Raised in Community Forum instead: https://community.graylog.org/t/beats-input-bytes-can-be-at-most-32766-in-length/147

On Monday, 20 February 2017 12:57:38 UTC, Paul Pretorius wrote:
> Hi Guys
>
> I've deployed Graylog to use for a syslog solution. Currently using
> Sidecar to do the collections of winlogs only.
>
> Been running a week and started loading some more hosts ... Then
> Pooooooof, Graylog fell over. Initially I was clueless as to what's going
> on.
>
> After a bit of digging, I found the dreaded Elasticsearch error which
> seems to be quite common (bytes can be at most 32766 in length)
>
> I have found a few articles where people say update the analyser, some
> others that mention setting index to not_analyzed or Index No. Another
> post mentioned to set ignore_above => 256.
>
> Thing is ... I have no clue where to even try setting these things? Can
> anybody shed some light please?
>
>
> I have managed to find the actual message that is too large on the
> originating server which is causing the failure. Turns out to be a HP WBEM
> Dump Event (Id 1001).
>
> If anyone knows how I can prevent this from happening, or define some sort
> of "exclude" for this message, that would be a great help.
>
>
> Perhaps I could instruct the Sidecar collector to ignore this message? Is
> that possible? Would anyone know?
>
>
> PS - I have tried this with Graylog 2.1 and just tried with 2.2 as
> well. Both doing the same thing...
>
> Appreciate your help guys :)
>
> Thanks
>
> Paul.
