TIPS for Posting Questions that Get Answers:
The following is a compendium of tips to help you organize your question and improve your chances of getting a solution to the incident you are having. First, a short list, then some detail on how to pull and post information from your systems.
When you create a new Topic for the community to review with you:
- Search Graylog Documentation, the Graylog community forum, Google … the answer may be out there!
- Have a short informative subject such as: “Post new message via RestAPI with Python”
- Describe your environment and incident in detail in the body of the message
- Use the forum tools when you are posting code or text to help with parsing
- Don’t forget to ALWAYS use “optional tags” to help index your post’s topic!
Guidelines for Describing the incident and environment:
- What is the incident you are trying to work out? We can only see the parts you tell us, so post the relevant information. When posting code or logs, paste them as text (preferred) and use the forum's </> (preformatted text) tool so they are formatted readably. Screenshots are helpful for non-text information.
- Helpful commands are shown below to easily retrieve settings and diagnostic data.
- What have you done to try to solve your problem? Describe all steps you have already taken to resolve the incident.
- Tell a little about your environment: is it a single instance? Docker? Show the versions of Graylog, MongoDB and Elasticsearch you are using, for example:
  * Graylog 4.2.0
  * MongoDB v4.0.27
  * Elasticsearch 7.10.2
Here are some shortcut commands that will give you information about your environment.
The results can be posted in your question to give more detail on your question and its environment:
Find out what versions you have (dpkg on Debian/Ubuntu, yum on RHEL/CentOS):
dpkg -l | grep -E "elasticsearch|graylog|mongo"
yum list installed | grep -E "elasticsearch|graylog|mongo"
Watch Log files:
tail -f /var/log/graylog-server/server.log
tail -f /var/log/mongodb/mongod.log
List all lines in a conf/yml file (removing comments and blank lines):
grep -Ev "^\s*(#|$)" /etc/graylog/server/server.conf
grep -Ev "^\s*(#|$)" /etc/elasticsearch/elasticsearch.yml
grep -Ev "^\s*(#|$)" /etc/graylog/sidecar/sidecar.yml
These files contain secrets: at least password_secret and root_password_sha2 in server.conf, server_api_token in sidecar.yml, and any user:password embedded in elasticsearch_hosts. Replace those values with a placeholder before you paste the output into a public topic.
Check the health of your Elasticsearch instance:
curl -XGET "http://localhost:9200/_cluster/health?pretty"
This will explain why, if there is a health issue (for example, unassigned shards):
curl -XGET "http://localhost:9200/_cluster/allocation/explain?pretty"
List Elasticsearch indices:
curl -XGET "http://localhost:9200/_cat/indices?v"
Throw a test message at your Graylog server (assumes a GELF HTTP input listening on port 12201; -d makes curl send the JSON as an HTTP POST):
curl -v http://<ServerName>:12201/gelf -d '{"short_message":"Hello there", "host":"example.org", "facility":"test", "foo":"bar", "WorkstationName":"zippo", "winlog_event_data_TargetUserName":"BorisKarloff", "this_field":"test text inside this_field"}'
In the default configuration the input accepts this message without any authentication, so anything that can reach that port can inject messages into your log data; keep it restricted to the hosts that should be sending logs.
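The commands above, combined into one collection script, as an added example that is not part of the original post: it gathers the same package versions, settings, cluster health and log tail into a single report, and masks the secret-bearing settings before anything is pasted into a topic. The list of key names it redacts (password_secret, root_password_sha2, elasticsearch_password, transport_email_auth_password, server_api_token, api_token), the masking of user:password credentials embedded in URLs such as elasticsearch_hosts, and the two sample configs are this example's own assumptions, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post: one script that gathers the
# diagnostics the post asks for and redacts secrets before they are pasted.
# Run with --live for a real report; without arguments it demonstrates the
# redaction on constructed sample configs.

# Settings whose values must never appear in a public post. The key names
# are this example's assumption about Graylog server.conf and sidecar.yml.
SECRET_KEYS='password_secret|root_password_sha2|elasticsearch_password|transport_email_auth_password|server_api_token|api_token'

# Filter (stdin -> stdout): drop comments and blank lines, mask the values
# of secret keys, and mask user:password@ credentials embedded in any URL.
show_conf() {
    grep -Ev '^[[:space:]]*(#|$)' \
    | sed -E \
        -e "s/^([[:space:]]*(${SECRET_KEYS})[[:space:]]*[=:][[:space:]]*).*/\\1<REDACTED>/" \
        -e 's#://[^/@[:space:]]+:[^@[:space:]]+@#://<REDACTED>@#g'
}

# Everything the post asks for, in one report on stdout. Each probe may fail
# (other package manager, service not on this host), so the rest still runs.
collect_report() {
    echo "== package versions =="
    { dpkg -l 2>/dev/null; yum list installed 2>/dev/null; } \
        | grep -E 'elasticsearch|graylog|mongo' || echo "(none found)"
    for f in /etc/graylog/server/server.conf \
             /etc/elasticsearch/elasticsearch.yml \
             /etc/graylog/sidecar/sidecar.yml; do
        [ -r "$f" ] || continue
        echo "== $f (comments stripped, secrets redacted) =="
        show_conf < "$f"
    done
    for path in _cluster/health _cluster/allocation/explain _cat/indices; do
        echo "== http://localhost:9200/$path =="
        curl -sS "http://localhost:9200/$path?pretty" || true
    done
    echo "== last 50 lines of server.log =="
    tail -n 50 /var/log/graylog-server/server.log 2>/dev/null || true
}

# Constructed sample standing in for server.conf (not a real config).
SAMPLE_CONF='# Graylog server settings (constructed sample)
is_master = true

password_secret = Gbfu7Yq2thisisfake
root_password_sha2 = 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
elasticsearch_hosts = http://admin:s3cret@es1:9200,http://es2:9200
   # indented comment
http_bind_address = 0.0.0.0:9000'

# Constructed sample standing in for sidecar.yml.
SAMPLE_SIDECAR='server_url: "http://127.0.0.1:9000/api/"
server_api_token: "0123456789abcdef"'

# Return the redacted form of a config given as a string.
redact_sample() { printf '%s\n' "$1" | show_conf; }

if [ "${1:-}" = "--live" ]; then
    collect_report
else
    echo "Redaction demo (use --live for a real report):"
    redact_sample "$SAMPLE_CONF"
    redact_sample "$SAMPLE_SIDECAR"
fi
```

Run it with --live on the Graylog host and paste the output inside the forum's </> block. The redaction is a filter on the text, so it only masks keys it knows about; read the report once before posting in case your setup stores a credential under a name that is not in the list.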