Hi, This messages shows received by deleted input on 0de4fb00 / Unknown, as shown in FIG:
<https://lh3.googleusercontent.com/-Bv2lPjtjiBI/WJhMKCO8wmI/AAAAAAAAAAc/O1DE3V7Itvo9RaYfO3FYkioGrNP-yRWDACLcB/s1600/QQ%25E6%2588%25AA%25E5%259B%25BE20170206181601.png> But the normal messages shows received by netsyslog on 0de4fb00 / Unknown,as shown in FIG: <https://lh3.googleusercontent.com/-4pmWgp_vfz4/WJhM8w50ltI/AAAAAAAAAAk/J3VF__snTZs5jOwy8Z-GikbAtEE-rwwkACLcB/s1600/QQ%25E6%2588%25AA%25E5%259B%25BE20170206181912.png> 在 2017年2月6日星期一 UTC+8下午5:11:55,Jochen Schalanda写道: > > Hi, > > when you click on one of these messages, you can see on which input they > were received next to the "Received by" field. > > Once you have identified the input, you can use tools like Wireshark, > tcpdump, or simply lsof to identify where these messages come from. > > Cheers, > Jochen > > > On Monday, 6 February 2017 04:06:00 UTC+1, ql.w...@163.com wrote: >> >> Hi, >> >> I deleted the command that send logs to graylog server in the switch, >> But, graylog can receive the logs of this switch as before. I don't know >> where those logs received by the graylog server come from? >> >> >> <https://lh3.googleusercontent.com/-s1zELVGLS_4/WJfnIXR4eLI/AAAAAAAAAAM/JLr0beJpbmgyHv6RFo_8ZVuVDuW6WNxpgCLcB/s1600/QQ%25E6%2588%25AA%25E5%259B%25BE20170206110452.png> >> >> >> The switch do not send logs to graylog, But, graylog can receive the >> logs of this switch as before. As shown in FIG. >> >> >> >> 在 2017年2月4日星期六 UTC+8下午6:07:06,Jochen Schalanda写道: >>> >>> Hi, >>> >>> please elaborate on your problem. I'm not sure what you're trying to say. >>> >>> What did you expect to happen or retrieve? What did actually happen? >>> As far as I see, the timestamps of the log messages are correct. >>> >>> Cheers, >>> Jochen >>> >>> On Saturday, 4 February 2017 10:48:25 UTC+1, ql.w...@163.com wrote: >>>> >>>> My graylog server always collect expired logs, these logs are generated >>>> long before , and now the switch has no such logs. >>>> [image: image] >>>> <https://www.google.com/url?q=https%3A%2F%2Fcloud.githubusercontent.com%2Fassets%2F24647716%2F22615473%2F4bef9a9a-ead0-11e6-9fc6-16e97d29dc70.png&sa=D&sntz=1&usg=AFQjCNHn4s-cddXkUqyzVtF1SmKgF5blNw> >>>> >>>> The current log's source is 2017, The log whose source is >>>> G1-K115-ACC-SW-48 is very early, but the server is collecting now. >>>> >>>> This problem has troubled me for weeks. How to solve this problem? >>>> >>> -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/4f350e28-c425-48e0-ab78-5d14ed81ddaa%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
