I am a newbie on LogScape. Apologies in advance for any funny queries. Essentially, I have set up a remote server (Linux 2.6.32-220.el6.f5.x86_64) to send the logs to the Logscape VM (#35~precise1-Ubuntu). Consequently, we can see the port (1468) is open and telnet-able from the remote machine. Moreover, I had a tcpdump running on the LogScape machine, and that indicates the logs are arriving. However, I still cannot see any logs in the dashboard for that related server.
Appreciate if you could suggest some further troubleshooting tips on this.
It looks like there isn't a datasource pulling in your syslog data.
1.) To find out if any of the data from 10.1.15.3 has been ingested, execute the following search going back 2 or more days:
| _host.equals(10.1.5.3) _tag.count()
This search returns the data source the system is using. Your data may be coming from a different data source other than Test_log_1. It's important that your search goes back far enough.
2.) If you get nothing coming back in step 1.) the data sources have not been set up correctly. Please send a screenshot of your syslog-server data source and TestLog_1 datasource and I will be able to see if it is a problem with the data source or something else.
Unfortunately, an issue has come up with it: if we have separate accounts to view the data from various data sources respectively, other users can view each other's information through queries. Therefore, is there any way we could prevent this or resolve this authorisation issue, or is there any development on this in track?
Hi Hyder, If you have upgraded to 2.3.1 you could look at using datagroups. Each datagroup can apply a host filter and you can assign datagroups to individual user accounts.