New Install Indexes are not showing any incoming logs

1. Describe your incident:
I have a new installation. A three Graylog Cluster, MongoDB and three OpenSearch servers.

Installation was via:

Everything went fine and everything seems up.
Nodes look good on in /system/nodes
Elasticsearch cluster graylog is green. Shards: 15 active, 0 initializing, 0 relocating, 0 unassigned
No failed indexing attempts in the last 24 hours.

I added an index and set up for Raw UDP on port 1512. Nodes show running.

When I run sudo lsof -i -P -n | grep LISTEN
[sudo] password for netadmin:
systemd-r 971 systemd-resolve 14u IPv4 33049 0t0 TCP (LISTEN)
mongod 1002 mongodb 14u IPv4 22676 0t0 TCP xx.xx.xx.111:27017 (LISTEN)
mongod 1002 mongodb 15u IPv4 22677 0t0 TCP (LISTEN)
sshd 1046 root 3u IPv4 20810 0t0 TCP *:22 (LISTEN)
sshd 1046 root 4u IPv6 20812 0t0 TCP *:22 (LISTEN)
sshd 3627 admin 7u IPv6 46004 0t0 TCP [::1]:6011 (LISTEN)
sshd 3627 admin 9u IPv4 46005 0t0 TCP (LISTEN)
java 3842 graylog 165u IPv4 60692 0t0 TCP xx.xx.xx.:9000 (LISTEN)

It does not seem to be lisening on the port I set up in the index and no traffic is passing from devices I set up to test.

Devices on the backend are standard asa with IP and port UDP/1514 destination.

2. Describe your environment:

  • OS Information:
    Ubuntu 22.04.2

  • Package Version:
    5.0.6+51f2df8, codename Noir
    PID 4334, Eclipse Adoptium 17.0.6 on Linux 5.15.0-70-generic

  • Service logs, configurations, and environment variables:
    is_leader = true
    node_id_file = /etc/graylog/server/node-id
    password_secret =
    root_username =
    root_password_sha2 =
    root_timezone = UTC
    bin_dir = /usr/share/graylog-server/bin
    data_dir = /var/lib/graylog-server
    plugin_dir = /usr/share/graylog-server/plugin
    http_bind_address = :9000
    trusted_proxies = x.0.0.0/8
    elasticsearch_hosts = http://<open search node 1 IP>:9200,http://<open search node 1 IP>:9200,http://<open search node 1 IP>:9200

3. What steps have you already taken to try and solve the problem?
Review configurations multiple times. Same results. Added load balancers to from end and pointed directly at the Graylog servers with same result.

4. How can the community help?

  1. Should the server have a port open and set to listen for a proper configuration?
  2. Are there any other troubleshooting techniques I could try to test the index
  3. Did I miss something where the index and not creating a port to listen to?

thank you in advance for any guidance.

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

Does the input show as running on the inputs page, does it show any traffic, rejected messages etc. Have you tried using curl or something to just send some random data at the port to see if anything shows up, a raw port will except pretty much anything.

Also dumb question, but the firewall on the server, if its on, has been opened on that port.

I did have the firewall on, with appropriate ports open but turned off firewall for testing. Same results either way.

The index shows as up and all nodes in cluster running. The traffic is 0 b in and 0 b out. I have one TCP and one UDP set up. The TCP does show active connections, but zero messages. New to CURL but that was me next undertaking.

Thank you!

Found this issue. Looks like the source I was testing with was the culprit. Curl test worked and additional sources worked fine.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.