I have a weird situation here that I am at a loss as to how to fix. I have set up a new input for a Cisco SourceFire device which is sending syslog UDP data. The Input screen shows no activity under “Throughput / Metrics”. And yet, if I go to the Sources menu, it is clearly listed as a source. I can even go to the search screen and enter “source:xyz” and it will list messages for that SourceFire device.
So, why does the input screen say it hasn’t received any data?
Sorry, I just realized that I didn’t give any details as to my setup.
I’m running Graylog 2.4.3+2c41897 (Oracle Corporation 1.8.0_151 on Linux 4.9.0-4-amd64)
I assume that you mean the log in /var/log/graylog-server/:
2018-01-31T08:27:45.264-06:00 INFO [InputStateListener] Input [Syslog UDP/5a71d261395a302a74f3b675] is now STARTING
2018-01-31T08:27:45.274-06:00 WARN [NettyTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=Cisco SourceFire, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=null} should be 262144 but is 212992.
2018-01-31T08:27:45.280-06:00 INFO [InputStateListener] Input [Syslog UDP/5a71d261395a302a74f3b675] is now RUNNING
Due to a combination of things, turns out that I don’t have a problem at all - it’s just that the messages sent to Graylog took longer than what I had expected before they showed up.