I have created a handful of indexes, inputs and streams. Only one of my inputs is duplicating the messages coming in. It is not the SaaS product that is sending the message twice. It is sent once, but Graylog seems to be duplicating it as soon as it gets imported. I have attempted to pause the stream and let them be sent to the default index. Each log entry still gets a duplicate.
I am currently running Graylog 4.3.7 on Ubuntu 20.04. I have removed the input, started over, etc. Any suggestions help. Thanks!
I have a 3 inputs using Syslog UDP, all on different ports. 2 of the 3 are working without issue. Each are different products / machines etc. The one I posted about is a SaaS product. I previously had this dumping into Elk, where only one message was being logged properly.
I also have 1 beats input and another CEF UDP. All except this 1 Syslog UDP are working properly.
This sounds like you are sending the messages twice. but from the message ID being the same this is odd. Have you tired to recreate the third Syslog UDP Input? or is that not a possibility?
I know I tore it down and re-created it, but not sure if I changed associated port…I also attempted to re-build with different names for the Index, Input, and Stream. I could definitely do it again…I know that I was playing around with the extractors during the first setup, but I don’t recall if messages were duplicating before that. Regardless, I had tore everything down and re-built, so I would have imagined that any changes that were made with extractors, were wiped out.
yeah, for a control test, leave the Bad Syslog UDP Input running and create a forth Syslog UDP completely different (i.e., name , port, etc) once up and running start sending logs to it.
Also did a quick search I found this article.
Only time I seen message dups was when they were in two different streams, but from the picture you only have one stream two messages with same ID. something funcky is going on , perhaps configuration of some sort.
For whatever reason, the re-build of the input successfully worked this time. Thanks for making me re-attempt it. We are golden. By the way, I am loving Graylog.
awesome 