Download Graylog V5.0 now and post your impressions, questions, and suggestions

Graylog Central (peer support)
1

Hey Graylog Open Members,

Graylog 5.0 is here and available for download. Try it our and ask questions or leave your feedback here.

Download Graylog 5.0 now and let us know what you think!

Also, check out these resources for more information:

So what’s new? See Graylog v5.0 in action
Graylog 5.0 Release Announcement
Graylog 5.0 Installation Documentation
Register now to join our technical experts for a live look at Graylog v5.0 on January 11, 2023, at 11 am ET.

Let’s get the discussion going here. What are your thoughts, questions, and suggestions?

2 Likes
2

@dscryber Might be some issue with links in the documentation, for example here
when clicking on say CentOS installation
I receive this:

image
image1345×1024 12 KB

I also noticed under Upgrading Graylog section.

image
image1920×1040 69.7 KB

Click on Manual Upgrade, Ubuntu Upgrade, etc.. nothing happens. I’m assuming there still working on it?

3

Hey @dscryber

Graylog Docker Install /Upgrade did not work very well.
I am fairly new at Docker but I have upgrade my service several time with out any issues. From the error in the logs I need to at least have MongoDb 5.0 install (i.e., I tried with MongoDb 4.4, it was a no go). MongoDb Container failed to be created.
The following link describe what I execute. I’m waiting for Deb package from OpenSearch before I start upgrade my Prod servers.

Also I found this here. Not sure if this is actual cause

4

yeah, tried in place upgrade, opensearch 2.4.0 screams about old indices created with es 6.8.11 so tried jumping back to 1.3.6 which now screams my indices are already upgraded to lucene 9, how deep is sh*t i’m in? is there any way to delete old indices while opensearch is offline?

EDIT: started clear node in another directory, logs must flow, any ideas on how to recover old data?

6

Now that Java is bundled within the Graylog installer, is the JVM heap size still managed via /etc/default/graylog-server ?

7

@maniel @Alper

My Docker Operation setup is still unable to upgrade, I have been going over what documentation they have for an upgrade/configuration needed but still haven’t found a completed resolve yet…
I made sure JAVA 17 was installed, Image MongoDb 5.0.13-14 & Graylog 5 Image.
Posted a “some what” resolve on the CPU issue on GitHub from the link above.

root@ansible:/usr/local/bin# sudo update-alternatives --config java
There are 3 choices for the alternative java (providing /usr/bin/java).

  Selection    Path                                            Priority   Status
------------------------------------------------------------
* 0            /usr/lib/jvm/java-17-openjdk-amd64/bin/java      1711      auto mode
  1            /usr/lib/jvm/java-11-openjdk-amd64/bin/java      1111      manual mode
  2            /usr/lib/jvm/java-17-openjdk-amd64/bin/java      1711      manual mode
  3            /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java   1081      manual mode

Press <enter> to keep the current choice[*], or type selection number:

I just start working with Docker for 11 months now, execute a few upgrades/Updates without an issue.
Here is the file I’ve been using.

Docker-Compose.yaml 
root@ansible:/usr/local/bin# cat docker-compose.yaml
version: '3'
services:
   # MongoDB: https://hub.docker.com/_/mongo/
  mongodb: 
   
    image: mongo:4.4.18
    #image: mongo:5.0.14
    #image: mongo:latest
    network_mode: bridge
   # DB in share for persistence
    volumes:
      - mongo_data:/data/db
   # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/6.6/docker.html
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2-amd64
    # image: opensearchproject/opensearch:1.3.2
    network_mode: bridge
    #data folder in share for persistence
    volumes:
      - es_data:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
   # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    #image: graylog/graylog-enterprise:4.3.3-jre11
    image: graylog/graylog-enterprise:4.3.9-jre11
    #image: graylog/graylog-enterprise:5.0.0
    network_mode: bridge
    dns:
      - 192.168.1.15
      - 192.168.1.16
   # journal and config directories in local NFS share for persistence
    volumes:
       - graylog_journal:/usr/share/graylog/data/journal
       # - graylog_bin:/usr/share/graylog/bin
       - graylog_bin:/usr/share/graylog-server/bin/
       - graylog_data:/usr/share/graylog/data/config
       - graylog_log:/usr/share/graylog/data/log
       - graylog_plugin:/usr/share/graylog/data/plugin
       - graylog_content:/usr/share/graylog/data/contentpacks
      # Mount local configuration directory into Docker container
       - graylog_scripts:/usr/share/graylog/scripts
       #- ./graylog/data/journal:/usr/share/graylog/data/journal
       #- ./graylog/config:/usr/share/graylog/data/config

