Can't see logs in the gui

Hi All

I send syslogs from two test Check Point firewalls. I can see logs for one of them but can not see for the other one. I checked if I get syslogs from source via tcpdump and I saw that graylog server received the logs.

root@graylog:/home/kasimg# tcpdump -i any -nnnA host 192.168.10.86
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]… for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes

11:47:39.297789 ens160 In IP 192.168.10.86.42927 > 192.168.164.102.514: SYSLOG auth.notice, length: 70
E…b.[@.?.1"…
V…f…N…<37>Mar 25 14:49:15 GW httpd2: HTTP login from 192.168.10.199 as admin
11:47:39.320047 ens160 In IP 192.168.10.86.42927 > 192.168.164.102.514: SYSLOG daemon.notice, length: 87
E…s.r@.?.0…
V…f…_…<29>Mar 25 14:49:15 GW xpand[11200]: Configuration changed from localhost by user admin
11:47:40.636263 ens160 In IP 192.168.10.86.42927 > 192.168.164.102.514: SYSLOG daemon.info, length: 76

I can’t see this device (GW) in the source list.

=====

You can see my installed components as below.

sudo apt list --installed | grep 'mongo|elasticsearch|opensearch|graylog'

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

graylog-5.2-repository/stable,now 1-2 all [installed]
graylog-server/stable,now 5.2.5-1 amd64 [installed]
mongodb-database-tools/jammy,now 100.9.4 amd64 [installed,automatic]
mongodb-mongosh/jammy,now 2.1.5 amd64 [installed,upgradable to: 2.2.1]
mongodb-org-database-tools-extra/jammy,now 6.0.13 amd64 [installed,upgradable to: 6.0.14]
mongodb-org-database/jammy,now 6.0.13 amd64 [installed,upgradable to: 6.0.14]
mongodb-org-mongos/jammy,now 6.0.13 amd64 [installed,upgradable to: 6.0.14]
mongodb-org-server/jammy,now 6.0.13 amd64 [installed,upgradable to: 6.0.14]
mongodb-org-shell/jammy,now 6.0.13 amd64 [installed,upgradable to: 6.0.14]
mongodb-org-tools/jammy,now 6.0.13 amd64 [installed,upgradable to: 6.0.14]
mongodb-org/jammy,now 6.0.13 amd64 [installed,upgradable to: 6.0.14]
opensearch/stable,now 2.12.0 amd64 [installed]

====

I changed port and protocol but still the same. I didn’t need to do anything for the working one. On the source side the configurations are the same.

Do you guys have any idea?

Thanks.

The first thing to check is that the messages aren't future dated: set your search time from yesterday to a few days in the future and see if they show in the search.

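Joel's point about future-dated messages can be checked straight from the tcpdump output in the question. The following is an added Python example (not code from the thread or from the Graylog project) that pairs each tcpdump packet line with the syslog payload after it, decodes the PRI value, and reports how far the message's own timestamp runs ahead of the time the Graylog host received it; the sample capture is a constructed copy of the lines above with the binary bytes dropped, and the capture date and the 300-second tolerance are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the tcpdump -A output in the question (the binary
# bytes between packet header and payload are dropped): the capture clock on the
# Graylog host says 11:47, the syslog header inside each datagram says 14:49.
CAPTURE = """\
11:47:39.297789 ens160 In IP 192.168.10.86.42927 > 192.168.164.102.514: SYSLOG auth.notice, length: 70
<37>Mar 25 14:49:15 GW httpd2: HTTP login from 192.168.10.199 as admin
11:47:39.320047 ens160 In IP 192.168.10.86.42927 > 192.168.164.102.514: SYSLOG daemon.notice, length: 87
<29>Mar 25 14:49:15 GW xpand[11200]: Configuration changed from localhost by user admin
"""

PKT_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+ \S+ In IP (\S+)\.\d+ > \S+\.514: SYSLOG")
# RFC 3164 header: <PRI>Mmm dd HH:MM:SS HOSTNAME TAG...
HDR_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) ")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_capture(text, capture_date):
    """Pair each tcpdump packet line with the syslog payload that follows it.

    capture_date is (year, month, day) of the capture: tcpdump prints only a time
    of day and an RFC 3164 header carries no year, so both are assumed from the caller.
    Returns one dict per message with source IP, reporting host, facility/severity
    decoded from PRI, and skew_s = message timestamp minus receive time in seconds.
    """
    year, cmonth, cday = capture_date
    out = []
    lines = text.splitlines()
    for i in range(len(lines) - 1):
        pkt, hdr = PKT_RE.match(lines[i]), HDR_RE.match(lines[i + 1])
        if not (pkt and hdr):
            continue
        received = datetime(year, cmonth, cday, *map(int, pkt.group(1, 2, 3)))
        sent = datetime(year, MONTHS[hdr.group(2)], int(hdr.group(3)), *map(int, hdr.group(4, 5, 6)))
        pri = int(hdr.group(1))
        out.append({
            "src_ip": pkt.group(4), "host": hdr.group(7),
            "facility": pri // 8, "severity": pri % 8,   # <37> -> auth.notice, <29> -> daemon.notice
            "skew_s": (sent - received).total_seconds(),
        })
    return out


def future_dated(records, tolerance_s=300):
    """Messages whose own timestamp is ahead of the receive time by more than the tolerance.

    Graylog's syslog inputs take the timestamp from the message header by default, so
    such messages land outside a search window that ends at "now" even though the
    server accepted them.
    """
    return [r for r in records if r["skew_s"] > tolerance_s]
```

In the sample both messages run about three hours ahead of the capture clock, which is exactly the skew that keeps them out of a default relative-time search until the window is widened into the future or the sending firewall's clock is corrected.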

Hi Joel,

I can see the logs now. I think indexing took longer than expected.

Thanks.
