I am using the latest Graylog v2.2.3 OVA running in VMWare Player v12.5.0 build-4352439. Everything seem to be work great until I rebooted the Graylog Server. After that, the Elasticsearch cluster went into RED and shows the Shards as unassigned.
I ran the following command and restarted the graylog server:
curl -XPUT ‘:9200/_all/_settings’ -d ‘{“number_of_replicas”: 0}’
This reset the unassigned to 0 but the cluster is still in RED
Elasticsearch cluster unhealthy (RED) (triggered 2 days ago)
The Elasticsearch cluster state is RED which means shards are unassigned. This usually indicates a crashed and corrupt cluster and needs to be investigated. Graylog will write into the local disk journal. Read how to fix this in the Elasticsearch setup documentation.
Elasticsearch cluster
The possible Elasticsearch cluster states and more related information is available in the Graylog documentation.
Elasticsearch cluster is yellow. Shards: 4 active, 0 initializing, 0 relocating, 0 unassigned, What does this mean?
The cluster shows GREEN now but there are no new messages being displayed on the Syslog stream I have set up. This is the only stream outside the defaults and it was working until the reboot that put the shards into unassigned. Messages from nginx requests for example work fine.
Ok, I am able to use a syslog test util and send a message to graylog, which displays properly. So the issue appears to be with my devices communicating with graylog. Checking now to see if anything changed with our access rules, etc… on the network.
Should I see UDP 514 and UDP6 514 in netstat on the graylog server? I only see the UDP6 and want to make sure that is not the issue.
Ok, I figured it out. There were 2 issues. First the cluster going red and then the local PC that the OVA is running on had issues with the Symantec Firewall. Basically, Symantec decided at some point to start blocking the incoming UDP traffic. Everything appears to be working properly now. Thanks for everyone’s time!