Delete all messages in Graylog

Background

I am running Graylog via a docker container as explained in the tutorial:

https://docs.graylog.org/en/3.3/pages/installation/docker.html

$ docker run --name mongo -d mongo:3
$ docker run --name elasticsearch \
    -e "http.host=0.0.0.0" \
    -e "ES_JAVA_OPTS=-Xms512m -Xmx512m" \
    -d docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.10
$ docker run --link mongo --link elasticsearch \
    -p 9000:9000 -p 12201:12201 -p 1514:1514 -p 5555:5555 \
    -e GRAYLOG_HTTP_EXTERNAL_URI="http://127.0.0.1:9000/" \
    -d graylog/graylog:3.3

However, now I need to start clean with fresh data. I don’t want to lose all my configurations and extractors, so the minimal change I need is to simply delete all messages.

Index time

After some research I see that Graylog does not support deleting individual messages; the smallest unit it understands is an index.
So I need to delete all indices from Graylog.

After some more research, I found the delete API in elasticsearch, and I tried this command (but it fails):

$ curl -XDELETE 'http://localhost:9000/*'
{"type":"ApiError","message":"HTTP 404 Not Found"}

I use localhost:9000 because that is the port I use to access graylog.

Questions

  • What am I doing wrong (how can I fix this command so it works as intended)?
  • Is there an easier way to delete all messages in Graylog?

Solution

As it turns out, there were two issues:

  • the command in the tutorial for the elasticsearch docker does not expose the container’s port
  • the port I was using (9000) was incorrect, it should be 9200

With this in mind, this is the solution I arrived at:

docker run --name mongo -d mongo:3
docker run --name elasticsearch \
    -p 9200:9200 \
    -e "http.host=0.0.0.0" \
    -e "ES_JAVA_OPTS=-Xms512m -Xmx512m" \
    -d docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.10
docker run --name graylog --link mongo --link elasticsearch \
    -p 9000:9000 -p 12201:12201 -p 1514:1514 -p 5555:5555 \
    -e GRAYLOG_HTTP_EXTERNAL_URI="http://127.0.0.1:9000/" \
    -d graylog/graylog:3.3

As you can see, the Elasticsearch command now exposes port 9200. With this in mind the following curl now works as expected:

curl -XDELETE 'http://localhost:9200/*'

WARNING: After deleting all the indices (and therefore all messages) you need to recalculate the indices. This is another topic that is out of the scope of this question.
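As an added example (not code from the original post or from the Graylog project), here is a small script that does the same job with two refinements a practitioner would want: it deletes only the indices belonging to Graylog's own index set instead of `*`, which on a shared cluster would also wipe every other application's data, and it then calls Graylog's REST API to rebuild the index ranges that the warning above refers to. It assumes Elasticsearch is reachable at `127.0.0.1:9200`, the Graylog API at `127.0.0.1:9000` with the default `admin`/`admin` credentials from the docker tutorial, and the default index prefix `graylog` (indices named `graylog_0`, `graylog_1`, ...); all of these are overridable through environment variables. The sample index listing used by `--dry-run` is constructed here for an offline run.

```shell
#!/bin/sh
# Added example: wipe Graylog's indices in Elasticsearch and rebuild index ranges.
# Assumptions (override via environment): ES on 127.0.0.1:9200, Graylog API on
# 127.0.0.1:9000, admin/admin credentials, index prefix "graylog".
set -eu

ES_URL="${ES_URL:-http://127.0.0.1:9200}"
GRAYLOG_URL="${GRAYLOG_URL:-http://127.0.0.1:9000}"
GRAYLOG_USER="${GRAYLOG_USER:-admin}"
GRAYLOG_PASSWORD="${GRAYLOG_PASSWORD:-admin}"
INDEX_PREFIX="${INDEX_PREFIX:-graylog}"

# Constructed sample of `GET /_cat/indices?h=index` output, one name per line,
# used only by --dry-run so the filtering can be checked without a cluster.
SAMPLE_INDICES='graylog_0
graylog_1
.kibana_1
otherapp_logs'

# Keep only index names of the form <prefix>_<number> (Graylog's index set
# naming), reading `_cat/indices?h=index` output on stdin. Anything else on
# the cluster (other apps, Kibana, etc.) is left untouched.
filter_graylog_indices() {
  prefix="$1"
  grep -E "^${prefix}_[0-9]+\$" || true
}

# Ask Elasticsearch for all index names and reduce them to Graylog's.
list_graylog_indices() {
  curl -fsS "${ES_URL}/_cat/indices?h=index" | filter_graylog_indices "${INDEX_PREFIX}"
}

# Delete each index by its exact name; never sends a wildcard to ES.
delete_indices() {
  while read -r idx; do
    [ -n "$idx" ] || continue
    echo "deleting ${idx}"
    curl -fsS -XDELETE "${ES_URL}/${idx}"
    echo
  done
}

# Graylog keeps its own index-range metadata in MongoDB; after the indices are
# gone it must be rebuilt. Graylog rejects state-changing API calls that lack
# the X-Requested-By header (CSRF protection), hence the extra header.
rebuild_index_ranges() {
  curl -fsS -u "${GRAYLOG_USER}:${GRAYLOG_PASSWORD}" \
    -H 'X-Requested-By: wipe-script' \
    -XPOST "${GRAYLOG_URL}/api/system/indices/ranges/rebuild"
  echo
}

case "${1:-}" in
  --dry-run)
    # Show which names would be deleted, using the constructed sample listing.
    printf '%s\n' "$SAMPLE_INDICES" | filter_graylog_indices "$INDEX_PREFIX"
    ;;
  --run)
    list_graylog_indices | delete_indices
    rebuild_index_ranges
    ;;
  *)
    echo "usage: $0 --dry-run | --run" >&2
    ;;
esac
```

Run it with `--dry-run` first to see the filter in action, then `--run` against the live containers. Note also that `-p 9200:9200` publishes the unauthenticated Elasticsearch HTTP API on every interface of the Docker host, so anyone who can reach the host can issue the same `DELETE`; if you only need it for local maintenance, publish it as `-p 127.0.0.1:9200:9200` instead, which is what this script's default `ES_URL` expects.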

You can delete inactive indices in Graylog through System -> Indices. That would be better than going directly to the ES API behind Graylog’s back.

