Paul Pretorius
2017-02-20 12:57:38 UTC
Hi Guys
I've deployed Graylog to use for a syslog solution. Currently using
Sidecar to do the collection of winlogs only.
Been running a week and started loading some more hosts ... Then Pooooooof,
Graylog fell over. Initially I was clueless as to what's going on.
After a bit of digging, I found the dreaded Elasticsearch error which seems
to be quite common (bytes can be at most 32766 in length).
I have found a few articles where people say update the analyser, some
others that mention setting index to not_analyzed or Index No. Another
post mentioned to set ignore_above => 256.
Thing is ... I have no clue where to even try setting these things? Can
anybody shed some light please?
I have managed to find the actual message that is too large on the
originating server which is causing the failure. Turns out to be an HP WBEM
Dump Event (Id 1001).
If anyone knows how I can prevent this from happening, or define some sort
of "exclude" for this message, that would be a great help.
Perhaps I could instruct the Sidecar collector to ignore this message? Is
that possible? Would anyone know?
PS - I have tried this with Graylog 2.1 and just tried with 2.2 as well.
Both doing the same thing...
Appreciate your help guys :)
Thanks
Paul.
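As an added illustration (not part of the original thread or of Graylog's own code): the error quoted above is Lucene's per-term limit, which counts UTF-8 bytes rather than characters, and the `ignore_above`/`not_analyzed` settings mentioned in the post live in an Elasticsearch index template. The snippet below checks an event for oversized string fields, truncates safely on a character boundary, and builds an Elasticsearch 2.x style template (the version paired with Graylog 2.1/2.2); the field name `hp_wbem_dump` and the template pattern `graylog_*` are assumptions for the example.

```python
import json

# Lucene's hard limit on a single indexed term, in bytes (not characters),
# as quoted in the Elasticsearch error from the post.
MAX_TERM_BYTES = 32766


def oversized_fields(doc, limit=MAX_TERM_BYTES):
    """Return the names of string fields whose UTF-8 encoding exceeds `limit` bytes."""
    return [k for k, v in doc.items()
            if isinstance(v, str) and len(v.encode("utf-8")) > limit]


def truncate_utf8(value, max_bytes):
    """Cut a string to at most `max_bytes` of UTF-8 without splitting a
    multibyte character (a partial trailing sequence is dropped)."""
    encoded = value.encode("utf-8")
    if len(encoded) <= max_bytes:
        return value
    return encoded[:max_bytes].decode("utf-8", errors="ignore")


def custom_mapping_template(field, ignore_above=256):
    """Elasticsearch 2.x index template mapping `field` as not_analyzed and
    skipping values longer than `ignore_above` characters. Note that
    ignore_above counts characters, whereas the Lucene limit counts bytes."""
    return {
        "template": "graylog_*",          # assumption: Graylog's default index prefix
        "mappings": {
            "message": {                  # Graylog 2.x document type
                "properties": {
                    field: {
                        "type": "string",
                        "index": "not_analyzed",
                        "ignore_above": ignore_above,
                    }
                }
            }
        },
    }


# Constructed sample event: a small header plus one field far past the limit.
SAMPLE_EVENT = {"EventID": "1001", "hp_wbem_dump": "\u00e9" * 20000, "source": "host1"}

if __name__ == "__main__":
    print("oversized:", oversized_fields(SAMPLE_EVENT))
    print(json.dumps(custom_mapping_template("hp_wbem_dump"), indent=2))
```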
--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/efbdfc18-f1e1-4084-be9a-0297da880de6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.