Data not showing up after updating Graylog and Ubuntu version

Hi all,
My Graylog server was running version 2.4.6 on Ubuntu 16.04. I wanted to update Graylog to the latest version, so I decided to follow the update path: I updated to Ubuntu 20.04, then Graylog to 3.2.6. But no data is showing up anymore, in or out.

Graylog: 3.2.6
Mongodb: 4.0.28
Elasticsearch: 5.6.16

Checking the elasticsearch logs I can see just 2 lines:

 [2022-12-15T10:08:34,419][INFO ][o.e.c.m.MetaDataCreateIndexService] [YKaFcsr] [graylog_1260] creating index, cause [api], templates [graylog-internal], shards [4]/[0], mappings [message]
 [2022-12-15T10:08:34,701][INFO ][o.e.c.r.a.AllocationService] [YKaFcsr] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[graylog_1260][0]] ...]).

Elasticsearch health status:

{
  "cluster_name" : "graylog",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 268,
  "active_shards" : 268,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

I cannot see any errors in the server.log, just some warnings; not sure if they are impacting my issue:

2022-12-13T14:53:24.606Z INFO  [ServerBootstrap] Graylog server up and running.
2022-12-13T14:53:24.623Z INFO  [InputStateListener] Input [GELF UDP/5bcaf32e01be1503e69c91fb] is now STARTING
2022-12-13T14:53:24.628Z INFO  [InputStateListener] Input [Syslog UDP/5bcaf01c01be1503e69c8e45] is now STARTING
2022-12-13T14:53:24.681Z INFO  [KafkaJournal] Read offset 0 before start of log at 1183649253, starting to read from the beginning of the journal.
2022-12-13T14:53:24.743Z INFO  [InputStateListener] Input [Syslog UDP/5bcaf01c01be1503e69c8e45] is now RUNNING
2022-12-13T14:53:24.745Z WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input GELFUDPInput{title=WinLogs-gelf, type=org.graylog2.inputs.gelf.udp.GELFUDPInput, nodeId=null} (channel [id: 0x2feae84f, L:/0:0:0:0:0:0:0:0%0:5414]) should be 1048576 but is 425984.
2022-12-13T14:53:24.745Z WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input GELFUDPInput{title=WinLogs-gelf, type=org.graylog2.inputs.gelf.udp.GELFUDPInput, nodeId=null} (channel [id: 0x3c869726, L:/0:0:0:0:0:0:0:0%0:5414]) should be 1048576 but is 425984.
2022-12-13T14:53:24.746Z WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=fortinet-udp-input, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=null} (channel [id: 0x2ec2a4a0, L:/0:0:0:0:0:0:0:0%0:11514]) should be 262144 but is 425984.
2022-12-13T14:53:24.746Z WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=fortinet-udp-input, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=null} (channel [id: 0x42be73bb, L:/0:0:0:0:0:0:0:0%0:11514]) should be 262144 but is 425984.
2022-12-13T14:53:24.747Z WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=fortinet-udp-input, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=null} (channel [id: 0x72280cb5, L:/0:0:0:0:0:0:0:0%0:11514]) should be 262144 but is 425984.
2022-12-13T14:53:24.748Z WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=fortinet-udp-input, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=null} (channel [id: 0x46c8414e, L:/0:0:0:0:0:0:0:0%0:11514]) should be 262144 but is 425984.
2022-12-13T14:53:24.749Z WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input GELFUDPInput{title=WinLogs-gelf, type=org.graylog2.inputs.gelf.udp.GELFUDPInput, nodeId=null} (channel [id: 0xe1517f4e, L:/0:0:0:0:0:0:0:0%0:5414]) should be 1048576 but is 425984.
2022-12-13T14:53:24.748Z WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input GELFUDPInput{title=WinLogs-gelf, type=org.graylog2.inputs.gelf.udp.GELFUDPInput, nodeId=null} (channel [id: 0xc24e0dc1, L:/0:0:0:0:0:0:0:0%0:5414]) should be 1048576 but is 425984.
2022-12-13T14:53:24.751Z INFO  [InputStateListener] Input [GELF UDP/5bcaf32e01be1503e69c91fb] is now RUNNING
2022-12-15T10:08:34.254Z INFO  [AbstractRotationStrategy] Deflector index <Default index set> (index set <graylog_1259>) should be rotated, Pointing deflector to new index now!
2022-12-15T10:08:34.258Z INFO  [MongoIndexSet] Cycling from <graylog_1259> to <graylog_1260>.
2022-12-15T10:08:34.258Z INFO  [MongoIndexSet] Creating target index <graylog_1260>.
2022-12-15T10:08:34.403Z INFO  [Indices] Successfully created index template graylog-internal
2022-12-15T10:08:34.717Z INFO  [MongoIndexSet] Waiting for allocation of index <graylog_1260>.
2022-12-15T10:08:34.823Z INFO  [MongoIndexSet] Index <graylog_1260> has been successfully allocated.
2022-12-15T10:08:34.823Z INFO  [MongoIndexSet] Pointing index alias <graylog_deflector> to new index <graylog_1260>.
2022-12-15T10:08:34.883Z INFO  [SystemJobManager] Submitted SystemJob <6f90ab10-7c60-11ed-9f36-0050569d9a46> [org.graylog2.indexer.indices.jobs.SetIndexReadOnlyAndCalculateRangeJob]
2022-12-15T10:08:34.883Z INFO  [MongoIndexSet] Successfully pointed index alias <graylog_deflector> to index <graylog_1260>.
2022-12-15T10:09:04.892Z INFO  [SetIndexReadOnlyJob] Flushing old index <graylog_1259>.
2022-12-15T10:09:05.015Z INFO  [SetIndexReadOnlyJob] Setting old index <graylog_1259> to read-only.
2022-12-15T10:09:05.044Z INFO  [SystemJobManager] Submitted SystemJob <818b0630-7c60-11ed-9f36-0050569d9a46> [org.graylog2.indexer.indices.jobs.OptimizeIndexJob]
2022-12-15T10:09:05.048Z INFO  [OptimizeIndexJob] Optimizing index <graylog_1259>.
2022-12-15T10:09:05.051Z INFO  [CreateNewSingleIndexRangeJob] Calculating ranges for index graylog_1259.
2022-12-15T10:09:05.056Z INFO  [SystemJobManager] SystemJob <818b0630-7c60-11ed-9f36-0050569d9a46> [org.graylog2.indexer.indices.jobs.OptimizeIndexJob] finished in 12ms.
2022-12-15T10:09:05.116Z INFO  [MongoIndexRangeService] Calculated range of [graylog_1259] in [61ms].
2022-12-15T10:09:05.118Z INFO  [CreateNewSingleIndexRangeJob] Created ranges for index graylog_1259.
2022-12-15T10:09:05.125Z INFO  [SystemJobManager] SystemJob <6f90ab10-7c60-11ed-9f36-0050569d9a46> [org.graylog2.indexer.indices.jobs.SetIndexReadOnlyAndCalculateRangeJob] finished in 242ms.

Any thoughts?

Thank you :slight_smile:
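The SO_RCVBUF warnings in the server.log above can be read mechanically. This added example (not part of the original post) parses them and, assuming Linux `socket(7)` behaviour where the kernel clamps a request to `net.core.rmem_max` and reports back double the value it applied, works out which inputs were clamped and how large `net.core.rmem_max` must be. The sample log and the `lab-syslog` input are constructed.

```python
import re

# Constructed sample in the server.log format shown above; the last WARN line is
# a made-up input ("lab-syslog") whose request the kernel honoured in full.
SAMPLE_LOG = """\
2022-12-13T14:53:24.745Z WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input GELFUDPInput{title=WinLogs-gelf, type=org.graylog2.inputs.gelf.udp.GELFUDPInput, nodeId=null} (channel [id: 0x2feae84f, L:/0:0:0:0:0:0:0:0%0:5414]) should be 1048576 but is 425984.
2022-12-13T14:53:24.745Z WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input GELFUDPInput{title=WinLogs-gelf, type=org.graylog2.inputs.gelf.udp.GELFUDPInput, nodeId=null} (channel [id: 0x3c869726, L:/0:0:0:0:0:0:0:0%0:5414]) should be 1048576 but is 425984.
2022-12-13T14:53:24.746Z WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=fortinet-udp-input, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=null} (channel [id: 0x2ec2a4a0, L:/0:0:0:0:0:0:0:0%0:11514]) should be 262144 but is 425984.
2022-12-13T14:53:24.751Z INFO  [InputStateListener] Input [GELF UDP/5bcaf32e01be1503e69c91fb] is now RUNNING
2022-12-13T14:53:24.752Z WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=lab-syslog, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=null} (channel [id: 0x00000001, L:/0:0:0:0:0:0:0:0%0:1514]) should be 262144 but is 524288.
"""

WARN_RE = re.compile(
    r"receiveBufferSize \(SO_RCVBUF\) for input \w+\{title=(?P<title>[^,]+),"
    r".*?:(?P<port>\d+)\]\) should be (?P<want>\d+) but is (?P<got>\d+)\."
)

def audit_rcvbuf(log_text):
    """Group UdpTransport warnings by (input title, port) and flag clamped inputs."""
    inputs = {}
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if not m:
            continue  # not an SO_RCVBUF warning
        want, got = int(m["want"]), int(m["got"])
        # Assumption (Linux): the reported size is twice what the kernel applied,
        # so got // 2 is the cap that was in force when the socket was opened.
        entry = inputs.setdefault((m["title"], int(m["port"])), {
            "requested": want, "reported": got, "implied_cap": got // 2,
            "clamped": got // 2 < want, "channels": 0})
        entry["channels"] += 1  # one warning per worker channel of the input
    return inputs

def required_rmem_max(inputs):
    """Smallest net.core.rmem_max that satisfies every clamped input, else None."""
    needs = [e["requested"] for e in inputs.values() if e["clamped"]]
    return max(needs) if needs else None

if __name__ == "__main__":
    report = audit_rcvbuf(SAMPLE_LOG)
    for (title, port), e in report.items():
        print(title, port, e)
    print("net.core.rmem_max should be at least", required_rmem_max(report))
```

Under that assumption both inputs from the post were clamped to 212992 bytes, including the Syslog input whose reported size looks larger than its request.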

It’s not clear if you are seeing the data pass through Graylog at all. When you look at the Inputs, are you seeing data come in? It should look something like this, where your average rate should be above zero.

image

If you aren’t seeing anything there, check to make sure your updated server has retained the correct network address, and that any firewall you might have running (such as UFW) is allowing data in.

If it is getting to Graylog but not getting pushed back out to be stored in Elasticsearch then your buffers will start to fill in System/nodes and node detail.

Hi @tmacgbay,
I’ve managed to get it working an hour back.
I think somehow Elasticsearch has been upset. What I did was disable shard allocation, restart the Elasticsearch service, then enable allocation again.

Now I want to update Elasticsearch to 6.8 to be able to update Graylog to version 4 as well, but I’m not finding clear instructions on how to reindex before upgrading it.

Thank you for your answer :slight_smile:

3 Likes
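The disable, restart, re-enable sequence described in the post above, as an added example that is not from the thread (the poster's exact commands are not shown). It assumes a single Elasticsearch node at `http://127.0.0.1:9200`, uses the `cluster.routing.allocation.enable` cluster setting, and takes an operator-supplied `restart` callable; the function names are hypothetical.

```python
import json
import time
import urllib.request

ES_URL = "http://127.0.0.1:9200"  # assumption: local single-node Elasticsearch

def es_call(method, path, body=None):
    """Send one JSON request to Elasticsearch and return the decoded reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ES_URL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def set_allocation(mode, call=es_call):
    """mode is "none" to stop shard allocation or "all" to resume it."""
    # persistent rather than transient, so the setting survives the node restart
    return call("PUT", "/_cluster/settings",
                {"persistent": {"cluster.routing.allocation.enable": mode}})

def wait_for_green(call=es_call, attempts=30, delay=2.0):
    """Poll cluster health until green; return the last status seen."""
    status = None
    for _ in range(attempts):
        try:
            status = call("GET", "/_cluster/health")["status"]
        except OSError:  # node not answering yet
            status = None
        if status == "green":
            break
        time.sleep(delay)
    return status

def cycle_allocation(restart, call=es_call, attempts=30, delay=2.0):
    """Disable allocation, run restart(), re-enable allocation, wait for green."""
    set_allocation("none", call)
    restart()  # operator-supplied, e.g. a systemctl restart of the service
    for _ in range(attempts):  # connections are refused until the node is back
        try:
            set_allocation("all", call)
            break
        except OSError:
            time.sleep(delay)
    else:
        raise RuntimeError("node did not come back; allocation is still disabled")
    return wait_for_green(call, attempts, delay)
```

If the function raises, allocation is still set to `none` and has to be re-enabled by hand once the node answers again.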

Glad you have it running!! When you have gotten far enough, switch to OpenSearch since Graylog will be using that in the future.

Good luck with the upgrades!

1 Like
