Source shows hits but no messages shown

Graylog Central (peer support)
1

1. Describe your incident:
I have 2 kind of linux hosts sending in logs but I notice that I am missing logs, not getting any messages at all.
Other hosts show only part of the messages in /var/log/syslog (systemd for example but no sshd).

Source showing hits:
pic
Search query executed, no results:
pic

2. Describe your environment:

  • OS Information: Debian 10
  • Package Version: Docker graylog/graylog:4.3.3
  • Service logs, configurations, and environment variables:
graylog:
    image: graylog/graylog:4.3.3
    environment:
      - GRAYLOG_PASSWORD_SECRET
      - GRAYLOG_ROOT_PASSWORD_SHA2
      - GRAYLOG_HTTP_EXTERNAL_URI
      - GRAYLOG_TRANSPORT_EMAIL_ENABLED
      - GRAYLOG_TRANSPORT_EMAIL_HOSTNAME
      - GRAYLOG_TRANSPORT_EMAIL_PORT
      - GRAYLOG_TRANSPORT_EMAIL_USE_AUTH
      - GRAYLOG_TRANSPORT_EMAIL_USE_TLS
      - GRAYLOG_TRANSPORT_EMAIL_FROM_EMAIL
      - GRAYLOG_TRANSPORT_EMAIL_WEB_INTERFACE_URL
    entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 --  /docker-entrypoint.sh
    volumes:
      - "graylog_data:/usr/share/graylog/data"
    networks:
      - graylog
    restart: always
    depends_on:
      - mongo
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog UDP Hotspot & Servers
      - 514:1514/udp

3. What steps have you already taken to try and solve the problem?
I have tried other hosts and other configuration options of the host but no resolution has been found.
My rsyslog folder looks like this:

:/etc/rsyslog.d$ ls -la
total 88
drwxr-xr-x   2 root root  4096 Jul 13 08:31 .
drwxr-xr-x 117 root root 12288 May 10 23:42 ..
-rw-r--r--   1 root root  1156 Sep  2  2021 10-rules.conf
-rw-r--r--   1 root root    83 Jul 13 08:31 11-graylog.conf
-rw-r--r--   1 root root   235 Sep  2  2021 15-crit.conf
-rw-r--r--   1 root root   412 Sep 18  2021 20-clagd.conf
-rw-r--r--   1 root root   762 Sep 15  2021 22-linkstate.conf
-rw-r--r--   1 root root   427 Sep 15  2021 25-switchd.conf
-rw-r--r--   1 root root   459 Sep 11  2021 30-chassis-mgr.conf
-rw-r--r--   1 root root   415 Sep 15  2021 30-csmgrd.conf
-rw-r--r--   1 root root   403 Jul 15  2021 30-ptmd.conf
-rw-r--r--   1 root root   419 Jul 15  2021 35-rdnbrd.conf
-rw-r--r--   1 root root   403 Sep  9  2021 40-netd.conf
-rw-r--r--   1 root root   410 Jul 15  2021 42-nvued.conf
-rw-r--r--   1 root root  1443 Sep 16  2021 45-frr.conf
-rw-r--r--   1 root root   451 May 28  2021 50-netq-agent.conf
-rw-r--r--   1 root root   411 May 28  2021 50-netqd.conf
-rw-r--r--   1 root root   433 Sep 10  2021 55-dhcpsnoop.conf
-rw-r--r--   1 root root   411 Sep  2  2021 66-ptp4l.conf
-rw-r--r--   1 root root  1194 Sep  2  2021 99-syslog.conf

My graylog config on the host is this:

$ cat 11-graylog.conf 
action(type="omfwd" Target="10.10.8.121" Device="mgmt" Port="5002" Protocol="udp")

For this host I receive some messages visible in my syslog but not all of them like mentioned above.

4. How can the community help?
Any advice on expected behaviour?

2

Hello && Welcome @33Fraise33

I see your sending messages UDP, What kind of INPUT are you using?

Did you used tcpdump to insure the Linux host is sending messages and are they arriving at Graylog. I’m assuming you check log files and Date/Time is correct?
EDIT: can you show your full YAML file? I’m not 100% sure but it seams you missing some configuration.

3

It must be something timezone related. Both the graylog server and hosts configured with rsyslog are running Europe/Brussels as timezone. But now I notice that message I expected yesterday are visible today but at a later time than they actually happened.

I tried setting my graylog server to Etc/UTC without any luck.

4

Resolved by setting the timezone on the tranmitting hosts to Etc/UTC

5

Good Catch :+1:

Awesome , Thx for posting your resolve.

6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.