    environment:
      # Container time Zone
      - TZ=America/Chicago
      # CHANGE ME (must be at least 16 characters)!
      - GRAYLOG_PASSWORD_SECRET=pJod1TRZAckHmqM2oQPqX1qnLVJS99jHm2DuCux2Bpiuu2XLTZuyb2YW9eHiKLTifjy7cLpeWIjWgMtnwZf6Q79HW2nonDhN
      # Password: admin
      - GRAYLOG_ROOT_PASSWORD_SHA2=ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f
      - GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000
      - GRAYLOG_HTTP_EXTERNAL_URI=http://192.168.1.100:9000/
      - GRAYLOG_ROOT_TIMEZONE=America/Chicago
      - GRAYLOG_ROOT_EMAIL=greg.smith@enseva.com
      - GRAYLOG_HTTP_PUBLISH_URI=http://192.168.1.100:9000/
      - GRAYLOG_TRANSPORT_EMAIL_PROTOCOL=smtp
      - GRAYLOG_HTTP_ENABLE_CORS=true
      - GRAYLOG_TRANSPORT_EMAIL_WEB_INTERFACE_URL=http://192.168.1.100:9000/
      - GRAYLOG_TRANSPORT_EMAIL_HOSTNAME=192.168.1.100
      - GRAYLOG_TRANSPORT_EMAIL_ENABLED=true
      - GRAYLOG_TRANSPORT_EMAIL_PORT=25
      - GRAYLOG_TRANSPORT_EMAIL_USE_AUTH=false
      - GRAYLOG_TRANSPORT_EMAIL_USE_TLS=false
      - GRAYLOG_TRANSPORT_EMAIL_USE_SSL=false
      - GRAYLOG_TRANSPORT_FROM_EMAIL=root@localhost
      - GRAYLOG_TRANSPORT_SUBJECT_PREFIX=[graylog]
      - GRAYLOG_REPORT_DISABLE_SANDBOX=true
      #- depends_on: GRAYLOG_REPORT_RENDER_URI=http://10.200.6.28:9000
      - GRAYLOG_REPORT_USER=graylog-report
      - GRAYLOG_REPORT_RENDER_ENGINE_PORT=9515
    logging:
      driver: syslog
      options:
        syslog-address: "udp://192.168.1.200:51420"
        syslog-facility: "local7"
        syslog-format: "rfc3164"
        tag: "asible"
    links:
      - mongodb:mongo
      - elasticsearch
    #restart:always
    depends_on:
      - mongodb
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 8514:8514
      # Elasticsearch
      - 9200:9200
      - 9300:9300
      # Syslog UDP
      - 8514:8514/udp
      # GELF TCP
      #- 12201:12201
      # GELF UDP
      - 12201:12201/udp
      # Reports
      - 9515:9515
      - 9515:9515/udp
      # beats
      - 5044:5044
      # email
      - 25:25
      - 25:25/udp
      # web
      - 80:80
      - 443:443
      - 21:21
      # Forwarder
      - 13302:13302
      - 13301:13301
      # keycloak
      - 8443:8443
      # packetbeat
      - 5055:5055
      # Syslogs
      - 51420:51420
      # CEF Messages
      - 5555:5555/udp
#Volumes for persisting data, see https://docs.docker.com/engine/admin/volumes/volumes/
volumes:
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_journal:
    driver: local
  graylog_bin:
    driver: local
  graylog_data:
    driver: local
  graylog_log:
    driver: local
  graylog_plugin:
    driver: local
  graylog_content:
    driver: local
  graylog_scripts:
    driver: local
root@ansible:/usr/local/bin#

root # docker-compose up -d

Command show Mongo update was “Done” but the container was not started. having issue with naming convention with Mongo Container.

Dec  8 17:27:53 ansible kernel: [ 2473.152844] traps: mongod[18239] trap invalid opcode ip:56311d63fa7a sp:7ffc21b4de10 error:0 in mongod[5631195ba000+51eb000]

And this

Cannot link to a non running container: /876472e84634_bin_mongodb_1 AS /bin_graylog_1/bin_mongodb_1"

Since I am fairly new at Docker, I researching how to resolve this issue.

8

Not sure yet, still working on the upgrade, plus I’m waiting for OpenSearch to release Deb package because I’m on CentOS 7 right now and I’m going to wipe the server to install Ubuntu 20+ then rebuild it.

9

Umm good question, I do know from elasticsearch you can always upgrade but there will be lose of data if you back track. I’m assuming this also goes for OpenSearch.

10

@gsmith I’ll check out the links and alert documentation. Thanks!

