I am sending graylog2 UDP syslog messages every second from another server
with:
while true; do sleep 1; echo "THIS IS A TEST" | logger -d -n 10.0.4.103;
done
I know the graylog2 host is receiving them, I see them with tcpdump:
15:02:24.742441 IP (tos 0x0, ttl 60, id 527, offset 0, flags [none], proto
UDP (17), length 72)
blahhost.49241 > graylog2-server.syslog: SYSLOG, length: 44
Facility kernel (0), Severity notice (5)
Msg: Apr 28 15:02:24 wsanders: THIS IS A TEST\0x00
I have set up a raw input on UDP port 514. I can write messages with the
fake http message generator, but none of the incoming stuff on port 514
shows up.
Nothing shows up in the graylog2 log about any messages being received.
2014-04-28 15:06:11,732 DEBUG:
org.graylog2.periodical.ClusterHealthCheckThread - Running inputs found,
disabling notification
2014-04-28 15:06:11,733 DEBUG:
org.graylog2.periodical.DeflectorManagerThread - Number of messages in
<graylog2_0> (120) is lower than the limit (2000000). Not doing anything.
2014-04-28 15:06:14,623 DEBUG: org.graylog2.rest.accesslog - 10.0.4.103 -
[Mon Apr 28 15:06:14 PDT 2014] "GET /system/cluster/nodes"
graylog2-web/0.20.1 200 -1
2014-04-28 15:06:19,629 DEBUG: org.graylog2.rest.accesslog - 10.0.4.103 -
[Mon Apr 28 15:06:19 PDT 2014] "GET /system/cluster/nodes"
graylog2-web/0.20.1 200 -1
2014-04-28 15:06:21,733 DEBUG:
org.graylog2.periodical.DeflectorManagerThread - Number of messages in
<graylog2_0> (120) is lower than the limit (2000000). Not doing anything.
2014-04-28 15:06:24,634 DEBUG: org.graylog2.rest.accesslog - 10.0.4.103 -
[Mon Apr 28 15:06:24 PDT 2014] "GET /system/cluster/nodes"
graylog2-web/0.20.1 200 -1
2014-04-28 15:06:29,639 DEBUG: org.graylog2.rest.accesslog - 10.0.4.103 -
[Mon Apr 28 15:06:29 PDT 2014] "GET /system/cluster/nodes"
graylog2-web/0.20.1 200 -1
2014-04-28 15:06:31,732 DEBUG:
org.graylog2.periodical.ClusterHealthCheckThread - Running inputs found,
disabling notification
2014-04-28 15:06:31,733 DEBUG:
org.graylog2.periodical.DeflectorManagerThread - Number of messages in
<graylog2_0> (120) is lower than the limit (2000000). Not doing anything.
2014-04-28 15:06:34,645 DEBUG: org.graylog2.rest.accesslog - 10.0.4.103 -
[Mon Apr 28 15:06:34 PDT 2014] "GET /system/cluster/nodes"
graylog2-web/0.20.1 200 -1
2014-04-28 15:06:39,650 DEBUG: org.graylog2.rest.accesslog - 10.0.4.103 -
[Mon Apr 28 15:06:39 PDT 2014] "GET /system/cluster/nodes"
graylog2-web/0.20.1 200 -1
2014-04-28 15:06:41,727 DEBUG: org.graylog2.periodical.AlertScannerThread -
Running alert checks.
2014-04-28 15:06:41,727 DEBUG: org.graylog2.periodical.AlertScannerThread -
There are 0 streams with configured alert conditions.
2014-04-28 15:06:41,733 DEBUG:
org.graylog2.periodical.DeflectorManagerThread - Number of messages in
<graylog2_0> (120) is lower than the limit (2000000). Not doing anything.
disown2014-04-28 15:06:44,656 DEBUG: org.graylog2.rest.accesslog -
10.0.4.103 - [Mon Apr 28 15:06:44 PDT 2014] "GET /system/cluster/nodes"
graylog2-web/0.20.1 200 -1
2014-04-28 15:06:49,661 DEBUG: org.graylog2.rest.accesslog - 10.0.4.103 -
[Mon Apr 28 15:06:49 PDT 2014] "GET /system/cluster/nodes"
graylog2-web/0.20.1 200 -1
2014-04-28 15:06:51,732 DEBUG:
org.graylog2.periodical.ClusterHealthCheckThread - Running inputs found,
disabling notification
[etc]
I see a couple of fishy things:
- What does this mean in graylog2.conf? I have a standalone host, graylog2
and elasticsearch running on the same host. Do I need to change these?
# we don't want the graylog2 server to store any data, or be master node
#elasticsearch_node_master = false
#elasticsearch_node_data = false
- How can I tell that the graylog2-server is successfully communicating
with elasticsearch? I do see:
2014-04-28 15:16:03,283 INFO : org.graylog2.Core - Started REST API at
<http://127.0.0.1:12900/>
2014-04-28 15:16:03,284 INFO : org.graylog2.Main - Graylog2 up and running.
- I am trying to allow graylog2 and elasticsearch to communicate only on
127.0.0.1, since the Elasticsearch API seems to be unauthenticated. Does
this work? The log entries above seem to indicate it's still trying to
connect on 10.0.4.103 instead of 127.0.0.1.
Any help debugging, or pointers to documentation, is appreciated.
-wsanders
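As an added offline diagnostic that is not part of the original post: it frames a test message the way the tcpdump decode above shows it (PRI byte giving facility/severity, trailing NUL appended by logger) and decodes it again, so you can prove on the Graylog host what actually reaches the input port before suspecting the input itself. Collector host and port are placeholder arguments.

```python
"""Added diagnostic, not from the post: frame, send and decode an RFC 3164 syslog
datagram the way tcpdump decoded it above (PRI -> facility/severity, trailing NUL).
Collector host/port passed to send_syslog/receive_one are assumed placeholders."""
import socket

FACILITIES = ["kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "clock", "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def build_syslog(facility, severity, body, nul=True):
    """'<PRI>body' with PRI = facility*8 + severity; nul=True mimics logger's \\0."""
    data = f"<{facility * 8 + severity}>{body}".encode()
    return data + b"\x00" if nul else data


def parse_syslog(datagram):
    """Strip a trailing NUL (some inputs reject it), split PRI, keep the rest as
    text. A datagram without PRI gets RFC 3164's default <13> (user.notice)."""
    had_nul = datagram.endswith(b"\x00")
    data = datagram.rstrip(b"\x00")
    pri, body = 13, data
    if data.startswith(b"<") and b">" in data[:5]:
        end = data.index(b">")
        pri, body = int(data[1:end]), data[end + 1:]
    facility, severity = divmod(pri, 8)
    name = FACILITIES[facility] if facility < len(FACILITIES) else f"facility{facility}"
    return {"facility": name, "severity": SEVERITIES[severity % 8],
            "message": body.decode("utf-8", "replace"), "had_nul": had_nul}


def send_syslog(datagram, host, port=514):
    """Fire one UDP datagram at the collector (no delivery guarantee; confirm
    arrival with tcpdump or receive_one on the receiving side)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))


def receive_one(port=0, bind_addr="127.0.0.1", timeout=5.0, self_send=None):
    """Bind port (0 = ephemeral) and decode the first datagram. On the Graylog host,
    bind 514 on 0.0.0.0 (root, with the input stopped) to prove the port is reachable
    and free. self_send: datagram sent to ourselves for an offline round-trip check."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        s.settimeout(timeout)
        if self_send is not None:
            send_syslog(self_send, bind_addr, s.getsockname()[1])
        try:
            return parse_syslog(s.recvfrom(65535)[0])
        except socket.timeout:
            return None
```

The body string "Apr 28 15:02:24 wsanders: THIS IS A TEST" framed with facility 0, severity 5 and the NUL gives exactly the 44-byte datagram tcpdump reported, which is the payload to replay while watching the Graylog host.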
--
You received this message because you are subscribed to the Google Groups
"graylog2" group.