graylog-plugin-riemann's Introduction

Riemann Plugin for Graylog

An output plugin for integrating Riemann with Graylog.

Required Graylog version: 2.0.0 and later

Installation

Download the plugin and place the .jar file in your Graylog plugin directory. By default, the plugin directory is the plugins/ folder relative to your graylog-server directory; it can be configured in your graylog.conf file.

Restart graylog-server and you are done.

Usage

You should now be able to add a Riemann output to your streams through the option Manage outputs.

Screenshot: Riemann Output Settings

The important parameters are the host address and port number, which are needed to establish a connection to Riemann. Additionally, the plugin can either send the log message as one JSON string or automatically extract every field as a Riemann custom event field.

You will now receive messages from this stream in Riemann.

Build

This project is using Maven 3 and requires Java 8 or higher.

You can build a plugin (JAR) with mvn package.

DEB and RPM packages can be built with mvn jdeb:jdeb and mvn rpm:rpm respectively.

Plugin Release

We are using the maven release plugin:

$ mvn release:prepare
[...]
$ mvn release:perform

This sets the version numbers, creates a tag and pushes to GitHub. Travis CI will build the release artifacts and upload to GitHub automatically.

Credits

Thanks to Henrik Johansen and Region Syddanmark for sponsorship!

graylog-plugin-riemann's Issues

Plugin Slowing Graylog Message Processing

I started using the Riemann output plugin to overcome some limitations with Graylog's alerting mechanism and while it works spectacularly for what I need, it also appears to significantly impact the message processing on all Graylog server nodes.

Each of my nodes drops from a maximum of ~2500 messages/second down to at best about 300 per second.

I've tried both TCP and UDP protocols in case there were TCP connections slowing it down, but it doesn't seem to matter at all.

I am still successfully using the plugin in my test environment but the messages per sec is only a tiny proportion of what is in Production (around 100 vs. sustained ~10,000). I first noticed the issue when I had an individual host generating a lot more messages than normal which had up to almost 40,000 messages per second and I noticed the journals growing.

I had the plugin associated with a "catch all" stream so I could send all output to Riemann while I determine what needed to be alerted on. This stream has a single rule to determine the presence of the "message" field. I use this stream to assign read privileges to other staff on all messages.

I have 10 Graylog servers on CentOS 6.6 running Graylog 1.1.3. The Java in use is OpenJDK 1.8.0_45 (64 bit). Each Graylog server is running as a VM on top of ESXi 5.5 with 8 vCPUs and 16GB RAM. Java heap size is set to 8GB. I'm using the Riemann plugin version 1.0.2.

When the plugin is enabled I see no load increase or errors logged anywhere, the message processing simply slows dramatically. Increasing processors makes no difference.

There's quite a varied number of messages sent to Graylog including Windows Event logs, IIS and FTP logs, ESXi and other application logs via Syslog, vCenter logs, and so forth.

I have attached some screen dumps of a couple of sample messages, apologies if that's not a good format as I couldn't think of any other way to get them easily.

Let me know any other information you require.

Cheers, Pete
gl message 1
gl message 2 - part 1
gl message 2 - part 2
gl message 2 - part 3

Connection between Graylog and Riemann is established but no events are forwarded

Hi, I am using the 1.1.2 plugin with Graylog 2.0.3 and configured it to communicate with riemann on another server over tcp/5555. I see the established connection (netstat and tcpdump) but no events are forwarded. I can't see any events in the riemann log.
I also tried UDP with the same outcome.
Any suggestions?
Thank you very much in advance.

Problems with UDP

Running the riemann plugin with TCP works fine - switching to UDP yields:

WARN [2015-02-26 21:17:26,568] defaultEventExecutorGroup-2-1 - riemann.transport.udp - UDP handler caught
io.netty.handler.codec.DecoderException: com.google.protobuf.InvalidProtocolBufferException: While parsing a protocol message, the input ended unexpectedly in the middle of a field. This could mean either than the input has been truncated or that an embedded message misreported its own length.
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:99)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:333)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:319)
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
at riemann.transport.proxy$io.netty.handler.codec.MessageToMessageDecoder$ff19274a.channelRead(Unknown Source)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:333)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:319)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:787)
at io.netty.channel.nio.AbstractNioMessageChannel$NioMessageUnsafe.read(AbstractNioMessageChannel.java:93)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354)
at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:116)
at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.google.protobuf.InvalidProtocolBufferException: While parsing a protocol message, the input ended unexpectedly in the middle of a field. This could mean either than the input has been truncated or that an embedded message misreported its own length.
at com.google.protobuf.InvalidProtocolBufferException.truncatedMessage(InvalidProtocolBufferException.java:70)
at com.google.protobuf.CodedInputStream.pushLimit(CodedInputStream.java:651)
at com.google.protobuf.CodedInputStream.readMessage(CodedInputStream.java:307)
at com.aphyr.riemann.Proto$Msg.(Proto.java:3931)
at com.aphyr.riemann.Proto$Msg.(Proto.java:3847)
at com.aphyr.riemann.Proto$Msg$1.parsePartialFrom(Proto.java:3970)
at com.aphyr.riemann.Proto$Msg$1.parsePartialFrom(Proto.java:3965)
at com.google.protobuf.AbstractParser.parsePartialFrom(AbstractParser.java:141)
at com.google.protobuf.AbstractParser.parseFrom(AbstractParser.java:176)
at com.google.protobuf.AbstractParser.parseFrom(AbstractParser.java:182)
at com.google.protobuf.AbstractParser.parseFrom(AbstractParser.java:49)
at io.netty.handler.codec.protobuf.ProtobufDecoder.decode(ProtobufDecoder.java:119)
at io.netty.handler.codec.protobuf.ProtobufDecoder.decode(ProtobufDecoder.java:63)
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:89)
... 15 more
WARN [2015-02-26 21:17:26,576] defaultEventExecutorGroup-2-1 - riemann.transport.udp - UDP handler caught
io.netty.handler.codec.DecoderException: com.google.protobuf.InvalidProtocolBufferException: While parsing a protocol message, the input ended unexpectedly in the middle of a field. This could mean either than the input has been truncated or that an embedded message misreported its own length.
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:99)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:333)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:319)
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
at riemann.transport.proxy$io.netty.handler.codec.MessageToMessageDecoder$ff19274a.channelRead(Unknown Source)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:333)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:319)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:787)
at io.netty.channel.nio.AbstractNioMessageChannel$NioMessageUnsafe.read(AbstractNioMessageChannel.java:93)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354)
at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:116)
at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.google.protobuf.InvalidProtocolBufferException: While parsing a protocol message, the input ended unexpectedly in the middle of a field. This could mean either than the input has been truncated or that an embedded message misreported its own length.
at com.google.protobuf.InvalidProtocolBufferException.truncatedMessage(InvalidProtocolBufferException.java:70)
at com.google.protobuf.CodedInputStream.pushLimit(CodedInputStream.java:651)
at com.google.protobuf.CodedInputStream.readMessage(CodedInputStream.java:307)
at com.aphyr.riemann.Proto$Msg.(Proto.java:3931)
at com.aphyr.riemann.Proto$Msg.(Proto.java:3847)
at com.aphyr.riemann.Proto$Msg$1.parsePartialFrom(Proto.java:3970)
at com.aphyr.riemann.Proto$Msg$1.parsePartialFrom(Proto.java:3965)
at com.google.protobuf.AbstractParser.parsePartialFrom(AbstractParser.java:141)
at com.google.protobuf.AbstractParser.parseFrom(AbstractParser.java:176)
at com.google.protobuf.AbstractParser.parseFrom(AbstractParser.java:182)
at com.google.protobuf.AbstractParser.parseFrom(AbstractParser.java:49)
at io.netty.handler.codec.protobuf.ProtobufDecoder.decode(ProtobufDecoder.java:119)
at io.netty.handler.codec.protobuf.ProtobufDecoder.decode(ProtobufDecoder.java:63)
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:89)
... 15 more
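
Added example, not part of the original issue or of the plugin's code: a hand-rolled encoder for Riemann's protobuf Msg/Event that shows the two output modes the README describes (one JSON string versus one custom attribute per field), plus a field walk that rejects a datagram cut short, the condition the exception text above describes. The field mapping (source to host, service "graylog"), the sample messages and the 16384-byte LIMIT are assumptions made for illustration.

```python
import json
LIMIT = 16384  # assumed per-datagram receive limit, not taken from the page

def varint(n):  # protobuf base-128 varint for a non-negative int
    out = bytearray()
    while True:
        out.append((n & 0x7F) | (0x80 if n > 0x7F else 0))
        n >>= 7
        if not n:
            return bytes(out)

def ld(field, payload):  # length-delimited field (wire type 2)
    return varint((field << 3) | 2) + varint(len(payload)) + payload

def riemann_msg(gl, as_json):
    """Riemann Msg with one Event built from a Graylog-style dict (assumed mapping)."""
    ev = ld(4, gl["source"].encode()) + ld(3, b"graylog")  # Event.host, Event.service
    if as_json:  # whole message as one JSON string in Event.description
        ev += ld(5, json.dumps(gl, sort_keys=True).encode())
    else:        # every field as an Event.attributes entry {key=1, value=2}
        ev += ld(5, gl["message"].encode())
        for key, value in sorted(gl.items()):
            ev += ld(9, ld(1, key.encode()) + ld(2, str(value).encode()))
    return ld(6, ev)  # Msg.events

def read_varint(buf, i):
    n = shift = 0
    while True:
        if i >= len(buf):
            raise ValueError("input ended in the middle of a varint")
        byte, i = buf[i], i + 1
        n, shift = n | (byte & 0x7F) << shift, shift + 7
        if not byte & 0x80:
            return n, i

def count_events(datagram):
    """Walk the top-level fields of a Msg; reject a field that overruns the buffer."""
    i = events = 0
    while i < len(datagram):
        tag, i = read_varint(datagram, i)
        size, i = read_varint(datagram, i)
        if (tag & 7) != 2 or i + size > len(datagram):
            raise ValueError("malformed or truncated field")
        events += (tag >> 3) == 6
        i += size
    return events

SMALL = {"source": "web01", "message": "login failed", "level": 4}  # constructed
LARGE = dict(SMALL, message="x" * 20000)                            # constructed
```

Comparing `len(riemann_msg(...))` with the receiver's datagram limit shows which messages cannot survive UDP intact; `count_events(riemann_msg(LARGE, False)[:LIMIT])` raises, while the same message sent whole parses as one event.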

Error while trying to build jar package

root@hosting-mon01:/graylog2-plugin-output-riemann-master# java -version
java version "1.7.0_75"
OpenJDK Runtime Environment (IcedTea 2.5.4) (7u75-2.5.4-1~trusty1)
OpenJDK 64-Bit Server VM (build 24.75-b04, mixed mode)

root@hosting-mon01:/graylog2-plugin-output-riemann-master# mvn package
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building graylog2-plugin-output-riemann 1.0.2-SNAPSHOT
[INFO] ------------------------------------------------------------------------
Downloading: http://clojars.org/repo/com/aphyr/riemann-java-client/0.3.1/riemann-java-client-0.3.1.pom
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.128s
[INFO] Finished at: Wed Feb 11 14:23:35 CET 2015
[INFO] Final Memory: 13M/216M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project graylog2-plugin-output-riemann: Could not resolve dependencies for project org.graylog2:graylog2-plugin-output-riemann:jar:1.0.2-SNAPSHOT: Failed to collect dependencies for [org.graylog2:graylog2-plugin:jar:1.0.0-beta.3 (provided), com.aphyr:riemann-java-client:jar:0.3.1 (compile)]: Failed to read artifact descriptor for com.aphyr:riemann-java-client:jar:0.3.1: Could not transfer artifact com.aphyr:riemann-java-client:pom:0.3.1 from/to clojars.org (http://clojars.org/repo): Access denied to: http://clojars.org/repo/com/aphyr/riemann-java-client/0.3.1/riemann-java-client-0.3.1.pom , ReasonPhrase:Forbidden. -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException
root@hosting-mon01:/graylog2-plugin-output-riemann-master#

What am I doing wrong? Any suggestions? Thanks in advance (Ubuntu 14.04.1 LTS).
