Graylog 2.5 deflector error message

(charlie) #1

Has anyone managed to get rid of this error?

I’ve tried stopping Graylog and deleting it with curl -X DELETE "localhost:9200/graylog_deflector" however it gives me the following exception:

So I can delete all my indices (this box is empty anyway) and confirm it’s deleted with the above command, as it says it can’t find it.

In the documentation it says to add "action.auto_create_index: false" to the elastic config. However, when I do that to the YML file, it fails to start elastic. Which led me to try:

curl -X PUT "localhost:9200/_cluster/settings" -H 'Content-Type: application/json' -d '{"persistent": {"action.auto_create_index": "false"}}'

However that didn’t work either.

Has anyone managed to get rid of this error on graylog 2.5?
(running elastic 6.5.4)

Any help would be greatly appreciated…


(Jan Doberstein) #2

What is the error message? I’m not able to read that screenshot.


(charlie) #3

Sorry, thought they’d show up if clicked on. Basically elastic returns:

The provided expression [graylog_deflector] matches an alias. Specify the corresponding concrete indices instead


(charlie) #4

When I attempt to start elastic with the added line in the YML file, it doesn’t give any output. It just stops at the initializing java line. Unfortunately I don’t have anything useful on that front


(charlie) #5

Ok, this can be closed now. I installed graylog 2.4 and then upgraded to 3.0. All seems well. Not sure what was up with 2.5


(Jan Doberstein) #6

Could you please write down your upgrade path - it sounds itchy but with the given information we are not able to verify that:

  • GL 2.5 & ES 6.5 - not working?

Can you please complete the above list.


(charlie) #7

I was using GL 2.5 & Elastic 6. I copied and pasted all the commands from the following link

Fresh VM, nothing fancy. 2.4 -> 3.0 works well though!


(Jan Doberstein) #8

So your problem is gone because you made a new installation?



I’m only able to reproduce this activity if I delete the current index directory that is being written to, whether elastic is running or not. Don’t do that, it’s a terrible practice, but fine for test.

Method of fixing is to stop elastic, manually delete the graylog deflector directory and start back up elastic. It should start up and create a new index for writing.

If you run into an issue with the search page looking for a missing index, then you need to remove the index ranges from mongo and rebuild those ranges again in graylog.


(charlie) #10

New install under 2.4, then migrated to 3.0


(charlie) #11

Thanks. I stopped graylog before deleting the index after I had the issue post install, certainly didn’t delete anything while it’s online


(Jan Doberstein) #12

What other versions did you use and upgrade?

  • Elasticsearch?
  • MongoDB?

(charlie) #13

Basically these were my steps:

  1. Create new Ubuntu server 16.04 VM with open-ssh server from the install
  2. Follow install guide for 2.5
  3. Get deflector message on first graylog start
  4. Follow guide to fix deflector message in the FAQs
  5. Didn’t work, so started from #1 again (deleted VM). Repeat x2
  6. Install 2.4. No error. Upgrade to 3.0 (all from the graylog guide. I just copied/pasted the commands etc)
