Hi,
I installed Graylog for small business 6.1 using docker compose.
I created an input for receiving syslog messages:
allow_override_date: true
bind_address: 0.0.0.0
charset_name: UTF-8
expand_structured_data: true
force_rdns: false
number_worker_threads: 4
override_source: <empty>
port: 514
recv_buffer_size: 262144
store_full_message: false
timezone: NotSet
I created an extractor to extract the source from the message.
Now there are two sources sending to this input, both using the same format. For one of them, the extractor extracts the source correctly. For the other, nothing happens.
- OS Information: Raspberry Pi 5
- Graylog version: 6.1.3
- Service logs, configurations, and environment variables: logging to journalctl
3. What steps have you already taken to try and solve the problem?
I tried with two types of extractor: regex and split&index. When it did not work, I created a pipeline, where the condition is that gl2_source_input must contain 674627ad0e7c2b0f148bc121, and I created an extractor pipeline rule. The same results.
Then I noticed that only messages from one of the senders are sent to the stream, while the other one stays on the default stream.
I added “add a static field” to the input - and now consistently only the one source for which the extractors work, gets the added field, while the messages from the other sender will not get any static field.
The input is currently the only input there is on the system.
There aren't any debug messages in the journal.
Any ideas on how to debug and find out what is happening to the messages that evade all processing in the input?
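As an added debugging aid (not part of the original post and not Graylog's own parser), the script below classifies raw lines captured from each sender as RFC 5424, RFC 3164 or unparseable, which is a quick way to check whether the two "same format" senders really emit the same syslog framing before looking further into the input. The sample lines and host names are constructed; the regexes are a simplified approximation of the two RFC layouts, not Graylog's implementation.

```python
import re

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)
# RFC 3164 (BSD) layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)
MAX_PRI = 191  # facility 23 * 8 + severity 7


def classify(line):
    """Return (format, hostname); format is 'rfc5424', 'rfc3164' or 'unparsed'."""
    m = RFC5424_RE.match(line)
    if m and int(m.group("pri")) <= MAX_PRI:
        return "rfc5424", m.group("host")
    m = RFC3164_RE.match(line)
    if m and int(m.group("pri")) <= MAX_PRI:
        return "rfc3164", m.group("host")
    return "unparsed", None


def report(lines):
    """Group the hostnames seen per detected format (None for unparseable lines)."""
    out = {}
    for line in lines:
        fmt, host = classify(line)
        out.setdefault(fmt, []).append(host)
    return out


# Constructed samples: a well-formed 5424 line, a well-formed 3164 line,
# a line with no <PRI> header, and a line whose PRI value is out of range.
SAMPLES = [
    "<34>1 2024-12-01T10:15:00Z fw01 sshd 1234 - - Failed password for root from 10.0.0.5",
    "<13>Dec  1 10:15:00 nas01 smbd[501]: connection from 10.0.0.8",
    "Dec 1 10:15:00 cam01 motion: event start",
    "<999>1 2024-12-01T10:15:00Z bad app - - - pri out of range",
]

if __name__ == "__main__":
    for fmt, hosts in report(SAMPLES).items():
        print(fmt, hosts)
```

Feed it lines captured with a packet capture or a plain UDP listener on the sender side; hosts that land under "unparsed" are the ones to compare against the working sender's output.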