[graylog2] Re: Graylog server always collect expired logs, these logs are generated long before , and now the switch has no such logs.

2017-02-06 Thread Jochen Schalanda
Hi,

On Monday, 6 February 2017 12:16:12 UTC+1, ql.w...@163.com wrote:
> I have stopped input, the graylog should not receive all logs, BUT the
> abnormal message can be received as before.

Please verify with Wireshark or tcpdump, that these messages are indeed being received by Graylog

[graylog2] Re: Graylog server always collect expired logs, these logs are generated long before , and now the switch has no such logs.

2017-02-06 Thread ql . wayne
Hi,

I have stopped input, the graylog should not receive all logs, BUT the abnormal message can be received as before.

On Monday, 6 February 2017 at 18:40:50 UTC+8, Jochen Schalanda wrote:
> Hi,
>
> are you sure that these messages are ingested right now and don't simply
> have a timestamp "in the future"

[graylog2] Re: Graylog server always collect expired logs, these logs are generated long before , and now the switch has no such logs.

2017-02-06 Thread Jochen Schalanda
Hi,

are you sure that these messages are ingested right now and don't simply have a timestamp "in the future" (e.g. because of timezone issues) and have been ingested some hours ago?

Cheers,
Jochen

On Monday, 6 February 2017 11:17:19 UTC+1, ql.w...@163.com wrote:
> Hi,
> These messages

[graylog2] Re: Graylog server always collect expired logs, these logs are generated long before , and now the switch has no such logs.

2017-02-06 Thread ql . wayne
Hi,

These messages show as received by deleted input on 0de4fb00 / Unknown, as shown in FIG: But the normal messages show

[graylog2] Re: Graylog server always collect expired logs, these logs are generated long before , and now the switch has no such logs.

2017-02-06 Thread Jochen Schalanda
Hi,

when you click on one of these messages, you can see on which input they were received next to the "Received by" field. Once you have identified the input, you can use tools like Wireshark, tcpdump, or simply lsof to identify where these messages come from.

Cheers,
Jochen

On Monday, 6

[graylog2] Re: Graylog server always collect expired logs, these logs are generated long before , and now the switch has no such logs.

2017-02-05 Thread ql . wayne
Hi,

I deleted the command that sends logs to the graylog server in the switch, but graylog can receive the logs of this switch as before. I don't know where those logs received by the graylog server come from?