Appliance - See inputs, but nothing routed into feeds

jlavigne · 2017-10-01 16:02:27 UTC

I recently built an appliance using the OVA file, and seem to have configured it successfully, as I can see the logs from my servers populating when I look at the System|Inputs page. I can follow my syslog entries, search, etc. But nothing is routed into ANY of the streams, be it the pre-configured, or any new ones I try to build.

When I test against the log entries I want in the streams, the test is successful, and graylog reports that the message would be routed, but none ever is.

I’m guessing that I am missing something pretty obvious in the config, but I’m getting rather frustrated. Any ideas on where to look, what I am missing?

Thanks!

jochen · 2017-10-01 20:37:46 UTC

Is there anything in the “All messages” stream?
What are the stream rules and what are the messages they should match?

jlavigne · 2017-10-01 21:27:49 UTC

No, even the “All Messages” stream shows 0 messages. The rules are quite simple, such as if ‘ovpn’ is in ‘message’ to monitor my outgoing vpn connection, but with nothing feeding in to “All Messages”, nothing else is going to get placed…

jochen · 2017-10-01 21:30:48 UTC

Is your Elasticsearch cluster healthy and can Graylog connect to it?
What’s in the logs of your Graylog and Elasticsearch nodes?

jlavigne · 2017-10-01 21:36:05 UTC

I have no clue on this. I am expecting that this is where the disconnect is, in my reading, but I do not see anything in the documentation for configuration or troubleshooting of elasticsearch. I have checked the logs in /var/log/graylog/elasticsearch/ , but haven’t found any errors. Is there a resource you can point me to to ensure the elasticsearch configuration is correct?

jan · 2017-10-02 07:02:29 UTC

@jlavigne

did your Graylog server.log contain some string that indicates it is connected to Elasticsearch?

Is in your Graylog Webinterface in ‘System > Overview’ all green?

jlavigne · 2017-10-02 14:12:50 UTC

Ok, I think I got it. After our last exchange, I tried rebooting the server and saw messages going in to all messages for a bit, until the server hit 4G of memory usage (which was the recommended amount for the VM). At that point, messages got very spotty. I bumped the RAM to 8G on the Virtual Machine, and now it is ingesting entries like a champ.

Thanks for your help!

And, no, the ElasticSearch is not Green, as I only have one server, so no cluster. It is, however, working now!

system · 2017-10-16 14:13:02 UTC

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.