Beats and nxlog input does not work


(Pkudemonhunter) #1

Graylog v2.4.4+4659dbe

Syslog UDP works
RAW AMQP works
After configuring collector-sidecar on a CentOS client and creating a Beats input on Graylog, nothing is shown when I click 'Show received messages'. However, incomingMessages and processedMessages keep growing at around 3 messages per second. The same applies to the nxlog input.

Using curl against the Elasticsearch API, I get the same result as in the GUI: the syslog input contents are OK, but zero results are returned for Beats and nxlog.

tcpdump on port 5044 on the Graylog server box shows packets coming in every second.
tcpdump on port 12021 also shows packets keep coming in.

What should I check now?


(Pkudemonhunter) #2

Update:

This should be timestamp related.
When using the Elasticsearch API without a timestamp filter, it works.

[root@localhost etc]# curl -X POST http://127.0.0.1:9200/graylog_2/_search?pretty -d '
> {
>   "from": 0,
>   "size": 1,
>   "query": {
>     "bool": {
>       "must": {
>         "query_string": {
>           "query": "gl2_source_input:5b051384ff41c96f8b9f37f8",
>           "allow_leading_wildcard": false
>         }
>       }
>     }
>   },
>   "sort": [
>     {
>       "timestamp": {
>         "order": "desc"
>       }
>     }
>   ]
> }
> '
{
  "took" : 40,
  "timed_out" : false,
  "_shards" : {
    "total" : 4,
    "successful" : 4,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 68916,
    "max_score" : null,
    "hits" : [
      {
        "_index" : "graylog_2",
        "_type" : "message",
        "_id" : "5f25c270-5f2c-11e8-9188-5254005add67",
        "_score" : null,
        "_source" : {
          "gl2_source_collector" : "d79ba8da-4113-40bd-b51b-c7b474998be5",
          "offset" : 1939,
          "collector_node_id" : "graylog-collector-sidecar",
          "gl2_remote_ip" : "10.10.90.100",
          "gl2_remote_port" : 51256,
          "streams" : [
            "000000000000000000000001"
          ],
          "source" : "localhost.localdomain",
          "message" : "10.10.251.146 - - [25/May/2018:16:26:19 +0800] \"GET / HTTP/1.1\" 304 0 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36\" \"-\"",
          "type" : "log",
          "gl2_source_input" : "5b051384ff41c96f8b9f37f8",
          "tags" : [
            "linux",
            "apache"
          ],
          "file" : "/var/log/nginx/access.log",
          "name" : "localhost.localdomain",
          "gl2_source_node" : "0db88440-2197-4994-97eb-665b5acd2563",
          "facility" : "filebeat",
          "timestamp" : "2018-05-25 08:26:27.200"
        },
        "sort" : [
          1527236787200
        ]
      }
    ]
  }
}

When using the Graylog-generated query with a timestamp range, nothing is returned.

curl -X POST http://127.0.0.1:9200/graylog_2/_search?pretty -d '
{
  "from": 0,
  "size": 1,
  "query": {
    "bool": {
      "must": {
        "query_string": {
          "query": "gl2_source_input:5b051384ff41c96f8b9f37f8",
          "allow_leading_wildcard": false
        }
      },
      "filter": {
        "bool": {
          "must": {
            "range": {
              "timestamp": {
                "from": "1970-01-01 00:00:00.000",
                "to": "2018-05-24 09:42:38.073",
                "include_lower": true,
                "include_upper": true
              }
            }
          }
        }
      }
    }
  },
  "sort": [
    {
      "timestamp": {
        "order": "desc"
      }
    }
  ]
}
'

(Jochen) #3

The message in your example has a timestamp from 2018-05-25, while your search only covered until 2018-05-24. :thinking:


(Pkudemonhunter) #4

Oh, I figured out the issue. The date on the other box is 1 day earlier. What an issue!
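
The root cause here (a client clock a day off from the Graylog server, so its messages land outside every time-bounded search while the input counters still climb) is a detection gap worth checking for on a schedule, not just once. As an added example that is neither from the thread nor from Graylog itself, the script below builds a future-only variant of the post #2 search and measures per-source skew from the returned hits; SAMPLE_HITS, SERVER_NOW, the placeholder syslog input id and the 5-minute tolerance are constructed assumptions.

```python
"""Clock-skew check for messages Graylog already indexed.

Added example, not from the thread: SAMPLE_HITS and SERVER_NOW are constructed
to mirror the _source fields and the search range shown in post #2.
"""
from datetime import datetime, timezone

GRAYLOG_TS = "%Y-%m-%d %H:%M:%S.%f"  # "timestamp" field format seen in the thread (UTC)


def future_messages_query(now, size=50):
    """Graylog's bool/filter/range shape from post #2, but with 'now' as the lower
    bound so only messages stamped in the future are returned."""
    return {
        "from": 0, "size": size,
        "query": {"bool": {
            "must": {"match_all": {}},
            "filter": {"bool": {"must": {"range": {"timestamp": {
                "from": now.strftime(GRAYLOG_TS)[:-3], "include_lower": False}}}}}}},
        "sort": [{"timestamp": {"order": "desc"}}],
    }


def skewed_sources(hits, now, tolerance_s=300):
    """Group hits by (gl2_source_input, gl2_remote_ip) and return the largest skew
    in seconds (message timestamp minus server time) above the assumed tolerance."""
    worst = {}
    for hit in hits:
        src = hit["_source"]
        stamp = datetime.strptime(src["timestamp"], GRAYLOG_TS).replace(tzinfo=timezone.utc)
        skew = (stamp - now).total_seconds()
        key = (src["gl2_source_input"], src["gl2_remote_ip"])
        if skew > tolerance_s and skew > worst.get(key, 0):
            worst[key] = skew
    return worst


# Constructed sample data: server time is the upper bound of the query in post #2,
# the first hit copies the Beats message from the thread, the second is a syslog
# message (placeholder input id) from a host whose clock is fine.
SERVER_NOW = datetime(2018, 5, 24, 9, 42, 38, 73000, tzinfo=timezone.utc)
SAMPLE_HITS = [
    {"_source": {"gl2_source_input": "5b051384ff41c96f8b9f37f8", "gl2_remote_ip": "10.10.90.100",
                 "facility": "filebeat", "timestamp": "2018-05-25 08:26:27.200"}},
    {"_source": {"gl2_source_input": "PLACEHOLDER_SYSLOG_INPUT_ID", "gl2_remote_ip": "10.10.90.101",
                 "facility": "syslog", "timestamp": "2018-05-24 09:40:00.000"}},
]

if __name__ == "__main__":
    for (input_id, ip), skew in skewed_sources(SAMPLE_HITS, SERVER_NOW).items():
        print(f"input {input_id} from {ip}: clock ahead by {skew / 3600:.1f} h")
```

In a real deployment the query would be posted to the same `_search` endpoint as in post #2 and the hits fed to `skewed_sources`; anything it reports is a host whose events your dashboards and alerts are silently missing.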


(Pkudemonhunter) #5

Thanks a lot for pointing it out. :grinning:


(system) #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.