I’d never heard of Graylog until a couple of days ago. Love the idea, but I can’t get it off the floor. I’m wanting to use it to monitor our ISP gear: syslog and NetFlow traffic. I see NetFlow errors in server.log, “Error parsing NetFlow packet…”, but I don’t really think that’s causing this. NetFlows are coming off a router running about 150 Mbps of traffic steady, and I have syslog set up on a handful of routers.
I followed the basic install for Ubuntu (16.04), and it starts up and responds okay, but in a couple of minutes it slows to a halt. It’s like there is some memory or CPU leak, but I can’t see either, nor do I really suspect that, because this looks like a stable package.
The backend becomes totally unresponsive to the web API calls, and when I try to shut it down, systemctl stop graylog-server.service takes 5 minutes or more to complete.
I did a complete reinstall to see if I had borked something, but got the same exact results.
It’s running on a single KVM guest, 4 cores, 10 GB of RAM. No SSL at this point; I wanted to get it stabilized first.
I’m really excited about what I see here, but I can’t get it to run long enough to even troubleshoot. If someone can point me in the general direction I’d be grateful, and I’m sure I can figure it out eventually.
Update: I blocked NetFlow traffic with ufw to see if it was that, and graylog-server started responding a lot better. CPU went from 100+% (1 core) down to ~10%.