Graylog 3 only one source

Hello, I’m new on Graylog but my problem seems very strange.
I’ve configured five Cisco ASA appliances to send logs to the Graylog machine, but I see only one of them in the Sources and in the Search interface. I can see the logs coming in on the server using tcpdump, but on the Graylog interface only one ASA seems to be working fine. The other ASAs are not visible.
How can I troubleshoot this issue?

Thx

Have you checked /var/log/graylog-server/server.log?

Yes … the only WARN message is regarding the receiveBufferSize that “should be 262144 but is 425984”. I tried to modify the buffer size in the input without success. Any other check?

I would check the iptables configuration, then disable/enable your Cisco devices one by one and carefully compare the TCP/IP headers in the tcpdump, and try changing the listen port.

I have a similar issue using Linux servers with syslog-ng.

Only one server is showing up in sources list.

That being said, logs are coming in. The TCP input/output gauge is flying up and down, but no logs are visible from the new sources in the Search section…

I can’t find any relevant error from graylog-server logs.

Looks like I found the root cause… In my Graylog VM I have configured two interfaces. One is for management, while the other is for log capture. The log capture interface is on the same network as the only source I can receive. Despite the fact that the logs from the devices on other networks arrive correctly, they are not processed (and not even inserted in the incoming queue) by Graylog. After deleting one of the two interfaces, I can now see all the logs from all the sources.
I think that this is a limitation of Graylog that should be corrected.

I found my problem… It was due to a timezone issue with the other sources.

Sources which were not showing up were running on a GMT+5 timezone while the Graylog and the other server were on GMT+2.

The timezone is not passed with the Syslog message. Graylog was saving logs from these GMT+5 sources with a date in the future. Hence the reason why I was not seeing these new sources.

Changing the timezone everywhere with the same value fixed this problem.
