"Show received messages" says nothing found

I have a weird situation here which I am at a loss as to how to fix. I have set up a new input for a Cisco SourceFire device which is sending syslog UDP data. The Input screen shows no activity under “Throughput / Metrics”. And yet, if I go to the Sources menu, it is clearly listed as a source. I can even go to the search screen and enter “source:xyz” and it will list messages for that SourceFire device.

So, why does the input screen say it hasn’t received any data?

Thanks,

Francois

What’s in the logs of your Graylog node?
http://docs.graylog.org/en/2.4/pages/configuration/file_location.html

Sorry, I just realized that I didn’t give any details as to my setup.

I’m running Graylog 2.4.3+2c41897 (Oracle Corporation 1.8.0_151 on Linux 4.9.0-4-amd64)

I assume that you mean the log in /var/log/graylog-server/:

2018-01-31T08:27:45.264-06:00 INFO  [InputStateListener] Input [Syslog UDP/5a71d261395a302a74f3b675] is now STARTING
2018-01-31T08:27:45.274-06:00 WARN  [NettyTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=Cisco SourceFire, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=null} should be 262144 but is 212992.
2018-01-31T08:27:45.280-06:00 INFO  [InputStateListener] Input [Syslog UDP/5a71d261395a302a74f3b675] is now RUNNING

Yes, if that’s the location of the logs in your environment. But the complete logs and not just three arbitrary lines.

Those are not what I would call arbitrary - they were selected because they’re the only lines that talk about the input in question.

Here’s a temporary link to the log file on file.io:
https://file.io/4xzIpz

Due to a combination of things, turns out that I don’t have a problem at all - it’s just that the messages sent to Graylog took longer than what I had expected before they showed up.
