Cannot load graylog web interface from fresh install

Describe your incident:

Trying to set up a SIEM for my environment. I can complete setup, but the webpage at ipaddress:9000 will not load ("Chrome cannot reach this page"). I have nuked the server and started fresh several times with no success. The OpenSearch page at ipaddress:9200 does load with some JSON info.

Describe your environment:

OS Information: Ubuntu 22 LTS

Package Version: Graylog 5.0 (single node), OpenSearch 2.0.1, MongoDB 6.0

Service logs, configurations, and environment variables: Used the configuration from the Graylog documentation page

What steps have you already taken to try and solve the problem?

Originally I had Graylog with ES functional, but for some reason it stopped processing logs and I couldn't get it back up. Admittedly I am new to Linux and thought nuking it and going with OpenSearch would be a good learning experience.

Used both of these to try to figure out how to set it up:
a YouTube video on Graylog setup and the Graylog page on Ubuntu installation; the two are slightly different. (Can't post the links, as it kept giving me errors when trying to set up this post.)

Services show running (openlog, mongodb, GL)

How can the community help?

I just need to get the GL web interface to work so I can complete configuration, or finish pulling out my hair.

Hello @galcoChris

Can you show your Graylog and OpenSearch configuration?

1 Like

Hello @galcoChris

Please check with

netstat -nl 

whether the port is open.

Make sure, if you want to reach the server from another device, that you set the bind address to 0.0.0.0:9000. If you use a firewall or iptables, please open the port.

1 Like

Sorry you are having trouble. Is this the same GL instance, you had running, but you switched out ES for OS?

Your server.conf and opensearch.yml files would help. Also, have you checked the GL logs for clues?

1 Like

Thanks for responding.

How would you recommend doing that? I am on a Windows machine and not exactly sure of the best way to grab that off a remote VM.

If you log in to the Ubuntu server and pull your Graylog server.conf with a command like:

cat /etc/graylog/server/server.conf | egrep -v "^\s*(#|$)"

You can post the obfuscated results (we don't want to see the secrets!). You can use a similar command for the opensearch.yml file.

Use the </> forum tool to make the formatting of those files readable...

1 Like

I have tried binding the device's actual IP address,
put in the 0.0.0.0 address, tried the default port 9000 and other ports, rebooting every time and giving it some time before testing to make sure it is fully up. The OpenSearch 9200 page will populate but nothing on 9000.

netstat results:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 10.100.20.201:9200 :::* LISTEN
tcp6 0 0 10.100.20.201:9300 :::* LISTEN
udp 0 0 127.0.0.53:53 0.0.0.0:*
udp 0 0 10.100.20.201:68 0.0.0.0:*
raw6 0 0 :::58 :::*

Created an explicit rule to allow 9000, still no success.

Hey,

One way is using PuTTY for SSH. We're just guessing here to help you, so configuration and log files would help.

If you created the Graylog server on Ubuntu, how did you set it up without logging in?

1 Like

I see Mongo, SSH, DNS and OpenSearch all listening. Graylog is not in there.

I suspect 9000 is not listening because Graylog is not starting. Check your Graylog server log for hints as to why.

https://go2docs.graylog.org/5-0/setting_up_graylog/default_file_locations.html?Highlight=default

1 Like

Yup, definitely logged in. A lot of the terminals seem to not let me copy and paste. I guess I could ask you the same and say you could just read the documentation on how it is supposed to be set up and there you go? After not knowing anything about Linux and trying to follow along, it has been amazingly frustrating, but thanks for your help. PuTTY seems to be the only one that is letting me copy and paste.

Attempted to do as tmacgbay says; it looks like a good command to run to give what y'all are asking, and from what I can understand it should output the conf file without all the extra noncommented chars. This seems to freeze PuTTY with no response, though.

graylog-server.service - Graylog server
Loaded: loaded (/lib/systemd/system/graylog-server.service; enabled; v>
Active: active (running) since Thu 2023-03-16 19:09:22 UTC; 2h 33min a>
Docs: http://docs.graylog.org/
Main PID: 872 (graylog-server)
Tasks: 24 (limit: 9402)
Memory: 290.8M
CPU: 23.173s
CGroup: /system.slice/graylog-server.service
├─872 /bin/sh /usr/share/graylog-server/bin/graylog-server
└─916 /usr/share/graylog-server/jvm/bin/java -Xms1g -Xmx1g -se

The service is up and running? Or am I reading this wrong?

Okay, was able to get it to pull. Thanks.

For http binding I have tried, as one example showed me, 0.0.0.0:9000.
Previously, when I was using GL with ES, I entered :9000 and was able to get a connection.
(Completely reinstalled the OS since then and am now using GL with OpenSearch.)

is_leader = true
node_id_file = /etc/graylog/server/node-id
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = 10.100.20.201:9000
stream_aware_field_types=false
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000

1 Like

Hey

Looks like it has been running for 2 hours and 33 minutes today.

That is my go-to Linux-friendly tool.
PuTTY on Windows shouldn't freeze unless the node you're connecting to is having issues. Not 100% sure, though.

1 Like

I was using nano instead of cat; once I did cat it gave me results... Apparently I can't copy-paste out of a forum when it's handed to me on a silver platter... my bad... but hey, I learn the differences further.

1 Like

Hey @galcoChris

So I scanned over your config file; what I don't see is these two configurations:

password_secret =
root_password_sha2 =

If not, the configuration file does show how to generate those hashes.

1 Like

I removed both of those.

Used:
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
and
pwgen -N 1 -s 96

as documented to generate the secret & password

https://go2docs.graylog.org/5-0/downloading_and_installing_graylog/ubuntu_installation.html

1 Like

Understood, I personally do not see anything odd in the configuration file. By chance, since the Graylog service is started, have you tailed the Graylog log file?

On Ubuntu it should be...

root# tail -f /var/log/graylog-server/server.log

Check for warnings and errors; sometimes it helps to log in to the Graylog web UI at 10.100.20.201:9000 so it will generate some logs. Maybe we can get a clue on what's going on.

1 Like

2023-03-17T14:16:28.663Z INFO [VersionProbe] Elasticsearch is not available. Retry #281
2023-03-17T14:16:33.664Z ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node: Failed to connect to /127.0.0.1:9200. - Connection refused.
2023-03-17T14:16:33.664Z INFO [VersionProbe] Elasticsearch is not available. Retry #282
^C
petersc@svr100-graylog:~$ cd /etc/elasticsearch/elasticsearch.yml
-bash: cd: /etc/elasticsearch/elasticsearch.yml: No such file or directory
petersc@svr100-graylog:~$ sudo systemctl status elasticsearch.service
Unit elasticsearch.service could not be found.

Noticed it is trying to use Elasticsearch for some reason, although it isn't configured to do so. I'm using OpenSearch.

When I make connections on 9200 it doesn't show in the log (the connection will successfully connect to the OpenSearch page).

When I attempt a connection on 9000 it doesn't show in the log (connection fails as before).

Hey @galcoChris

Seems like you have a lot going on. I know you don't want to hear this, but you really need to go back over the documentation.

This port is for Elasticsearch/OpenSearch, normally used for the API, like checking the status using PUT/DELETE/GET/POST. Port 9000 is for your web UI.

If you install OpenSearch make sure it's running and the status is green/OK. Then move on to MongoDB and do the same. Both OpenSearch/Elasticsearch will connect to Graylog using localhost or 127.0.0.1 by default. If you can't reach the Web UI using this → 10.100.20.201:9000 in your Graylog config, double check your MongoDB logs.

If so, then this should show something:

systemctl status opensearch

1 Like

Hi @galcoChris,

Can you post the entire server.conf file, sans sensitive info like hashes and such? I don't see your elasticsearch hosts defined, so it's possible that GL doesn't know where to connect to OpenSearch.

There are other settings that may need to be looked at as well. The entire conf file will be helpful.

1 Like
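As an added example (not code from any poster in this thread), the check below reproduces the mismatch the server.log reveals: with elasticsearch_hosts absent, Graylog 5 falls back to http://127.0.0.1:9200, while the netstat output shows OpenSearch bound only to 10.100.20.201:9200. It assumes a listener table in the local-address form of `ss -ltnH` and uses constructed samples of both inputs.

```shell
# Constructed sample of the poster's server.conf (no secrets): note that
# elasticsearch_hosts is absent, exactly as in the config posted above.
SAMPLE_CONF='http_bind_address = 10.100.20.201:9000
mongodb_uri = mongodb://localhost/graylog'

# Constructed listener table (one local address per line, as `ss -ltnH` prints
# it), mirroring the netstat output above: OpenSearch is bound to the host IP only.
SAMPLE_LISTEN='127.0.0.1:27017
0.0.0.0:22
[::]:22
10.100.20.201:9200
10.100.20.201:9300'

# Print the host:port Graylog will contact for its search backend.
# Graylog 5 falls back to http://127.0.0.1:9200 when elasticsearch_hosts is unset.
search_backend() {   # $1 = server.conf contents
    hosts=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*elasticsearch_hosts[[:space:]]*=[[:space:]]*//p' | head -n 1)
    if [ -z "$hosts" ]; then hosts='http://127.0.0.1:9200'; fi
    hosts=${hosts%%,*}      # first URL of a comma-separated list
    hosts=${hosts#*://}     # drop the scheme
    hosts=${hosts#*@}       # drop user:pass@ if present
    printf '%s\n' "${hosts%%/*}"   # drop any trailing path
}

# Succeed (0) when some listener accepts connections to host:port, else fail (1).
listener_covers() {  # $1 = host:port, $2 = listener table
    want_host=${1%:*}; want_port=${1##*:}
    while IFS= read -r addr; do
        [ "${addr##*:}" = "$want_port" ] || continue
        case "${addr%:*}" in
            "$want_host"|0.0.0.0|'[::]'|'*') return 0 ;;   # exact or wildcard bind
        esac
    done <<EOF
$2
EOF
    return 1
}

# Report whether Graylog's configured backend address has anything listening on it.
diagnose() {   # $1 = server.conf contents, $2 = listener table
    target=$(search_backend "$1")
    if listener_covers "$target" "$2"; then
        printf 'OK: Graylog can reach its search backend at %s\n' "$target"
    else
        printf 'MISMATCH: Graylog expects %s but nothing listens there\n' "$target"
    fi
}
diagnose "$SAMPLE_CONF" "$SAMPLE_LISTEN"
```

On the poster's box this prints the MISMATCH line; setting `elasticsearch_hosts = http://10.100.20.201:9200` in server.conf (or binding OpenSearch to 127.0.0.1 as well) makes it report OK.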