1. Describe your incident:
I currently have a Stream that shows the blocked traffic from our firewall. Currently, I am seeing more messages in the stream (~24m count) than are in the index the stream uses (~11.7m count). I do have the stream set to remove messages that match the default stream.
2. Describe your environment:
- OS Information: Ubuntu 22.04 Server LTS. Not running in a docker container
- Package Version: Graylog Version 6.0.5+3ef5be7, codename Noir (Single-Node)
- Service logs, configurations, and environment variables:
3. What steps have you already taken to try and solve the problem?
For background, I did clear the index around 3 weeks after I had created the stream, since I didn’t have my rules correct and wanted a clean slate on the stream/index. This seemed to work temporarily, and then the old messages seemed to reappear in the past couple of weeks.
I have tried changing the stream rule from matching the gl2_source_input to using the built-in “match input” type, but this didn’t seem to work.
4. How can the community help?
I would like to get to where the stream and the index match in count.