s0p4L1n3 / Graylog_Content_Pack_VMWare-8.X-forVCSA-ESXI

MIT License

[LookupTableService] Lookup table <rfc_log_level> does not exist #1

Open thefaxe opened 9 months ago

thefaxe commented 9 months ago

Hi,

in pipeline "Pipeline rule Syslog - VMWARE - log_level lookup" the function `let new_level_severity = lookup_value("rfc_log_level", to_string($message.level));` is flooding the server.log with this message: "[LookupTableService] Lookup table <rfc_log_level> does not exist"

Graylog-Version 5.2

s0p4L1n3 commented 9 months ago

Hello,

Thanks, I forgot to add the file in the README!

Download the file and place it in the target folder on your Graylog server, then edit the Data adapter on System > Lookup Tables > Data Adapter.

RFC_log_level.csv

thefaxe commented 9 months ago

Thanks for the file. I added the data adapter and I did the job after a complete system reboot.

Another hint for documentation. Before installing the content pack you need to replace all source-entries in json file with the names, using wildcards, of the esxi servers.

s0p4L1n3 commented 9 months ago

Thanks for the hint, I will update the documentation :)

thefaxe commented 9 months ago

Thank you for your quick replies and solution. Dashboard is working like a charm.

pankajgeek commented 5 months ago

> Hello,
>
> Thanks, I forgot to add the file in the README!
>
> Download the file and place it in the target folder on your Graylog server, then edit the Data adapter on System > Lookup Tables > Data Adapter.
>
> RFC_log_level.csv

Hi, I created the Data adapter but it throws an error:

Screenshot 2024-05-31 at 10 53 23 AM

I am using Graylog version 6.0.2.

s0p4L1n3 commented 5 months ago

I will try to update on Graylog 6.X to see if I have the same errors. I've tested only with Graylog 5.X for now.

s0p4L1n3 commented 5 months ago

@pankajgeek I've upgraded from 5.2.7 to 6.0.2, nothing changed, no errors on my side. Could you describe the steps you did to reproduce the issue?

deeprain279 commented 5 months ago

I had the same error today. I use Graylog 6.0.2 in a Docker container. If this is also the case here, you have to pay attention to the path of the CSV file. `/srv` does not exist in the Docker context. My Graylog data, which I have persistently in the file system of the host, I simply put the CSV file here. I then have the path in the container: `/usr/share/graylog/data/RFC_log_level.csv`. Otherwise, follow the instructions in the image from the first answer.

Maybe that helps?
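
Added example (not part of the thread or the content pack): a preflight check for the CSV file behind the lookup table, aimed at the path problem described above. The column names `level` and `description` and the sample rows are assumptions; the default path is the container path quoted above.

```python
import csv
import os
import sys

# RFC 5424 severity values 0-7, kept as strings because CSV keys are text.
RFC5424_SEVERITIES = {str(n) for n in range(8)}

# Constructed sample content; the real RFC_log_level.csv may use other column names.
SAMPLE_CSV = (
    '"level","description"\n'
    '"0","Emergency"\n"1","Alert"\n"2","Critical"\n"3","Error"\n'
    '"4","Warning"\n"5","Notice"\n"6","Informational"\n"7","Debug"\n'
)


def check_adapter_file(path, key_column="level", value_column="description"):
    """Return a list of problems found with a CSV lookup file (empty list = OK).

    Run it where the Graylog process runs (for Docker, inside the container),
    because that is the filesystem the data adapter path is resolved against.
    key_column and value_column are assumed names; use the ones set in the adapter.
    """
    if not os.path.isfile(path):
        return [f"{path}: no such file in this filesystem context"]
    if not os.access(path, os.R_OK):
        return [f"{path}: not readable by the current user"]
    with open(path, newline="", encoding="utf-8") as handle:
        reader = csv.DictReader(handle)
        columns = reader.fieldnames or []
        absent = [c for c in (key_column, value_column) if c not in columns]
        if absent:
            return [f"{path}: missing column(s) {absent}, found {columns}"]
        keys = {(row[key_column] or "").strip() for row in reader}
    missing = sorted(RFC5424_SEVERITIES - keys)
    return [f"{path}: no row for severity {', '.join(missing)}"] if missing else []


if __name__ == "__main__":
    # Default is the container path mentioned in the comment above.
    default = "/usr/share/graylog/data/RFC_log_level.csv"
    target = sys.argv[1] if len(sys.argv) > 1 else default
    for line in check_adapter_file(target) or [f"{target}: OK"]:
        print(line)
```

Run it as the same user and in the same container or host as the Graylog server, passing the path configured in the data adapter.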

pankajgeek commented 5 months ago

I am not using Docker; my Graylog server is running behind Nginx.

pankajgeek commented 5 months ago

> @pankajgeek I've upgraded from 5.2.7 to 6.0.2, nothing changed, no errors on my side. Could you describe the steps you did to reproduce the issue?

Screenshot 2024-06-07 at 8 09 19 PM Screenshot 2024-06-07 at 8 12 18 PM

I just deleted and created the Data Adapter again, it disappeared now. I have added Cache and Data lookup table. I hope this is the correct configuration?

pankajgeek commented 5 months ago

Also, I don't see any data difference though w.r.t. logs. For example, according to the CSV, Warning should be displayed as level 4 but I am seeing level 6 for everything. Is this expected?

Screenshot 2024-06-07 at 9 10 57 PM

Another issue that has started popping up since yesterday is:

Screenshot 2024-06-07 at 9 15 49 PM

Could you please guide me to fix these problems?

s0p4L1n3 commented 5 months ago

If you recreated the lookup table, make sure that the pipeline rules related to this lookup table are correct, with the correct name.

As I explained in the requirements before importing the content pack, if you do not use /srv as the folder path for your CSV files, it can be changed by editing the data adapter.

Not a problem if you use Nginx instead of Docker.

The lookup table for log level is only here to enrich data visualisation and add a new field matching the log level value sent by vCenter/ESXi. If you receive only level 6 you should look into the vCenter setting to increase log level.

For the new error, could you find the message id related to this error and copy the message and I will test it to see if there is anything to change/fix on the content pack.

pankajgeek commented 5 months ago

Hi,

I created the pipeline rule as below:

```
rule "VMWare Vcenter and ESXi: Level lookup with Level Category"
when
  has_field("level")
then
  let update_source = lookup_value("rfc_5424_log_level", $message.level);
  set_field("level", update_source);
end
```

Could you please let me know, which pipeline and stage I should attach this ?

s0p4L1n3 commented 5 months ago

Why don’t you use the content pack I’ve provided? You’ve created a pipeline rule without knowing how to attach it?

You want to create a new field level but it already exists. You need to change the `set_field("level",)` to `set_field("level_description",)`.

You need to attach the pipeline rule to the vcenter stream, the stage depends if you have multiple rules.

I can not help further if you don’t use something from the content pack. If you have any issue on something you created and not related to this content pack, please open an issue on the community forum.

pankajgeek commented 5 months ago

I am sorry to bug you. I am using your content pack and it has been very useful to me, having so much information and data. It's just that I am new to Graylog and have started using it for 2 weeks. In the meantime I am looking at all the stuff that it can do, that's where I had found out that data adapter had a problem. BTW your solution has worked like a charm. Have a good day!