Windows nxlog to Graylog 2.4.3


(Tony) #1

We have just managed to bring up a working configuration of Graylog, followed the recipe to send Windows logs, configured log output to 192.168.1.aa, port 5514, UDP, configured and started the receiver.

Graylog is not seeing any messages.
Running netstat -peanut shows port 5514 is listening.
Running tshark shows UDP traffic coming in to port 5514.

No events are shown in Graylog - I can’t think of anything else to check right now
Tony


(Jan Doberstein) #2

Did you check a search by “all messages”, not only within the default 5 minute period?
Did you see incoming messages in the stats of the input (System > Inputs)?
Did you check the Graylog server.log?


(Tony) #3

Hi Jan,
Searching All messages when I try Show Messages for the input hangs on Loading.
Using the Search menu item, and searching for everything in the last week, shows nothing.
There are incoming messages in the stats of the input.
There are no warnings or anything else in the server.log now.
There was an issue with SO_RCVBUF size which I resolved by setting the appropriate kernel parameter

To me it looks as if the data is coming in, but not being either stored, or read back.


(Jan Doberstein) #4

When you check System > Nodes, do you see messages coming in and out, or just in the journal?
What does System > Indices show you at the total overview?


(Tony) #5

We saw messages coming and going in the message count, but not displayed in Show All Message from the inputs.

System > Indices shows
1 index, 6,547 documents, 8.4MB

all settings here are defaults.

I am completely puzzled about this, since as far as I can tell, the data is going into elasticsearch, but is not being retrieved from it.


(Jan Doberstein) #6

When you run the following curl against Elasticsearch, does it return anything?

curl -XGET 'localhost:9200/_cat/indices?v&pretty'

Did you search also in the future and the past? If your systems are not in sync you might have to deal with different times on the systems.
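An added example (not from this thread or from Graylog) of checking the `_cat/indices?v` table that the curl above returns: it reads the header to locate columns and flags an index that is empty, not green, or not open. The sample output below is constructed; the uuid and sizes are made up.

```shell
#!/bin/sh
# Constructed sample of `curl -XGET 'localhost:9200/_cat/indices?v'` output (not real data)
SAMPLE_CAT_INDICES='health status index     uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   graylog_0 AbCdEfGhIjKlMnOpQrSt 4   0   127579     0            26.2mb     26.2mb'

# Constructed sample of an index that would explain "nothing shows up": empty and not green
SAMPLE_EMPTY_INDEX='health status index     uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   graylog_0 ZyXwVuTsRqPoNmLkJiHg 4   1   0          0            261b       261b'

# Print "index docs.count health status" for every index row.
# Column positions are taken from the header line, so column order does not matter.
cat_indices_summary() {
  printf '%s\n' "$1" | awk '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    {
      ix = col["index"]; dc = col["docs.count"]; h = col["health"]; s = col["status"]
      print $ix, $dc, $h, $s
    }'
}

# Exit 0 when at least one index exists and every index is green, open and non-empty; else exit 1.
check_indices_healthy() {
  cat_indices_summary "$1" | awk '
    { n++; if ($2 == 0 || $3 != "green" || $4 != "open") bad = 1 }
    END { exit (n == 0 || bad) ? 1 : 0 }'
}

cat_indices_summary "$SAMPLE_CAT_INDICES"
if check_indices_healthy "$SAMPLE_CAT_INDICES"; then
  echo "indices look healthy; if Graylog still shows nothing, compare the clocks on all hosts"
else
  echo "index problem: empty, not green, or not open"
fi
```

In a real check, replace the constructed samples with the live curl output, for example `check_indices_healthy "$(curl -s 'localhost:9200/_cat/indices?v')"`.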


(Tony) #7

The curl command shows 127579 documents, occupying 26.2Mb, index name is graylog_0
Health is green, status is open.

I configured a syslog feed from a Linux system, which shows the same behaviour, still no messages displayed.

I’ve checked the times on all machines involved, they are all synced using ntp.

We had some issues with the original installation, I am beginning to think I should save the configuration, clean out the installation, and try again with a clean install.


(Jochen) #8

What type of input have you created in Graylog?
What’s the complete configuration of that input?
What’s the complete configuration of NXLOG?


(Tony) #9

OK, we have reinstalled our java environment on the system, and everything works as expected now.

We are running Ubuntu 16.04, and there were some mistakes made with the original Java packages which seem to have caused this.

Thanks for your time, and sorry for the bother.
Tony


(system) #10

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.