Messages duplicating

Recently I’ve noticed that some messages are duplicated several times (the only difference is the RecordNumber field). For example I’m searching for failed logon attempts and a message that account A failed to log on is duplicated ten times in a row, then account B failed to log on comes only once, account C failed to log on comes duplicated 4 times in a row etc.
I’ve created a new index with a single indice for the few streams that I made.
Any ideas?

Do you have multiple streams with multiple index sets?

That is the only reason why Graylog itself would duplicate messages: when a message is in multiple streams that have different index sets as target.

I’ve created one extra index set for a couple streams I’m interested in, the All messages stream is using the default index set. All the streams are using the “Remove matches from ‘All messages’ stream” option.

Does one message match on multiple of the streams?

Please check http://docs.graylog.org/en/2.4/pages/streams.html#index-sets

Maybe the sender does send the message multiple times?

Yes, one message can match two streams, and I’d understand it when the message would be duplicated two times because of that. This does not seem to be the case though since sometimes one message gets duplicated ten times or even more.

I also have a suspicion that the Windows event log might be badly configured on some of the machines being monitored, since the issue seems to be most visible only on a couple workstations, meaning the messages get duplicated a lot when specific sources send messages, especially one of them. I’ll look into it as soon as I can but for now I wanna make sure it’s not a Graylog-side issue.
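
One way to separate the two explanations raised in this thread, added here as an example that is not part of the original posts: group messages that are identical apart from RecordNumber, then check whether the copies carry distinct record numbers (the event log on the source holds separate records) or the same one (a single record was stored more than once). The field names other than RecordNumber, the host and index names, and the sample messages are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: failed-logon messages as they might look after export
# from a search. Field names, hosts, indices and values are assumptions.
def _msg(source, account, record, index):
    return {"source": source, "EventID": 4625, "TargetUserName": account,
            "timestamp": "2018-05-02T09:14:03", "RecordNumber": record, "index": index}

MESSAGES = (
    [_msg("ws-07", "A", n, "winsec_0") for n in range(88101, 88105)]   # 4 look-alikes
    + [_msg("ws-02", "B", 4410, "winsec_0")]                           # single message
    + [_msg("ws-03", "C", 5120, ix) for ix in ("graylog_0", "winsec_0")]
)

IGNORED = {"RecordNumber", "index"}  # fields allowed to differ between copies

def fingerprint(msg):
    """Everything except the ignored fields, as a hashable key."""
    return tuple(sorted((k, v) for k, v in msg.items() if k not in IGNORED))

def classify(messages):
    """Group look-alike messages and label how the copies in each group differ."""
    groups = defaultdict(list)
    for m in messages:
        groups[fingerprint(m)].append(m)
    report = []
    for key, copies in groups.items():
        if len(copies) == 1:
            continue  # not duplicated
        records = Counter(m["RecordNumber"] for m in copies)
        if len(records) == len(copies):
            kind = "distinct-records"  # source wrote N separate event log records
        elif len(records) == 1:
            kind = "same-record"       # one record stored several times
        else:
            kind = "mixed"
        fields = dict(key)
        report.append({"source": fields["source"], "account": fields["TargetUserName"],
                       "copies": len(copies), "records": len(records), "kind": kind})
    return report

def surplus_by_source(report):
    """Extra copies per source, to spot the hosts that dominate."""
    totals = Counter()
    for r in report:
        totals[r["source"]] += r["copies"] - 1
    return totals
```

Groups labelled `distinct-records` point at the sending host or its event log; groups labelled `same-record` point at storage or routing, such as one message landing in more than one index set.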

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.