Cleared index, services failed to start, rebooted, services running but missing custom input and grok patterns, yet port in use [edit]Issue eventually cleared itself just fine[/edit]

texas-bronius · October 27, 2017, 4:10pm

Looking for help with input not starting, custom input and GROK patterns missing after cleanse and forced restart. Here’s the story…

Still just getting my feet wet, but after getting the hang of things, I decided to clear my index to test load some old apache log files.

To clear the index, I logged into the box, issued:
sudo graylog-ctl cleanse

The progress messages indicate that the services were “down, normally up” and then “disabled, not stopping.” Status shows they are all disabled. So I tried sudo graylog-ctl start (no message) followed by `sudo graylog-ctl status’ reveals all services (elasticsearch, etcd, graylog-server, mongodb, nginx) are still disabled.

Ok. So I go the presumed easy route and reboot the machine with sudo reboot. All seems to come online just fine, my index looks clean which is what I was after, but my custom Input and two custom GROK patterns were gone. Also, both existing inputs were disabled and will not start: the out of box provided syslog (:514) I had disabled prior to creating my custom on on the same port, but when I go to start the provided one on 514, it reports Address in Use.

I am using a provided Graylog vm with Graylog 2.3.1+9f2c6ef.

jtkarvo · October 27, 2017, 5:47pm

Sounds from your description that the “cleanse” command is actually a “factory reset”, and deletes user made configurations in addition to all data. I have not used graylog-ctl, but if this is the case, you could make a request to improve documentation.

texas-bronius · October 27, 2017, 6:13pm

Ok maybe! I hadn’t considered that possibility.

Any speculation on why that deleted Input’s port 514 might still be tied up and how to free it?

This port freed itself up, and I am able to re-create the Input and grok logs again. Magical combo: Walk away to lunch, come back, `graylog-ctl restart` seems to have done it. And yep you hit the nail on the head: https://community.graylog.org/t/what-does-graylog-ctl-cleanse-do/1767

graylog-ctl cleanse will delete data and configuration, i. e. also the inputs you’ve created.

So that’s that Thanks for your reply @jtkarvo!

system · November 10, 2017, 6:13pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
What does graylog-ctl cleanse do? Graylog Central (peer support)	2	1375	August 1, 2017
There is no index target to point to Creating one now Graylog Central (peer support)	16	1072	December 18, 2023
No Messages In or Out after rebooting Graylog Server Graylog Central (peer support)	50	6095	January 5, 2022
Bulk Data Removal Question Graylog Central (peer support)	5	404	July 27, 2018
Graylog filled my disk, how do I delete some data? Graylog Central (peer support)	4	18998	September 14, 2018

Cleared index, services failed to start, rebooted, services running but missing custom input and grok patterns, yet port in use [edit]Issue eventually cleared itself just fine[/edit]

Related topics