Service logs, configurations, and environment variables:
All standard config but some passwords
3. What steps have you already taken to try and solve the problem?
Access the old GL and check the client IP → see they match with the real client IP
Access the new GL and check the client IP → see they are shown as 127.0.0.1 all the time
It is quite possible that however you are parsing the incoming messages, it is picking up the wrong field? Maybe look at the path the message takes through your extractors and/or pipeline? You would need to provide a sample message and some detail on how you are breaking out fields… specifically the loopback and the required IP field and its placement in the message.
Also, did you upgrade Elasticsearch or switch to OpenSearch? To what version if you did? Did you upgrade Sidecar?
Sorry if I sound too blonde here but I don’t see the relationship between parsing messages and where users log in from… O_o You can see which users are logged in the system without ingesting a single line of logs…
FYI - we use OpenSearch 1.3.3 + GL 4.3.3 from day #1.
I didn’t upgrade.
Both GL servers run in parallel and we’re in the process of configuring the new one to offer the same services as the old one…
Once the new GL-cluster is finished, we’ll sunset the old server…