Skip to main content

Hi,

I have a very basic setup which has:

Cribl stream leader node, 2 cribl workers, 1 admin node

source: syslog tcp port 1514

destination:filesystem

route filter:__inputId.startsWith('syslog:')

route pipeline: main

route output: filesystem

pipeline: main and CriblSyslog routes attached

I have a test machine that has it's rsyslog sending to remote location (a worker node) and also a script that randomly generates syslog data and sends to the same worker node every 1 second.

I can see the data come in using tcpdump, I can see the received messages coming into the worker in the Sources → Syslog → Status menu but nothing is being processed. Outside of the status menu, none of the metrics show the incoming messages and no files are being written to the filesystem. I've confirmed the connection between the test host and worker node is open with telnet and netcat.

Tried tailing Cribl log files, system log files, anything to find why it's showing as receiving the messages but not processing in the pipeline. It's a very basic syslog setup but I'm lost as to what I'm missing!

Appreciate any tips for troubleshooting!

  1. Try using the Live Data tab included in the source configuration UI. Here you'll be able to confirm that the data is received by the source. You can save the data you see here in the capture as a sample file to use in the next step.
855_43204fa5564445c59f23ec02e3b1dc5c.png

2. If you see the data coming in, the next step is to move to the route. In the right pane, select the capture file that you just created and click the simple link next to the capture file name.

855_548d168156df45ee8dbb55639234ea1c.png


Here you can view the data and see if it is flowing using the IN or OUT tabs at the top of the simple preview window.

855_31a0a68e615e4cc086da99fa248aa7fc.png

Does Cribl have permissions to write to the file location you're wanting to store?

Reply


Terms & ConditionsCookie settings