Hi,

are you sure that these messages are ingested right now and don't simply have a timestamp "in the future" (e.g. because of timezone issues) and have been ingested some hours ago?

Cheers,
Jochen

On Monday, 6 February 2017 11:17:19 UTC+1, [email protected] wrote:
>
> Hi,
> These messages show received by deleted input on 0de4fb00 / Unknown, as
> shown in FIG:
>
> <https://lh3.googleusercontent.com/-Bv2lPjtjiBI/WJhMKCO8wmI/AAAAAAAAAAc/O1DE3V7Itvo9RaYfO3FYkioGrNP-yRWDACLcB/s1600/QQ%25E6%2588%25AA%25E5%259B%25BE20170206181601.png>
>
> But the normal messages show received by netsyslog on 0de4fb00 /
> Unknown, as shown in FIG:
>
> <https://lh3.googleusercontent.com/-4pmWgp_vfz4/WJhM8w50ltI/AAAAAAAAAAk/J3VF__snTZs5jOwy8Z-GikbAtEE-rwwkACLcB/s1600/QQ%25E6%2588%25AA%25E5%259B%25BE20170206181912.png>
>
> On Monday, 6 February 2017 at 5:11:55 PM UTC+8, Jochen Schalanda wrote:
>>
>> Hi,
>>
>> when you click on one of these messages, you can see on which input they
>> were received next to the "Received by" field.
>>
>> Once you have identified the input, you can use tools like Wireshark,
>> tcpdump, or simply lsof to identify where these messages come from.
>>
>> Cheers,
>> Jochen
>>
>> On Monday, 6 February 2017 04:06:00 UTC+1, [email protected] wrote:
>>>
>>> Hi,
>>>
>>> I deleted the command that sends logs to graylog server in the switch,
>>> but graylog can receive the logs of this switch as before. I don't know
>>> where those logs received by the graylog server come from?
>>>
>>> <https://lh3.googleusercontent.com/-s1zELVGLS_4/WJfnIXR4eLI/AAAAAAAAAAM/JLr0beJpbmgyHv6RFo_8ZVuVDuW6WNxpgCLcB/s1600/QQ%25E6%2588%25AA%25E5%259B%25BE20170206110452.png>
>>>
>>> The switch does not send logs to graylog, but graylog can receive the
>>> logs of this switch as before. As shown in FIG.
>>>
>>> On Saturday, 4 February 2017 at 6:07:06 PM UTC+8, Jochen Schalanda wrote:
>>>>
>>>> Hi,
>>>>
>>>> please elaborate on your problem. I'm not sure what you're trying to
>>>> say.
>>>>
>>>> What did you expect to happen or retrieve? What did actually happen?
>>>> As far as I see, the timestamps of the log messages are correct.
>>>>
>>>> Cheers,
>>>> Jochen
>>>>
>>>> On Saturday, 4 February 2017 10:48:25 UTC+1, [email protected] wrote:
>>>>>
>>>>> My graylog server always collects expired logs, these logs are
>>>>> generated long before, and now the switch has no such logs.
>>>>> [image: image]
>>>>> <https://www.google.com/url?q=https%3A%2F%2Fcloud.githubusercontent.com%2Fassets%2F24647716%2F22615473%2F4bef9a9a-ead0-11e6-9fc6-16e97d29dc70.png&sa=D&sntz=1&usg=AFQjCNHn4s-cddXkUqyzVtF1SmKgF5blNw>
>>>>>
>>>>> The current log's source is 2017. The log whose source is
>>>>> G1-K115-ACC-SW-48 is very early, but the server is collecting now.
>>>>>
>>>>> This problem has troubled me for weeks. How to solve this problem?
>>>>>
