MHMDhub / enterprise-log-search-and-archive

Automatically exported from code.google.com/p/enterprise-log-search-and-archive

Logs loading but no results in Web UI #7

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
I now have logs loading and can see them in the syslog and syslog_data tables.  
But nothing I have tried shows any results in the Web UI so far.

I see there is data being parsed into some fields properly but just nothing 
coming back to the Web UI.

I have tried to query for stuff that I know is in the syslogs_index_1 table and 
I get nothing back.

What information is needed to help troubleshoot this?

Original issue reported on code.google.com by edavi...@gmail.com on 13 Feb 2012 at 10:58

GoogleCodeExporter commented 8 years ago
Can I bug you with a related question: If I do a search for "class=none", I see 
a few events that include the string attackaler.  They are generated by a 
script.  If I search for "attackalert", I don't see anything.  Same for "test" 
but, when I search for "MAC", I get iptables firewall events.

Original comment by jerrysh...@gmail.com on 9 Mar 2012 at 7:47

GoogleCodeExporter commented 8 years ago
Info on the difference between temp and perm indexes is here: 
http://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation#Index_Configuration .
Searches for class= with no other terms are going to use 
temp indexes, so check out that section of the docs.  Is "attackaler" a 
type-oh, or is it really missing the "t?"  Searches are by keyword, and 
keywords are alphanumeric plus hyphen, dot, at-sign, and underscore.

Original comment by mchol...@gmail.com on 9 Mar 2012 at 7:58

GoogleCodeExporter commented 8 years ago
The "attackaler" is a typo - it finds attackalert if I spell the whole word out 
but it doesn't find "attack".  I'll check out those docs - thanks.

Original comment by jerrysh...@gmail.com on 9 Mar 2012 at 8:08

GoogleCodeExporter commented 8 years ago
Right, no wildcard support.  However, if you're feeling adventurous and really 
want wildcards, there is a way to do it.  It won't scale as well and is 
completely untested in ELSA, but Sphinx supports wildcard searches as of recent 
versions.  If you were interested in trying to make it work, the relevant 
Sphinx doc is here: http://sphinxsearch.com/docs/2.0.4/conf-dict.html .  You 
would change your /usr/local/etc/sphinx.conf to add the dict=keywords directive 
to the "temporary" and "permanent" template indexes and re-index everything 
with /usr/local/sphinx/bin/indexer --config /usr/local/etc/sphinx.conf --all 
--rotate.

Original comment by mchol...@gmail.com on 9 Mar 2012 at 8:20

GoogleCodeExporter commented 8 years ago
Some of my "testing" might be failing because I'm using improper syslog syntax. 
 It seems that the first word (space delimiters...perhaps there are other 
separators) gets dropped so, if I type test, nothing gets stored but if I type 
test test, test gets stored and I can then find that in ELSA.

By not supporting wildcards, I guess that means that every search must be for 
the full "word" - seems like delimiters are space, slash, semicolon, colon, 
perhaps all punctuation.

What's your feeling on "won't scale well" - Something like: 10 EPS will 
probably be ok but 500 EPS will probably fail....depending on hardware I 
suppose.

Original comment by jerrysh...@gmail.com on 9 Mar 2012 at 8:34

GoogleCodeExporter commented 8 years ago
I recommend using the loggen utility (/usr/local/syslog-ng/bin/loggen) for test 
messages.

Keywords for searching are alphanumeric plus hyphen, underscore, at-sign, and 
period.

The Sphinx docs say 10-30% indexing performance penalty, but the real problem 
will be if users search on just a few characters or so with a wildcard, which 
could expand to many keywords and make the search take forever.  Check out the 
keyword expansion limit in the Sphinx docs for details.  The scaling factor for 
events per second will only apply to indexing speed, so I suppose if you're not 
butting up against the 30k sustained events/sec limit I've observed, then 
there's plenty of room to grow.

Original comment by mchol...@gmail.com on 9 Mar 2012 at 8:54

GoogleCodeExporter commented 8 years ago
Well, that worked pretty well.  I also needed to add "min_prefix_len = 3".  
There is a link to that in the Sphinx documentation page.  I think I'm gonna go 
with that on this server.  The load on this server is VERY low - probably 
looking at 30 EPM (minute!) to start.  They'll probably (hopefully) want to add 
more and might get to a sustained 2 or 3 EPS....I can't imagine it hitting a 
sustained 10 EPS.

Original comment by jerrysh...@gmail.com on 9 Mar 2012 at 9:35
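To make the behaviour discussed in this thread concrete (whole-keyword matching, the keyword character rule, and what `dict=keywords` plus `min_prefix_len` and Sphinx's `expansion_limit` change), here is an added toy example; it is not ELSA's or Sphinx's own code, the `KeywordIndex`/`build_index` names are made up, and the syslog lines are constructed.

```python
import re
from collections import defaultdict

# Keyword rule stated in the thread: alphanumeric plus hyphen, underscore, at-sign, period.
KEYWORD_RE = re.compile(r"[A-Za-z0-9_.@-]+")

# Constructed sample syslog lines (not from the thread), keyed by a document id.
SAMPLE_LOGS = {
    1: "Mar  9 07:47:01 host1 portsentry[1234]: attackalert: Connect from 10.0.0.5 to TCP port 23",
    2: "Mar  9 07:48:12 host1 kernel: iptables IN=eth0 MAC=00:11:22:33:44:55 SRC=10.0.0.9",
    3: "Mar  9 07:49:00 host1 script: test test",
    4: "Mar  9 07:50:30 host1 sshd[99]: Accepted publickey for tester from 10.0.0.7",
}

def keywords(message):
    """Split a log line into the lower-cased keywords that would be indexed."""
    return [k.lower() for k in KEYWORD_RE.findall(message)]

class KeywordIndex:
    """Toy inverted index; emulates exact-keyword search vs. prefix expansion."""

    def __init__(self, min_prefix_len=0, expansion_limit=0):
        self.postings = defaultdict(set)        # keyword -> set of doc ids
        self.min_prefix_len = min_prefix_len    # like Sphinx min_prefix_len
        self.expansion_limit = expansion_limit  # like Sphinx expansion_limit (0 = unlimited)

    def add(self, doc_id, message):
        for k in keywords(message):
            self.postings[k].add(doc_id)

    def search(self, term):
        """Default behaviour: whole keyword only, so 'attack' never hits 'attackalert'."""
        return set(self.postings.get(term.lower(), ()))

    def prefix_search(self, term):
        """With dict=keywords the term expands to every indexed keyword it prefixes;
        terms shorter than min_prefix_len cannot expand, and expansion_limit caps
        how many keywords (most frequent first) the query is rewritten into."""
        term = term.lower()
        if len(term) < self.min_prefix_len:
            return set()
        expanded = sorted((k for k in self.postings if k.startswith(term)),
                          key=lambda k: (-len(self.postings[k]), k))
        if self.expansion_limit:
            expanded = expanded[: self.expansion_limit]
        return set().union(*(self.postings[k] for k in expanded))

def build_index(min_prefix_len=3, expansion_limit=0):
    idx = KeywordIndex(min_prefix_len, expansion_limit)
    for doc_id, line in SAMPLE_LOGS.items():
        idx.add(doc_id, line)
    return idx
```

Note how "MAC" and "10.0.0.9" survive as whole keywords while the colons and equals signs around them are dropped, which is why a search for MAC returns iptables events but a partial word returns nothing without prefix expansion.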

GoogleCodeExporter commented 8 years ago
Great!  Glad this worked for you.  I'll add something to the docs when I get a 
chance, as I'm sure a lot of folks will get additional benefit out of this 
setup.

Original comment by mchol...@gmail.com on 10 Mar 2012 at 3:18

GoogleCodeExporter commented 8 years ago

Original comment by mchol...@gmail.com on 30 Apr 2012 at 1:53