Graylog 2.3 new


i installed the new graylog version 2.3 and configured it but it doesnt show messages from my older elasticksearch node.
i have another graylog server node 2.2.3 witch can read data from the same ES node. any ideas?

(Jochen) #2

What’s the configuration of your Graylog and Elasticsearch nodes?
What’s in the logs of your Graylog and Elasticsearch nodes?


server conf is this (i see its new for this version)
elasticsearch_hosts =
elasticsearch_discovery_enabled = true

ES conf is this [“”,“”] can see the log can not see the logs

no errors

(Jochen) #4

Is the address of the Elasticsearch HTTP API of an Elasticsearch node?
Do the Elasticsearch nodes advertise the correct addresses in the Elasticsearch cluster state?

#5 is correct


in the working server node i can see the logs belongs to the new server (internal logs) witch means that the new server can send the logs to ES but cant read them.

(Jochen) #7

What does this mean exactly?

(Jochen) #8

Please post the complete configuration and logs of all Graylog and Elasticsearch nodes.


graylog conf (new version)

is_master = true

node_id_file = /var/opt/graylog/graylog-server-node-id

password_secret = 3094e356cc0f26de799229b56c75192eef3bf6e1d85788c1878d6f3b6c0c5b74c1898b4a2f296e93f36d455ff2cfa7458fc230f3dfbe744cfe474755d45585fa

root_username = admin

root_password_sha2 = 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918

root_timezone = Etc/UTC

plugin_dir = /opt/graylog/plugin

rest_listen_uri =

web_listen_uri =

rest_enable_cors = true

elasticsearch_shards = 4
elasticsearch_replicas = 1

elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = true

allow_highlighting = true

elasticsearch_hosts =

elasticsearch_max_total_connections = 20

elasticsearch_max_total_connections_per_route = 2

elasticsearch_discovery_enabled = true

elasticsearch_analyzer = standard

output_batch_size = 500

output_flush_interval = 1

output_fault_count_threshold = 5
output_fault_penalty_seconds = 30

processbuffer_processors = 5
outputbuffer_processors = 3

processor_wait_strategy = blocking

ring_size = 65536

inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking

message_journal_enabled = true

message_journal_dir = /var/opt/graylog/data/journal

message_journal_max_size = 1gb

async_eventbus_processors = 2

lb_recognition_period_seconds = 3

alert_check_interval = 60

mongodb_uri = mongodb://

mongodb_max_connections = 100

mongodb_threads_allowed_to_block_multiplier = 5

transport_email_enabled = false
transport_email_hostname =
transport_email_port = 587
transport_email_use_auth = false
transport_email_use_tls = true
transport_email_use_ssl = true
transport_email_auth_username =
transport_email_auth_password =
transport_email_subject_prefix = [graylog]
transport_email_from_email =

transport_email_web_interface_url =

dashboard_widget_default_cache_time = 10s

content_packs_loader_enabled = true

content_packs_dir = /opt/graylog/contentpacks

content_packs_auto_load = grok-patterns.json,content_pack_appliance.json

ES conf graylog “Franz Kafka”

index.number_of_shards: 1

index.number_of_replicas: 0 /var/opt/graylog/data/elasticsearch

path.logs: /var/log/graylog/elasticsearch/ 10s false [“”]


problem solved.
i reconfigured graylog 2.3 as a backend. and compared the .yml files to my old data node and found that
this parameter “discovery.zen.ping_timeout: 10s” in the new version is different then the old version
" 10s"
after changing it i can finally see all the logs using the new graylog sever.

thanks for the help and support


it didnt solve the problem.
so i am steel stuck.

(Andi B ) #12

What is the contents of your elasticsearch data folder (/var/opt/graylog/data/elasticsearch) ?

On my docker-installation, the data folder was like:

./node <- new
./graylog/node <- old

So the data is put into node instead of graylog/node. So I stopped elastic, moved the folder and started again. This worked for me.

(Li Li) #13

I ran into the same problem. It was caused by me forgetting to set “elasticsearch_hosts” in graylog 2.3 configuration. The old “elasticsearch_discovery_zen_ping_unicast_hosts” parameter is no longer working as Graylog 2.3 switches to Elasticsearch HTTP client. Once I got that set correctly, my 2.3 node can “see” the old indices.

(system) closed #14

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.