1 Like
11

For those who are having troubles with installing/starting mongoDb-5.0 found a link that pretty much sums it up.

https://jira.mongodb.org/browse/DOCS-14684

3 Likes
12

i’m kinda okay with deleting old indices indexed by ES <7 manually but it’s really tedious, basically opensearch 2.* complains about one index at a time which gives me it’s directory name which i can then delete…

13

Yeah I had to do the same a while back, lesson learned with Elasticsearch. My way was

I had to find the oldest shard and execute the following command to delete the index;

root# curl -XGET http://localhost:9200/_cat/shards  
root# curl -XDELETE http://localhost:9200/ graylog_457/
14

yeah, but opensearch fails to run properly, just spews errors before it publishes REST API

15

In trying to do a clean install of 5.0 on Ubuntu 20.04, I see an error when trying to install Elasticsearch 7.10.2:

The repository ‘https://artifacts.elastic.co/packages/oss-7.10.2/apt stable Release’ does not have a Release file.

I tried to install using OpenSearch, but it seems that there are many references to Elasticsearch in the Graylog config file that must be somehow satisfied.

I’ve also posted to the Elasticsearch forum on the repo issue, but maybe someone here has overcome this issue.

Edit: Elasticsearch tells me that to install this specific version, it must be manually installed. I’ll try that later today.

Edit 2: that did the trick, I was able to get 5.0 up and running. I would suggest that the instructions for Elasticsearch be modified to show a manual installation.

Since I had the chance, I decided to try it on Ubuntu 22.04 with MongoDB 6.0 and Elasticsearch 7.10.2. Time to find some inputs!

2 Likes
16

Questions regarding the docs:

https://go2docs.graylog.org/5-0/upgrading_graylog/upgrading_graylog.html?tocpath=Upgrading%20Graylog|_____0

Please add link to “Upgrading to Graylog 5.0.x”

https://go2docs.graylog.org/5-0/downloading_and_installing_graylog/installing_graylog.html?tocpath=Downloading%20and%20Installing%20Graylog|Installing%20Graylog|_____0

Here you write that only RHEL 9 is supported - RHEL 7 or 8 is not mentioned.

https://go2docs.graylog.org/5-0/upgrading_graylog/upgrading_to_graylog_5.0.x.htm?tocpath=Upgrading%20Graylog|Upgrade%20Notes%20by%20Version|_____15

But on the Upgrade Notes I read that support for RHEL 6 is dropped. Does that mean that RHEL 7 and 8 is still supported? One of both pages need an edit I think.

17

We run GL on HyperV
GL5 requires Mongo5+
Mongo5+ requires AVX cpu extensions
HyperV does not provide AVX (VMWare apparently can)
Result = you can’t run GL5+ on HyperV anymore.

18

This kills you in HyperV as well.

19

Hey,
Sure does, were looking at options :frowning_face:

1 Like
20

Two day trying to install graylog, because mongodb doesn´t works, after install version 5 of mongo i put systemctl status mongod and the output is:
root@santifernvm01:/etc/apt# systemctl status mongod
● mongod.service - MongoDB Database Server
Loaded: loaded (/lib/systemd/system/mongod.service; enabled; vendor preset: enabled)
Active: failed (Result: signal) since Mon 2022-12-19 14:21:46 CET; 29min ago
Docs: https://docs.mongodb.org/manual
Process: 3208 ExecStart=/usr/bin/mongod --config /etc/mongod.conf (code=killed, signal=ILL)
Main PID: 3208 (code=killed, signal=ILL)
CPU: 7ms

Dec 19 14:21:46 santifernvm01 systemd[1]: Started MongoDB Database Server.
Dec 19 14:21:46 santifernvm01 systemd[1]: mongod.service: Main process exited, code=killed, status=4/ILL
Dec 19 14:21:46 santifernvm01 systemd[1]: mongod.service: Failed with result ‘signal’.
root@santifernvm01:/etc/apt#

What is the problkem. Virtualboc 2 CPU 4g RAM debian 11 bullseye… please help meeeeeeeeeeeeeeeeeeeeeeeeeeee

21

I’m assuming you didn’t upgrade to mongo 5.0 from an unsupported version (lower than 4.4.1) if you did you should roll back and follow their upgrade path. For example, if you were on mongodb 4.2 you must upgrade to 4.4.18, then upgrade to 5.0 and then if you want upgrade to 6.0 as this is the latest supported version on graylog 5.0

Between each upgrade, you should run this command in mongo shell and make sure the compatibility version matches the version currently installed or it won’t start:

db.adminCommand( { getParameter: 1, featureCompatibilityVersion: 1 } )

That command will give you the current compatibility level and should match the version currently installed, if it doesn’t then you have to run the following command (replace 5.0 with the current version):

db.adminCommand( { setFeatureCompatibilityVersion: "5.0" } )

After that you can perform the upgrade following mongodb documentation.

Let me know if that was it, but without logs or config files I cannot help you further.