So, I turned off the RAW input and turned on the syslog input, adding this to the end of my /etc/rsyslog.conf file:

*.* @graylog_server_ip:514

I'm on ubuntu (Linux node1-qa-api 3.5.0-44-generic #67-Ubuntu SMP Tue Nov 12 19:36:14 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux) and just forwarding messages along without some intermediate script...

And I'm still not getting messages. Any ideas?

org.graylog2.inputs.syslog.udp.SyslogUDPInput.250e3b5e-34e1-4c3a-b992-fea3132ac74b.incomingMessages
Meter
  Total: 108 events
  Mean: 0.17 events/sec
  1 minute avg: 0.22 events/sec
  5 minute avg: 0.16 events/sec
  15 minute avg: 0.16 events/sec

org.graylog2.inputs.syslog.udp.SyslogUDPInput.250e3b5e-34e1-4c3a-b992-fea3132ac74b.incompleteMessages
Meter
  Total: 108 events
  Mean: 0.17 events/sec
  1 minute avg: 0.22 events/sec
  5 minute avg: 0.16 events/sec
  15 minute avg: 0.16 events/sec

org.graylog2.inputs.syslog.udp.SyslogUDPInput.250e3b5e-34e1-4c3a-b992-fea3132ac74b.parsingFailures
Meter
  Total: 0 events
  Mean: 0 events/sec
  1 minute avg: 0 events/sec
  5 minute avg: 0 events/sec
  15 minute avg: 0 events/sec

org.graylog2.inputs.syslog.udp.SyslogUDPInput.250e3b5e-34e1-4c3a-b992-fea3132ac74b.processedMessages
Meter
  Total: 0 events
  Mean: 0 events/sec
  1 minute avg: 0 events/sec
  5 minute avg: 0 events/sec
  15 minute avg: 0 events/sec

--
Jeff Schoolcraft

On Thursday, January 2, 2014 at 7:44 PM, Lennart Koopmann wrote:

> Great to hear it worked! :) Just ping the mailing list if any more
> questions should arise.
>
> On Fri, Jan 3, 2014 at 1:33 AM, Jeff Schoolcraft
> <[email protected]> wrote:
> > Hi Lennart,
> >
> > Thanks, "Raw/Plaintext UDP" listening on 514 did the trick, I see messages!
> >
> > Now to go from syslog to GELF without throwing away 1/2 GB RAM using
> > logstash :)
> >
> > --
> > Jeff Schoolcraft
> >
> > On Thursday, January 2, 2014 at 6:09 PM, Lennart Koopmann wrote:
> >
> > Hey Jeff,
> >
> > from what I can see you spawned UDP syslog inputs. Those inputs expect
> > syslog RFC compliant messages. Do you send such messages from your
> > script? All 530 messages you sent were rejected as incomplete
> > (non-compliant).
> >
> > I suggest you try this: Start a "Raw/Plaintext UDP" input and point
> > your script to it. Those inputs do not expect any specific format and
> > just store any text they get until the first newline delimiter (\n). I
> > am pretty sure this will show the messages. They won't have any
> > information extracted to fields though. There are several ways to
> > address that and the easiest might be:
> >
> > * Send GELF from your script. It is easy to construct GELF messages
> > in your favorite language: http://graylog2.org/gelf#libraries
> > * Keep sending raw/plaintext messages and use the Graylog2
> > extractors to extract data to fields.
> >
> > Thanks for attaching the metrics. This made debugging this really
> > easy. Awesome! :)
> >
> > Cheers,
> > Lennart
> >
> > On Thu, Jan 2, 2014 at 11:11 PM, Jeff Schoolcraft
> > <[email protected]>
> > wrote:
> >
> > I have a newly installed graylog2 server (The stats from the rsyslog
> > listener: graylog2-web-interface v0.20.0-preview.8) and I've set up 2
> > listeners udp gelf and udp rsyslog.
> >
> > I used a small script to pipe output from an nginx access log to the graylog
> > server over udp and it's getting messages but not storing them.
> >
> > I also switched a running app currently logging messages to a v0.11.0 server
> > to the new graylog server, it too shows up in stats but isn't storing any
> > events.
> >
> > How can I debug this?
> >
> > Here are the metrics from the syslog parser.
> >
> > org.graylog2.inputs.syslog.udp.SyslogUDPInput.3bd9b418-3441-4bdd-b1aa-125a2ffa04c8.incomingMessages
> > Meter
> >   Total: 530 events
> >   Mean: 0.09 events/sec
> >   1 minute avg: 0.1 events/sec
> >   5 minute avg: 0.13 events/sec
> >   15 minute avg: 0.13 events/sec
> >
> > org.graylog2.inputs.syslog.udp.SyslogUDPInput.3bd9b418-3441-4bdd-b1aa-125a2ffa04c8.incompleteMessages
> > Meter
> >   Total: 530 events
> >   Mean: 0.09 events/sec
> >   1 minute avg: 0.1 events/sec
> >   5 minute avg: 0.13 events/sec
> >   15 minute avg: 0.13 events/sec
> >
> > org.graylog2.inputs.syslog.udp.SyslogUDPInput.3bd9b418-3441-4bdd-b1aa-125a2ffa04c8.parsingFailures
> > Meter
> >   Total: 0 events
> >   Mean: 0 events/sec
> >   1 minute avg: 0 events/sec
> >   5 minute avg: 0 events/sec
> >   15 minute avg: 0 events/sec
> >
> > org.graylog2.inputs.syslog.udp.SyslogUDPInput.3bd9b418-3441-4bdd-b1aa-125a2ffa04c8.processedMessages
> > Meter
> >   Total: 0 events
> >   Mean: 0 events/sec
> >   1 minute avg: 0 events/sec
> >   5 minute avg: 0 events/sec
> >   15 minute avg: 0 events/sec
> >
> > --
> > Jeff Schoolcraft
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "graylog2" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
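
An added illustration of the point in the thread about RFC-compliant syslog (not code from the thread or from Graylog2): this sketch wraps a raw nginx access-log line in an RFC 3164 header and runs a simplified header check that accepts the framed datagram and rejects the raw line. The regex is a simplification and not Graylog2's parser; the sample log line, the `nginx` tag and the local0.info default are constructed assumptions.

```python
import re
import socket
from datetime import datetime

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2}) ([ \d]\d) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$",
    re.DOTALL,
)

def frame_rfc3164(line, host, tag, when, facility=16, severity=6):
    """Wrap one raw log line in an RFC 3164 header (default local0.info)."""
    pri = facility * 8 + severity
    # Day of month is space-padded to two characters, as RFC 3164 requires.
    stamp = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {host} {tag}: {line.rstrip()}".encode("utf-8")

def parse_rfc3164(datagram):
    """Return header fields, or None if the datagram lacks a valid header."""
    m = RFC3164_RE.match(datagram.decode("utf-8", "replace"))
    if m is None or int(m.group(1)) > 191:  # PRI tops out at 23*8+7
        return None
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7,
            "host": m.group(5), "message": m.group(6)}

def send_udp(datagram, server, port=514):
    """Send one datagram; each UDP packet carries exactly one message."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (server, port))

# Constructed sample nginx access-log line (documentation IP range).
RAW_LINE = '203.0.113.7 - - [02/Jan/2014:23:11:05 +0000] "GET /health HTTP/1.1" 200 2\n'
FRAMED = frame_rfc3164(RAW_LINE, "node1-qa-api", "nginx",
                       datetime(2014, 1, 2, 23, 11, 5))

if __name__ == "__main__":
    print("raw    ->", parse_rfc3164(RAW_LINE.encode()))
    print("framed ->", parse_rfc3164(FRAMED))
```

`send_udp` is not called here so the block runs offline; pass it `FRAMED` and the address of the syslog input to send the datagram.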
