"Show received messages" says nothing found

I have a weird situation here that I am at a loss as to how to fix. I have set up a new input for a Cisco SourceFire device which is sending syslog UDP data. The Input screen shows no activity under “Throughput / Metrics”. And yet, if I go to the Sources menu, it is clearly listed as a source. I can even go to the search screen and enter “source:xyz” and it will list messages for that SourceFire device.

So, why does the input screen say it hasn’t received any data?



What’s in the logs of your Graylog node?

Sorry, I just realized that I didn’t give any details as to my setup.

I’m running Graylog 2.4.3+2c41897 (Oracle Corporation 1.8.0_151 on Linux 4.9.0-4-amd64)

I assume that you mean the log in /var/log/graylog-server/:

2018-01-31T08:27:45.264-06:00 INFO  [InputStateListener] Input [Syslog UDP/5a71d261395a302a74f3b675] is now STARTING
2018-01-31T08:27:45.274-06:00 WARN  [NettyTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=Cisco SourceFire, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=null} should be 262144 but is 212992.
2018-01-31T08:27:45.280-06:00 INFO  [InputStateListener] Input [Syslog UDP/5a71d261395a302a74f3b675] is now RUNNING

Yes, if that’s the location of the logs in your environment. But the complete logs and not just three arbitrary lines.

Those are not what I would call arbitrary - they were selected because they’re the only lines that talk about the input in question.

Here’s a temporary link to the log file on file.io:

Due to a combination of things, turns out that I don’t have a problem at all - it’s just that the messages sent to Graylog took longer than what I had expected before they showed up.

