Graylog processes messages, but I can't see them


#1

I am sending messages to my graylog cluster using GELF HTTP over port 12229. The client is receiving 202 responses indicating the logs are processed. In the “Input” tab, I’m looking at “Throughput / Metrics” > “Network IO”, and that is filling up as I send messages (I have been sending the example test message, same as the documentation). However, when I go to “Show Received Messages”, nothing is there. I have tried changing from relative to absolute time and searching all messages, but still nothing shows up.

What is going on here? Am I missing something, or could this be a bug? Any help is greatly appreciated.

I am using version 2.1.2+50e449a

Thank you,
Wells


#2

Is the system time still accurate? I’ve experienced issues before where ntpd died and my search results became skewed/nonexistent. The data was being filed away routinely in elasticsearch, but a search using the browser couldn’t retrieve the proper time range.


#3

Yeah, the system time seems to be accurate within 1 minute. I should have said, I have a few other inputs that work just fine with indexing / searching. It is just the new GELF HTTP input that isn’t working properly.


(Jochen) #4

The GELF HTTP input pretty much always responds with HTTP status 202. It doesn’t mean that the messages were valid and were processed.

What payload are you sending to the GELF HTTP input?


#5

hi,

You could look at the logs of the Graylog server. There could be some Java exceptions that help to understand.

Very often the timestamp field has a space between date and time, and Graylog requires it to be the letter T instead. You can see if this is the case by looking at the logs. If it is, you can fix it by adding an extractor to the timestamp that contains a date converter.
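Posts #4 and #5 above make two points: the input's 202 says nothing about whether the payload was valid, and a timestamp with a space between date and time is a common reason a message is dropped. The following added example (not from this thread and not Graylog's own code) checks a GELF payload client-side for exactly those problems and repairs the timestamp before POSTing; the URL is an assumed placeholder.

```python
import json
import re
import urllib.request
from datetime import datetime, timezone

GELF_URL = "http://graylog.example.org:12229/gelf"  # assumed placeholder, not from the thread
GELF_FIELDS = {"version", "host", "short_message", "full_message",
               "timestamp", "level", "facility", "line", "file"}
ISO_RE = re.compile(r"^\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(\.\d+)?$")

def normalise_timestamp(ts):
    """Convert 'YYYY-MM-DD HH:MM:SS' / '...THH:MM:SS' (UTC) to epoch seconds; pass numbers through."""
    if isinstance(ts, (int, float)):
        return float(ts)
    m = ISO_RE.match(ts)
    if not m:
        raise ValueError(f"unparseable timestamp: {ts!r}")
    fmt = "%Y-%m-%dT%H:%M:%S" + (".%f" if m.group(1) else "")
    dt = datetime.strptime(ts.replace(" ", "T"), fmt)
    return dt.replace(tzinfo=timezone.utc).timestamp()

def check_gelf(payload):
    """List the defects that make Graylog drop a message even though the input answered 202."""
    problems = []
    for field in ("host", "short_message"):
        if not payload.get(field):
            problems.append(f"missing required field {field!r}")
    ts = payload.get("timestamp")
    if isinstance(ts, str) and " " in ts:
        problems.append("timestamp has a space between date and time; use 'T' or epoch seconds")
    elif ts is not None and not isinstance(ts, (int, float)) and not ISO_RE.match(str(ts)):
        problems.append("timestamp is neither epoch seconds nor ISO 8601")
    for key in payload:
        if key not in GELF_FIELDS and not key.startswith("_"):
            problems.append(f"additional field {key!r} must start with '_'")
    return problems

def send_gelf(payload, url=GELF_URL, fix_timestamp=True):
    """Repair the timestamp client-side, validate, POST; return the HTTP status (202 on acceptance)."""
    body = dict(payload, version="1.1")
    if fix_timestamp and "timestamp" in body:
        body["timestamp"] = normalise_timestamp(body["timestamp"])  # same effect as the date-converter extractor
    problems = check_gelf(body)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status
```

Run `check_gelf` on the payload you actually send: the documentation's example message passes, while a `"timestamp": "2016-11-01 12:00:00"` field is reported before the server silently discards it.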


#6

I see…dang, that’s misleading.

I’m sending the example payload to my server:
curl -XPOST http://graylog.example.org:12202/gelf -p0 -d '{"short_message":"Hello there", "host":"example.org", "facility":"test", "_foo":"bar"}'


(Jochen) #7

You said you’ve started the GELF HTTP input on port 12229, but that cURL command is sending the payload to port 12202.


#8

Yeah, sorry, that's because I copied it directly from the docs. In my tests I'm using the correct host/port. As I said before, it's hitting the server, which is filling up the input and returning a 202, I just can't see any messages.


#9

I am finally able to see messages using curl…not sure what changed. I’m going to do some investigating and will report back.


(Kris) #10

I had this same issue, but I think mine was more to do with sending incorrectly formatted logs through the TCP syslog. Once I sent in through TCP plaintext, it worked fine.