//github.com/Graylog2/graylog2-server/blob/2.1.1/misc/graylog.conf#L417-L419>
>
> is 60 seconds by default.
>
> You should try increasing that time frame to 2 or 5 minutes in your alert
> conditions.
>
> Cheers,
> Jochen
>
> On Tuesday, 27 September 2016 15:56:31 UTC+
xceeds a
> given threshold.
>
> Kr,
> D.
>
> > On 26.09.2016, at 15:51, Nathan Mace <natha...@gmail.com >
> wrote:
> >
> > Sorry for the delayed reply. I've attached screenshots of the Stream
> rules as well as part of a log entry that
Recently upgraded to 2.1 and just noticed this behavior.
I have a stream that matches against two rules:
EventID = 4625
AND
TargetUserName NOT EXACTLY "XX"
If a log matches both of those, send an email. The emails are not being
sent. Looking into it, if I force a failed login attempt it
I've got a pair of servers, one running ES 2.3.5-1 and one running Graylog
2.0.3. I believe the version of ES I'm running is supported by Graylog
2.1.1, so I'm leaving that be for the time being. What is the exact
process for upgrading Graylog? Simply add the new repo and do a "yum
from within the Graylog web ui.
>
> Cheers,
> Marius
>
>
> On 24 August 2016 at 16:07, Nathan Mace <natha...@gmail.com >
> wrote:
>
>> I'm starting to roll out nxlog / Sidecar to replace our Splunk install.
>> However the Windows Event Logs seem to ma
I'm starting to roll out nxlog / Sidecar to replace our Splunk install.
However the Windows Event Logs seem to make it into Graylog just fine
without Sidecar being installed. What does installing Sidecar add to the
mix?
Nathan
--
You received this message because you are subscribed to the
What is the default retention period of data indexed by Graylog /
Elasticsearch? All I can find is the graylog setting for
"retention_strategy" being set to delete, which is fine. But I can't find
what the time period is for that. Thanks!
Nathan
see
> https://github.com/Graylog2/graylog2-server/issues/466 for a related
> feature request.
>
> Cheers,
> Jochen
>
> On Tuesday, 9 August 2016 22:15:06 UTC+2, Nathan Mace wrote:
>>
>> In Splunk, it is easy to search for all of the events of a specific type
>> acro
In Splunk, it is easy to search for all of the events of a specific type
across all of your servers and then dedup those results based on a field.
Is that available in Graylog? I can't seem to find it if it is.
Nathan
> Cheers,
> Jochen
>
> On Friday, 5 August 2016 17:19:19 UTC+2, Nathan Mace wrote:
>>
>> Changed those two settings and now the web interface is working and I am
>> able to login and configure Inputs. Woot!
>>
>> However none of the data that should be receive
> ing_unicast_hosts (so that it's being set to
> x.x.x.149:9300).
>
> Additionally, your web_endpoint_uri is wrong and should be removed
> completely (or at least point to the public address of the Graylog REST
> API).
>
> Cheers,
> Jochen
>
> On Thursday, 4 August 2016
Per my other thread, I decided to delete the VMs and start over from
scratch. Instead of running ES on two nodes and Graylog on one of those
nodes, I've got two VMs, one running ES only and the other running Graylog and
MongoDB only.
ansted -> x.x.x.146 Running Graylog and MongoDB
> Usually, the default config file location is
> /etc/elasticsearch/elasticsearch.yml (see
> https://www.elastic.co/guide/en/elasticsearch/reference/2.3/setup-dir-layout.html#_deb_and_rpm)
>
> and this reproducibly works for me.
>
> Cheers,
> Jochen
>
> On Wednesday,
into weird problems like
this, is it something I want to deal with in a production setting?
Nathan
On Wednesday, August 3, 2016 at 10:18:15 AM UTC-4, Jochen Schalanda wrote:
>
> Hi Nathan,
>
> On Wednesday, 3 August 2016 16:10:55 UTC+2, Nathan Mace wrote:
>>
>> I'm ed
9:16,064][INFO ][transport ] [Invisible Woman]
>> publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {
>> 127.0.0.1:9300}
>
>
> I suggest you double check the configuration files and do the changes I
> suggested in the numerous mails before.
>
On Tuesday, August 2, 2016 at 11:10:49 AM UTC-4, Jochen Schalanda wrote:
>
> Hi Nathan,
>
> please post the *complete* log files of your Elasticsearch and Graylog
> nodes.
>
> Cheers,
> Jochen
>
> On Tuesday, 2 August 2016 16:56:58 UTC+2, Nathan Mace wrote:
>>
> "active" and will be obeyed:
>
> cluster.name: graylog
>
>
> Maybe you've only copy & pasted your configuration files in a strange way
> (which is why I would always recommend sending them as attachments), but
> that's how it looks.
>
> Cheers,
>
ch/reference/2.3/modules-network.html#common-network-settings
>
> for details.
>
> Cheers,
> Jochen
>
> On Monday, 1 August 2016 22:15:32 UTC+2, Nathan Mace wrote:
>>
>> Primary node (MongoDB, Graylog, and ES): IP Address: x.x.x.146
>> Secondary Node (ES Only): IP A
> http://docs.graylog.org/en/2.0/pages/configuration/elasticsearch.html#configuration
>
> for further details.
>
> Cheers,
> Jochen
>
> On Thursday, 28 July 2016 16:52:16 UTC+2, Nathan Mace wrote:
>>
>> I just installed Graylog + Mongo DB + Elastic Search on a Cent OS V
I'm looking to replace a small Splunk instance with Graylog. One of things
that sends logs into Splunk now is many remote field offices' worth of
routers and switches. All via UDP 514. I had originally thought once I
got everything configured I could simply shut down the Splunk server and
>> I just installed Graylog + Mongo DB + Elastic Search on a Cent OS VM,
>> following the Graylog official documentation. Working great.
>>
AM UTC-4, Jochen Schalanda wrote:
>
> Hi Nathan,
>
> On Thursday, 14 July 2016 19:38:20 UTC+2, Nathan Mace wrote:
>>
>> That said, how do I add the Raw/Plaintext input? I understand how to add
>> an input generally, but not one that is specifically for plain tex
> ract the information you want to record with extractors
> on that input.
>
> Cheers,
> Jochen
>
> On Tuesday, 12 July 2016 20:11:25 UTC+2, Nathan Mace wrote:
>>
>> I've got Graylog up and running on the OVA. I'm having trouble getting
>> syslog messages into it
I've got Graylog up and running on the OVA. I'm having trouble getting
syslog messages into it. I've got a Synology NAS setup to send syslog
messages to the OVA's IP address on port 514 via UDP. I can send a test
message but it never shows up in the web console.
I have the following input