Graylog 5.0.6 Getting Some logs but not All

1. Describe your incident:
Graylog Server gets some log messages but not all messages from a Windows server.

Ex. We get login events but no messages from event ID 5136. Event ID 5136 does show up in the Windows Event Viewer.

2. Describe your environment:

  • OS Information:
    Red Hat 7.9

  • Package Version:
    Graylog Server: 5.0.6
    Mongodb: 5.0
    Opensearch: 2.5
    Graylog Sidecar 1.4

3. What steps have you already taken to try and solve the problem?

Tried changing the NXLog config to have a query list to only grab the Application, System and Security logs.

4. How can the community help?
Has anyone seen this issue before?

You said you are sending these logs via NXLog? Are you using Graylog Sidecar, or are you using NXLog directly?

Can you share your NXLog config?

Also, can you confirm you don't see any indexing errors on the System/Overview page?

Here is an example:

So there do appear to be indexing errors: illegal argument exception, total fields reached. We fixed this before; I will go back through our tech volumes and see what was done.

Usually, Windows logs ingested in Graylog are in JSON/GELF format with an automatic JSON/GELF extractor, so they create many fields. The best way to handle this is to put Windows logs in a dedicated index. Moreover, you can increase the limit of 1000 fields (1500 or 2000 should be fine).

1 Like
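The answer above describes the cause (GELF-extracted Windows events create many distinct fields until the index hits OpenSearch's per-index field limit, after which new documents are rejected and the matching events silently never appear in Graylog) and the two remedies (a dedicated index set, a higher `index.mapping.total_fields.limit`). The following script is an added example, not code from this thread, from Graylog or from OpenSearch: it counts the fields in an index mapping, compares the count with the configured limit so you can see the problem coming before events are dropped, and recognises the field-limit message in an indexer failure. The sample mapping, settings and failure message are constructed here to stand in for the replies of `GET <index>/_mapping`, `GET <index>/_settings` and Graylog's indexer-failure list; the exact failure wording varies slightly between OpenSearch and Elasticsearch versions, so the regex accepts both the plain form and the form that names the index.

```python
"""Check how close a Graylog index is to the OpenSearch total-fields limit.

Added example for this thread (not Graylog's or OpenSearch's own code).
All sample data below is constructed for the demonstration.
"""
import re

# Default value of index.mapping.total_fields.limit in OpenSearch/Elasticsearch.
DEFAULT_TOTAL_FIELDS_LIMIT = 1000

# Constructed: shape of a GET graylog_0/_mapping reply after GELF-extracted
# Windows events (event 5136 carries many EventData attributes, for example).
SAMPLE_MAPPING = {
    "graylog_0": {
        "mappings": {
            "properties": {
                "message": {"type": "text"},
                "timestamp": {"type": "date"},
                "source": {"type": "keyword", "fields": {"text": {"type": "text"}}},
                "winlog": {
                    "properties": {
                        "EventID": {"type": "long"},
                        "Channel": {"type": "keyword"},
                        "EventData": {
                            "properties": {
                                "SubjectUserName": {"type": "keyword"},
                                "ObjectDN": {"type": "keyword"},
                                "AttributeLDAPDisplayName": {"type": "keyword"},
                            }
                        },
                    }
                },
            }
        }
    }
}

# Constructed: shape of a GET graylog_0/_settings reply (values arrive as strings).
SAMPLE_SETTINGS = {
    "graylog_0": {"settings": {"index": {"mapping": {"total_fields": {"limit": "1000"}}}}}
}

# Constructed: an indexer failure body of the kind Graylog lists under
# System/Overview when the mapping limit is hit.
SAMPLE_FAILURE = (
    '{"type":"mapper_parsing_exception","reason":"failed to parse",'
    '"caused_by":{"type":"illegal_argument_exception",'
    '"reason":"Limit of total fields [1000] has been exceeded"}}'
)

# Matches both "Limit of total fields [N] has been exceeded" and the variant
# that names the index: "Limit of total fields [N] in index [x] has been exceeded".
FIELD_LIMIT_RE = re.compile(
    r"Limit of total fields \[(?P<limit>\d+)\](?: in index \[(?P<index>[^\]]+)\])? has been exceeded"
)


def count_mapping_fields(properties):
    """Count mapped fields the way the limit does: every leaf or object field,
    plus multi-fields (the "fields" sub-mappings such as a .keyword variant)."""
    total = 0
    for spec in properties.values():
        total += 1                                                   # the field itself
        total += len(spec.get("fields", {}))                         # multi-fields
        total += count_mapping_fields(spec.get("properties", {}))    # nested object
    return total


def total_fields_limit(index_settings):
    """Read index.mapping.total_fields.limit from a _settings entry, accepting
    the nested form and the flattened key; fall back to the engine default."""
    settings = index_settings.get("settings", index_settings)
    flat = settings.get("index.mapping.total_fields.limit")
    if flat is not None:
        return int(flat)
    node = settings
    for key in ("index", "mapping", "total_fields", "limit"):
        if not isinstance(node, dict) or key not in node:
            return DEFAULT_TOTAL_FIELDS_LIMIT
        node = node[key]
    return int(node)


def field_budget(mapping_reply, settings_reply, warn_ratio=0.8):
    """Per index: field count, limit and a status (ok / warning / exceeded).
    'warning' fires at warn_ratio of the limit so the index can be split or
    the limit raised before OpenSearch starts rejecting documents."""
    report = {}
    for index, body in mapping_reply.items():
        count = count_mapping_fields(body["mappings"].get("properties", {}))
        limit = total_fields_limit(settings_reply.get(index, {}))
        if count >= limit:
            status = "exceeded"
        elif count >= warn_ratio * limit:
            status = "warning"
        else:
            status = "ok"
        report[index] = {"fields": count, "limit": limit, "status": status}
    return report


def parse_indexer_failure(message):
    """Return {"limit": N, "index": name-or-None} if the failure text is the
    total-fields limit error, else None (any other mapping failure)."""
    match = FIELD_LIMIT_RE.search(message)
    if not match:
        return None
    return {"limit": int(match.group("limit")), "index": match.group("index")}


def raise_limit_body(new_limit):
    """Settings body (for PUT <index>/_settings or an index template) that
    raises the limit, e.g. to the 1500 or 2000 suggested in the thread."""
    if new_limit <= DEFAULT_TOTAL_FIELDS_LIMIT:
        raise ValueError("new limit must be above the default of %d" % DEFAULT_TOTAL_FIELDS_LIMIT)
    return {"index.mapping.total_fields.limit": new_limit}


if __name__ == "__main__":
    print(field_budget(SAMPLE_MAPPING, SAMPLE_SETTINGS))
    print(parse_indexer_failure(SAMPLE_FAILURE))
    print(raise_limit_body(2000))
```

Two practical notes on applying this. Raising the limit with `PUT <index>/_settings` changes only the current index; Graylog creates a fresh index at every rotation from its own template, so the higher value belongs in a custom index template for the index set's prefix (or the Windows logs go to their own index set, as the answer suggests) or the error will come back after the next rotation. And the `warning` status is the one worth alerting on: once the status is `exceeded`, the events that carry the new fields, such as the 5136 directory-change events in the original question, are already being discarded while other events for the same host still arrive, which is exactly the "some logs but not all" symptom.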

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.