itchannel / graylognotifications

Graylog Pushover Notification Addon

Configuration within Graylog #2

Closed ebeng closed 1 year ago

ebeng commented 3 years ago

Hi,

I'm running Graylog 4.0.7. I copied the provided .jar file into the same folder as the other plugins, which were apparently also located here:

ls -> /usr/share/graylog-server/plugin/
graylog-plugin-aws-4.0.7.jar                graylog-plugin-threatintel-4.0.7.jar
graylog-plugin-collector-4.0.7.jar          graylog-storage-elasticsearch6-4.0.7.jar
graylog-plugin-pushnotifications-1.0.0.jar  graylog-storage-elasticsearch7-4.0.7.jar

I can't find this plugin anywhere in the application, and also, from an installation perspective, I can't find the following:

Installation
Download the plugin and place the .jar file in your Graylog plugin directory. The plugin directory is the plugins/ folder relative from your graylog-server directory by default and can be configured in your graylog.conf file.

Restart graylog-server and you are done.

The graylog.conf is now being replaced with server.conf, I believe (?). Where do I need to put the API key and user ID from Pushover?

Really appreciate that you built this!

Thx!

ebeng commented 3 years ago

Can anyone please help us here?

itchannel commented 3 years ago

If the plugin has been loaded correctly, then you will see a Pushover option when creating a "notification" in Graylog. That is where you enter the details. You can have different Pushover IDs/app groups per created notification.

ebeng commented 3 years ago

> If the plugin has been loaded correctly, then you will see a Pushover option when creating a "notification" in Graylog. That is where you enter the details. You can have different Pushover IDs/app groups per created notification.

I only see the legacy, email and HTTP notifications. I have imported the file, but it is still not possible to get Pushover as a method. If you could help me out here, it would be really appreciated.

Could you please try it as explained above, with the same version if possible?

ebeng commented 3 years ago

https://docs.graylog.org/en/4.0/pages/plugins.html

Here it is also stated to be in /usr/share/graylog-server/plugin/, but somehow it doesn't recognise it. I'm checking the Graylog logs now, after a restart again. Do you see anything out of order or missing anything here?

2021-06-11T01:39:48.556+02:00 INFO  [GracefulShutdownService] Finished shutdown for <JobWorkerPool>, took 1 ms
2021-06-11T01:39:48.556+02:00 INFO  [GracefulShutdown] Goodbye.
2021-06-11T01:39:48.559+02:00 INFO  [JerseyService] Shutting down HTTP listener at <0.0.0.0:9000>
2021-06-11T01:39:48.571+02:00 INFO  [LogManager] Shutting down.
2021-06-11T01:39:48.573+02:00 INFO  [LookupDataAdapterRefreshService] Stopping 0 jobs
2021-06-11T01:39:48.587+02:00 INFO  [OutputSetupService] Stopping output org.graylog2.outputs.BlockingBatchedESOutput
2021-06-11T01:39:48.591+02:00 INFO  [NetworkListener] Stopped listener bound to [0.0.0.0:9000]
2021-06-11T01:39:48.601+02:00 INFO  [LogManager] Shutdown complete.
2021-06-11T01:39:48.637+02:00 INFO  [JournalReader] Stopping.
2021-06-11T01:39:48.905+02:00 INFO  [ServiceManagerListener] Services are now stopped.
##################################################################################
######################### Pushover plugin is loading #############################
##################################################################################
2021-06-11T01:39:50.331+02:00 INFO  [CmdLineTool] Loaded plugin: Notifications 1.0.0-SNAPSHOT [notifications.NotificationsPlugin]
2021-06-11T01:39:50.334+02:00 INFO  [CmdLineTool] Loaded plugin: AWS plugins 4.0.7 [org.graylog.aws.AWSPlugin]
2021-06-11T01:39:50.334+02:00 INFO  [CmdLineTool] Loaded plugin: Collector 4.0.7 [org.graylog.plugins.collector.CollectorPlugin]
2021-06-11T01:39:50.335+02:00 INFO  [CmdLineTool] Loaded plugin: Threat Intelligence Plugin 4.0.7 [org.graylog.plugins.threatintel.ThreatIntelPlugin]
2021-06-11T01:39:50.335+02:00 INFO  [CmdLineTool] Loaded plugin: Elasticsearch 6 Support 4.0.7+c3e766c [org.graylog.storage.elasticsearch6.Elasticsearch6Plugin]
2021-06-11T01:39:50.335+02:00 INFO  [CmdLineTool] Loaded plugin: Elasticsearch 7 Support 4.0.7+c3e766c [org.graylog.storage.elasticsearch7.Elasticsearch7Plugin]
2021-06-11T01:39:50.507+02:00 INFO  [CmdLineTool] Running with JVM arguments: -Xms1g -Xmx1g -XX:NewRatio=1 -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow -Djdk.tls.acknowledgeCloseNotify=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=rpm
2021-06-11T01:39:50.681+02:00 INFO  [Version] HV000001: Hibernate Validator null
2021-06-11T01:39:52.759+02:00 INFO  [InputBufferImpl] Message journal is enabled.
2021-06-11T01:39:52.774+02:00 INFO  [NodeId] Node ID: ce9ea77c-1a72-4496-a165-2c95e818291c
2021-06-11T01:39:52.934+02:00 INFO  [LogManager] Loading logs.
2021-06-11T01:39:53.031+02:00 INFO  [LogManager] Logs loading complete.
2021-06-11T01:39:53.034+02:00 INFO  [KafkaJournal] Initialized Kafka based journal at /var/lib/graylog-server/journal
2021-06-11T01:39:53.051+02:00 INFO  [cluster] Cluster created with settings {hosts=[localhost:27017], mode=SINGLE, requiredClusterType=UNKNOWN, serverSelectionTimeout='30000 ms', maxWaitQueueSize=5000}
2021-06-11T01:39:53.086+02:00 INFO  [cluster] Cluster description not yet available. Waiting for 30000 ms before timing out
2021-06-11T01:39:53.104+02:00 INFO  [connection] Opened connection [connectionId{localValue:1, serverValue:122}] to localhost:27017
2021-06-11T01:39:53.108+02:00 INFO  [cluster] Monitor thread successfully connected to server with description ServerDescription{address=localhost:27017, type=STANDALONE, state=CONNECTED, ok=true, version=ServerVersion{versionList=[4, 0, 24]}, minWireVersion=0, maxWireVersion=7, maxDocumentSize=16777216, logicalSessionTimeoutMinutes=30, roundTripTimeNanos=2558731}
2021-06-11T01:39:53.120+02:00 INFO  [connection] Opened connection [connectionId{localValue:2, serverValue:123}] to localhost:27017
2021-06-11T01:39:53.289+02:00 INFO  [InputBufferImpl] Initialized InputBufferImpl with ring size <65536> and wait strategy <BlockingWaitStrategy>, running 2 parallel message handlers.
2021-06-11T01:39:53.504+02:00 INFO  [ElasticsearchVersionProvider] Elasticsearch cluster is running v6.8.15
2021-06-11T01:39:53.543+02:00 INFO  [AbstractJestClient] Setting server pool to a list of 1 servers: [http://127.0.0.1:9200]
2021-06-11T01:39:53.544+02:00 INFO  [JestClientFactory] Using multi thread/connection supporting pooling connection manager
2021-06-11T01:39:53.598+02:00 INFO  [JestClientFactory] Using custom ObjectMapper instance
2021-06-11T01:39:53.598+02:00 INFO  [JestClientFactory] Node Discovery disabled...
2021-06-11T01:39:53.598+02:00 INFO  [JestClientFactory] Idle connection reaping disabled...
2021-06-11T01:39:53.920+02:00 INFO  [ProcessBuffer] Initialized ProcessBuffer with ring size <65536> and wait strategy <BlockingWaitStrategy>.
2021-06-11T01:39:54.121+02:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
2021-06-11T01:39:54.128+02:00 INFO  [OutputBuffer] Initialized OutputBuffer with ring size <65536> and wait strategy <BlockingWaitStrategy>.
2021-06-11T01:39:54.143+02:00 INFO  [connection] Opened connection [connectionId{localValue:3, serverValue:124}] to localhost:27017
2021-06-11T01:39:54.168+02:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
2021-06-11T01:39:54.188+02:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
2021-06-11T01:39:54.207+02:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
2021-06-11T01:39:54.229+02:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
2021-06-11T01:39:54.620+02:00 INFO  [ServerBootstrap] Graylog server 4.0.7+c3e766c starting up
2021-06-11T01:39:54.621+02:00 INFO  [ServerBootstrap] JRE: Red Hat, Inc. 1.8.0_282 on Linux 3.10.0-1062.el7.x86_64
2021-06-11T01:39:54.621+02:00 INFO  [ServerBootstrap] Deployment: rpm
2021-06-11T01:39:54.621+02:00 INFO  [ServerBootstrap] OS: Red Hat Enterprise Linux Server 7.7 (Maipo) (rhel)
2021-06-11T01:39:54.621+02:00 INFO  [ServerBootstrap] Arch: amd64
2021-06-11T01:39:54.652+02:00 INFO  [PeriodicalsService] Starting 30 periodicals ...
2021-06-11T01:39:54.653+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.ThroughputCalculator] periodical in [0s], polling every [1s].
2021-06-11T01:39:54.655+02:00 INFO  [Periodicals] Starting [org.graylog.plugins.pipelineprocessor.periodical.LegacyDefaultStreamMigration] periodical, running forever.
2021-06-11T01:39:54.658+02:00 INFO  [PeriodicalsService] Not starting [org.graylog2.periodical.AlertScannerThread] periodical. Not configured to run on this node.
2021-06-11T01:39:54.659+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.BatchedElasticSearchOutputFlushThread] periodical in [0s], polling every [1s].
2021-06-11T01:39:54.660+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.ClusterHealthCheckThread] periodical in [120s], polling every [20s].
2021-06-11T01:39:54.660+02:00 INFO  [PeriodicalsService] Not starting [org.graylog2.periodical.ContentPackLoaderPeriodical] periodical. Not configured to run on this node.
2021-06-11T01:39:54.660+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.GarbageCollectionWarningThread] periodical, running forever.
2021-06-11T01:39:54.661+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.IndexerClusterCheckerThread] periodical in [0s], polling every [30s].
2021-06-11T01:39:54.661+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.IndexRetentionThread] periodical in [0s], polling every [300s].
2021-06-11T01:39:54.664+02:00 INFO  [connection] Opened connection [connectionId{localValue:4, serverValue:125}] to localhost:27017
2021-06-11T01:39:54.667+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.IndexRotationThread] periodical in [0s], polling every [10s].
2021-06-11T01:39:54.670+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.NodePingThread] periodical in [0s], polling every [1s].
2021-06-11T01:39:54.670+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.VersionCheckThread] periodical in [300s], polling every [1800s].
2021-06-11T01:39:54.670+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.ThrottleStateUpdaterThread] periodical in [1s], polling every [1s].
2021-06-11T01:39:54.671+02:00 INFO  [Periodicals] Starting [org.graylog2.events.ClusterEventPeriodical] periodical in [0s], polling every [1s].
2021-06-11T01:39:54.671+02:00 INFO  [Periodicals] Starting [org.graylog2.events.ClusterEventCleanupPeriodical] periodical in [0s], polling every [86400s].
2021-06-11T01:39:54.671+02:00 INFO  [LegacyDefaultStreamMigration] Legacy default stream has no connections, no migration needed.
2021-06-11T01:39:54.671+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.ClusterIdGeneratorPeriodical] periodical, running forever.
2021-06-11T01:39:54.671+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.IndexRangesMigrationPeriodical] periodical, running forever.
2021-06-11T01:39:54.673+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.IndexRangesCleanupPeriodical] periodical in [15s], polling every [3600s].
2021-06-11T01:39:54.677+02:00 INFO  [connection] Opened connection [connectionId{localValue:6, serverValue:126}] to localhost:27017
2021-06-11T01:39:54.677+02:00 INFO  [connection] Opened connection [connectionId{localValue:5, serverValue:127}] to localhost:27017
2021-06-11T01:39:54.766+02:00 INFO  [PeriodicalsService] Not starting [org.graylog2.periodical.UserPermissionMigrationPeriodical] periodical. Not configured to run on this node.
2021-06-11T01:39:54.769+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.ConfigurationManagementPeriodical] periodical, running forever.
2021-06-11T01:39:54.784+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.IndexFailuresPeriodical] periodical, running forever.
2021-06-11T01:39:54.785+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.TrafficCounterCalculator] periodical in [0s], polling every [1s].
2021-06-11T01:39:54.785+02:00 INFO  [Periodicals] Starting [org.graylog2.indexer.fieldtypes.IndexFieldTypePollerPeriodical] periodical in [0s], polling every [3600s].
2021-06-11T01:39:54.785+02:00 INFO  [Periodicals] Starting [org.graylog.scheduler.periodicals.ScheduleTriggerCleanUp] periodical in [120s], polling every [86400s].
2021-06-11T01:39:54.786+02:00 INFO  [Periodicals] Starting [org.graylog2.periodical.ESVersionCheckPeriodical] periodical in [0s], polling every [30s].
2021-06-11T01:39:54.786+02:00 INFO  [Periodicals] Starting [org.graylog.plugins.sidecar.periodical.PurgeExpiredSidecarsThread] periodical in [0s], polling every [600s].
2021-06-11T01:39:54.787+02:00 INFO  [Periodicals] Starting [org.graylog.plugins.sidecar.periodical.PurgeExpiredConfigurationUploads] periodical in [0s], polling every [600s].
2021-06-11T01:39:54.788+02:00 INFO  [Periodicals] Starting [org.graylog.plugins.views.search.db.SearchesCleanUpJob] periodical in [3600s], polling every [28800s].
2021-06-11T01:39:54.788+02:00 INFO  [Periodicals] Starting [org.graylog.events.periodicals.EventNotificationStatusCleanUp] periodical in [120s], polling every [86400s].
2021-06-11T01:39:54.788+02:00 INFO  [Periodicals] Starting [org.graylog.plugins.collector.periodical.PurgeExpiredCollectorsThread] periodical in [0s], polling every [3600s].
2021-06-11T01:40:20.227+02:00 INFO  [NetworkListener] Started listener bound to [0.0.0.0:9000]
2021-06-11T01:40:20.228+02:00 INFO  [HttpServer] [HttpServer] Started.
2021-06-11T01:40:20.228+02:00 INFO  [JerseyService] Started REST API at <0.0.0.0:9000>
2021-06-11T01:40:20.229+02:00 INFO  [ServiceManagerListener] Services are healthy
2021-06-11T01:40:20.230+02:00 INFO  [InputSetupService] Triggering launching persisted inputs, node transitioned from Uninitialized [LB:DEAD] to Running [LB:ALIVE]
2021-06-11T01:40:20.230+02:00 INFO  [ServerBootstrap] Services started, startup times in ms: {InputSetupService [RUNNING]=15, UrlWhitelistService [RUNNING]=15, JournalReader [RUNNING]=16, GracefulShutdownService [RUNNING]=16, KafkaJournal [RUNNING]=17, JobSchedulerService [RUNNING]=21, OutputSetupService [RUNNING]=21, BufferSynchronizerService [RUNNING]=31, EtagService [RUNNING]=90, MongoDBProcessingStatusRecorderService [RUNNING]=121, LookupTableService [RUNNING]=125, ConfigurationEtagService [RUNNING]=138, PeriodicalsService [RUNNING]=159, StreamCacheService [RUNNING]=183, JerseyService [RUNNING]=25586}
2021-06-11T01:40:20.234+02:00 INFO  [ServerBootstrap] Graylog server up and running.
2021-06-11T01:40:20.418+02:00 INFO  [InputStateListener] Input [Syslog UDP/609500a4c3651832ca02b70b] is now STARTING
2021-06-11T01:40:20.424+02:00 INFO  [InputStateListener] Input [NetFlow UDP/60950308c3651832ca02b9a6] is now STARTING
2021-06-11T01:40:20.499+02:00 INFO  [InputStateListener] Input [NetFlow UDP/60950308c3651832ca02b9a6] is now RUNNING
2021-06-11T01:40:20.505+02:00 INFO  [InputStateListener] Input [Syslog UDP/609500a4c3651832ca02b70b] is now RUNNING
2021-06-11T01:40:20.506+02:00 WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=Syslog UDP - 5140, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=ce9ea77c-1a72-4496-a165-2c95e818291c} (channel [id: 0x811fdcbc, L:/0:0:0:0:0:0:0:0%0:5140]) should be 262144 but is 425984.
2021-06-11T01:40:20.514+02:00 WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input NetFlowUdpInput{title=Netflow UDP - 2055, type=org.graylog.plugins.netflow.inputs.NetFlowUdpInput, nodeId=ce9ea77c-1a72-4496-a165-2c95e818291c} (channel [id: 0x4e075c4a, L:/0:0:0:0:0:0:0:0%0:2055]) should be 262144 but is 425984.
itchannel commented 3 years ago

Do you see a number of Java files in "/usr/share/graylog-server/plugin/"? This folder should contain the other plugins that are being loaded. I can't see the Pushover plugin being loaded at all in your log, which makes me think your config may use a different location for plugins.

Unfortunately I don't have access to my Graylog dev instances at the moment, but I will try and take a look this weekend to confirm.
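
A small shell helper for the check described in this comment (does the server log actually register the plugin, and which plugin_dir does server.conf point at); this is an added example, not code from the plugin or from this thread. The log lines are copied from the thread above, the server.conf snippet is constructed.

```shell
#!/bin/sh
# Added example: parse a Graylog server.log for plugins registered by
# CmdLineTool and read the plugin_dir setting from server.conf.

# Print the class name of every plugin the server registered on startup.
loaded_plugins() {
    sed -n 's/.*\[CmdLineTool\] Loaded plugin: .* \[\([^]]*\)\]$/\1/p' "$1"
}

# Return 0 if a registered plugin class name contains $2, else 1.
plugin_loaded() {
    loaded_plugins "$1" | grep -q -- "$2"
}

# Print the effective plugin_dir from a server.conf; commented-out lines
# (# plugin_dir = ...) are ignored, and the last active setting wins.
plugin_dir() {
    sed -n 's/^[[:space:]]*plugin_dir[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Constructed sample inputs so the script runs offline.
LOG=$(mktemp)
CONF=$(mktemp)
cat > "$LOG" <<'EOF'
2021-06-11T01:39:48.905+02:00 INFO  [ServiceManagerListener] Services are now stopped.
2021-06-11T01:39:50.331+02:00 INFO  [CmdLineTool] Loaded plugin: Notifications 1.0.0-SNAPSHOT [notifications.NotificationsPlugin]
2021-06-11T01:39:50.334+02:00 INFO  [CmdLineTool] Loaded plugin: AWS plugins 4.0.7 [org.graylog.aws.AWSPlugin]
2021-06-11T01:39:50.335+02:00 INFO  [CmdLineTool] Loaded plugin: Elasticsearch 7 Support 4.0.7+c3e766c [org.graylog.storage.elasticsearch7.Elasticsearch7Plugin]
2021-06-11T01:39:54.620+02:00 INFO  [ServerBootstrap] Graylog server 4.0.7+c3e766c starting up
EOF
cat > "$CONF" <<'EOF'
# plugin_dir = /opt/old-plugins
plugin_dir = /usr/share/graylog-server/plugin
EOF

# Usage: report the plugin directory and whether the Pushover plugin loaded.
printf 'plugin_dir: %s\n' "$(plugin_dir "$CONF")"
printf 'loaded plugins:\n'
loaded_plugins "$LOG"
if plugin_loaded "$LOG" NotificationsPlugin; then
    echo "Pushover notifications plugin registered"
else
    echo "Pushover notifications plugin NOT registered: check plugin_dir and the jar"
fi
```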

ebeng commented 3 years ago

Isn't that "Notifications" plugin the Pushover plugin?

And yes, as mentioned above, all the other plugins are loaded.

[plugin]$ ls -latrhZ
-rw-r--r--. root root system_u:object_r:usr_t:s0       graylog-storage-elasticsearch6-4.0.7.jar
-rw-r--r--. root root system_u:object_r:usr_t:s0       graylog-plugin-threatintel-4.0.7.jar
-rw-r--r--. root root system_u:object_r:usr_t:s0       graylog-plugin-collector-4.0.7.jar
-rw-r--r--. root root system_u:object_r:usr_t:s0       graylog-plugin-aws-4.0.7.jar
-rw-r--r--. root root system_u:object_r:usr_t:s0       graylog-storage-elasticsearch7-4.0.7.jar
drwxr-xr-x. root root system_u:object_r:usr_t:s0       ..
-rw-r--r--. root root system_u:object_r:usr_t:s0       graylog-plugin-pushnotifications-4.0.7.jar
drwxr-xr-x. root root system_u:object_r:usr_t:s0       .
[plugin]$ pwd
/usr/share/graylog-server/plugin
ebeng commented 3 years ago

> Do you see a number of Java files in "/usr/share/graylog-server/plugin/"? This folder should contain the other plugins that are being loaded. I can't see the Pushover plugin being loaded at all in your log, which makes me think your config may use a different location for plugins.
>
> Unfortunately I don't have access to my Graylog dev instances at the moment, but I will try and take a look this weekend to confirm.

Any luck :) ?

ebeng commented 3 years ago

Also tried on another Ubuntu machine, still no luck here. Are you by any chance still on the dev instance?

ebeng commented 2 years ago

I would really appreciate it if you could have a look at it.

itchannel commented 2 years ago

Hi @ebeng, I have rewritten the plugin to support the latest Graylog and have tested it on a dev instance. It's been a while and I had forgotten how hard it is to compile :)

If you grab the jar in the new release you should be good to go.

2.0 Release

ebeng commented 2 years ago

WOW!!! Did you rewrite all of the code? I see something like a few hundred lines of code changes?!! Was it really that necessary to get it to work??

I will immediately try it out Tuesday when I have access to the server where it is installed!!

You ROCK!!!

itchannel commented 2 years ago

I wrote a lot of that code nearly a year ago, when they changed how alert callbacks worked, and had it in my private repo. However, I finally got round to fixing it up and getting it to compile before putting it on this public repo. Let me know how it goes; I tested it on my private servers and it's working, so it should be good for you.

ebeng commented 2 years ago

Like I said, you ROCK !!! The test just got through :) Now I have to set up the rest. This really helps!! Seriously, a big big big THANKS for this!! If you have a Chia account I would like to send some :) Drop me a DM if you can.

[screenshot]

ebeng commented 2 years ago

Update: the events are triggered and I'm seeing in the event definition that the message will be sent through, but within Pushover I don't see the message. It shows the same as above.

[screenshot]

itchannel commented 2 years ago

Ok, so the template has changed slightly in 4.0, hence the Stream fields are no longer available. However, swap your template with this:

${event_definition_title}

${foreach backlog message}
${message.message}
\n${end}

The event definition title is optional, as it is already the notification title.

Also, when setting up the event, make sure you select the following to actually include messages.

[screenshot]

ebeng commented 2 years ago

Nice, bro! Even the test is now showing some more data in it! Let's see when the real event will trigger (!!) Can't wait for it, haha !!