I've got my production Graylog 1.3.4 cluster online this week, primarily intaking logs via Syslog-TCP and Syslog-UDP Inputs. I'm running extractors for source / destination IP, and requested hostname thus far. Extraction works like a charm on my Syslog-TCP Input, but seems very hit or miss on my UDP Input. Now, the message inflow rate on the UDP Input is significantly higher than TCP, 100 - 1,100 msgs/s. I have 3 CentOS 6.7 VMs (on beefy VMware clustered hosts) running graylog-server/web and MongoDB, and a pair (3rd on order) of HP DL380 Gen9 Elasticsearch servers online, with everything flowing through an HA pair of Kemp LM2600 balancers.
I am using "replace with regular expression" for hostname extraction, which performs flawlessly in the Create/Edit Extractor screen, but seemingly only occasionally on the live flow of messages. I am using one of the GROK patterns to pull source and destination IP addresses. Again, my extraction success rate on the Syslog-TCP Input appears to be 100%, but hardly 10% on Syslog-UDP. Log sources for TCP are 2 HA pairs of F5 BIG-IP ASM modules, for UDP a pair of Cisco Sourcefire IPS boxes.

Thanks much,
John
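One way to measure an extractor's hit rate against a sample of captured messages instead of the single test string the Create/Edit Extractor screen uses, as an added example that is not part of the original post. The sample lines and the two extractor pattern sets are constructed and hypothetical; substitute the real patterns and a batch of messages exported from the live input.

```python
import re

# Constructed sample messages (hypothetical, not taken from the post): two in
# the key=value shape an extractor might have been written against, one in a
# different layout from another device, and one with nothing extractable.
SAMPLE_MESSAGES = [
    "src_ip=10.0.0.5 dst_ip=192.0.2.10 host=www.example.org uri=/login",
    "src_ip=10.0.0.7 dst_ip=192.0.2.11 host=shop.example.org uri=/cart",
    "10.0.0.9 -> 192.0.2.12 Host: api.example.org /v1/status",
    "heartbeat ok, no addresses in this line",
]

# Equivalent of the GROK IPV4 pattern, so IP extraction can be checked offline.
IPV4 = r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)"

# Hypothetical "strict" extractors: one regex per field, capture group 1.
STRICT = {
    "hostname": re.compile(r"host=(\S+)"),
    "src_ip": re.compile(r"src_ip=(" + IPV4 + ")"),
    "dst_ip": re.compile(r"dst_ip=(" + IPV4 + ")"),
}

# Hypothetical looser variants that also accept the second layout.
LOOSE = {
    "hostname": re.compile(r"host[=:]\s*(\S+)", re.IGNORECASE),
    "src_ip": re.compile(r"(" + IPV4 + r")\D+" + IPV4),
    "dst_ip": re.compile(IPV4 + r"\D+(" + IPV4 + ")"),
}


def extraction_report(messages, extractors):
    """Per extractor: (matched count, total count, up to 3 unmatched lines)."""
    report = {}
    for field, rx in extractors.items():
        unmatched = [m for m in messages if not rx.search(m)]
        report[field] = (len(messages) - len(unmatched), len(messages), unmatched[:3])
    return report


def hit_rate(messages, extractors, field):
    """Fraction of messages from which the given field can be extracted."""
    matched, total, _ = extraction_report(messages, extractors)[field]
    return matched / total if total else 0.0


if __name__ == "__main__":
    for name, patterns in (("strict", STRICT), ("loose", LOOSE)):
        for field, (hit, total, misses) in extraction_report(SAMPLE_MESSAGES, patterns).items():
            print(f"{name:6} {field:8} {hit}/{total} unmatched={misses}")
```

The unmatched lines are the ones to paste back into the Create/Edit screen: a pattern that is perfect there but low on the live input usually means the live input carries layouts the single test message did not.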
