Could not retrieve Elasticsearch cluster health. Fetching Elasticsearch cluster health failed: There was an error fetching a resource: Internal Server Error. Additional information: Couldn't read Elasticsearch cluster health

Hello @macko003

There is an issue that looks the same as yours, if you read further down the post.

I believe this has to do with the connection between Graylog and ES/OS. Since Opensearch has plugins.security I noticed members are trying to use certs and secure connection between the two. By default Opensearch YAML file has this enabled already.

So, using this configuration in Graylog config file does not work.

elasticsearch_hosts = https://192.168.1.100:9200

But this does

elasticsearch_hosts = http://192.168.1.100:9200

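So enabling anything but user/password will not work. Keep in mind that over plain http the user:password in the URL is sent unencrypted, so the Graylog-to-ES/OS traffic should stay on a private network.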

elasticsearch_hosts = http://node1:9200,http://user:password@node2:19200

Normally when I see “loading” on my GUI, it's either certificates (HTTPS) or Graylog being unable to connect to ES/OS because of the configuration.

Last, What does the log file show? Not only from Graylog but MongoDb and Opensearch?

I do have Graylog docker working, here is my docker-compose file, hope it might help.

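version: '3'
services:
  # MongoDB: https://hub.docker.com/_/mongo/
  # No ports are published for MongoDB; only the graylog container reaches it
  # through the link below.
  mongodb:
    image: mongo:4.4.18
    network_mode: bridge
    # DB in share for persistence
    volumes:
      - mongo_data:/data/db

  # OpenSearch node. Its REST API (9200) is not published on the host here;
  # Graylog reaches it over the container link. Graylog talks plain HTTP to it
  # in this setup, so keep it that way: do not expose 9200/9300 outside the host.
  opensearch-node2:
    # The original line read "image: image: ...", which is not valid YAML.
    image: opensearchproject/opensearch:1.3.2
    network_mode: bridge
    # data folder in share for persistence
    volumes:
      - es_data:/usr/share/opensearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g

  graylog:
    # image: graylog/graylog-enterprise:4.3.3-jre11
    image: graylog/graylog-enterprise:4.3.9-jre11
    network_mode: bridge
    dns:
      - 8.8.8.8
      - 8.8.4.4
    # journal and config directories in local NFS share for persistence
    volumes:
      - graylog_journal:/usr/share/graylog/data/journal
      # - graylog_bin:/usr/share/graylog/bin
      - graylog_bin:/usr/share/graylog-server/bin/
      - graylog_data:/usr/share/graylog/data/config
      - graylog_log:/usr/share/graylog/data/log
      - graylog_plugin:/usr/share/graylog/data/plugin
      - graylog_content:/usr/share/graylog/data/contentpacks
      # Mount local configuration directory into Docker container
      - graylog_scripts:/usr/share/graylog/scripts
      # - ./graylog/data/journal:/usr/share/graylog/data/journal
      # - ./graylog/config:/usr/share/graylog/data/config

    environment:
      # Container time Zone
      - TZ=America/Chicago
      # Secrets are read from the shell environment or an .env file next to
      # this compose file instead of being written here, so they do not end up
      # in version control or in a forum post. Compose aborts with the message
      # after ":?" if a variable is missing.
      # GRAYLOG_PASSWORD_SECRET must be at least 16 characters
      # (e.g. generated with: pwgen -N 1 -s 96).
      - "GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET:?set GRAYLOG_PASSWORD_SECRET in .env}"
      # SHA-256 of the root password as 64 hex characters
      # (e.g. echo -n 'your-password' | sha256sum). The value in the original
      # listing was shorter than 64 characters and lacked the space after "-",
      # so it would not have been read as a list entry. Do not keep a default
      # password such as "admin".
      - "GRAYLOG_ROOT_PASSWORD_SHA2=${GRAYLOG_ROOT_PASSWORD_SHA2:?set GRAYLOG_ROOT_PASSWORD_SHA2 in .env}"
      - GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000
      # The web interface and API are served over plain HTTP here; put a TLS
      # terminating proxy in front if they are reachable beyond a trusted LAN.
      - GRAYLOG_HTTP_EXTERNAL_URI=http://192.168.1.100:9000/
      - GRAYLOG_ROOT_TIMEZONE=America/Chicago
      - GRAYLOG_ROOT_EMAIL=greg.smith@domain.com
      - GRAYLOG_HTTP_PUBLISH_URI=http://192.168.1.100:9000/
      - GRAYLOG_TRANSPORT_EMAIL_PROTOCOL=smtp
      # CORS is only needed when the API is called from another origin;
      # leave it off otherwise.
      - GRAYLOG_HTTP_ENABLE_CORS=true
      - GRAYLOG_TRANSPORT_EMAIL_WEB_INTERFACE_URL=http://192.168.1.100:9000/
      - GRAYLOG_TRANSPORT_EMAIL_HOSTNAME=192.168.1.100
      - GRAYLOG_TRANSPORT_EMAIL_ENABLED=true
      - GRAYLOG_TRANSPORT_EMAIL_PORT=25
      - GRAYLOG_TRANSPORT_EMAIL_USE_AUTH=false
      - GRAYLOG_TRANSPORT_EMAIL_USE_TLS=false
      - GRAYLOG_TRANSPORT_EMAIL_USE_SSL=false
      - GRAYLOG_TRANSPORT_FROM_EMAIL=root@localhost
      - GRAYLOG_TRANSPORT_SUBJECT_PREFIX=[graylog]
      # NOTE(review): this turns off the report renderer's sandbox; confirm it
      # is really required in this container before keeping it.
      - GRAYLOG_REPORT_DISABLE_SANDBOX=true
      # - depends_on: GRAYLOG_REPORT_RENDER_URI=http://192.168.1.100:9000
      - GRAYLOG_REPORT_USER=graylog-report
      - GRAYLOG_REPORT_RENDER_ENGINE_PORT=9515
    logging:
      driver: syslog
      options:
        syslog-address: "udp://192.168.2.120:51420"
        syslog-facility: "local7"
        syslog-format: "rfc3164"
        tag: "asible"
    links:
      - mongodb:mongo
      # The search service in this file is named opensearch-node2; the original
      # referenced a service "elasticsearch" that is not defined. The alias
      # keeps the hostname "elasticsearch" resolvable inside the graylog
      # container; point elasticsearch_hosts at it (or at opensearch-node2).
      - opensearch-node2:elasticsearch
    # restart:always
    depends_on:
      - mongodb
      - opensearch-node2
    # Port mappings are quoted so that pairs such as 25:25 and 21:21 are not
    # read as base-60 numbers by YAML 1.1 parsers.
    # NOTE(review): every entry below publishes a port of the graylog container
    # on all host interfaces. Keep only the ones that the web interface or a
    # configured input actually listens on (9200/9300, 25, 21, 80, 443 and 8443
    # look like leftovers for other services — confirm and remove).
    ports:
      # Graylog web interface and REST API
      - "9000:9000"
      # Syslog TCP
      - "8514:8514"
      # Elasticsearch
      - "9200:9200"
      - "9300:9300"
      # Syslog UDP
      - "8514:8514/udp"
      # GELF TCP
      # - "12201:12201"
      # GELF UDP
      - "12201:12201/udp"
      # Reports
      - "9515:9515"
      - "9515:9515/udp"
      # beats
      - "5044:5044"
      # email
      - "25:25"
      - "25:25/udp"
      # web
      - "80:80"
      - "443:443"
      - "21:21"
      # Forwarder
      - "13302:13302"
      - "13301:13301"
      # keycloak
      - "8443:8443"
      # packetbeat
      - "5055:5055"
      # Syslogs
      - "51420:51420"
      # CEF Messages
      - "5555:5555/udp"
# Volumes for persisting data, see https://docs.docker.com/engine/admin/volumes/volumes/
volumes:
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_journal:
    driver: local
  graylog_bin:
    driver: local
  graylog_data:
    driver: local
  graylog_log:
    driver: local
  graylog_plugin:
    driver: local
  graylog_content:
    driver: local
  graylog_scripts:
    driver: local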
root@ansible:/usr/local/bin#