Issue with Graylog inputs behind loadbalancer

Hi all,

yesterday I tried to put a hardware loadbalancer (f5) in front of our 2 GL servers for a TCP input.

On the LB I set the virtual server with the correct TCP port (5555) and configured the GL nodes as backend with their corresponding global input on port 5555 with roundrobin.
I could see the open port with netstat and see incoming traffic with tcpdump on the LB.
On one node I could see traffic from the LB to the port (checked with tcpdump), but not on the other node.

On the input in the GL web interface I was able to see incoming traffic, but no messages were indexed.
We used a device which normally logs on a different input on our GL server.

Our setup:
1 GL server (want to put a second node in the cluster to distribute traffic)
3 node ES cluster
3 node MongoDB replica set
All servers are running CentOS7, version is “Graylog 2.5.1+34194da”, ES is still on 5.6.14, installed with RPMs

I hope someone can help us, I was only able to find “how to’s” with the GL web interface behind a LB.

Best,
Sascha

When you use TCP you need to configure your LB in the correct way - if both nodes are “alive” new incoming connections should be distributed. When the sending client holds the TCP connection the backend will always be the same that gets everything.

Okay, understood that.
But what about not seeing any indexed messages? I can see incoming traffic in the input detail, but when I click on “Show received messages”, nothing is shown.

is your journal raising or are the message ingested into elasticsearch?

• check the journal
• check the Graylog server.log
• recalculate index range “System > indices > Index name > maintenance > recalculate index range”

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.