Simple splitting of server logs

I can no longer create streams based on source

1. Describe your incident:
I have 5 servers dumping into one beats input.
Before switching to Graylog 5 I could set up a simple stream to pull all logs based on server source host name. Has this changed?

2. Describe your environment:

  • OS Information:
    Ubuntu 20.04
  • Package Version:
    Fresh install Graylog 5 and Opensearch
  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

4. How can the community help?


Hello @Thorzeen

This is odd, so can you show how the stream setting is supposed to look and how gl5 looks?

Here is my gl5
Veeam two

Here is the stream
Veeam one

Here is conf file

bill@graylog:~$  cat /etc/graylog/server/server.conf         | egrep -v "^\s*(#|$)"
is_leader = true
node_id_file = /etc/graylog/server/node-id
password_secret = <kept secret>
root_password_sha2 = <also secret>
root_email = ""
root_timezone = America/New_York
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address =
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_disable_version_check = true
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000


Is it stream_aware_field_types = false?

I just caught this as I posted :=/

Based on the description I would say no
So I have not changed it

In order to move ahead I have just made separate inputs/port numbers and it is working as expected.

Unless I have forgotten (very possible) the stream posted above should work?


Yeah, it should have. I also noticed a while back that copy & paste or white space had an impact on the stream rules.

I have copied and pasted 28 gl2_source IDs and all have worked.
I manually typed in source names and none have worked.
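One way to check why a typed stream rule value does not equal the source value stored on a message, as an added example that is not part of the original thread and is not Graylog code. The host names are constructed, and the function names `odd_chars`, `clean` and `diagnose` are hypothetical helpers; it only compares two strings and reports whitespace, invisible characters, case and short-name versus FQDN differences.

```python
import unicodedata

def _is_odd(ch):
    # Whitespace, control (Cc) and format (Cf) characters are easy to miss by eye.
    return ch.isspace() or unicodedata.category(ch) in ("Cc", "Cf")

def odd_chars(s):
    """Return (index, name) for every whitespace/control/format character in s."""
    return [(i, unicodedata.name(ch, f"U+{ord(ch):04X}"))
            for i, ch in enumerate(s) if _is_odd(ch)]

def clean(s):
    """Return s with whitespace/control/format characters removed."""
    return "".join(ch for ch in s if not _is_odd(ch))

def diagnose(rule_value, observed_source):
    """Explain why a rule value differs from the source seen on a message."""
    if rule_value == observed_source:
        return ["exact match"]
    findings = []
    for label, s in (("rule", rule_value), ("source", observed_source)):
        for i, name in odd_chars(s):
            findings.append(f"{label} has {name} at index {i}")
    a, b = clean(rule_value), clean(observed_source)
    if a != b and a.lower() == b.lower():
        findings.append("case differs")
    a, b = a.lower(), b.lower()
    if a != b:
        if a.split(".")[0] == b.split(".")[0]:
            findings.append("short name vs FQDN")
        else:
            findings.append("different host name")
    return findings

if __name__ == "__main__":
    # Constructed pairs: (value typed into the rule, source copied from a message)
    samples = [
        ("srv-a", "srv-a"),
        ("srv-a ", "srv-a"),
        ("SRV-A", "srv-a"),
        ("srv-a", "srv-a.example.local"),
        ("srv\u200b-a", "srv-a"),
    ]
    for rule, source in samples:
        print(repr(rule), "vs", repr(source), "->", diagnose(rule, source))
```

Paste the rule value exactly as entered and the source value exactly as shown on a received message; `repr()` in the output makes trailing spaces visible.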

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.