Tips for Posting Questions that Get Answers

TIPS for Posting Questions that Get Answers:

*The following is a compendium of tips to help you organize your question and have better success for getting a solution to the incident you are having. First, a short list, then some detail on how to pull and post information from your systems.

When you create a new Topic for the community to review with you:

  1. Search Graylog Documentation, the Graylog community forum, Google … the answer may be out there!
  2. Have a short informative subject such as: “Post new message via RestAPI with Python
  3. Describe your environment and incident in detail in the body of the message
  4. Use the forum tools when you are posting code or text to help with parsing
  5. Don’t forget to ALWAYS use “optional tags” to help index your post’s topic!

Guidelines for Describing the incident and environment:

  • What is the incident you are trying to work out? We can only see the parts you tell us so post relevant information. When posting code or logs as text (preferred) use the forum tools like </> shown below so it is formatted nicely. Screen shots are helpful for non-text information.

  • Helpful commands shown below to easily retrieve settings and diagnostic data.

  • What have you done to try to solve your problem? Describe all steps you have already taken to resolve the incident.

  • Tell a little about your environment, is it a single instance? Docker? Show the versions of Graylog/Mongo/ElasticSearch you are using.

                 * Graylog 4.2.0
                 * MongoDB v4.0.27
                 * Elasticsearch 7.10.2

Here are some cool shortcut commands that will give you information about your environment.
The results can be posted in your question to give more detail on your question and it’s environment:

Find out what versions you have:

dpkg -l | grep -E ".*(elasticsearch|graylog|mongo).*"
yum list installed | grep -E ".*(elasticsearch|graylog|mongo).*"

Watch Log files:

tail -f /var/log/graylog-server/server.log
tail –f /var/log/mongodb/mongod.log

List all lines in a conf/yml file (removing comments):

cat /etc/graylog/server/server.conf         | egrep -v "^\s*(#|$)"
cat /etc/elasticsearch/elasticsearch.yml    | egrep -v "^\s*(#|$)"
cat /etc/graylog/sidecar/sidecar.yml        | egrep -v "^\s*(#|$)"

Check health of your ElasticSearch instance:
curl -XGET http://localhost:9200/_cluster/health?pretty=true

This will help explain why if there is a health issue:
curl -XGET http://localhost:9200/_cluster/allocation/explain?pretty

List ElasticSearch indicies:
curl -XGET http://localhost:9200/_cat/indices?pretty

Throw a test message at your Graylog server:
curl -v http://<ServerName>:12201/gelf -p0 -d '{"short_message":"Hello there", "host":"", "facility":"test", "foo":"bar","WorkstationName":"zippo","winlog_event_data_TargetUserName":"BorisKarloff ","this_field: ":"test text inside the this_field" }'

Receiving messages are stopping when running set_fields in pipeline
Drop few words from Logs
Uneven distribution of unprocessed messages in graylog nodes
Just installed graylog but i cannot start it!
Sidecar 1.1.0 with winlogbeat file lock issue
Graylog ssl certificate problem, works only in firefox
Configuration of an Extractor on a WAF
Timestamp extractor error
CVE-2021-45046 / Log4J Mitigation
ATT home modem is going to syslog
Not receiving TCP messages
Traffic load balance
Palo Alto Networks Input
Graylog can not show event Definitions on web
What web server does graylog use for its work? I mean Apache, nginx, etc
Rsyslog cannot connect - Permission denied 2027 on Graylog server
Azure OIDC with Graylog non root path
Docker-compose config for running as a specific user with persisted data
Fail to import Content Packs from ver Graylog 2.4.3 to Graylog 4.2.1
Graylog Randomly Stops Processing
Test echo message is not send to raw tcp input and not show in Search
Tips document on how to ask questions in the Community
WARNING: sun.reflect.Reflection.getCallerClass is not supported
Slack Webhook the message is the event name and the source is incorrect
Server Always Starts with Graylog service running, Elasticsearch status: dead
Using a cert to connect graylog to a mongodb cluster
Can you use regex to match patterns in KQL in graylog
Email notifications are behind by one
Can't start inputs
Graylog 4.1.x high CPU usage after updating for log4j
Extracting string from a mesage
Graylog and mail server
Recovering a corrupted mongodb database
Upgrade options for Graylog Enterprise 4.2.5 running on arm64
Question pour la mise en place de Graylog
No more messages flowing inbound? Started over twice now... what am I doing wrong?
Just installed Graylog on a Ubuntu VM, Not Working
Just installed Graylog on a Ubuntu VM, Not Working
Grok Extractor Try succeeds, but not fields in search
The Graylog-server service is not running
(Solved) Graylog Stream shows 12hours ago only
Upgrading from Docker image 4.2.1 to 4.2.2 crash
[Graylog Coommunity 4.2.5] Need help with a regex pipeline
Log from other place
Regular expression ignored in search
Implementing Graylog from Security point of view
How do I send Logdata of HP-UX OS
Reduce size of daily logs from different devices
Export graylog logs into CSV format
Graylog API for frontend
Graylog Empty - Elastic Search Problem Deflector is pointing to [graylog_729], not the newest one: [graylog_730]. Re-pointing
Graylog and Gmail
New AD/LDAP users not synched with Graylog
Graylog.jar version low
How to check log size of all my devices send to graylog daily?
UI stops automatic refresh very often, saying "not updating"
2021-12-09 09:05:40,063 WARN : org.graylog2.lookup.LookupTableService - Lookup table <abuse-ch-ransomware-ip> does not exist
Logs are not shipped to graylog4.3.2 by filebeat
How to search for literal plus and colon, timezone search
I installed graylog free version but can Enterprise version plugin
Different search results via GUI/REST API
Bug when adding license for small business
High Error Rate and TCP RSTs (oh my!)
What's the process for filing certain messages into a different stream?
The Graylog-server service is not running
Cannot see log messages in the graylog received messages
Cannot see log messages in the graylog received messages
Graylog-sidecar filebeat file name
Grok pattern makes output processing stop
Monitoring a docker container
Java problem in startup
Sidecar Cannot Connect To Server
Strange index time ranges
Incomplete CSV export
Searching on a remote server
Reset admin password in docker container
Graylog-Installation does not work anymore
Slf4j 1.7.28 doesn`t work correctly with Java 11 and gelfj-1.1.14
Importing Content Pack from Version 3.1.3 to 4.2.6 Failure
Graylog can only display 1 page of data
"Couldn't refresh data adapter..." logged, but lookup table works fine
How to collect CLF logs with proper fields and timestamps?
Azure Event Hub help
Rename SNMP input fields
Graylog Server not receiving messages from sidecar
Re-indexing data for graylog & elasticsearch upgrade
Complete novice needs help with setting up filters / query
Edit Event Definition page not show
Graylog to nucool integration issue (Error: PKIX path building failed: unable to find valid certification path to requested target)
Rsyslog and logs from Ubuntu to graylog
Default Sidecar collector in configuration? -- features request
Boolean conditions on pipeline rules conditions - Need help, not working
Graylog not found any syslog
Replacing UID with Username using lookup table
Integrating swagger with graylog
Setting up HTTPS connection error - Unreadable or missing HTTP private key
Elasticsearch configuration for graylog action.auto_create_index: false throwing error
Iptables rules for graylog
Sonicwall Syslog
No Message after upgrade to Graylog 4.2.9+f0d8298 - Broken Version?
Watchguard and Graylog
Fetch asset details in a particular graylog stream
Save Data LOG external storage
Log are not display in my input
Alarm through applocker
Graylog set up and working, but trying to move data directory
Graylog can only display 1 page of data

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.