Syslog not getting processed after update without errors

1. Describe your incident:
After updating from version 5.2.0 to 5.2.1, one of my syslog inputs stopped functioning.

2. Describe your environment:

  • OS Information:
    The virtual machines are running the latest version of Ubuntu 22.04 server.
    The stack is deployed on Docker Swarm across two VMs. The first VM hosts Graylog and MongoDB, while the second one only hosts OpenSearch. Each container has a single replica.
  • Package Version:
    Graylog version is 5.2.1, MongoDB version is 5.0.23, and OpenSearch version is 2.4.0.

3. What steps have you already taken to try and solve the problem?

  • I attempted to restore a backup from the previous day, but the issue persisted.
  • Other logs are functioning correctly. Only the logs from one source reach the VM (as confirmed by firewall tests), but they do not appear in Graylog.
  • These logs were functioning properly prior to the update and before the backup.
  • I’ve checked the logs for each container and didn’t find any anomalies.
  • I’ve tried restarting all services and VMs.
  • I’ve tested sending other logs using the same port, and they arrived without any issues.

4. How can the community help?
I’m encountering the same issue with two separate clusters receiving logs from two different sources. Does anyone have any insights on what could be causing this problem?

Are the problem logs from the same vendor (i.e. using the same format)? Syslog problems are most often seen to be related to messages being rejected because the input doesn’t think they conform to the syslog spec.

The first step I always take in these situations is to place a raw input on that port and see what I get, to first confirm data arrives and then second to capture the format it arrives in.

Also does anything appear in server.log?
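Once a raw input has captured the lines, a quick format check shows whether they look like syslog at all. The following is an added example, not part of the original thread and not Graylog's own parser: the regexes only approximate the RFC 5424 and RFC 3164 header layouts, and the sample lines are constructed.

```python
import re
from collections import Counter

# Approximate header patterns (assumption: real parsers may be stricter or looser).
RFC5424 = re.compile(
    r"^<\d{1,3}>[1-9]\d? "                                   # PRI, VERSION
    r"(?:-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{1,6})?(?:Z|[+-]\d\d:\d\d)) "
    r"\S{1,255} \S{1,48} \S{1,128} \S{1,32} "                # HOSTNAME APP-NAME PROCID MSGID
)
RFC3164 = re.compile(
    r"^<\d{1,3}>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"[ \d]\d \d\d:\d\d:\d\d \S+ "                           # "Mmm dd hh:mm:ss HOSTNAME "
)
PRI = re.compile(r"^<(\d{1,3})>")
OCTET_COUNT = re.compile(r"^\d+ <")  # RFC 6587 length prefix used by some TCP senders

def classify(line):
    """Return (verdict, detail) for one line captured from a raw input."""
    line = line.lstrip("\ufeff").rstrip("\r\n")
    if OCTET_COUNT.match(line):
        return "octet-counted", "length prefix before <PRI>; sender uses RFC 6587 framing"
    m = PRI.match(line)
    if not m:
        return "nonconformant", "no <PRI> prefix"
    if int(m.group(1)) > 191:
        return "nonconformant", "PRI %s out of range 0-191" % m.group(1)
    if RFC5424.match(line):
        return "rfc5424", "ok"
    if RFC3164.match(line):
        return "rfc3164", "ok"
    return "nonconformant", "PRI present but header matches neither RFC layout"

def triage(lines):
    """Count verdicts so a whole capture can be judged at a glance."""
    return Counter(classify(l)[0] for l in lines)

# Constructed sample lines, standing in for what a raw input might capture.
SAMPLES = [
    "<34>1 2023-11-20T10:15:30.003Z fw01.example.net sshd 4321 ID47 - Accepted publickey",
    "<34>Nov  5 10:15:30 fw01 sshd[4321]: Accepted publickey",
    "<34>2023-11-20 10:15:30 fw01 sshd: Accepted publickey",
    "Nov 20 10:15:30 fw01 sshd: Accepted publickey",
    "<999>Nov 20 10:15:30 fw01 sshd: Accepted publickey",
    "52 <34>1 2023-11-20T10:15:30Z fw01 sshd - - - hello",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-14s %-55s %s" % (*classify(s), s[:40]))
```

Lines reported as `nonconformant` or `octet-counted` are the ones to compare against what the syslog input expects.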
