Streams NOT Working!

(GT) #1

Hi All,

We have an instance of Graylog that is on version 2.4.6. It has two streams on, that run regex on the timestamp field, one stream matches messages with the seconds value from 0-4 seconds and the other stream matches 5-9 seconds, as this allows us to crudely load balance our outputs.

Since the clocks changed here in the UK, we noticed that the streams only now work on logs from Windows hosts, has anyone had any similar issues?

Cheers,

g

0 Likes

#2

Is there a special reason for you to do it this way?
The streams could be used for so much more…

Here is the information about load balancers for Graylog 2.4:
http://docs.graylog.org/en/2.4/pages/configuration/load_balancers.html

0 Likes

(GT) #3

Yes. When sending traffic via TCP, load balancers do not split the traffic evenly as only one connection session is created.

0 Likes

(Ben van Staveren) #4

Do you mean incoming traffic or outgoing traffic?

0 Likes

(GT) #5

Sorry I should have been more clear initially.

We have a single node Graylog instance on site and want to send the logs to a cluster in the cloud. I found that sending via TCP + TLS to a load balancer in the cloud just sent all the logs to one node. I then created two streams that use regex to match the single digit seconds portion of the timestamps in every log. The first stream matches 0-4 seconds i.e. 09:32:14 whereas the other stream matches 5-9 seconds i.e. 09:43:49. Each of the streams has an output that points towards the load balancer and the load balancer is set up to send one connection onto one node of the cluster and the other connection to the other node, with failover configured.

I have now found that since the clocks changed here in the UK, neither stream works for firewall logs or Linux hosts, but they still work on Windows logs. I have tested various different things, but cannot find a solution.

0 Likes

(Ben van Staveren) #6

Ah, okay, that’s what I was thinking you were trying to do - the thing is, the time changed, and your regex operates on time, so chances are the regex no longer works either because your timestamp has a different time zone attached now (sometimes you can get things like CET and CEST when it’s summer time).

Other than that I’d have no ideas unfortunately :frowning:

0 Likes

(GT) #7

I thought the same, however we are just looking at the built in Graylog ‘timestamp’ field, here is an example:

2019-04-15T08:57:53.230Z

and here are the two regex rules we use to match this:

\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d[0-4]\.\d{3}Z
\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d[5-9]\.\d{3}Z

It is very odd how the regex works, but only for Windows hosts, I have a feeling that there is an underlying issue, as there is no reason for the regex not to work.

Cheers,

g

0 Likes

(GT) #8

I have now fixed the issue.

In the logs themselves, the ‘timestamp’ field appears as below:

2019-04-15T08:57:53.230Z

In quick values the ‘timestamp’ field appears without the ‘Z’ on the end.

2019-04-15 10:15:38.000

I changed my regex rules to:

\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d[5-9]\.\d{3}

The streams now work. I am still unsure why the regex worked on the Windows logs, as they appear no different from the other log sources timestamp fields.

1 Like

(Ben van Staveren) #9

I’m… just as stumped as you are as to why it works for one and not the other - but still, it works now so… shh… be very quiet, we don’t want to scare it… :smiley:

1 Like