Elasticsearch not getting messages

Graylog Central (peer support)
1

I have a deployment of graylog that has Elasticsearch on a separate VM, After working to get the Sidecars to respond I noticed the messages were going to graylog and dying there. The Graylog VM has found the elastic cluster but is not writing to it

I have configured the elastic hosts ip to the ip of the separate server I am wondering if there is another setting I am missing. The reason for the spilt is we want to eventually scale the environment to have multiple elastic nodes but the need now just calls for one for testing purposes

2

It would be helpful if you posted relevant information from your environment (using the forum tools like </> to make it look nice) For instance, below is the lines from my /etc/graylog/server/server.conf that tell it where the elastic server is… Are you seeing errors in the graylog logs (Post the relevant bits, nicely formatted) any other clues you can give that will help us help you?

# List of Elasticsearch hosts Graylog should connect to.
# Need to be specified as a comma-separated list of valid URIs for the http ports of your elasticsearch nodes.
# If one or more of your elasticsearch hosts require authentication, include the credentials in each node URI that
# requires authentication.
#
# Default: http://127.0.0.1:9200
#elasticsearch_hosts = http://node1:9200,http://user:password@node2:19200
elasticsearch_hosts = http://fantasticUser:ShhSecretPW@Elastic-Host:9200
3

@tmacgbay
The system has regulations on it that we can not post anything about it including logs and configs. Though it could be someone set a password I will have to dig deeper on this. I believe it has something to do with either the elasticsearch.yml file setting the discovery settings or the password protected file

4

Good luck - if you need example config snippets from my environment I am happy to send them - we have Graylog and Elastic on separate VM’s but not clustered at the moment.

1 Like
5

@tmacgbay
We are not currently clustered just trying to get the split to actually work. It would be a huge help to the elasticsearch.yml currently scrolling the logs

6

/etc/elasticsearch/elasticsearch.yml - anonymized and w/o comments:

cluster.name: HotWings
action.auto_create_index: true
node.name: MyElastSvr
node.attr.rack: Rack-77
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
cluster.initial_master_nodes:
  - MyElastSvr
discovery.seed_hosts:
  - MyElastSvr
network.publish_host:
  - MyElastSvr
http.max_warning_header_count: 0
1 Like
7

@tmacgbay
The Configs looked the same after parsing the logs I noticed this error it is filtered down but this is what I am seeing

io.netty.handler.codec.decoder exception

On the graylog server

8

Couldn’t find anything on that -

9

@cbryner
Hello,
Yeah this would be hard to troubleshoot since your company doesnt not allow you to post Log file/s or configurations.

What do you get when you execute this command:

curl -XGET http://ipaddress:9200/_cluster/health?pretty=true

Maybe something in here might help.

Graylog to Elasticsearch connection

Hope that helps

2 Likes
10

@gsmith @tmacgbay
I was able to get it to report late friday, The input configurations that were created did not work as expected remade those and everything started to work. Thank you both for your help

1 Like
11

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.