Hi All,
I installed a basic Graylog 3.1 instance, with Graylog, elasticsearch and mongodb all running on the same server. The server is running CentOS (not sure if relevant), and was originally configured with only one network interface (10.67.115.120). We only have a handful of servers and network devices sending logs but everything has been running fantastically for over a year and I’ve been very happy.
I now need to receive logs from some new servers, which needed a new network interface to be added with an IP address in a different subnet (10.67.114.120) to the original NIC. Once I added the new NIC and restarted the server, I stopped receiving logs from some of my servers. Weirdly, if I bring down the new interface then the logs start appearing immediately in Graylog.
The input for the logs from the affected servers is set to the correct address (10.67.115.120), although I’ve also tried replacing it with 0.0.0.0 to no avail.
My server.conf is configured as follows:
http_bind_address = 10.67.115.120:9000
…
http_publish_uri = 10.67.115.120:9000
I’ve tried using 0.0.0.0:9000 for the http_bind_address and restarting Graylog, but I still don’t receive the messages unless I bring down the new NIC.
I’ve also tried adding 2 lines with http_bind_address (one line per IP I’m using), but although I could start the graylog-server.service successfully I couldn’t then access the log in page.
Do I need to define the IP addresses of both NICs I want to bind inputs to in server.conf, and if so can you advise the correct syntax I should be using?
Many thanks,
Gareth