Elasticsearch cluster RED no messages in

Graylog stopped receiving messages, and when debugging I noticed that the Elasticsearch cluster is RED. I also noticed the disk space is full. But should that affect the incoming/outgoing messages? I guess at least the incoming should work normally. I understand there are no messages to the index for the above reason. But does the number on the top right side indicate messages on UDP?

What do you mean by stopped receiving messages? Do you see the disk journal / queues increasing or is everything stopped?

Well, messages should continue to queue until Elasticsearch is available again unless the Graylog disk journal is on the same disk as the Elasticsearch storage which you have indicated is full. In that case no more messages can queue in the journal and the journal is also most likely corrupted.

It indicates the total number of messages that Graylog is receiving via any input, regardless of protocol.

No messages in journal and queues not increasing.

In this case, should there be an error/warning about the journal being corrupted? Or how does Graylog indicate that the journal is corrupted? Currently I cannot see anything in the logs indicating that.

There is free space in the journal, currently using like 1%. The journal in the UI looks like:

0 unprocessed messages are currently in the journal, in 1 segments.

Thank you for clarifying this. So the Elasticsearch cluster state does not affect Graylog unless the journal is full, which in my case it seems not to be.

In my journal folder, there is a ‘.lock’ file; its date is the same date the messages stopped. What does this indicate?
