Stream not getting messages

I have a weird issue with Graylog 2.5.

Messages are not getting matched into a stream, even though when I test the stream rules it says it matches.

They all end up in the default “All messages” stream.

Here is the screenshot of the message

And the screenshot of me testing the stream rules. It clearly says "This message would be routed to this stream." Yet the message is ending up in the default stream.

Note that they only go to “All messages”; I don’t have a problem with duplicates.


Please help! Any advice is greatly appreciated.

Did you use the processing pipelines for processing your messages?

If yes, what is your process order in System > Configuration?

Hi Jan. Thanks for your response.

We do use pipeline rules, but none of them apply to these messages. Also, pipelines are processed after streams the way we have it set up:

| Order | Processor |
|---|---|
| 1 | GeoIP Resolver |
| 2 | Message Filter Chain |
| 3 | Pipeline Processor |
| 4 | AWS Instance Name Lookup |

But, in the meantime I’ve found the root of the problem. Not sure if this is intended behavior or possibly a bug.

It seems that if the field doesn’t exist in the message, an inverted match will not work.
In our case, this was the problem:
“Field program must not contain httpd”

Any message that had the field “program” was sorted into the proper stream (no matter the value). But any message that did not even have the field “program” went to the “All Messages” stream.

The workaround that seems to work, weirdly enough, is using regex:
“Field program must not match regular expression .httpd.”

This behavior seems counterintuitive to me. If the field doesn’t exist, an inverted match should still function as expected, especially because testing the stream shows the rules match.
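As an added illustration of the behaviour reported in this thread (my own model, not Graylog's source code and not the poster's configuration), the following Python simulation routes a few constructed messages through two rule variants: the original “must not contain” rule and the inverted-regex workaround. The sample messages, the target stream name “Non-httpd”, and the regex pattern `httpd` are assumptions made for the example; the thread's own pattern renders as `.httpd.`. The point the example makes visible is that the two rule types differ only for the message that has no `program` field at all.

```python
import re

# Constructed sample messages for the example; not taken from the thread.
# m3 deliberately has no "program" field, which is the case the thread is about.
MESSAGES = [
    {"id": "m1", "program": "httpd", "message": "GET /index.html 200"},
    {"id": "m2", "program": "sshd", "message": "Accepted publickey for ops"},
    {"id": "m3", "message": "checkpoint complete"},
]


def contains_rule(msg, field, value, inverted=False):
    """Model of a 'must (not) contain' stream rule as the thread describes it:
    a message that lacks the field never matches, even when the rule is inverted.
    This reproduces the reported behaviour; it is not Graylog's own matcher."""
    if field not in msg:
        return False
    hit = value in str(msg[field])
    return (not hit) if inverted else hit


def regex_rule(msg, field, pattern, inverted=False):
    """Model of a 'must (not) match regular expression' rule as observed in the
    thread: a missing field counts as 'no match', so the inverted form still
    accepts the message. Also a model, not Graylog's own matcher."""
    if field not in msg:
        return inverted
    hit = re.search(pattern, str(msg[field])) is not None
    return (not hit) if inverted else hit


def route(messages, rules, stream="Non-httpd", default="All messages"):
    """Send a message to `stream` when every rule accepts it; otherwise it
    stays in the default stream, as in the thread. Returns {id: stream name}."""
    routing = {}
    for msg in messages:
        accepted = all(rule(msg) for rule in rules)
        routing[msg["id"]] = stream if accepted else default
    return routing


# Rule from the thread: "Field program must not contain httpd".
CONTAINS_RULES = [lambda m: contains_rule(m, "program", "httpd", inverted=True)]

# Workaround from the thread: an inverted regex rule on the same field.
# The pattern "httpd" is an assumption for this example.
REGEX_RULES = [lambda m: regex_rule(m, "program", "httpd", inverted=True)]


if __name__ == "__main__":
    # m3 (no "program" field) stays in "All messages" under the contains rule
    # but reaches "Non-httpd" under the regex workaround.
    print("contains rule:", route(MESSAGES, CONTAINS_RULES))
    print("regex rule:   ", route(MESSAGES, REGEX_RULES))
```

Running the block shows `m1` staying in “All messages” under both variants (its `program` is `httpd`), `m2` reaching “Non-httpd” under both, and `m3` differing: the contains model leaves it in the default stream, the regex model routes it. Whichever way the real product behaves in a given version, a routing simulation like this is a quick way to check rule semantics for messages that lack the field before trusting the stream for alerting.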

If you feel that this is a bug, please open an issue over at GitHub:
