dcecchino / glog

VMware Content Packs and Extractors - including Memory/CPU/Storage/LDAP Login/Bad Login/Security Events, Network snooping, and much more! Graylog 3.x and 4.x, Hypervisor and vCenter Appliance.

Home Page: https://github.com/dcecchino/glog

License: Other

Topics: vmware-extractors, cisco-ucs, vcenter, vmware, graylog, graylog-server, vmware-dashboard, storage-area-network, vmware-monitoring, vmware-performance

glog's People

Contributors: dcecchino, petroid

glog's Issues

After installation of the Extractor the Process Buffer goes to 100% and Graylog stops Output

Hello,

I just wanted to try your Content Pack.
After I imported your Extractor vmware_vcenter_extractors to a separate Input, my Graylog stopped working.
The Process Buffer goes to 100% and the Output goes to 0 msg/s.

After I deleted the Extractors from the input and restarted the graylog service, Graylog worked again.
I put a screenshot of the Node Details in the attachment.
For this problem I found the following: https://community.graylog.org/t/process-buffer-flooding-100-process/14685/11

Therefore I clicked on "Actions" > "Get process-buffer dump".
This dump is in the attachment, too.

Maybe you can find the issue...
Actually I have to deactivate your Content pack, otherwise my server goes down.

Thanks!

Regards,

LikeAMader

Attachments: Process-Buffer Dump.txt, Graylog - Details of Node

Import JSON File

Hi,

I hope you can help me with the JSON code for the extractor. I get a syntax error when I try to import. This is the issue: SyntaxError: Unexpected token ] in JSON at position 149994

I have no idea where the problem is :(

Duplicates in vmware_vcenter_extractors

I've been converting the vmware_vcenter_extractors file in this repo from extractors to pipelines and noticed that there are tons of duplicates that do the same thing.

The file is in desperate need of a cleanup to avoid hogging systems that want to stick with input extractors.

vmware7_connection_status : max_bytes_length_exceeded_exception

Describe the bug
vmware7_connection_status is in error: max_bytes_length_exceeded_exception

The errors are displayed in Indexer failures.

  • Graylog 5.2.1
  • Opensearch 2.11.0
  • vcenter 8.0.2
  • ESXi 7.0.3

Complete error message
OpenSearchException[OpenSearch exception [type=illegal_argument_exception, reason=Document contains at least one immense term in field="vmware7_connection_status" (whose UTF8 encoding is longer than the max length 32766), all of which were skipped. Please correct the analyzer to not produce such terms. The prefix of the first immense term is: '[51, 92, 110, 50, 48, 50, 51, 45, 49, 48, 45, 48, 53, 84, 49, 52, 58, 48, 49, 58, 48, 57, 46, 48, 50, 53, 43, 48, 50, 58]...', original message: bytes can be at most 32766 in length; got 57926]]; nested: OpenSearchException[OpenSearch exception [type=max_bytes_length_exceeded_exception, reason=bytes can be at most 32766 in length; got 57926]];

Extractor configuration
Extractor type: Regular expression
Source field: message
Regular expression: is (.*)]

Hi
We have this error since we have installed Glog.
I'm new to Graylog and even more so with Glog. Perhaps it's normal but I prefer to keep you informed.

Thanks

VMWARE_SEV_CURRENT : Document contains at least one immense term in field

Hi

Like in #17
but for VMWARE_SEV_CURRENT

Perhaps it's because we have vcenter 8?

  • Graylog 5.2.1
  • Opensearch 2.11.0
  • vcenter 8.0.2
  • ESXi 7.0.3

Complete error message
OpenSearchException[OpenSearch exception [type=illegal_argument_exception, reason=Document contains at least one immense term in field="VMWARE_SEV_CURRENT" (whose UTF8 encoding is longer than the max length 32766), all of which were skipped. Please correct the analyzer to not produce such terms. The prefix of the first immense term is: '[115, 99, 97, 112, 105, 46, 118, 109, 119, 97, 114, 101, 46, 99, 111, 109, 32, 116, 105, 109, 101, 100, 32, 111, 117, 116, 46, 32, 40, 99]...', original message: bytes can be at most 32766 in length; got 63018]]; nested: OpenSearchException[OpenSearch exception [type=max_bytes_length_exceeded_exception, reason=bytes can be at most 32766 in length; got 63018]];

Extractor configuration
Extractor type: Regular expression
Source field: message
Regular expression: to (.*)]

Unknown field: Query contains unknown field: failure_type

In the Dashboard "VMware Security Events" we can not see any entry in the "Login Failure Past Day username/source ip" widget.
If we press the "play" button in the widget, I get the error "Unknown field: Query contains unknown field: failure_type".

If we search for "Authentication failure" we find this entry

{
  "gl2_accounted_message_size": 257,
  "level": 5,
  "gl2_remote_ip": "xxx.xxx.xxx.xxx",
  "gl2_remote_port": 61862,
  "streams": [
    "000000000000000000000001"
  ],
  "gl2_message_id": "01GSCN6SJ0DPXCRWMNVA9PFJJZ",
  "source": "esxi-34",
  "message": "esxi-34 DCUI[2100792]: pam_unix(dcui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root",
  "gl2_source_input": "63eb861cfca7a04742945d27",
  "facility_num": 10,
  "gl2_source_node": "0b63ce27-e340-4f38-bcd7-ddc91dc5b514",
  "_id": "5d494120-add3-11ed-921a-005056973ded",
  "facility": "security/authorization",
  "timestamp": "2023-02-16T08:24:43.000Z"
}

Installing content_pack.json (point #1)

Hi. It's not quite clear to me how to install the content_pack.json under System/Content Packs, mentioned as the first step to do.

It's a .json file, yet the contents are html, and when I upload it to graylog I get this error:

(screenshot)

Please help.

Document contains at least one immense term in field="vmware_release"

Hi

Like in #17 and #18
but for vmware_release

  • Graylog 5.2.1
  • Opensearch 2.11.0
  • vcenter 8.0.2
  • ESXi 7.0.3

Complete error message
OpenSearchException[OpenSearch exception [type=illegal_argument_exception, reason=Document contains at least one immense term in field="vmware_release" (whose UTF8 encoding is longer than the max length 32766), all of which were skipped. Please correct the analyzer to not produce such terms. The prefix of the first immense term is: '[82, 101, 108, 101, 97, 115, 101, 92, 110, 47, 73, 110, 118, 101, 110, 116, 111, 114, 121, 83, 116, 97, 116, 115, 47, 80, 114, 111, 112, 101]...', original message: bytes can be at most 32766 in length; got 64267]]; nested: OpenSearchException[OpenSearch exception [type=max_bytes_length_exceeded_exception, reason=bytes can be at most 32766 in length; got 64267]];

Extractor configuration
Extractor type: Regular expression
Source field: message
Regular expression: option=(.*)
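The three "immense term" issues above (#17, #18 and vmware_release) share one cause: each extractor's greedy `(.*)` runs to the last `]` (or to the end) of a very long multi-part vCenter message, so the extracted field itself exceeds OpenSearch's 32766-byte term limit. The following is an added example, not code from the glog repository; it reproduces the effect on a constructed message (with literal `\n` sequences, as the byte prefixes in the errors suggest) and shows bounded alternatives (an assumption about the intended values, not the project's own fix) that stop at the first `]` and cap the capture length.

```python
import re

# Hard limit for one indexed term, as quoted in the OpenSearch errors above (bytes).
MAX_TERM_BYTES = 32766

# The extractors exactly as configured in the issues (source field: message).
GREEDY_EXTRACTORS = {
    "vmware7_connection_status": r"is (.*)]",
    "VMWARE_SEV_CURRENT": r"to (.*)]",
    "vmware_release": r"option=(.*)",
}

# Assumed bounded replacements: no match can cross a ']' (or a literal '\' for
# the option value) and the capture is capped, so an immense term is impossible.
BOUNDED_EXTRACTORS = {
    "vmware7_connection_status": r"is ([^\]]{1,256})\]",
    "VMWARE_SEV_CURRENT": r"to ([^\]]{1,256})\]",
    "vmware_release": r"option=([^\s\]\\]{1,256})",
}


def build_sample_message(payload_lines=1500):
    """Constructed vCenter-style message: a short head followed by a huge payload
    joined with literal backslash-n sequences (one physical line, like the issues)."""
    head = ("vcenter vpxd[1234]: [Originator@6876 sub=vpxLro] Host esx-01 is connected] "
            "[Originator@6876 sub=HttpConnectionPool] Connect to scapi.vmware.com timed out.] "
            "option=Release")
    tail = "\\n".join(f"/InventoryStats/PropertyCollector/{i} timed out. (call {i})"
                      for i in range(payload_lines))
    return head + "\\n" + tail + "\\n]"


def extract(field_patterns, message):
    """Apply each regex like a Graylog regex extractor: first capture group, or None."""
    result = {}
    for field, pattern in field_patterns.items():
        m = re.search(pattern, message)
        result[field] = m.group(1) if m else None
    return result


def oversized_fields(extracted):
    """Names of fields whose UTF-8 value the indexer would reject as an immense term."""
    return [f for f, v in extracted.items()
            if v is not None and len(v.encode("utf-8")) > MAX_TERM_BYTES]
```

Running `oversized_fields(extract(GREEDY_EXTRACTORS, build_sample_message()))` names all three fields, while the bounded set yields `connected`, `scapi.vmware.com timed out.` and `Release` and no oversized field.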

Syslog Tuning per SSH not working

Hello,

I wanted to follow your steps in "Tune your esxi syslog configuration via ssh", but unfortunately my esxi is missing some of the files you mentioned.
You described some sed commands for the following files:

  • /etc/vmware/vpxa/vpxa.cfg
  • /etc/vmware/hostd/config.xml
  • /etc/vmware/rhttpproxy/config.xml
  • /etc/opt/vmware/fdm/fdm.cfg
  • /etc/vmware/hostd/probe-config.xml

But my esxi has only the following files:

  • /etc/vmware/rhttpproxy/config.xml
  • /etc/opt/vmware/fdm/fdm.cfg

My ESXi Version is:

  • VMware ESXi, 7.0.3, 18825058

Am I missing something, or how can I generate those files?
Or is there an alternative way to set those log levels globally?

Thanks in advance
Best regards

Hansi

Extractors giving errors on processing

I'm not very familiar with Graylog, but I have imported your extractors and one of them produces this message:

2020-04-22T13:07:16.394-04:00 ERROR [ExtractorFilter] Could not apply extractor "VMware SSH Logins Authentication Failure" (id=0e204ba9-8402-11ea-921b-005056ab1066) to message b7b318a0-84bb-11ea-bca4-005056ab1066
java.lang.RuntimeException: java.lang.IllegalArgumentException: No definition for key 'username' found, aborting

2020-04-22T13:07:16.396-04:00 ERROR [GrokPatternRegistry] Unable to load grok pattern authentication failure; logname= uid=%{BASE10NUM:vmware_uid_number} euid=%{BASE10NUM:vmware_euid_number} tty=ssh ruser= rhost=%{IPV4:ip_address}  user=%{username} into cache
java.lang.IllegalArgumentException: No definition for key 'username' found, aborting

Is this looking for a username with access to the ESX hosts or is it something else entirely?

This is occurring in Graylog 3.2.4+a407287 on Ubuntu 18.0.4.
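The `No definition for key 'username' found` error above is Graylog's grok registry refusing a pattern that references `%{username}`, a name with no definition (grok patterns are registry names; `%{NAME:field}` is how a field name is attached). The following is an added example, not code from the glog repository: a small validator that resolves every `%{...}` reference, including nested ones, against a constructed mini-registry and reports the unresolved names, plus an assumed fix that rewrites a bare lower-case reference such as `%{username}` into `%{USERNAME:username}`.

```python
import re

# Constructed mini-registry standing in for Graylog's grok pattern store. The regexes
# are simplified stand-ins (assumption); only the names and their nesting matter here.
GROK_REGISTRY = {
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "USER": r"%{USERNAME}",
    "BASE10NUM": r"[+-]?[0-9]+(?:\.[0-9]+)?",
    "IPV4": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
}

# The pattern quoted in the error message above, verbatim.
FAILING_PATTERN = (
    "authentication failure; logname= uid=%{BASE10NUM:vmware_uid_number} "
    "euid=%{BASE10NUM:vmware_euid_number} tty=ssh ruser= rhost=%{IPV4:ip_address}  user=%{username}"
)

# Matches %{NAME}, %{NAME:field} and %{NAME:field:type}; NAME must exist in the registry.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?(?::(\w+))?\}")


def undefined_grok_keys(pattern, registry=GROK_REGISTRY, _seen=None):
    """Names referenced by `pattern`, directly or via nested patterns, that the registry lacks."""
    _seen = set() if _seen is None else _seen
    missing = []
    for m in GROK_REF.finditer(pattern):
        name = m.group(1)
        if name in _seen:
            continue
        _seen.add(name)
        if name not in registry:
            missing.append(name)
        else:
            # A defined pattern may itself reference others (e.g. USER -> USERNAME).
            missing.extend(undefined_grok_keys(registry[name], registry, _seen))
    return missing


def fix_bare_field_refs(pattern, registry=GROK_REGISTRY, default_pattern="USERNAME"):
    """Assumed repair: an unresolved lower-case %{name} was meant as a field name,
    so bind it to `default_pattern` as %{DEFAULT:name}; everything else is left alone."""
    def repl(m):
        name = m.group(1)
        if m.group(2) is None and name not in registry and name.islower():
            return "%{" + default_pattern + ":" + name + "}"
        return m.group(0)
    return GROK_REF.sub(repl, pattern)
```

On the failing pattern the validator returns `['username']`, and after the repair it returns nothing, which is the state the registry needs before the extractor can load.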

Rev 3 Fails to install

Revision 3 fails to install on Graylog v3.1.3

It appears to have multiple copies of each component included.

VMware Last resort extractor marks non VMWare log messages

Describe the bug
VMware Last resort extractor marks non VMWare log messages.

To Reproduce
Steps to reproduce the behavior:

  1. Install extractors on SyslogUDP input
  2. Find a message not coming from VMWare
  3. You can see "VMware_EventID"

Expected behavior
In log messages coming from NON VMWare you should not find "VMware_EventID" ...

Screenshots
(screenshot)
