Search results show logs from Elasticsearch & MongoDB

If I simply search for “%SYS-5-CONFIG_I:” I get results which seem like logs from Elasticsearch and MongoDB, see below. The syslog I am interested in is listed after the Elasticsearch and MongoDB logs. I have been able to eliminate these extra logs by changing my search to “%SYS-5-CONFIG_I:” AND NOT (source:elasticsearch OR source:mongodb)

Is there a way to set a default to eliminate the Elasticsearch and MongoDB logs? Not sure why this is happening.

Thank you,

Ex: from Elasticsearch:

Caused by: org.apache.lucene.queryparser.classic.ParseException: Cannot parse '%SYS-5-CONFIG_I:': 
Encountered "<EOF>" at line 1, column 16.


2018-04-23T09:17:20.794-0400 I COMMAND  [conn8] command graylog.$cmd command: update { update: "saved_searches", ordered: true, updates: [ { q: { _id: ObjectId('5adddce0d0ac29033714a614') }, u: { creator_user_id: "admin", created_at: new Date(1524489440495), title: "Configured from console by", query: { rangeType: "relative", fields: "message,source", relative: 432000, query: ""%SYS-5-CONFIG_I:" AND NOT source:elasticsearch" }, _id: ObjectId('5adddce0d0ac29033714a614') }, upsert: true } ] } numYields:0 reslen:110 locks:{ Global: { acquireCount: { r: 3, w: 3 } }, Database: { acquireCount: { w: 2, W: 1 } }, Collection: { acquireCount: { w: 2 } } } protocol:op_query 178ms

You can either stop ingesting these logs (recommended) or drop these messages in a pipeline rule.
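The pipeline-rule option in the reply above, written out as an added example (this rule is not from the thread or from the Graylog project). It drops any message whose `source` field is exactly `elasticsearch` or `mongodb`, which is the same condition the original poster used in the `AND NOT (source:elasticsearch OR source:mongodb)` search filter. The rule name is hypothetical, and the rule assumes the `source` values match those in the poster's query exactly.

```graylog
// Added example: drop Graylog's own Elasticsearch and MongoDB log lines
// before they are indexed, so they never appear in search results.
// Assumes the "source" field holds the values seen in the poster's filter.
// Rule name is hypothetical; attach it to a pipeline stage connected to the
// stream the appliance GELF UDP input writes to (e.g. "All messages").
rule "drop appliance internal logs"
when
  has_field("source") &&
  (to_string($message.source) == "elasticsearch" ||
   to_string($message.source) == "mongodb")
then
  drop_message();
end
```

Dropping only hides these messages; the input still receives and processes them, which is why stopping the input is the recommended fix. If the Elasticsearch or MongoDB errors are still worth keeping for troubleshooting (the Lucene parse error in the question is an example), routing them to a separate stream with `route_to_stream()` instead of `drop_message()` keeps them out of the main search while preserving them.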

Ok, I stopped the appliance-gelf-udp input and that has corrected it.
Thanks,
