Hello, Install Graylog v2.3.1 with Elasticsearch v2.3.1 and MongoDB v3.2.17, when I enter the web server and click on “Search” tab, I get the message “Could not execute the search”
Error Message:
Unable to perform search query.
Details:
Search status code:
500
Search response:
cannot GET http://10.X.X.X:9000/api/search/universal/relativequery=%2A&range=300&limit=150&sort=timestamp%3Adesc (500)
In the “Sources” tab, I get:
Input buffer 0.00%
Process buffer 0.00%
Output buffer 0.00%
I have it configured:
/etc/elasticsearch/elasticsearch.yml
network.host: 10.X.X.X
elasticsearch_discovery_zen_ping_multicast_enabled: false
elasticsearch_discovery_zen_ping_unicast_hosts: 10.X.X.X:9200
discovery.zen.ping.multicast.enabled: false
script.inline: false
script.indexed: false
script.file: false
http.max_initial_line_length: 100k
discovery.zen.minimum_master_nodes: 3
index.number_of_shards: 4
index.number_of_replicas: 0
curl -XGET 'http://10.X.X.X:9200/_cluster/health?pretty=true'
{
"error" : {
"root_cause" : [ {
"type" : "master_not_discovered_exception",
"reason" : null
} ],
"type" : "master_not_discovered_exception",
"reason" : null
},
"status" : 503
}
vi /etc/graylog/server/server.conf
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = zcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
root_username = admin
root_password_sha2 = 5d8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
plugin_dir = plugin
rest_listen_uri = http://10.X.X.X:9000/api/
rest_transport_uri = http://10.X.X.X:9000/api/
web_listen_uri = http://10.X.X.X:9000/
elasticsearch_cluster_name = graylog
elasticsearch_cluster_discovery_timeout = 10000
rotation_strategy = count
elasticsearch_max_number_of_indices = 20
elasticsearch_max_docs_per_index = 20000000
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_discovery_zen_ping_unicast_host = 10.X.X.X:9200
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 100
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 20
outputbuffer_processors = 15
outputbuffer_processor_keep_alive_time = 5000
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://10.X.X.X/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32
/etc/syslog-ng/syslog-ng.conf
source s_src {
system();
internal();
unix-stream ("/dev/log");
udp(ip(0.0.0.0) port(5140));
};
destination d_net { syslog("10.X.X.X" port(5140)); };
vi /etc/rsyslog.conf
# provides UDP syslog reception
$module(load="imudp")
$input(type="imudp" port="5140")
#ModLoad imudp
UDPServerRun 5140
# provides TCP syslog reception
$module(load="imtcp")
$input(type="imtcp" port="5140")
# Enable non-kernel facility klog messages
$KLogPermitNonKernelFacility on
*.* @10.X.X.X:5140;RSYSLOG_SyslogProtoco123Format
# Filter duplicated messages
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
# Where to place spool and state files
$WorkDirectory /var/spool/rsyslog
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf