Hi,
My Graylog version is 2.4. Today, after a bit of troubleshooting, I arrived at the following conclusion:
One of my pipelines is silently dropping messages after processing them.
I have written a pipeline for parsing and enriching BGP messages I receive on my server. Custom Cisco fields are first extracted from the messages, which are afterwards matched in the pipeline if the field cisco_mnemonic equals ADJCHANGE.
This is the basic flow of it:
- Lab device generates a neighbor shutdown message
- tcpdump shows messages being received
- debug statements for at least one rule in every stage of the pipeline show up in the server log
- the last stage is executed, with a route_to_stream statement to a dedicated stream
- none of these messages show up in the web interface
The same behaviour is observed if the route_to_stream statement is absent.
The debug messages include fields I specifically set in the pipeline, so I assume my rules are doing what I expect (I don't have any drop_message statement).
- the server logs do not show any processing error
- only rules belonging to this pipeline appear to show this behaviour
- there are no Elasticsearch indexing errors
I have my server logging set to debug; this is a pastebin log dump with a few examples.
Can anyone help me understand why this is happening?
EDIT
Upon further troubleshooting, I managed to find the cause of the problem.
I was using the to_ip function inside a call to set_field; the former was the cause of the problem. After I replaced it with to_string, things started working normally again.
I guess Graylog didn't like the field type being set to IP address, and that's probably my fault for trying, but it's still at least strange that the whole 5-stage pipeline ran and the problem was in the second stage.
So the behaviour is still buggy IMO.
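As an added illustration (not code from the original post), this is the shape of the second-stage rule the poster describes, with the variant that caused the silent drop shown commented out next to the working one; the source field name `neighbor` and the stream name `BGP events` are assumptions.

```text
// Added example, not from the original post. Field "neighbor" and stream
// "BGP events" are assumed; cisco_mnemonic and ADJCHANGE come from the post.
rule "BGP ADJCHANGE - enrich and route"
when
  has_field("cisco_mnemonic") &&
  to_string($message.cisco_mnemonic) == "ADJCHANGE"
then
  // Variant reported as the cause of the drop: storing an IP-typed value.
  // set_field("bgp_neighbor", to_ip($message.neighbor));

  // Working variant from the EDIT: store the address as a plain string.
  set_field("bgp_neighbor", to_string($message.neighbor));

  // Leave a trace in server.log so a drop after this point is visible.
  debug(concat("bgp_neighbor=", to_string($message.bgp_neighbor)));

  route_to_stream(name: "BGP events");
end
```

If the debug line appears in server.log but the message count on the target stream does not rise, the value type written by set_field is the first thing to check, as the poster found.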