I have a green state (curl _cluster/health, curl _cat/indices?v, system overview) on the Graylog multi-node setup.
I have 10 hosts which send their logging activity (SSH) to a TCP Syslog input.
I see it at the top right of the page (In/Out eps), but when I search for it, there is no result.
2 methods:
With the classic search request;
With the Input search button (with gl2_source_input:ID).
When I force a new event and check with curl _cat/indices?v, I see docs.count go up (example: 3639; generate an SSH event on one host; 3650 after).
One possibility is that the timestamp value is interpreted wrongly and the messages are not in your search interval; you could try searching in all messages. The Syslog input can be picky; you might need to create a Raw input and parse the timestamps yourself.
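To make the reply's point concrete, here is an added example (not from the thread or from Graylog's own parser) of what happens when a BSD-syslog (RFC 3164) timestamp is parsed with the wrong assumptions. RFC 3164 carries neither a year nor a timezone, so the receiver has to assume both; if the sender's clock runs at UTC+1 but the receiver treats the time as UTC, the stored timestamp lands one hour in the future, a "last 5 minutes" search misses it, while "all messages" still finds it. The sample line, hostnames and offsets are constructed for the example.

```python
"""Added example: an RFC 3164 syslog line indexed with a wrong timezone
assumption falls outside a relative search window even though it was stored.
Sample data below is constructed, not taken from a real host."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: OpenSSH login line as emitted by a BSD-syslog forwarder.
# RFC 3164 timestamps have no year and no timezone ("Jan  5 09:14:22").
SAMPLE = ("<38>Jan  5 09:14:22 host01 sshd[1234]: Accepted publickey for ops "
          "from 10.0.0.5 port 50214 ssh2")

RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}):(?P<min>\d{2}):(?P<sec>\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_rfc3164(line, received_at, assume_tz):
    """Parse a BSD-syslog line into (aware UTC datetime, host, message).

    received_at: aware datetime of arrival; supplies the missing year.
    assume_tz:   tzinfo the sender's clock is assumed to run in.
    """
    m = RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line")
    month = datetime.strptime(m["mon"], "%b").month
    year = received_at.year
    candidate = datetime(year, month, int(m["day"]), int(m["time"]),
                         int(m["min"]), int(m["sec"]), tzinfo=assume_tz)
    # Year rollover: a "Dec 31 23:59:58" line received on Jan 1 belongs to
    # the previous year; anything more than a day in the future is suspect.
    if candidate - received_at > timedelta(days=1):
        candidate = candidate.replace(year=year - 1)
    return candidate.astimezone(timezone.utc), m["host"], m["msg"]


def in_relative_window(ts_utc, now_utc, minutes):
    """Relative search as a web UI performs it: [now - minutes, now]."""
    return now_utc - timedelta(minutes=minutes) <= ts_utc <= now_utc


def demo():
    # Constructed scenario: the line arrives at 08:14:30 UTC. The sender's
    # clock is at UTC+1 (hypothetical Paris host in winter), so its
    # "09:14:22" really means 08:14:22 UTC.
    received = datetime(2018, 1, 5, 8, 14, 30, tzinfo=timezone.utc)
    sender_tz = timezone(timedelta(hours=1))
    right, _, _ = parse_rfc3164(SAMPLE, received, sender_tz)   # correct assumption
    wrong, _, _ = parse_rfc3164(SAMPLE, received, timezone.utc)  # receiver assumes UTC
    now = received + timedelta(seconds=30)
    return {
        "correct_utc": right.isoformat(),
        "assumed_utc": wrong.isoformat(),
        # docs.count rises in both cases; only the search outcome differs.
        "found_with_correct_tz": in_relative_window(right, now, 5),
        "found_with_wrong_tz": in_relative_window(wrong, now, 5),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The quick check on a real cluster is the same as the reply suggests: search with an absolute range that covers an hour on each side of now (or all messages); if the events appear with a timestamp an hour off, it is the timezone assumption on the input, not indexing, that is wrong.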
I've updated the Graylog cluster to version 2.4 to see if it resolves the search bug.
The master node has an error, LookupDataAdapter: Couldn't start data adapter abuse-ch-ransomware-domains, and the slave nodes have NodePingThread: Did not find meta info of this node. Re-registering.
These errors are resolved.
I send logs to the second node.
Now, if I search for events in the web UI on Node 01 (master) or on the slaves, I get no results.
In tcpdump or at the top right of the web UI, I see incoming logs.