I followed the instructions on the website and have Graylog running on Ubuntu. I created a simple tcp/udp input for PFSense to send logs to. I configured PFSense to send everything to Graylog. All of this was validated and mirrors at least (6) YouTube videos and website docs.
I see the Network I/O ticking away on the Input. However, when I click “Show Received Messages” I get nothing in the dashboard. In fact, the Message Count graph is empty and set to Jan 2000. Server time is set correctly to UTC-6 at the OS and in the Graylog server conf.
I don’t get why there are no messages showing up when it appears like there is clearly activity going on. Any ideas?
So, I went to bed last night and went to Graylog this morning to try to get the info you requested.
There are now messages in Graylog. So WTF. I then created another input for HAProxy and started it. No messages, and the input is ticking away on the Input screen. Apparently there is lag between when the messages start flowing into the journal and them being processed and displayed. Don’t know how long that takes, but it certainly seems to take a while.
I am running Graylog in an LXC container on Proxmox with (2) cores, 4GB RAM, and a 250GB HD. I am only getting logs from PFSense and the HAProxy service running on PFSense. Also, it is sort of in line with the OVA version of Graylog that is downloadable.
So is this lag normal? Is there a specific level of resources I need to have to eliminate this lag? Is there something going on in ES and Mongo that takes a while to be completed when inputs, indices, and streams are created? I just was not expecting that Graylog would be this unresponsive when setting up to collect logs from a source.
Also, here is the response from the curl command:
{
  "cluster_name" : "graylog",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 28,
  "active_shards" : 28,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
The lag you talked about would probably be from either your INPUT, OUTPUT, or PROCESSOR buffers. This really depends on your environment, like how many logs you are processing per hour or day. Sometimes you will get a log spike depending on the devices sending the logs.
Can you increase your CPU from 2 to 4 to see if that helps?
Can you show how you configured your graylog.conf file?
Lag, or messages shown later than they were generated, is sometimes a problem with timestamps. If Graylog saves a timestamp with a future value, it is also shown only after that time. It seems that it is delayed, but the messages are still saved in Elasticsearch and are shown by Graylog once the timestamp matches the real time. So check that all servers and devices have NTP-synchronized time and the correct timezone setup.
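To make the timestamp explanation above concrete, here is an added example that is not from any poster in this thread and not Graylog code. It parses a few constructed pfSense-style syslog lines (RFC 3164 format, which carries no year and no timezone) under an assumed sender timezone, compares each stamp with the collector's clock, and reports which messages land in the future, i.e. which ones would sit in Elasticsearch unseen until wall-clock time catches up. Running the same lines under two timezone assumptions shows how a six-hour offset mistake turns every message into a "delayed" one. The log lines, hostnames and the fixed `NOW` value are constructed for the example.

```python
"""Detect syslog messages whose timestamp lies in the future relative to the
collector's clock (added example; not Graylog code).

RFC 3164 timestamps look like "Mar 14 09:58:10" with no year and no zone, so
the collector has to assume a timezone for the sender. If that assumption is
off by the sender's UTC offset, every message is stored with a stamp hours in
the future and only becomes visible once real time reaches it.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample lines in pfSense/syslog style. The third one comes from a
# device whose clock runs 40 minutes ahead of the collector.
SAMPLE_LINES = [
    "Mar 14 09:58:10 pfsense filterlog: 5,,,1000000103,igb0,match,block,in,4",
    "Mar 14 09:59:30 pfsense haproxy[1234]: Proxy www started.",
    "Mar 14 10:40:00 pfsense sshd[999]: Accepted publickey for admin",
]

# Fixed "current time" of the collector so the example is deterministic.
NOW = datetime(2023, 3, 14, 10, 0, 0, tzinfo=timezone.utc)
UTC = timezone.utc
UTC_MINUS_6 = timezone(timedelta(hours=-6))  # the poster's UTC-6 setting


def parse_syslog_ts(line: str, year: int, sender_tz: timezone) -> datetime:
    """Parse the leading RFC 3164 timestamp, filling in the year and the
    timezone the collector assumes for the sender."""
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return stamp.replace(year=year, tzinfo=sender_tz)


def future_messages(lines, now: datetime, sender_tz: timezone,
                    tolerance: timedelta = timedelta(minutes=5)):
    """Return (line, skew_seconds) for every message stamped later than
    now + tolerance. skew_seconds is how long the message would stay
    invisible in a time-bounded search."""
    flagged = []
    for line in lines:
        ts = parse_syslog_ts(line, now.year, sender_tz)
        skew = (ts - now).total_seconds()
        if skew > tolerance.total_seconds():
            flagged.append((line, skew))
    return flagged


def report(lines, now: datetime, sender_tz: timezone) -> str:
    """Human-readable summary for one timezone assumption."""
    hits = future_messages(lines, now, sender_tz)
    header = f"assuming sender tz {sender_tz}: {len(hits)} of {len(lines)} in the future"
    body = [f"  +{int(skew)//3600}h{(int(skew)%3600)//60:02d}m  {line[:40]}"
            for line, skew in hits]
    return "\n".join([header, *body])


if __name__ == "__main__":
    # Sender actually stamps in UTC: only the device with the fast clock is off.
    print(report(SAMPLE_LINES, NOW, UTC))
    # Collector wrongly assumes the sender is at UTC-6: everything is ~6 h ahead.
    print(report(SAMPLE_LINES, NOW, UTC_MINUS_6))
```

The five-minute tolerance is an assumption for the example; tighten it if your devices are NTP-synchronized. The useful diagnostic signal is the pattern: one device off by an odd amount points at its clock, while every message off by a round number of hours points at a timezone assumption on the input or the sending device.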