Streams Share: messages are not correctly displayed 2

1. Describe your incident:
My question has been posted before: Streams Share: messages are not correctly displayed

@Bruno Did you find a solution?

I have 2 active directory groups:

  • GG_CL_Graylog-Admin
  • GG_CL_Graylog-ReadOnly

Both groups are definded as a TEAM with respective rights.

If I log in with a user from the admin-group, I see data in the streams, if I take a user from the ReadOnly-group, I can open the streams - as I shared them - but there is no data there. It is just empty.

What right to I have to give to the group, so that the read-only-users can see data in the streams, searches, dashboards?

2. Describe your environment:

  • OS Information: Ubuntu 20.04

  • Package Version: Graylog 4.2.10+37fbc90 on graylog (Private Build 1.8.0_312 on Linux 5.4.0-121-generic)

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
Well, login, logout, trigger AD-sync

4. How can the community help?
Did anybody solve this?

Hello && Welcome

Test this in the lab. The following is what I did from the statement above, think I got it right.

Create Group added user.

Shared stream.


Shared Dashboard and Stream with User in Group.

Nothing, think this is what you have?

Working on a solution to see if this is a bug or configuration error. It should work as expected.

EDIT: Ok I see what happened its a configuration error.
My user “some.user” did not have Time zone set.

I’m good over here now.

I finally found the problem, and it was an error configuration of mine.
The stream rule was incorrect. Thus, the messages were redirected to the default index. Consequently, a reader user could not see any message simply because they were stored in an index not belonging to that particular stream.

Many thanks,


Hi @gsmith

Thank you very much for you confirming the issue.
A workmate change the “+Share” to “Everyone” and now, things are visible to users, which are in the “ReadOnly”-Group.

@Bruno thank you for your hint. Could you share a screenshot? Where do I configure stream-index-things?

best regards,

1 Like

Here are a couple links , if you haven’t see them yet.

To be honest you shouldn’t have to use “Everyone” for user to see data in a stream. I believe its a configuration issue.

Hi @gsmith,

thank you for those links. I will rtfm. :slight_smile:

Any hints, what could be the miss-configuration?

Ok, I read through the Graylog Permissions and the Streams and the Index model.
I checked our setup. There are 5 streams, which of only two are relevant: “All messages” and “VPN messages”. The others seems to be Graylog default streams not accessable for me.

Both streams are set to the “Default index set”.

This is the index: (due to forum limitations: screenshot in next post.)

Both streams are shared with the ReadOnly-Group. Do I need to share indices as well? Or do I need to set access rights on e.g. the sidecars?

I did some more testing/configuring. I am not fully sure, but I think I slowly get my head around Graylog.

It is a mixture of not (yet) sharing pre-defined searches, streams without content, sharing of streams - and me having a steep learning curve. :slight_smile:

:laughing: Yeah, but Ill tell you something, this is way simpler to setup/configure then ELK stack.

Things to check. messages are arriving On Time with correct Time Zone on those message. This is the number one issue when user/s state “I cant see any message in the stream”.
2. I gave a simple example above, Create 2 users and 1 admin. Create a group for read only. for the two users.
3. Execute a share for those users on a stream
4. insured the Time Zone on Users, Server && messages were correct. This was why I didn’t see messages at first as shown above
5. like @Bruno stated his issue was a rule that was prevent this to work.

Stream " All Message" will be default , by Default :smiley: which there is another default that you are using now called VPN messages, I would have just made rules for VPN messages stream and left the Default settings alone. This may be an issue, not 100% sure. Best way to find out is by testing.
Graylog uses the Default “all Messages” to dump incoming logs there, after that create a another stream to filter out those messages.
You can also use the remove from all messages settings.

Perhaps this now brings me back to a configuration issue :thinking:
EDIT: this suggestion does not pertain to this issue but I seen you have Field type refresh interval set for 5 seconds. Sometimes this will be a concern for resource. I had to set mine for 30 seconds.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.