Delete all messages in Graylog

Graylog Central (peer support)
1

Background

I am running Graylog via a docker container as explained int he tutorial:

https://docs.graylog.org/en/3.3/pages/installation/docker.html

$ docker run --name mongo -d mongo:3
$ docker run --name elasticsearch \
    -e "http.host=0.0.0.0" \
    -e "ES_JAVA_OPTS=-Xms512m -Xmx512m" \
    -d docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.10
$ docker run --link mongo --link elasticsearch \
    -p 9000:9000 -p 12201:12201 -p 1514:1514 -p 5555:5555 \
    -e GRAYLOG_HTTP_EXTERNAL_URI="http://127.0.0.1:9000/" \
    -d graylog/graylog:3.3

However, now I need to start clean with fresh data. I don’t want to loose all my configurations and extractors, so the minimal change I need is to simply delete all messages.

Index time

After some research I see that Graylog does not support deleting individual messages, the smallest unit it understands is an index.
So I need to delete all indexes from GayLog.

After some more research, I found the delete API in elasticsearch, and I tried this command (but it fails):

$ curl -XDELETE 'http://localhost:9000/*'
{"type":"ApiError","message":"HTTP 404 Not Found"}

I use localhost:9000 because that is the port I use to access graylog.

Questions

  • What am I dong wrong (how can I fix this command so it works as intended)?
  • Is there an easier way to delete all messages in Graylog?
2

Solution

As it turns out, there were two issues:

  • the command in the tutorial for the elasticsearch docker does not expose the container’s port
  • the port I was using (9000) was incorrect, it should be 9200

With this in mind, this is the solution I arrived to:

docker run --name mongo -d mongo:3
docker run --name elasticsearch \
    -p 9200:9200 \
    -e "http.host=0.0.0.0" \
    -e "ES_JAVA_OPTS=-Xms512m -Xmx512m" \
    -d docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.10
docker run --name graylog --link mongo --link elasticsearch \
    -p 9000:9000 -p 12201:12201 -p 1514:1514 -p 5555:5555 \
    -e GRAYLOG_HTTP_EXTERNAL_URI="http://127.0.0.1:9000/" \
    -d graylog/graylog:3.3

As you can see, the elastic search command now exposes port 9200. With this in mind the following CURL now works as expected:

curl -XDELETE 'http://localhost:9200/*'

WARNING: After deleting all the indices (and therefore all messages) you need to recalculate the indices. This is another topic that is out of the scope of this question.

3

You can delete inactive indices in Graylog through System -> Indices. That would be better than going directly to the ES API behind Graylog’s back.