I have a little problem on my Graylog server.
Messages are received around 6 to 7 minutes later in Graylog and I would like it to be faster.
I have not found any solution and I'm a beginner, so I prefer to ask here, hoping that someone has an idea of which parameter can change that, or if it's due to the server capacity.
Storage, RAM and CPU are not looking fully used.
It can be because your time is off somewhere; look under System/Overview/Time Configuration to make sure those are in sync. If your system is overloaded, you can usually see it under System/Nodes and click on the node to see Memory, buffers and journal utilization. Post (obfuscated) pics if anything looks odd…
Thanks for your answer.
Time configuration sync is ok on Graylog. User, browser and server have the same time.
The system is not overloaded. Memory is at around 50% use, buffers 0% and journal 1%.
After searching on my VM, I found that all logs had the wrong time too, so the problem is probably due to a configuration error on my Debian.
Hmmm… I found another article that goes through several troubleshooting steps with rsyslog. In their case it was sending to console and rate limited to 4k/sec. This may or may not be your issue but the steps therein may help you to track yours.
I may be missing something in Graylog, but for right now it seems like an rsyslog configuration issue.