This repository has been archived by the owner on Oct 19, 2023. It is now read-only.

Graylog indexes? #40

Open
mzac opened this issue Sep 13, 2018 · 0 comments

Comments

@mzac

mzac commented Sep 13, 2018

Expected Behavior

Trying to get this module to work with Graylog indexes without any success... Could it be because Graylog creates indexes differently with @timestamp or timestamp? When I try the same query manually with Insomnia it works.

Current Behavior

I am getting an error 400.

Possible Solution

None

Steps to Reproduce (for bugs)

My config files:

instances.ini

[esearch1.lab.local]
uri = "http://esearch1.lab.local:9200"
user = ""
password = ""
ca = ""
client_certificate = ""
client_private_key = ""

eventtypes.ini

[graylog]
instance = "esearch1.lab.local"
index = "graylog_*"
filter = "source={host.name}"
fields = "message"

Context

Example of what I see in a packet capture:

GET /graylog_*/_search HTTP/1.1
User-Agent: ipl/1.0.0 curl/7.29.0 PHP/7.1.8
Transfer-Encoding: chunked
Content-Type: application/json
Host: esearch1.lab.local:9200

{
	"_source": [
		"@timestamp",
		"message"
	],
	"query": {
		"match": {
			"source": "vpn.lab.local"
		}
	},
	"from": 0,
	"size": 25,
	"sort": {
		"@timestamp": "desc"
	}
}

HTTP/1.1 400 Bad Request
content-type: application/json; charset=UTF-8
content-length: 941

{
	"error": {
		"root_cause": [
			{
				"type": "query_shard_exception",
				"reason": "No mapping found for [@timestamp] in order to sort on",
				"index_uuid": "qLEVdPI1Sru5_ijeWsZRHQ",
				"index": "graylog_273"
			},
			{
				"type": "query_shard_exception",
				"reason": "No mapping found for [@timestamp] in order to sort on",
				"index_uuid": "gvJp7c2qR9ma9ZT3ymr2MA",
				"index": "graylog_274"
			}
		],
		"type": "search_phase_execution_exception",
		"reason": "all shards failed",
		"phase": "query",
		"grouped": true,
		"failed_shards": [
			{
				"shard": 0,
				"index": "graylog_273",
				"node": "0h89v-qXTauJznrwfT3N9g",
				"reason": {
					"type": "query_shard_exception",
					"reason": "No mapping found for [@timestamp] in order to sort on",
					"index_uuid": "qLEVdPI1Sru5_ijeWsZRHQ",
					"index": "graylog_273"
				}
			},
			{
				"shard": 0,
				"index": "graylog_274",
				"node": "0h89v-qXTauJznrwfT3N9g",
				"reason": {
					"type": "query_shard_exception",
					"reason": "No mapping found for [@timestamp] in order to sort on",
					"index_uuid": "gvJp7c2qR9ma9ZT3ymr2MA",
					"index": "graylog_274"
				}
			}
		]
	},
	"status": 400
}

Your Environment

  • Module version (System - About): 1.0.0
  • Icinga Web 2 version and modules (System - About): 2.6.1
  • Icinga 2 version (icinga2 --version): 2.9.1
  • Elasticsearch version (curl http://localhost:9200): 5.6.11
  • Operating System and version: Redhat 7
  • Webserver, PHP versions: Apache 2.4.6, PHP 7.1.8 (fpm)
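Two small helpers, added here as an example and not part of the module or of this issue: one parses a 400 response like the one captured above and reports which sort field is unmapped in which indices, the other builds the same search body the module sends but with the timestamp field name configurable and Elasticsearch's `unmapped_type` sort option set, so indices that lack the field are skipped instead of failing the whole request. The sample response is a constructed, trimmed copy of the captured one, and the function names are my own.

```python
import re

# Constructed sample, trimmed from the 400 response captured in the issue.
SAMPLE_ERROR = {
    "error": {
        "root_cause": [
            {"type": "query_shard_exception",
             "reason": "No mapping found for [@timestamp] in order to sort on",
             "index": "graylog_273"},
            {"type": "query_shard_exception",
             "reason": "No mapping found for [@timestamp] in order to sort on",
             "index": "graylog_274"},
        ],
        "type": "search_phase_execution_exception",
        "reason": "all shards failed",
    },
    "status": 400,
}

# Matches the query_shard_exception reason for a sort on an unmapped field.
NO_MAPPING = re.compile(r"No mapping found for \[([^\]]+)\] in order to sort on")


def unmapped_sort_fields(error_body):
    """Return {field: [indices]} for every 'no mapping ... sort on' root cause
    in an Elasticsearch error response; an empty dict if there is none."""
    found = {}
    for cause in error_body.get("error", {}).get("root_cause", []):
        match = NO_MAPPING.search(cause.get("reason", ""))
        if match:
            found.setdefault(match.group(1), set()).add(cause.get("index", "?"))
    return {field: sorted(indices) for field, indices in found.items()}


def search_body(source_host, timestamp_field="@timestamp", size=25,
                tolerate_unmapped=True):
    """Build the module's search body with the sort field configurable.
    With tolerate_unmapped, 'unmapped_type' tells Elasticsearch to treat the
    field as a date on indices where it is not mapped, so those shards no
    longer raise query_shard_exception (an Elasticsearch sort option,
    assumed to be what the module would need; the module itself is not changed)."""
    sort_opts = {"order": "desc"}
    if tolerate_unmapped:
        sort_opts["unmapped_type"] = "date"
    return {
        "_source": [timestamp_field, "message"],
        "query": {"match": {"source": source_host}},
        "from": 0,
        "size": size,
        "sort": [{timestamp_field: sort_opts}],
    }
```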