Can't see any messages on Graylog. "Could not execute search"

Graylog Central (peer support)
1

Error Message:

Unable to perform search query

Details:
Below is the error Im getting:

Search status code:

500

Search response:

cannot GET http://192.168.0.220:9000/api/search/universal/relative?query=gl2_source_input%3A5c50769fa7a7f60365ac852f&range=0&limit=150&sort=timestamp%3Adesc (500)

graylog
graylog.PNG1671×778 41.5 KB

Ive seen other topics where it’s suggested to start ‘Elasticsearch’ I don’t know what that means.

Could anyone please provide the steps i will need to take.

Thanks,

2

without knowledge about your setup, help will not be possible. How did you install Graylog, what Version of Graylog did you have (is answered by the screenshot) but what Elasticsearch version did you have? How is that configured?

3

Developed Graylog 2.5 via OVA on EXSI VMware centre.

  • What Elasticsearch version did you ? As far as I can remember i didn’t have to configure any of that during deployment.

-How is that configured? Didn’t configure it. Unless it was part of plugin i installed

4
  • Did you checked if all services are up and running?
  • pls try “System > indices > $INDEXNAME > maintenance > recalculate index range” and check if it is working now.
5

Sorry for being ignorant .

  • Did you checked if all services are up and running? How can i check this ?
    -I received errors when i clicked on “System > indices
    graylog%201
    graylog 1.PNG1672×1012 62.3 KB
6

Time to go back to basics with you @GreenFlag :slight_smile:

  1. Welcome to Graylog and our friendly community! We hope you’ll enjoy both the software and the forums.
  2. First rule of Fight Club… I mean… First rule of these forums is that you put in some effort into researching your problems. In this case, it would help both yourself and us a lot if you spent a few hours reading Graylog documentation.
  3. Here’s a VERY basic overview of what you’re building here…
  • Graylog is the software that we use to both collect, process and query data from a lot of disparate sources.
  • Graylog uses a MongoDB backend for the storage of configuration settings.
  • Graylog uses an ElasticSearch backend for the storage of all processed data.
  • The Graylog OVA is a virtual machine that includes all three of these components, in a setup that is at best useful for a proof of concept environment. Performance will suck, stability may suck, etc.
  • MongoDB and ElasticSearch are NOT products of the Graylog project. They are open source database products that Graylog was built upon.
  • Properly running and managing MongoDB and ElasticSearch requires a skillset that includes Linux/Unix administration, but of course also basic knowledge of the two products.

In the case of your problem, it looks like the ElasticSearch database on your OVA got hosed. It could be as simple as rebooting the VM completely. It could also be a case of a full disk. Or who knows, maybe you accidentally broke a configuration file :slight_smile:

7

graylog

I’ve restarted the VM but same error appears

8

graylog%201
graylog 1.PNG1680×1036 116 KB

Above show when click on Inputs

9

graylog%201
graylog 1.PNG1669×1014 93.8 KB

Above notifications are showing.

Sorry again for being ignorant.
I really appreciate your guys help and guidance.

10

The first error indicates that one input failed to start on one of your hosts. So that’s not altogether bad news. Question is: which input is it? I can’t tell from the numbers shown. Could it be that this particular input is told to run on a port <1024? Because that won’t work without extra trickery.

The other two messages indicate that Graylog is not able to push messages into ElasticSearch. Either ElasticSearch is refusing to accept your input, or Graylog cannot find ES. Since you are using the vendor-provided OVA, the latter is unlikely. Unless you went into the configuration and manually made changes.

When you go to System > Overview, what does the ElasticSearch status bar say? It -should- report that the Elastic status is “green”.

Unfortunately, the fact that earlier Graylog could not show you any indices suggests again that Graylog simply cannot talk to ElasticSearch. Either because ES is down, ES is broken, or because you manually made changes to the config file for Graylog.

11

Please review the screenshots from Configuration page and Overview Page.

If ES is broken, how can i verify that ?

Is there any log i can check for verification

Graylog%20Conf
Graylog Conf.PNG1688×900 98.1 KB
graylog%20Overview
graylog Overview.PNG1665×1013 66.9 KB
?

12

Please check your screenshots, there is the ES state.

You can find a lot of documents about graylog. Check the GL and ES’s logs.
http://docs.graylog.org/en/2.5/pages/configuration/file_location.html

Please spend a minute with your data before you post it.

13

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.