Only Receiving Logs From 1 Host

[hillhealthcenter]

Not sure why the number of hosts incrementing.

[eloyd]

I've noticed that it takes a while for the number to actually increase, even though logs are showing up. Go to the "top sources" dashboard or the default search dashboard and you should be able to look at "logsource" in the list of terms to confirm that your hosts are actually logging.

If they're not, ensure that firewall ports are set properly to allow port 5544 traffic into your log host.

[tmcdonald]

A few other users have seen this behavior as well. I'll talk to the devs and see if I can get an explanation.

[hillhealthcenter]

Thanks, Eric and Trevor!

My hosts do appear in the Top Sources section.

[tmcdonald]

The answer I got was pretty confusing. Basically it boils down to logstash taking its time indexing the new logs when they first come in. I suggested altering our setup script for the remote machines to ping back or "phone home" to an API that will immediately register.

[eloyd]

I just don't pay attention to the number. It's pretty irrelevant for us anyway, since the number of hosts we're monitoring isn't as important as the number of log files (web, syslog, sql, VoIP, etc) across the hosts. So as long as the rsyslog.d/*.conf file gets created properly on the monitored host, and as long as the logsources show up in the searches, I think doing something to get the count to update faster is much lower priority than getting dark to work in the dashboard!!!

[sreinhardt]

I suppose that is a valid point on importance. We might just have to see what comes about from tmcdonalds request.