Hi guys, I've deployed Graylog to use as a syslog solution. Currently I'm using Sidecar to do the collection of winlogs only.

It had been running for a week and I started loading some more hosts ... then pooooooof, Graylog fell over. Initially I was clueless as to what was going on. After a bit of digging, I found the dreaded Elasticsearch error which seems to be quite common ("bytes can be at most 32766 in length"). I have found a few articles where people say to update the analyser, some others that mention setting the index to not_analyzed or Index No. Another post mentioned setting ignore_above => 256. Thing is ... I have no clue where to even try setting these things. Can anybody shed some light, please?

I have managed to find the actual message that is too large on the originating server which is causing the failure. It turns out to be an HP WBEM Dump Event (ID 1001). If anyone knows how I can prevent this from happening, or define some sort of "exclude" for this message, that would be a great help. Perhaps I could instruct the Sidecar collector to ignore this message? Is that possible? Would anyone know?

PS - I have tried this with Graylog 2.1 and just tried with 2.2 as well. Both are doing the same thing...

Appreciate your help guys :)

Thanks,
Paul.

To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/efbdfc18-f1e1-4084-be9a-0297da880de6%40googlegroups.com.
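Two Graylog processing pipeline rules that address the failure described above, added here as an illustration and not part of the original post. The field names `winlogbeat_event_id` and `message` are assumptions about how the Sidecar/Winlogbeat input names its fields; check them against a real message in the Graylog search view before attaching the rules to a pipeline connected to the relevant stream.

```text
// Assumed field names: winlogbeat_event_id, message (verify in your own messages).
// Rule 1: keep the oversized HP WBEM dump event out of Elasticsearch entirely.
rule "drop HP WBEM dump events (event id 1001)"
when
    has_field("winlogbeat_event_id") &&
    to_string($message.winlogbeat_event_id) == "1001"
then
    drop_message();
end

// Rule 2: defence in depth for any other field that grows too large.
// The Elasticsearch limit (32766) is in UTF-8 bytes, not characters, and a
// character can take up to 4 bytes, so 8000 characters stays safely under it.
// abbrev() leaves shorter strings untouched and appends "..." when it cuts.
rule "truncate oversized message field"
when
    has_field("message")
then
    let trimmed = abbrev(to_string($message.message), 8000);
    set_field("message", trimmed);
end
```

Rule 1 removes the event at ingestion time so the indexer never sees it; Rule 2 applies to every message on the stream and only changes those whose `message` field exceeds the character limit.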
