Hi, I have stopped input, the graylog should not receive all logs, BUT the abnormal message can be received as before.

On Monday, 6 February 2017 at 6:40:50 PM UTC+8, Jochen Schalanda wrote:
>
> Hi,
>
> are you sure that these messages are ingested right now and don't simply
> have a timestamp "in the future" (e.g. because of timezone issues) and
> have been ingested some hours ago?
>
> Cheers,
> Jochen
>
> On Monday, 6 February 2017 11:17:19 UTC+1, [email protected] wrote:
>>
>> Hi,
>> These messages show received by deleted input on 0de4fb00 / Unknown, as
>> shown in FIG:
>>
>> <https://lh3.googleusercontent.com/-Bv2lPjtjiBI/WJhMKCO8wmI/AAAAAAAAAAc/O1DE3V7Itvo9RaYfO3FYkioGrNP-yRWDACLcB/s1600/QQ%25E6%2588%25AA%25E5%259B%25BE20170206181601.png>
>>
>> But the normal messages show received by netsyslog on 0de4fb00 /
>> Unknown, as shown in FIG:
>>
>> <https://lh3.googleusercontent.com/-4pmWgp_vfz4/WJhM8w50ltI/AAAAAAAAAAk/J3VF__snTZs5jOwy8Z-GikbAtEE-rwwkACLcB/s1600/QQ%25E6%2588%25AA%25E5%259B%25BE20170206181912.png>
>>
>> On Monday, 6 February 2017 at 5:11:55 PM UTC+8, Jochen Schalanda wrote:
>>>
>>> Hi,
>>>
>>> when you click on one of these messages, you can see on which input they
>>> were received next to the "Received by" field.
>>>
>>> Once you have identified the input, you can use tools like Wireshark,
>>> tcpdump, or simply lsof to identify where these messages come from.
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Monday, 6 February 2017 04:06:00 UTC+1, [email protected] wrote:
>>>>
>>>> Hi,
>>>>
>>>> I deleted the command that sends logs to the graylog server in the switch,
>>>> but graylog can receive the logs of this switch as before. I don't know
>>>> where those logs received by the graylog server come from.
>>>>
>>>> <https://lh3.googleusercontent.com/-s1zELVGLS_4/WJfnIXR4eLI/AAAAAAAAAAM/JLr0beJpbmgyHv6RFo_8ZVuVDuW6WNxpgCLcB/s1600/QQ%25E6%2588%25AA%25E5%259B%25BE20170206110452.png>
>>>>
>>>> The switch does not send logs to graylog, but graylog can receive the
>>>> logs of this switch as before. As shown in FIG.
>>>>
>>>> On Saturday, 4 February 2017 at 6:07:06 PM UTC+8, Jochen Schalanda wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> please elaborate on your problem. I'm not sure what you're trying to
>>>>> say.
>>>>>
>>>>> What did you expect to happen or retrieve? What did actually happen?
>>>>> As far as I see, the timestamps of the log messages are correct.
>>>>>
>>>>> Cheers,
>>>>> Jochen
>>>>>
>>>>> On Saturday, 4 February 2017 10:48:25 UTC+1, [email protected] wrote:
>>>>>>
>>>>>> My graylog server always collects expired logs, these logs were
>>>>>> generated long before, and now the switch has no such logs.
>>>>>> [image: image]
>>>>>> <https://www.google.com/url?q=https%3A%2F%2Fcloud.githubusercontent.com%2Fassets%2F24647716%2F22615473%2F4bef9a9a-ead0-11e6-9fc6-16e97d29dc70.png&sa=D&sntz=1&usg=AFQjCNHn4s-cddXkUqyzVtF1SmKgF5blNw>
>>>>>>
>>>>>> The current log's source is 2017, the log whose source is
>>>>>> G1-K115-ACC-SW-48 is very early, but the server is collecting now.
>>>>>>
>>>>>> This problem has troubled me for weeks. How to solve this problem?
>>>>>>
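
An added example, not part of the thread: an RFC 3164 syslog header carries no year and no UTC offset, so the receiver has to assume a timezone, and this sketch compares the header time of a captured datagram with its receipt time to separate "timestamp in the future" from genuinely old messages. The function name `check_datagram`, the peer address, the receipt time and the message text are assumptions constructed for illustration; only the hostname is taken from the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (no year, no UTC offset)
HEADER = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\S+) (.*)$",
    re.S)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def check_datagram(datagram, peer, received_at, assumed_tz=timezone.utc,
                   tolerance=timedelta(minutes=5)):
    """Classify one datagram by comparing its header time with the receipt time.

    received_at must be timezone-aware; assumed_tz is the zone the receiver
    applies to the zone-less header timestamp.
    """
    m = HEADER.match(datagram.decode("utf-8", "replace"))
    if not m or m.group(2) not in MONTHS:
        return {"peer": peer, "verdict": "unparsed"}
    _pri, mon, day, hh, mi, ss, host, _msg = m.groups()
    rx_local = received_at.astimezone(assumed_tz)
    try:
        declared = datetime(rx_local.year, MONTHS[mon], int(day), int(hh),
                            int(mi), int(ss), tzinfo=assumed_tz)
    except ValueError:  # e.g. "Feb 30" or an out-of-range hour
        return {"peer": peer, "verdict": "unparsed"}
    # The header has no year: a date far ahead of "now" belongs to last year.
    if declared - rx_local > timedelta(days=180):
        declared = declared.replace(year=declared.year - 1)
    skew = declared - received_at
    verdict = ("future" if skew > tolerance
               else "stale" if skew < -tolerance else "current")
    return {"peer": peer, "host": host, "declared": declared,
            "skew_seconds": int(skew.total_seconds()), "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples: receipt time, peer address and message text are made up.
    now = datetime(2017, 2, 6, 10, 17, 19, tzinfo=timezone.utc)
    peer = ("192.0.2.10", 51514)
    samples = [b"<189>Feb  6 18:17:10 G1-K115-ACC-SW-48 link state changed (constructed)",
               b"<189>Jan 12 03:04:05 G1-K115-ACC-SW-48 config saved (constructed)"]
    for raw in samples:
        for tz in (timezone.utc, timezone(timedelta(hours=8))):
            print(tz, check_datagram(raw, peer, now, assumed_tz=tz))
```

A "future" verdict that turns "current" when `assumed_tz` is changed points to a timezone mismatch; a "stale" verdict under every plausible zone means the sender named in `peer` really is transmitting old records.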
