 2016 06:22:07 UTC+2, mach...@gmail.com wrote: > > I've been fighting a 2.1

[graylog2] Re: Graylog in Docker 2.1

2016-09-06 Thread Jochen Schalanda
Hi Hernán, please make sure that you're using the latest version of the Docker image ( 2.1.0-2 at the time of writing). Cheers, Jochen On Friday, 2 September 2016 22:48:30 UTC+2, Hernán Fernández wrote: > > Hello, > > I just saw that the rest api is running now on the web interface and the >

[graylog2] Re: alerting plugins seem to lack all context?

2016-09-06 Thread Jochen Schalanda
Hi Jason, which outputs are you using specifically? If these are 3rd party plugins, you might want to create a GitHub issue in the issue trackers of those projects. Cheers, Jochen On Tuesday, 6 September 2016 00:47:34 UTC+2, Jason Haar wrote: > > Hi there > > I've been playing around with

Re: [graylog2] Re: Graylog not connecting to elasticsearch

2016-09-06 Thread Jochen Schalanda
Hi Karan, please post the current Graylog and Elasticsearch configuration files you're using (after the changes you've made). Cheers, Jochen On Tuesday, 6 September 2016 09:38:24 UTC+2, Karan Chandok wrote: > > Hi Jochen, > > Yes elasticsearch is running on same machine. I have removed white

[graylog2] Re: Problems with Cisco Routers

2016-09-06 Thread Jochen Schalanda
Hi Israel, Cisco appliances often don't send valid syslog messages (RFC 3164 or RFC 5424), so you have to use a Raw/Plaintext input instead of a Syslog input and extract the information you need either with extractors or with rules of

[graylog2] Re: Graylog email alert frequency

2016-09-06 Thread Jochen Schalanda
Hi David, Basically I want an email whenever an event matching the criteria hits that > stream. One email per event. Does anyone know if that's possible? That's currently not possible. Cheers, Jochen On Tuesday, 12 April 2016 19:43:31 UTC+2, David Rux wrote: > > Hey all, > > I have a

[graylog2] Re: Smtp configuration in conf file

2016-09-06 Thread Jochen Schalanda
Hi Ayksin, you have to configure the SMTP settings on every Graylog instance. Cheers, Jochen On Tuesday, 6 September 2016 07:32:34 UTC+2, Aykisn wrote: > > Hello, > > I was wondering if we needed to put the smtp configuration part in all the > graylog instances configuration file or just on

[graylog2] Re: Split and index with rules pipeline

2016-09-04 Thread Jochen Schalanda
September 2016 18:49:17 UTC+2, stella wrote: > > Jochen Schalanda, is it possible to implement my own split function and > plug it in on my own? > > On Friday, 2 September 2016 13:21:04 UTC+3, Jochen Schalanda > wrote: >> >> Hi Stella, >>

[graylog2] Re: Understanding drools

2016-09-04 Thread Jochen Schalanda
Hi Dima, On Sunday, 4 September 2016 15:45:30 UTC+2, Dima wrote: > > Why did you guys restrict rules so significantly in comparison to Drools? > Mainly two reasons: safety of execution and performance. > So what do I do if I need something custom... (e.g. some complex message > processing

[graylog2] Re: [ANNOUNCE] Graylog v2.1.0 has been released

2016-09-02 Thread Jochen Schalanda
Hi, On Friday, 2 September 2016 00:37:14 UTC+2, walderba...@gmail.com wrote: > > Would I simply need to run the following? > […] > And would this preserve all my users, settings, data, etc? > > Yes. Cheers, Jochen

[graylog2] Re: Source IP address of the syslog messages

2016-09-01 Thread Jochen Schalanda
Hi Thomas, Cisco network appliances usually don't send valid syslog messages (according to RFC 3164 or RFC 5424). Try using a Raw/Plaintext UDP input in Graylog instead of the Syslog UDP input and use extractors to get the information you want into structured fields:

[graylog2] Re: Map Data Query Failed

2016-09-01 Thread Jochen Schalanda
"SonicWALL Mobile Connect > for Android 4.0.5 (samsung SAMSUNG-SM-G920A; Android 6.0.1; SDK 23; build > 405)" > > On Wednesday, August 31, 2016 at 1:28:39 PM UTC-4, TheKrazyKaveman wrote: >> >> Syslog UDP >> >> On Wednesday, August 31, 2016 at 3:3

[graylog2] Re: Journal not processing new messages after adding hard drive

2016-09-01 Thread Jochen Schalanda
Hi Jamie On Wednesday, 31 August 2016 16:49:34 UTC+2, Jamie P wrote: > > On a side note. I followed the instructions to expand to an extra hard > drive, but none of the settings saved when doing the command to save info > to /etc/fstab. I had to put that info in manually and then then

[graylog2] Re: Dynamic field names with Grok

2016-09-01 Thread Jochen Schalanda
a.2-ffa3355* > On Thursday, 1 September 2016 10:44:39 UTC+3, Jochen Schalanda > wrote: >> >> Hi, >> >> I think that's not possible with Grok, but you could try to use the >> Tokenizer converter (create a Copy Input extractor, then select the

[graylog2] Re: Source IP address of the syslog messages

2016-09-01 Thread Jochen Schalanda
Hi Thomas, what exactly do you mean with "changing the source IP address"? Do the messages still arrive on the relevant network interface and in the Syslog input of Graylog? How did you check that? And how is your Syslog input and the Cisco syslog service configured? Cheers, Jochen On

[graylog2] Re: Geo-Location Processor doesn't create _geolocation fields for custom fields created by pipeline rules

2016-09-01 Thread Jochen Schalanda
Thanks for the feedback!

On Wednesday, 31 August 2016 16:12:11 UTC+2, Jan wrote:
>
> Found the error. In my original pipeline-rule I used the "to_ip" function 
> to convert the pattern match to an IP. With this setting resolving the IP 
> to a geo location fails.
> I changed the rule now to 

[graylog2] Re: Add server.log to Graylog

2016-09-01 Thread Jochen Schalanda
r.log. > > Also added syslog and I don't see it in the Graylog. > > Thanks, > -Praveena > > On Wednesday, August 31, 2016 at 12:31:25 AM UTC-7, Jochen Schalanda wrote: >> >> Hi Praveena, >> >> which server.log file do you mean specifically? >>

[graylog2] Re: API connectivity with reverse proxy (nginx)

2016-09-01 Thread Jochen Schalanda
Hi, are there any error messages in the logs of your Graylog node? What's the result of the following curl command (insert your Graylog admin credentials): curl -u admin:password https://graylog.corp.com/api/system/?pretty=true Also, your web_endpoint_uri is wrong and should point to

[graylog2] Re: Dynamic field names with Grok

2016-09-01 Thread Jochen Schalanda
Hi, I think that's not possible with Grok, but you could try to use the Tokenizer converter (create a Copy Input extractor, then select the Tokenizer converter) for this. Cheers, Jochen On Wednesday, 31 August 2016 14:19:39 UTC+2, AForton wrote: > > Is it possible to extract dynamic field

Re: [graylog2] Automatically parsed fields in Syslog TCP/UDP input

2016-08-30 Thread Jochen Schalanda
Hi Markus, On Tuesday, 30 August 2016 11:51:48 UTC+2, Markus Fischbacher wrote: > > I don't see a way to extract syslog levels - they don't come in the > message(-string) itself. Level and facility seem to come in additional UDP > sections/frames. > If you're using a Raw/Plaintext input, the
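
The replies about Cisco devices (use a Raw/Plaintext input because the messages are not valid RFC 3164/5424) and the question above about where syslog level and facility come from describe the same parsing job. The following is an added example written for this page, not Graylog code and not an extractor from any of the threads: it shows that level and facility live in the <PRI> header (PRI = facility * 8 + severity), why a Cisco line without a hostname does not pass an RFC 3164 check, and what an extractor on a raw input has to pull out of the %FACILITY-SEVERITY-MNEMONIC body. The Cisco line layout and the sample lines are constructed assumptions.

```python
import re

# Added example (not from the mailing list or the Graylog code base): what an
# extractor on a Raw/Plaintext input has to do for Cisco-style syslog, and why
# the Syslog input's RFC 3164/5424 parser cannot be relied on for it.

# Severity names per RFC 5424 (numeric values are shared with RFC 3164).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI = facility * 8 + severity; 191 (facility 23 / local7, severity 7) is the maximum.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")

# RFC 3164: "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG..."; RFC 5424: "<PRI>1 ..." (version 1).
RFC3164_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ \S")
RFC5424_RE = re.compile(r"^<\d{1,3}>1 ")

# Assumed Cisco IOS layout (sequence number and timestamp are optional; both
# depend on "service sequence-numbers" / "service timestamps" on the device):
#   48: *Mar  1 18:48:50.483: %SYS-5-CONFIG_I: Configured from console by vty0
CISCO_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:[*.]?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?)"
    r"(?:\s+[A-Z]{2,5})?:\s+)?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)


def parse_pri(line):
    """Split off a valid <PRI> header; returns (fields or None, remainder)."""
    m = PRI_RE.match(line)
    if not m:
        return None, line
    pri = int(m.group("pri"))
    if pri > 191:
        return None, line
    sev = pri & 7
    return {"facility": pri >> 3, "severity": sev, "level": SEVERITIES[sev]}, line[m.end():]


def parse_syslog_line(line):
    """Return the flat fields an extractor would produce for one raw line."""
    fields = {
        "rfc3164": bool(RFC3164_RE.match(line)),
        "rfc5424": bool(RFC5424_RE.match(line)),
    }
    pri, rest = parse_pri(line)
    if pri:
        fields.update(pri)
    m = CISCO_RE.match(rest)
    if not m:
        fields["message"] = rest
        return fields
    fields.update(
        seq=int(m.group("seq")) if m.group("seq") else None,
        cisco_timestamp=m.group("ts"),
        cisco_facility=m.group("fac"),
        cisco_severity=int(m.group("sev")),
        mnemonic=m.group("mnemonic"),
        message=m.group("text"),
    )
    # The %FAC-SEV-MNEMONIC severity is what operators read; flag it if the PRI disagrees.
    fields["severity_mismatch"] = pri is not None and pri["severity"] != int(m.group("sev"))
    return fields


# Constructed sample lines: two Cisco-style lines (no hostname, so not RFC 3164)
# and the RFC 3164 example message, to exercise both paths.
SAMPLE_LINES = [
    "<189>48: *Mar  1 18:48:50.483: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "<187>50: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_syslog_line(sample))
```

On a Syslog input Graylog applies its own RFC parser to these lines; on a Raw/Plaintext input the whole line lands in "message" and the regex above is what a Regex or Grok extractor would have to express, with the PRI arithmetic giving the level and facility the question asked about.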

Re: [graylog2] Automatically parsed fields in Syslog TCP/UDP input

2016-08-30 Thread Jochen Schalanda
On 29 August 2016 16:47:12 UTC+2, Jochen Schalanda wrote: >> >> Hi Markus, >> >> On Friday, 26 August 2016 20:06:04 UTC+2, Markus Fischbacher wrote: >> >>> Anton know a way to extract syslog Levels. That doesn't come in the >>> message itself. Level

[graylog2] Re: Geo-Location Processor doesn't create _geolocation fields for custom fields created by pipeline rules

2016-08-30 Thread Jochen Schalanda
nshot: > > > > > > On Tuesday, 30 August 2016 10:16:01 UTC+2, Jochen Schalanda wrote: >> >> Hi Jan, >> >> On Tuesday, 30 August 2016 10:03:24 UTC+2, Jan wrote: >>> >>> An Example message can look like this […] >>> >> >>

[graylog2] Re: Geo-Location Processor doesn't create _geolocation fields for custom fields created by pipeline rules

2016-08-30 Thread Jochen Schalanda
Hi Jan, On Tuesday, 30 August 2016 10:03:24 UTC+2, Jan wrote: > > An Example message can look like this […] > Okay, and what does it look like after you've extracted those IP addresses? Cheers, Jochen

[graylog2] Re: Message truncating issue

2016-08-30 Thread Jochen Schalanda
Hi Jamie, your issue is caused by the ShortMessageLength setting in nxlog: https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#xm_gelf This will be addressed out-of-the-box in the next version of Graylog, see https://github.com/Graylog2/graylog-plugin-collector/issues/6 for details.

Re: [graylog2] 404 Error at Login

2016-08-29 Thread Jochen Schalanda
Hi Dave, the rest_transport_uri setting and the rest_listen_uri setting you've chosen are incompatible. I'd recommend setting only rest_listen_uri to your public IP address and using the default for rest_transport_uri (i. e. remove your own setting). Cheers, Jochen > On 29.08.2016 at 17:42

[graylog2] Re: Graylog Cluster - Adding a Second Node

2016-08-29 Thread Jochen Schalanda
Hi Dustin, On Friday, 26 August 2016 19:54:03 UTC+2, Dustin Tennill wrote: > > Now for the issue(s): > 1. We see only incoming log message from a single source when searching > the last five minutes. It is always the same source. This happens even we > KNOW there are other log data from past

[graylog2] Re: Indicators of Compromise (IOCs)

2016-08-29 Thread Jochen Schalanda
Hi Julius, there's currently no official integration of TAXII with Graylog. I guess you would need to write a custom plugin for integrating TAXII or other IoC feeds and check against them. Cheers, Jochen On Monday, 29 August 2016 03:25:26 UTC+2, juliusb...@gmail.com wrote: > > graylog newbie

[graylog2] Re: Graylog Stack on Docker with Rancher

2016-08-29 Thread Jochen Schalanda
Hi Yossi, I'm not sure what the specific problem is, but you can configure Graylog to connect to a MongoDB replica set providing more than one MongoDB URI, see https://github.com/Graylog2/graylog2-server/blob/2.0.3/misc/graylog.conf#L384-L385 for an example. Cheers, Jochen On Sunday, 28

[graylog2] Re: Extractor for multiple regex groups

2016-08-29 Thread Jochen Schalanda
Hi Werner, support for multiple match groups will most likely not be added to the RegEx extractor. But you can use the message processing pipelines to write a rule doing what you want or use a Grok extractor instead. Cheers, Jochen On

[graylog2] Re: JSON extractor in 2.0.3, am I missing something?

2016-08-29 Thread Jochen Schalanda
For reference: https://github.com/Graylog2/graylog2-server/issues/2751 We will tackle this issue in one of the next releases of Graylog. Cheers, Jochen On Friday, 26 August 2016 13:32:03 UTC+2, Kostya Vasilyev wrote: > > Jochen, > > On Friday, August 26, 2016 at 1:49:04 PM U

[graylog2] Re: graylog message in unwanted characters

2016-08-29 Thread Jochen Schalanda
Hi Sam, what kind of input did you create in Graylog? What kind of client does send this binary content? What should it send? Cheers, Jochen On Sunday, 28 August 2016 01:12:14 UTC+2, sam wrote: > > Hi All, > > I see some different messages in my graylog server. Not sure of this > language.

[graylog2] Re: Graylog server logs collector error

2016-08-29 Thread Jochen Schalanda
Hi Sam, which tags did you configure in the Graylog web interface for your collectors and how did you configure this specific Graylog Collector Sidecar? Cheers, Jochen On Saturday, 27 August 2016 12:17:23 UTC+2, sam wrote: > > HI All, > > I am able to get logs into the server. but I see the

[graylog2] Re: Graylog graylog-2.1.0-rc.1.tgz Web Interface not loading

2016-08-29 Thread Jochen Schalanda
Hi, please post the complete Graylog configuration file and the complete Graylog log file. Are there additionally any error messages in the Developer Console of your web browser when opening http://10.20.2.75:9000/api/? Cheers,

Re: [graylog2] Automatically parsed fields in Syslog TCP/UDP input

2016-08-29 Thread Jochen Schalanda
Hi Markus, On Friday, 26 August 2016 20:06:04 UTC+2, Markus Fischbacher wrote: > Anton know a way to extract syslog Levels. That doesn't come in the > message itself. Level and facility should be udp section? > Could you please rephrase that? I don't understand what you're trying to say.

[graylog2] Re: Multiple nodes in a cluster

2016-08-26 Thread Jochen Schalanda
Hi Steve, On Wednesday, 24 August 2016 22:55:21 UTC+2, Steve Kuntz wrote: > > [NodePingThread] Did not find meta info of this node. Re-registering. I > have changed all IPs appropriately in the configuration of the 3rd node. > This error message is usually a sign of clock skew on the Graylog

[graylog2] Re: JSON extractor in 2.0.3, am I missing something?

2016-08-26 Thread Jochen Schalanda
Hi Kostya, On Thursday, 25 August 2016 16:02:23 UTC+2, Kostya Vasilyev wrote: > > If you meant that there are no double quotes around key names -- that's > just how shows in the Graylog UI. > No, that's the actual content of the "result" field. On Thursday, 25 August 2016 16:02:23 UTC+2,

[graylog2] Re: How to change the data type of an extracted field

2016-08-26 Thread Jochen Schalanda
Hi, you can't change the types of a field in an existing index. The schema has to be defined up-front. I'm pretty sure you want to read http://docs.graylog.org/en/2.0/pages/configuration/elasticsearch.html#custom-index-mappings . Cheers, Jochen On Friday, 26 August 2016 05:38:44 UTC+2, Gray
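
The answer above makes two points: the type of a field that already exists in an index cannot be changed, and the custom mapping has to be defined up-front (as an index template). The following is an added example for this page, not Graylog code and not taken from the linked documentation page: it builds a template in the shape that page documents for Graylog 2.x on Elasticsearch 2.x (template name graylog-custom-mapping, "message" mapping type) and compares the desired types against an existing index's mapping, so you can see which fields will only change after the active write index is rotated. The existing mapping and the field list are constructed; the index prefix must match your elasticsearch_index_prefix.

```python
import json

# Added example (not Graylog code, not from the thread): why a field type
# cannot be changed in place and what the custom index template looks like.

# Constructed: the part of "GET /graylog2_0/_mapping" this check needs
# (same shape as the excerpt quoted earlier in this list).
EXISTING_MAPPING = {
    "graylog2_0": {
        "mappings": {
            "message": {
                "properties": {
                    "message": {"type": "string"},
                    "ipt2323": {"type": "string", "index": "not_analyzed"},
                    "response_time": {"type": "string"},
                }
            }
        }
    }
}

# Desired types: keep ipt2323 as it is, turn response_time into a number.
DESIRED_FIELDS = {
    "ipt2323": {"type": "string", "index": "not_analyzed"},
    "response_time": {"type": "long"},
}


def build_custom_mapping_template(fields, index_prefix="graylog"):
    """Index template in the shape the Graylog 2.x documentation uses for custom
    mappings (Elasticsearch 2.x syntax, "message" mapping type)."""
    return {
        "template": f"{index_prefix}_*",
        "mappings": {"message": {"properties": dict(fields)}},
    }


def existing_field_types(index_mapping):
    """Flatten a _mapping response to {field: (type, index option)}."""
    out = {}
    for body in index_mapping.values():
        props = body.get("mappings", {}).get("message", {}).get("properties", {})
        for name, spec in props.items():
            out[name] = (spec.get("type"), spec.get("index"))
    return out


def mapping_conflicts(index_mapping, desired):
    """Fields already mapped with a different type. They keep the old type in the
    existing index; the template only affects indices created after it, so the
    active write index has to be rotated before the new type is in effect."""
    current = existing_field_types(index_mapping)
    conflicts = {}
    for name, spec in desired.items():
        want = (spec.get("type"), spec.get("index"))
        if name in current and current[name] != want:
            conflicts[name] = {"current": current[name], "desired": want}
    return conflicts


if __name__ == "__main__":
    # PUT this document to /_template/graylog-custom-mapping on Elasticsearch.
    print(json.dumps(build_custom_mapping_template(DESIRED_FIELDS, "graylog2"), indent=2))
    print("needs rotation for:", mapping_conflicts(EXISTING_MAPPING, DESIRED_FIELDS))
```

Searches that span old and new indices will then see response_time as a string in the old ones and as a number in the new ones; that is the expected outcome of the in-place limitation, not a bug.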

[graylog2] Re: [ANNOUNCE] Graylog v2.1.0-RC.1 has been released

2016-08-26 Thread Jochen Schalanda
Hi, On Thursday, 25 August 2016 23:33:54 UTC+2, 123Dev wrote: > > Or is it simply following these steps. > > http://docs.graylog.org/en/latest/pages/configuration/graylog_ctl.html#upgrade-graylog > Which were used to upgrade from 2.0 to 2.0.3 > Yes, that should still work but make sure to read

[graylog2] Re: VMware OVF disk filled, now have all shards unassigned

2016-08-26 Thread Jochen Schalanda
Hi Obie, On Thursday, 25 August 2016 23:03:42 UTC+2, Obie wrote: > > I tried this script: > > > #!/bin/bash > > for shard in $(curl -XGET http://localhost:9200/_cat/shards | grep > UNASSIGNED | awk '{print $2}'); do > curl -XPOST 'localhost:9200/_cluster/reroute' -d '{ > "commands" : [ { >

[graylog2] Re: JSON extractor in 2.0.3, am I missing something?

2016-08-25 Thread Jochen Schalanda
Hi Kostya, the string {subs=57, devs=34} isn't valid JSON. The JSON extractor will only work with a valid JSON payload. Cheers, Jochen On Thursday, 25 August 2016 15:14:38 UTC+2, Kostya Vasilyev wrote: > > Hi, > > I'm new to Graylog, so far so good, but ran into an issue trying to use > the
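
Two threads in this list hit the same wall: the JSON extractor needs a real JSON document, so a string like {subs=57, devs=34} is rejected, and the key=value extractor question earlier asked about empty values. The following is an added example for this page, not Graylog's JSON or key=value extractor and not code from either thread: a small key=value parser that keeps empty values as empty strings, tolerates the brace-wrapped form and quoted values, and is only used after json.loads has failed. The sample inputs are constructed.

```python
import json
import re

# Added example (not from the thread, not Graylog's JSON or key=value extractor):
# a key=value parser that keeps empty values and copes with the brace-wrapped
# "{subs=57, devs=34}" form, behind a JSON-first dispatch.

KV_RE = re.compile(
    r"(?P<key>[A-Za-z_][A-Za-z0-9_.-]*)="
    r"(?:\"(?P<dq>(?:[^\"\\]|\\.)*)\"|'(?P<sq>[^']*)'|(?P<bare>[^\s,}]*))"
)


def coerce(value):
    """Integers and decimals become numbers; '' stays '' so an empty value is still a field."""
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    if re.fullmatch(r"-?\d+\.\d+", value):
        return float(value)
    return value


def parse_kv(text):
    """Parse key=value pairs separated by whitespace or commas."""
    text = text.strip()
    if text.startswith("{") and text.endswith("}"):
        text = text[1:-1]
    fields = {}
    for m in KV_RE.finditer(text):
        if m.group("dq") is not None:
            value = m.group("dq").replace('\\"', '"')
        elif m.group("sq") is not None:
            value = m.group("sq")
        else:
            value = m.group("bare")
        fields[m.group("key")] = coerce(value)
    return fields


def extract(text):
    """Try real JSON first (what the JSON extractor needs), fall back to key=value."""
    try:
        obj = json.loads(text)
        if isinstance(obj, dict):
            return "json", obj
    except ValueError:
        pass
    return "kv", parse_kv(text)


# Constructed inputs: the non-JSON string from the thread, a line with an empty
# value and an escaped quote, and the same data as valid JSON.
SAMPLES = [
    "{subs=57, devs=34}",
    'user=alice action=login result= src=10.0.0.5 msg="failed: bad \\"pin\\""',
    '{"subs": 57, "devs": 34}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(extract(sample))
```

In Graylog the equivalent of the fallback branch is a Regex or Grok extractor, or a pipeline rule using key_value(); the point of the json.loads check is that the JSON extractor will never see the braces form as a document, however JSON-like it looks.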

[graylog2] Re: Issues parsing incoming fields in a good way

2016-08-25 Thread Jochen Schalanda
Thanks for sharing! On Thursday, 25 August 2016 12:32:59 UTC+2, ravedog wrote: > > > Hi, > > Thanks for your answer, I solved this yesterday and i thought I share my > findings here in case anyone else have the same need. > Due to the solution looking like this (parsing being made in the client

[graylog2] Re: Issues parsing incoming fields in a good way

2016-08-24 Thread Jochen Schalanda
Hi, looking at the bash snippet you've posted, it should be fairly easy to iterate over the scanned/infected files and create a separate GELF message for each. If you need to know which infected files were found by the same scan, you can simply add a unique identifier to the GELF messages

[graylog2] Re: Graylog 2.0.3 recommended MongoDB version

2016-08-24 Thread Jochen Schalanda
Hi Aleksey, while we recommend using the latest stable version of MongoDB for Graylog 2.x, MongoDB 2.6.x from EPEL should also work fine. Cheers, Jochen On Wednesday, 24 August 2016 16:00:33 UTC+2, Aleksey Chudov wrote: > > Hi, > > In accordance with current documentation >

Re: [graylog2] Graylog 2.0 SSL issue

2016-08-24 Thread Jochen Schalanda
Hi Anant, maybe Midori is using another certificate store than the other web browsers you've mentioned. In any case, if you're using a self-signed certificate, you need to add this certificate to the list of trusted certificates in your web browser or system trust store. On an additional

[graylog2] Re: Graylog Failing jvm Allocation Failure [jvm] [graylog-4e9a7285-48ce-468c-8604-6b2bf613eafd] [gc][old][501][37] duration [38.6s],

2016-08-24 Thread Jochen Schalanda
Hi Ricardo, try configuring *less* heap memory for your JVM, ideally less than 32G. See https://blog.codecentric.de/en/2014/02/35gb-heap-less-32gb-java-jvm-memory-oddities/ for details. Cheers, Jochen On Wednesday, 24 August 2016 15:02:10 UTC+2, Ricardo Ferreira wrote: > > So, we have a 2

[graylog2] Re: Issues parsing incoming fields in a good way

2016-08-24 Thread Jochen Schalanda
Hi, splitting a message into multiple messages according to the pattern you've mentioned is kind of hard. I would (still) recommend changing the generation of the GELF messages at the source and sending one GELF message for each infected/found file. If you tell us how you generate the GELF

Re: [Internet] [graylog2] Re: Quick value failure on field called "status"

2016-08-23 Thread Jochen Schalanda
Please ignore that, I was looking up the wrong resource in the Graylog REST API. On Tuesday, 23 August 2016 18:28:11 UTC+2, Jochen Schalanda wrote: > > Hi Mathieu, > > have you tried using the correct query parameter, i. e. "fields" instead > of "field" in

Re: [Internet] [graylog2] Re: Quick value failure on field called "status"

2016-08-23 Thread Jochen Schalanda
\"include_upper\":true}}},{\"query_string\":{\"query\":\"streams:55dc68d60cf293c638ddf255\"}}]}},\"aggregations\":{\"gl2_terms\":{\"terms\":{\"field\":\"status\",\"size\":50}},\"missing\":{\"

[graylog2] Re: filter message logstash

2016-08-23 Thread Jochen Schalanda
Hi Rafael, you can simply use conditionals (see https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals) and the drop filter (see https://www.elastic.co/guide/en/logstash/current/plugins-filters-drop.html) to match the messages you want to process and

[graylog2] Re: Graylog2 LDAP settings disappear

2016-08-23 Thread Jochen Schalanda
Hi Robin, make sure that there is only 1 entry in the ldap_settings collection in MongoDB. Additionally, make sure that all Graylog nodes are using the exact same password_secret. Cheers, Jochen On Thursday,
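
Several answers in this list are really one rule: settings in graylog.conf that must agree across a cluster. password_secret has to be identical on every node (it is what the LDAP settings above depend on), the SMTP settings have to be present on every instance, and rest_transport_uri must be an address other nodes can actually reach rather than the 0.0.0.0 wildcard. The following is an added example for this page, not Graylog code: it parses a few node configs and reports violations of those rules without ever printing the secret itself. The two configs and the password_secret values are constructed placeholders.

```python
import hashlib

# Added example (not Graylog code): a consistency check over several nodes'
# graylog.conf for the points raised in these threads. Sample configs are
# constructed and the secrets in them are placeholders.


def parse_graylog_conf(text):
    """graylog.conf is 'key = value' per line; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def fingerprint(secret):
    """Compare secrets by a short hash so the report never contains the secret itself."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


MUST_EXIST_PER_NODE = ("transport_email_hostname", "transport_email_from_email")


def check_cluster(configs):
    """configs maps node name -> graylog.conf text; returns a list of findings."""
    parsed = {node: parse_graylog_conf(text) for node, text in configs.items()}
    findings = []

    prints = {node: fingerprint(c.get("password_secret", "")) for node, c in parsed.items()}
    if len(set(prints.values())) > 1:
        findings.append(f"password_secret differs across nodes: {prints}")

    for node, c in parsed.items():
        # graylog.conf itself documents the 16 character minimum for password_secret.
        if len(c.get("password_secret", "")) < 16:
            findings.append(f"{node}: password_secret is shorter than the required 16 characters")
        for key in MUST_EXIST_PER_NODE:
            if not c.get(key):
                findings.append(f"{node}: {key} is not set (SMTP settings are needed on every node)")
        transport = c.get("rest_transport_uri", "")
        if "0.0.0.0" in transport or "[::]" in transport:
            findings.append(f"{node}: rest_transport_uri is a wildcard address; other nodes cannot reach it")
    return findings


# Constructed configs; the password_secret values are placeholders, not real secrets.
NODE_A = """
is_master = true
password_secret = PLACEHOLDERsecretAAAAAAAAAAAAAAAA
rest_listen_uri = http://10.0.0.11:9000/api/
transport_email_hostname = mail.example.org
transport_email_from_email = graylog@example.org
"""

NODE_B = """
is_master = false
# last character differs from node A
password_secret = PLACEHOLDERsecretAAAAAAAAAAAAAAAB
rest_listen_uri = http://0.0.0.0:9000/api/
rest_transport_uri = http://0.0.0.0:9000/api/
transport_email_from_email = graylog@example.org
"""

if __name__ == "__main__":
    for finding in check_cluster({"node-a": NODE_A, "node-b": NODE_B}):
        print(finding)
```

Run it against the configs collected from all nodes before looking in MongoDB; a mismatched password_secret shows up as encrypted settings (such as the LDAP bind password) that one node can read and another cannot, which is easy to mistake for the settings having disappeared.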

[graylog2] Re: Quick value failure on field called "status"

2016-08-23 Thread Jochen Schalanda
Hi Mathieu, the Graylog REST API changed between Graylog 1.x and Graylog 2.x. What exactly should the request you've posted do? Cheers, Jochen On Tuesday, 23 August 2016 14:14:13 UTC+2, Mathieu Grzybek wrote: > > Hello, > > I have found that since my upgrade to 2.0 I cannot compute the

[graylog2] Re: Time (Daylight saving time) Issue

2016-08-23 Thread Jochen Schalanda
Hi Jorg, as Eric already mentioned, the best practice is to run all servers and all network appliances on UTC and not a local timezone which is prone to DST. This being said, you could probably write Drools rules to adjust the timestamps/timezone of those devices:
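
The advice above (run everything on UTC; otherwise adjust the device timestamps in a rule) hides two edge cases that a naive offset-based adjustment gets wrong: the hour that occurs twice when clocks go back and the hour that never occurs when they go forward. The following is an added example for this page, not a Drools rule and not Graylog code: it converts a device's local syslog timestamp to UTC under the EU rule (clocks change at 01:00 UTC on the last Sunday of March and of October, which is the real rule) and reports both cases instead of guessing. The sample records are constructed for a device logging in Central European local time (UTC+1, UTC+2 in summer).

```python
from datetime import datetime, timedelta, timezone

# Added example (not a Drools rule and not Graylog code): normalise a device's
# local timestamp to UTC under the EU DST rule and report the two cases a naive
# conversion silently gets wrong. Sample records are constructed.


def last_sunday(year, month):
    """Last Sunday of the month as a naive datetime at midnight."""
    first_next = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    last_day = first_next - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)


def eu_dst_active(utc_naive):
    """True if EU summer time is in force at this UTC instant."""
    start = last_sunday(utc_naive.year, 3).replace(hour=1)
    end = last_sunday(utc_naive.year, 10).replace(hour=1)
    return start <= utc_naive < end


def local_to_utc(local_naive, standard_offset_hours=1):
    """Convert a naive local time to UTC. Returns (aware UTC datetime or None, status)
    where status is 'ok', 'ambiguous' (hour repeated in autumn; the first, summer
    time reading is used) or 'nonexistent' (hour skipped in spring)."""
    std = timedelta(hours=standard_offset_hours)
    candidates = []
    for offset, is_dst in ((std + timedelta(hours=1), True), (std, False)):
        utc = local_naive - offset
        # A candidate is consistent if DST really was in force at that UTC instant.
        if eu_dst_active(utc) == is_dst:
            candidates.append(utc)
    if not candidates:
        return None, "nonexistent"
    status = "ambiguous" if len(candidates) == 2 else "ok"
    return candidates[0].replace(tzinfo=timezone.utc), status


def normalise(records, offset_hours=1):
    """records: list of (year, 'Mon dd hh:mm:ss'), the syslog-style device timestamp
    plus the year it lacks. Returns (stamp, UTC ISO string or None, status) per record."""
    out = []
    for year, stamp in records:
        local = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        utc, status = local_to_utc(local, offset_hours)
        out.append((stamp, utc.isoformat() if utc else None, status))
    return out


SAMPLE_RECORDS = [
    (2016, "Jul 01 12:00:00"),  # plain summer-time record
    (2016, "Oct 30 02:30:00"),  # clocks went back: this local time happened twice
    (2016, "Mar 27 02:30:00"),  # clocks went forward: this local time never happened
]

if __name__ == "__main__":
    for row in normalise(SAMPLE_RECORDS):
        print(row)
```

For the ambiguous case an analyst can only pick the right reading from context (sequence numbers or neighbouring events), and the nonexistent case means the device clock or its timezone setting is wrong; both are reasons to keep the devices on UTC rather than repair timestamps after the fact.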

[graylog2] Re: No inputs running on newly added graylog server

2016-08-23 Thread Jochen Schalanda
Hi Avdhoot, if you think this is a bug, please create an issue for it at https://github.com/Graylog2/graylog2-server/issues. Cheers, Jochen On Thursday, 18 August 2016 18:21:10 UTC+2, Avdhoot Dendge wrote: > > This is very weird. > > I have added new graylog node. Web console showing input is

[graylog2] Re: message routed to stream but e-mail notification did not fire

2016-08-17 Thread Jochen Schalanda
Hi Rob, which version of Graylog are you using? Are there any messages in the stream you've created? Did you create a proper alert condition (and if so, what is it)? Cheers, Jochen On Tuesday, 16 August 2016 20:25:33 UTC+2, Rob Reinhardt wrote: > > I have OpenNMS writing all events to syslog

[graylog2] Re: CSV to field converter using whitespace delimiter

2016-08-17 Thread Jochen Schalanda
Hi Julio, use Grok. Cheers, Jochen On Tuesday, 16 August 2016 17:28:21 UTC+2, juli...@gmail.com wrote: > > Hi, > > > So it seems the CSV to field converter doesn't work with whitespace > delimiters? > > Sample log: > 2016-08-16 15:14:20 192.168.20.100 POST /Clients - 80 DOMAIN\user >

Re: [graylog2] Re: syslog to graylog

2016-08-17 Thread Jochen Schalanda
Hi Sam, why would you try to send syslog messages directly into Elasticsearch on port 9300, 9350, or 9200? You have to create a syslog input in Graylog and send data there, see https://github.com/Graylog2/graylog-guide-syslog-linux/blob/master/README.md for details. Cheers, Jochen On

Re: [graylog2] Re: syslog to graylog

2016-08-17 Thread Jochen Schalanda
Hi Sam, it looks like there is no Syslog input running on port 5140 on this machine. Cheers, Jochen On Tuesday, 16 August 2016 20:21:41 UTC+2, sam wrote: > > Hi Ha, > > below is the output for netstat -tulpen: where my graylog address is : > 162.20.100.27 > > Active Internet connections

[graylog2] Re: Steps to upgrade to Graylog 2.0 and ElasticSearch 2.3 (from 1.3 and 1.7 respectively)

2016-08-17 Thread Jochen Schalanda
Hi Jimmy, you have to stop processing on all Graylog nodes (so that messages are being written into the disk journal but not into Elasticsearch), upgrade your Elasticsearch cluster, stop all Graylog nodes, upgrade all Graylog nodes, then start all Graylog nodes again. For more details, please

[graylog2] Re: ERROR: org.glassfish.jersey.server.ServerRuntime$Responder - An I/O error has occurred while writing a response message entity to the container output stream.

2016-08-17 Thread Jochen Schalanda
Hi Julio, some HTTP client cut off the connection to the Graylog REST API before the complete response could be sent. Nothing to worry about. Cheers, Jochen On Tuesday, 16 August 2016 22:30:59 UTC+2, juli...@gmail.com wrote: > > So what is this and what caused this?? My guess is something to

[graylog2] Re: Debian/Ubuntu SHA1Removal causing error when updating package list from graylog repo

2016-08-16 Thread Jochen Schalanda
Hi Stefan, please create a GitHub issue for this at https://github.com/Graylog2/fpm-recipes/issues/ and make sure to link to https://github.com/Graylog2/fpm-recipes/issues/58 in your comment. Cheers, Jochen On Tuesday, 16 August 2016 13:12:10 UTC+2, Stefan Ioan wrote: > > Hello, > > Please

[graylog2] Re: Graylog collector (deprecated) for graylog 2.0 connecting issues

2016-08-16 Thread Jochen Schalanda
Hi Sam, make sure that there is no packet filter or firewall blocking access to the host 162.20.100.27 on port 12201/tcp and that packets to 162.20.100.27 can be routed correctly by the machine running Graylog Collector. Cheers, Jochen On Tuesday, 16 August 2016 06:59:30 UTC+2, sam wrote: >

[graylog2] Re: Graylog rest api not positioning widgets on dashboard

2016-08-16 Thread Jochen Schalanda
Hi Alex, how exactly are you using the Graylog REST API and which requests do you send to it? Cheers, Jochen On Monday, 15 August 2016 22:19:03 UTC+2, Alex Stanek wrote: > > Hello, > I am currently trying to position dashboard widgets using Graylog 2.0 rest > api with no such luck on the

[graylog2] Re: Graylog and switch Alcatel Lucent

2016-08-16 Thread Jochen Schalanda
Hi Jordan, please make sure that you have started a matching Syslog input (UDP or TCP) in Graylog and that your network appliances have access to the provided IP address. Additionally, it is possible that the output of your network appliances is not conforming to RFC 3164 or RFC 5424. In this

[graylog2] Re: Redirect python print output to graylog2

2016-08-16 Thread Jochen Schalanda
Hi Jan, you have to provide the specific IP address or host name of Graylog to the Docker daemon with the gelf-address configuration setting. "0.0.0.0" is not a specific IP address but is evaluated as a "wildcard" which has to be resolved somehow. Cheers, Jochen On Sunday, 14 August 2016

[graylog2] Re: Local graylog users but getting password auth from ldap ?

2016-08-16 Thread Jochen Schalanda
Hi, if Graylog has been configured with the necessary LDAP settings, it will sync user information from the directory service to the local user database and re-sync information on every login. So in the end, it's already working the way you want it to. Cheers, Jochen On Friday, 12 August

[graylog2] Re: Deleting Source from Graylog2

2016-08-11 Thread Jochen Schalanda
Hi Marvin, delete-by-query has been moved into a separate Elasticsearch plugin, which you need to install first (at least with Graylog 2.x and Elasticsearch 2.x): https://www.elastic.co/guide/en/elasticsearch/plugins/2.3/delete-by-query-usage.html Other than that, you can use wildcards in the

[graylog2] Re: send catalina.out graylog

2016-08-11 Thread Jochen Schalanda
Hi Rafael, there are various Java GELF appenders for different logging frameworks on the Graylog Marketplace: https://marketplace.graylog.org/addons?tag=java Those can be used to configure the Apache Tomcat logging subsystem in a way, so that messages are directly sent to Graylog:

[graylog2] Re: Retention Period

2016-08-11 Thread Jochen Schalanda
Hi Nathan, the rotation strategy defines how many or how long messages will be retained, see System -> Indices -> Settings. Cheers, Jochen On Wednesday, 10 August 2016 22:37:00 UTC+2, Nathan Mace wrote: > > What is the default retention period of data indexed by Graylog / > Elasticsearch?

[graylog2] Re: /var/log/graylog/graylog.log

2016-08-10 Thread Jochen Schalanda
Hi Julio, On Wednesday, 10 August 2016 17:34:35 UTC+2, juli...@gmail.com wrote: > > So what is the point of the log4j2.xml file then if logs are configured > with svlogd (on the OVA image at least)? What log does it create? > The log4j2.xml file is only being used to configure Graylog's

[graylog2] Re: /var/log/graylog/graylog.log

2016-08-10 Thread Jochen Schalanda
log file settings and svlogd.conf is for > other internal logs. > > > On Wednesday, August 10, 2016 at 6:25:40 AM UTC-4, Jochen Schalanda wrote: >> >> Hi Julio, >> >> the file you've mentioned is being generated by Elasticsearch and can be >> configure

[graylog2] Re: sidecar-collector feature

2016-08-10 Thread Jochen Schalanda
For reference: https://github.com/Graylog2/collector-sidecar/issues/44 On Wednesday, 10 August 2016 06:09:16 UTC+2, Werner van der Merwe wrote: > > Currently in our setup we use a lot of Execs inside an input block. > Is the only way to have execs currently to rather create snippets? > > Would it

[graylog2] Re: My squid drool is not working

2016-08-10 Thread Jochen Schalanda
Hi Daniel, maybe using a normal Grok extractor would be sufficient for your needs, e. g. https://gist.github.com/MiteshShah/6879e09b6999d5c8e77c. Regarding your Drools rules file, please check the logs of your Graylog node for errors. Cheers, Jochen On Tuesday, 9 August 2016 18:31:44 UTC+2,

[graylog2] Re: /var/log/graylog/graylog.log

2016-08-10 Thread Jochen Schalanda
Hi Julio, the file you've mentioned is being generated by Elasticsearch and can be configured in its logging configuration. See https://www.elastic.co/guide/en/elasticsearch/reference/2.3/setup-configuration.html#logging for further details. Cheers, Jochen On Tuesday, 9 August 2016

[graylog2] Re: Use Graylog To Dedup Events?

2016-08-10 Thread Jochen Schalanda
Hi Nathan, deduplication of messages is currently not supported by Graylog, see https://github.com/Graylog2/graylog2-server/issues/466 for a related feature request. Cheers, Jochen On Tuesday, 9 August 2016 22:15:06 UTC+2, Nathan Mace wrote: > > In Splunk, it is easy to search for all of the

[graylog2] Re: send logs GRAYLOG

2016-08-09 Thread Jochen Schalanda
Hi Rafael, all of the mentioned programs would work. Please take a look at https://github.com/Graylog2/graylog-guide-syslog-linux/blob/master/README.md#sending-syslog-from-linux-systems-into-graylog for instructions for configuring rsyslog and syslog-ng. Cheers, Jochen On Tuesday, 9 August

[graylog2] Re: Netflow v9

2016-08-09 Thread Jochen Schalanda
Hi Aldo, feel free to subscribe to https://github.com/Graylog2/graylog-plugin-netflow/issues/1 and https://github.com/Graylog2/graylog-plugin-netflow/issues/2 to stay up-to-date about support for those 2 protocols. Other than that, there's no ETA for those features and to be honest, they're

[graylog2] Re: Separate VMs Running Graylog & Elastic Search Not Connecting

2016-08-08 Thread Jochen Schalanda
ve attached the > log file. > > Thanks! > > Nathan > > On Saturday, August 6, 2016 at 4:42:40 AM UTC-4, Jochen Schalanda wrote: >> >> Hi Nathan, >> >> those errors hint to Graylog not being able to connect to the >> Elasticsearch cluster. Check the logs

Re: [graylog2] Re: stuck to install graylog to our VPS Linux CentOS 6

2016-08-08 Thread Jochen Schalanda
t; > 2016-08-08T10:36:19.154Z INFO [SessionsResource] Invalid username or > password for user "admin" > > 2016-08-08T10:36:25.006Z INFO [SessionsResource] Invalid username or > password for user "admin" > > > > > > Do you have any idea or d