Hi Graylog Community Team,
I am experiencing an issue where my Graylog server is not successfully ingesting or displaying forwarded logs. I am currently trying to set up two parallel ingestion streams: Syslog for network devices and Windows Event Logs via Winlogbeat and the Graylog Sidecar.
Environment Details:
- OS: Ubuntu 22.04.5 LTS
- Graylog Version: 4.3.15
- Elasticsearch: 6.8.23
- MongoDB: 4.4.30
Current Symptoms: Neither the Syslog data nor the Windows Event Logs are populating in the Search interface. The Windows Sidecar service is installed and running, and the Syslog forwarders are active, but the data is either being dropped or not correctly parsed by the inputs.
Troubleshooting Steps Already Completed:
- Service Bindings: Confirmed via ss -lptn that the web interface is successfully bound to 0.0.0.0:9000 and Elasticsearch is correctly restricted to 127.0.0.1.
- Input Configuration: Created global inputs in the UI (Beats on port 5044 and Syslog TCP/UDP). The inputs show a “RUNNING” state.
- Firewall: Verified that the specific ingestion ports (5044, 514/1514) are open through UFW on the Ubuntu host.
- Time Synchronization: Installed and configured chrony. Verified via chronyc tracking that the system time is perfectly synced (Leap status: Normal) with zero significant offset, so logs are not being dropped due to future/past timestamp rejections.
- Sidecar Configuration: The Windows Sidecar is using the correct API token and pointing to the /api endpoint.
Could you please advise on the best way to trace these packets once they hit the Ubuntu server to determine if the blockage is happening at the Beats/Syslog input layer, or if Elasticsearch is rejecting the indices?
Thank you,
Ahnaf Tahmeed
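One way to answer the tracing question above, added here as an example and not taken from the post or from the Graylog project: a small shell helper that checks each hop in order (packets on the wire, which process owns the input sockets, Graylog's own counters, then Elasticsearch) and says where to look next. It assumes a Syslog UDP input on 1514 and the Beats input on 5044, the REST API on 127.0.0.1:9000 with an API token in GRAYLOG_TOKEN, Elasticsearch on 127.0.0.1:9200, and that the /system/throughput, /system/journal and /system/indexer/failures endpoints return the fields named in the comments (assumed from the 4.x API; adjust if yours differ). tcpdump, nc, curl and jq must be installed, and tcpdump needs root. The socket-owner check is there because an input can show RUNNING in the UI while the port is held by another process, and a Graylog process that does not run as root cannot bind 514 at all.

```shell
#!/usr/bin/env bash
# Added diagnostic helper for finding where forwarded logs stall on a Graylog host.
# Not from the original post or from the Graylog project. Assumptions (adjust to your
# host): Graylog REST API at $GRAYLOG_API with an API token in $GRAYLOG_TOKEN, a Syslog
# UDP input on $SYSLOG_PORT, a Beats input on TCP $BEATS_PORT, Elasticsearch at $ES_URL.
# Needs tcpdump, nc, curl and jq; run as root so tcpdump can capture.
set -u

GRAYLOG_API="${GRAYLOG_API:-http://127.0.0.1:9000/api}"
GRAYLOG_TOKEN="${GRAYLOG_TOKEN:-replace-me}"
ES_URL="${ES_URL:-http://127.0.0.1:9200}"
SYSLOG_PORT="${SYSLOG_PORT:-1514}"
BEATS_PORT="${BEATS_PORT:-5044}"

# RFC 3164 PRI value: facility * 8 + severity (facility 1 = user, severity 6 = info -> 14).
syslog_pri() { echo $(( $1 * 8 + $2 )); }

# Build a minimal RFC 3164 line: <PRI>TIMESTAMP HOST TAG: MSG
# $1 = timestamp ("Mmm dd HH:MM:SS"), $2 = hostname, $3 = tag, $4 = message text
build_syslog_msg() {
  printf '<%s>%s %s %s: %s' "$(syslog_pri 1 6)" "$1" "$2" "$3" "$4"
}

# Send one constructed test message over UDP to the syslog input with a unique marker.
send_test_syslog() {
  local marker="graylog-trace-$(date +%s)"
  build_syslog_msg "$(date '+%b %e %H:%M:%S')" "$(hostname)" tracetest "$marker" \
    | nc -u -w1 127.0.0.1 "$SYSLOG_PORT"
  echo "sent marker $marker; search Graylog for message:$marker"
}

# Step 1: do packets reach the host at all? Capture up to 10 packets within 15 s,
# sending the test message while the capture is running.
count_arriving_packets() {
  local tmp pid; tmp=$(mktemp)
  timeout 15 tcpdump -nli any -c 10 "udp port $SYSLOG_PORT or tcp port $BEATS_PORT" >"$tmp" 2>/dev/null &
  pid=$!
  sleep 1                          # let tcpdump attach before the test message goes out
  send_test_syslog >/dev/null
  wait "$pid"
  wc -l <"$tmp"; rm -f "$tmp"
}

# Step 2: which process owns the input sockets? An input can be RUNNING in the UI while
# the port belongs to something else; unprivileged Graylog cannot bind 514 at all.
show_port_owners() {
  ss -lptun "( sport = :$SYSLOG_PORT or sport = :$BEATS_PORT )"
}

# Step 3: what does Graylog itself count? Field names below are assumed for the 4.x API.
graylog_get() {
  curl -sf -u "$GRAYLOG_TOKEN:token" "$GRAYLOG_API$1" || { echo "API call $1 failed" >&2; echo '{}'; }
}
graylog_throughput()  { graylog_get /system/throughput | jq -r '.throughput // 0'; }
journal_uncommitted() { graylog_get /system/journal | jq -r '.uncommitted_journal_entries // 0'; }
index_failures()      { graylog_get '/system/indexer/failures?limit=1&offset=0' | jq -r '.total // 0'; }

# Step 4: is Elasticsearch accepting writes? A read_only_allow_delete block set by the
# disk flood-stage watermark is a common reason the journal fills while inputs look healthy.
es_status() {
  echo "cluster health: $(curl -s "$ES_URL/_cluster/health" | jq -r '.status')"
  echo "read-only indices:"
  curl -s "$ES_URL/_all/_settings" \
    | jq -r 'to_entries[] | select(.value.settings.index.blocks.read_only_allow_delete == "true") | .key'
}

# Decide the next place to look from the four numbers gathered above.
# $1 = packets on the wire, $2 = Graylog throughput, $3 = uncommitted journal entries, $4 = index failures
locate_blockage() {
  if   [ "$1" -eq 0 ]; then echo "network: nothing reaches the host (firewall, routing or forwarder destination)"
  elif [ "$2" -eq 0 ]; then echo "input: packets arrive but no input counts them (port, protocol or bind address mismatch)"
  elif [ "$3" -gt 0 ] || [ "$4" -gt 0 ]; then echo "indexer: messages queue in the journal or fail to index (check Elasticsearch)"
  else echo "search: ingestion looks healthy, so check stream rules, the index set and the search time range"
  fi
}

run_diagnostics() {
  show_port_owners
  local pkts tput jrnl fails
  pkts=$(count_arriving_packets); tput=$(graylog_throughput)
  jrnl=$(journal_uncommitted);    fails=$(index_failures)
  echo "packets=$pkts throughput=$tput journal=$jrnl index_failures=$fails"
  es_status
  locate_blockage "$pkts" "$tput" "$jrnl" "$fails"
}

# Diagnostics run only when asked for, so the helper functions can be sourced on their own.
if [ "${1:-}" = run ]; then run_diagnostics; fi
```

Run it as `sudo GRAYLOG_TOKEN=<token> ./trace.sh run`, then search for the printed marker in Graylog. If the constructed syslog message shows up in Search but the Windows events do not, the syslog path and the indexer are fine and the remaining suspect is the Beats leg: `ss -tn state established '( sport = :5044 )'` shows whether the Windows host ever connects, and the Winlogbeat configuration the Sidecar renders must point its `output.logstash.hosts` at this host and port.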