Hi Lennart, Thanks, "Raw/Plaintext UDP" listening on 514 did the trick, I see messages!
Now to go from syslog to GELF without throwing away 1/2 GB RAM using logstash :) -- Jeff Schoolcraft On Thursday, January 2, 2014 at 6:09 PM, Lennart Koopmann wrote: > Hey Jeff, > > from what I can see you spawned UDP syslog inputs. Those inputs expect > syslog RFC compliant messages. Do you send such messages from your > script? All 530 messages you sent were rejected as incomplete > (non-compliant). > > I suggest you try this: Start a "Raw/Plaintext UDP" input and point > your script to it. Those inputs do not expect any specific format and > just store any text they get until the first newline delimiter (\n). I > am pretty sure this will show the messages. They won't have any > information extracted to fields though. There are several ways to > address that and the easiest might be: > > * Send GELF from your script. It is easy to construct GELF messages > in your favorite language: http://graylog2.org/gelf#libraries > * Keep sending raw/plaintext messages and use the Graylog2 > extractors to extract data to fields. > > Thanks for attaching the metrics. This made debugging this really > easy. Awesome! :) > > Cheers, > Lennart > > On Thu, Jan 2, 2014 at 11:11 PM, Jeff Schoolcraft > <[email protected] (mailto:[email protected])> wrote: > > I have a newly installed graylog2 server (The stats from the rsyslog > > listener: graylog2-web-interface v0.20.0-preview.8) and I've set up 2 > > listeners udp gelf and udp rsyslog. > > > > I used a small script to pipe output from an nginx access log to the graylog > > server over udp and it's getting messages but not storing them. > > > > I also switched a running app currently logging messages to a v0.11.0 server > > to the new graylog server, it too shows up in stats but isn't storing any > > events. > > > > How can I debug this? > > > > Here are the metrics from the syslog parser. > > > > > > > > org.graylog2.inputs.syslog.udp.SyslogUDPInput.3bd9b418-3441-4bdd-b1aa-125a2ffa04c8.incomingMessages > > > > Meter > > > > > > Total:530 eventsMean:0.09 events/sec1 minute avg:0.1 events/sec5 minute > > avg:0.13 events/sec15 minute avg:0.13 events/sec > > > > org.graylog2.inputs.syslog.udp.SyslogUDPInput.3bd9b418-3441-4bdd-b1aa-125a2ffa04c8.incompleteMessages > > > > Meter > > > > > > Total:530 eventsMean:0.09 events/sec1 minute avg:0.1 events/sec5 minute > > avg:0.13 events/sec15 minute avg:0.13 events/sec > > > > org.graylog2.inputs.syslog.udp.SyslogUDPInput.3bd9b418-3441-4bdd-b1aa-125a2ffa04c8.parsingFailures > > > > Meter > > > > > > Total:0 eventsMean:0 events/sec1 minute avg:0 events/sec5 minute avg:0 > > events/sec15 minute avg:0 events/sec > > > > org.graylog2.inputs.syslog.udp.SyslogUDPInput.3bd9b418-3441-4bdd-b1aa-125a2ffa04c8.processedMessages > > > > Meter > > > > > > Total:0 eventsMean:0 events/sec1 minute avg:0 events/sec5 minute avg:0 > > events/sec15 minute avg:0 events/sec > > > > -- > > Jeff Schoolcraft > > > > -- > > You received this message because you are subscribed to the Google Groups > > "graylog2" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to [email protected] > > (mailto:[email protected]). > > For more options, visit https://groups.google.com/groups/opt_out. > > > > > -- > You received this message because you are subscribed to the Google Groups > "graylog2" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected] > (mailto:[email protected]). > For more options, visit https://groups.google.com/groups/opt_out. > > -- You received this message because you are subscribed to the Google Groups "graylog2" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
