Both groups are defined as a TEAM with respective rights.
If I log in with a user from the admin-group, I see data in the streams, if I take a user from the ReadOnly-group, I can open the streams - as I shared them - but there is no data there. It is just empty.
What right do I have to give to the group, so that the read-only-users can see data in the streams, searches, dashboards?
2. Describe your environment:
OS Information: Ubuntu 20.04
Package Version: Graylog 4.2.10+37fbc90 on graylog (Private Build 1.8.0_312 on Linux 5.4.0-121-generic)
Service logs, configurations, and environment variables:
?
3. What steps have you already taken to try and solve the problem?
Well, login, logout, trigger AD-sync
4. How can the community help?
Did anybody solve this?
I finally found the problem, and it was a configuration error of mine.
The stream rule was incorrect. Thus, the messages were redirected to the default index. Consequently, a reader user could not see any message simply because they were stored in an index not belonging to that particular stream.
Thank you very much for confirming the issue.
A workmate changed the “+Share” to “Everyone” and now, things are visible to users who are in the “ReadOnly”-Group.
Ok, I read through the Graylog Permissions and the Streams and the Index model.
I checked our setup. There are 5 streams, of which only two are relevant: “All messages” and “VPN messages”. The others seem to be Graylog default streams not accessible for me.
Yeah, but I'll tell you something, this is way simpler to set up/configure than the ELK stack.
Things to check.
1. Ensure messages are arriving on time with the correct time zone on those messages. This is the number one issue when user/s state “I can't see any message in the stream”.
2. I gave a simple example above. Create 2 users and 1 admin. Create a read-only group for the two users.
3. Execute a share for those users on a stream.
4. Ensured the time zone on users, server and messages was correct. This was why I didn’t see messages at first, as shown above.
5. Like @Bruno stated, his issue was a rule that was preventing this from working.
Stream “All messages” will be the default, by default, and there is another one that you are using now called VPN messages. I would have just made rules for the VPN messages stream and left the default settings alone. This may be an issue, not 100% sure. The best way to find out is by testing.
Graylog uses the default “All messages” stream to dump incoming logs there; after that, create another stream to filter out those messages.
You can also use the remove from all messages settings.
Perhaps this now brings me back to a configuration issue.
EDIT: this suggestion does not pertain to this issue, but I saw you have the Field type refresh interval set to 5 seconds. Sometimes this will be a concern for resources. I had to set mine to 30 seconds.
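
The time zone check from the list above, as an added example that is not part of the original thread: it compares the timestamp stored on each message with the time the server received it and reports whether a relative search over the last 5 minutes would include the message. The sample messages, source names, 5-minute window and 90-second tolerance are constructed assumptions, not values from this setup.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2022, 7, 5, 12, 0, 0, tzinfo=UTC)  # constructed "server now"

# Constructed sample: (source, timestamp stored on the message, time it was received).
SAMPLE = [
    ("vpn-gw-1", datetime(2022, 7, 5, 11, 59, 58, tzinfo=UTC), NOW),
    ("vpn-gw-2", datetime(2022, 7, 5, 14, 0, 1, tzinfo=UTC), NOW),   # sender 2 h ahead
    ("vpn-gw-3", datetime(2022, 7, 5, 7, 0, 2, tzinfo=UTC), NOW),    # sender 5 h behind
    ("vpn-gw-4", datetime(2022, 7, 5, 11, 48, 0, tzinfo=UTC), NOW),  # 12 min late
]

QUARTER = timedelta(minutes=15)  # real UTC offsets are multiples of 15 minutes


def classify(event_ts, received_ts, window=timedelta(minutes=5),
             tolerance=timedelta(seconds=90)):
    """Return (visible, diagnosis, offset_minutes) for one message.

    visible: would a relative search over the last `window` include it?
    diagnosis: "ok", "timezone_offset" or "late_or_drift".
    """
    skew = event_ts - received_ts
    visible = received_ts - window <= event_ts <= received_ts
    if abs(skew) <= tolerance:
        return visible, "ok", 0
    nearest = round(skew / QUARTER) * QUARTER  # closest plausible zone offset
    if nearest and abs(skew - nearest) <= tolerance:
        return visible, "timezone_offset", int(nearest.total_seconds() // 60)
    return visible, "late_or_drift", int(skew.total_seconds() // 60)


def report(sample):
    """Map each source to its classification."""
    return {src: classify(ts, rx) for src, ts, rx in sample}


if __name__ == "__main__":
    for src, (visible, diag, minutes) in report(SAMPLE).items():
        print(f"{src}: visible={visible} diagnosis={diag} offset_min={minutes}")
```

A source flagged `timezone_offset` is being indexed hours away from when it arrived, so the stream looks empty in a short relative search even though sharing and permissions are correct.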