Hello,
I set up a new Graylog server yesterday. My experience with Linux and Graylog is not very extensive, because I come from the Windows world.
Now I have set up the Graylog according to these instructions:
So far everything runs fine with the server, but if I activate rsyslog with the specific IP of the Graylog, I get the following error message from Graylog:
- Deflector exists as an index and is not an alias
On the other hand, I did the following:
- input configured incl. extractors of Sophos UTM
- syslog enabled on Sophos UTM
-> The data comes in - but cannot be interpreted.
Section of the log:
2019-06-15T13:56:41.152+02:00 ERROR [AbstractRotationStrategy] Could not find current deflector target of index set . Aborting.
org.graylog2.indexer.NoTargetIndexException: Couldn’t get newest index number for indices [graylog_deflector]
at org.graylog2.indexer.MongoIndexSet.getNewestIndexNumber(MongoIndexSet.java:170) ~[graylog.jar:?]
at org.graylog2.indexer.MongoIndexSet.getNewestIndex(MongoIndexSet.java:146) ~[graylog.jar:?]
at org.graylog2.indexer.rotation.strategies.AbstractRotationStrategy.rotate(AbstractRotationStrategy.java:61) ~[graylog.jar:?]
at org.graylog2.periodical.IndexRotationThread.checkForRotation(IndexRotationThread.java:113) ~[graylog.jar:?]
at org.graylog2.periodical.IndexRotationThread.lambda$doRun$0(IndexRotationThread.java:77) ~[graylog.jar:?]
at java.lang.Iterable.forEach(Iterable.java:75) [?:1.8.0_212]
at org.graylog2.periodical.IndexRotationThread.doRun(IndexRotationThread.java:73) [graylog.jar:?]
at org.graylog2.plugin.periodical.Periodical.run(Periodical.java:77) [graylog.jar:?]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_212]
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:1.8.0_212]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:1.8.0_212]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:1.8.0_212]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_212]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_212]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_212]
2019-06-15T13:56:41.447+02:00 WARN [IndexFieldTypePollerPeriodical] Active write index for index set “Default index set” (5d0394653e02981bf218c7f6) doesn’t exist yet
2019-06-15T13:56:41.878+02:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=a3c77450-8f64-11e9-b6d1-5a16cebbffb5, journalOffset=3753, codec=syslog, payloadSize=890, timestamp=2019-06-15T11:56:41.877Z, remoteAddress=/192.168.20.1:59968} on input <5d040f613e0298045a49bf88>.
2019-06-15T13:56:41.878+02:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=a3c77450-8f64-11e9-b6d1-5a16cebbffb5, journalOffset=3753, codec=syslog, payloadSize=890, timestamp=2019-06-15T11:56:41.877Z, remoteAddress=/192.168.20.1:59968}
Two questions:
- Why do I get this error message “Deflector exists as an index and is not an alias”? How can I solve the problem? Please give me a few instructions, because I am absolutely no Linux professional, thank you very much.
- Why are the logs not interpreted?
Thank you very much for your help.
Best regards