Assigning New Default Index Set Not Working

Hello Graylog Community,
I have been working diligently over the past several weeks trying to stand up two Graylog servers on CentOS7 boxes in our VM environment. Everything has gone relatively smoothly, except for when it comes to modifying the Graylog Default Index Set.

My problem is that I built out one of the servers, got it configured to my liking, and then cloned the VM. When I stood up the second one, I now have two Graylog servers with the same naming convention for the Default Index Set prefix. Ideally, I wanted to be able to assign a different prefix to default index.

I have tried changing the prefix in the /etc/graylog/server/server.conf, ElasticSearch settings section, but it seems to just be ignoring that change when I restart the services and ask it to rotate or rebuild the index.

Additionally, I’ve also created a new index directly within Graylog WEB and assigned it the role of ‘Default Index’, but the server still seems to ignore this and continues to write to the original Default Index Set.

I tried to close the default index, rotate it, point the All messages stream to the new index, all to no avail.

I read the articles outlined by Graylog on the Index and Stream model here:
http://docs.graylog.org/en/2.2/pages/configuration/index_model.html
http://docs.graylog.org/en/2.2/pages/streams.html#index-sets

No where does it really talk about changing this default index set— but if it isn’t possible, then why give us the option of setting another index as the ‘Default’ within the Web GUI? Is this still just a work in progress, or is there something that I’m missing in order to get it to actually use the new index?

Any help that you lovely folks could provide would be greatly welcomed.

Thanks!

Hey @unilogger,

just as a quick question to understand your problem. You cloned the VM, and are you using the Graylog Servers in a Cluster or are they independent systems?

Greetings - Phil

Hey there @derPhlipsi,
Thanks for your reply. Currently, these two are separate systems with no link to one another. For all intents and purposes at the moment, while the idea of Load Balancing and Clustered Elasticsearch Indexes sounds appealing, we would just like to have two separate locations that we can point logs to, depending on geographical location. Simply having an Output/Input stream between the two is good enough for our purpose.

I am just having a hard time wrapping my head around the ES settings in the server.conf and why changing certain settings, such as the primary Index Set, result in no changes upon restarting the cluster. At this point, the only way I could get items to stop going into the ‘All messages > Default Index Set’ is by creating multiple Input Streams and telling them to match ‘gl2_source_input’ strings and parse them to their own Index. This is not by any means ideal and seems like more of a workaround than a fix.

Thanks.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.