Graylog 5.2 /var/log/graylog-server/server.log getting out of control

The Graylog server.log file is getting out of control, due to a warning error for Elasticsearch no security. I only have 1 node and care less about security.

How do I stop this from eating all my free space on the drive?

/var/log/graylog-server#
root@Syslog:/var/log/graylog-server# ls -la
total 19444
drwxr-xr-x 2 graylog graylog 4096 Dec 2 20:38 .
drwxrwxr-x 11 root syslog 4096 Dec 2 22:38 ..
-rw-r--r-- 1 graylog graylog 19897561 Dec 2 23:45 server.log
root@Syslog:/var/log/graylog-server# ls -lah
total 20M
drwxr-xr-x 2 graylog graylog 4.0K Dec 2 20:38 .
drwxrwxr-x 11 root syslog 4.0K Dec 2 22:38 ..
-rw-r--r-- 1 graylog graylog 20M Dec 2 23:45 server.log
root@Syslog:/var/log/graylog-server#
root@Syslog:/var/log/graylog-server# ls -lah
total 21M
drwxr-xr-x 2 graylog graylog 4.0K Dec 2 20:38 .
drwxrwxr-x 11 root syslog 4.0K Dec 2 22:38 ..
-rw-r--r-- 1 graylog graylog 21M Dec 2 23:52 server.log
root@Syslog:/var/log/graylog-server#

What is the specific error message you are seeing? Graylog doesn’t normally care that much about running without security to ES/OS, as that’s its default config.

let me get that log for ya…
tail -n 0 -f /var/log/graylog-server/server.log

====
2023-12-03T08:57:45.206-08:00 WARN [RestClient] request [GET http://127.0.0.1:9200/gl-system-events_0/_stats] returned 1 warnings: [299 Elasticsearch-7.17.15-0b8ecfb4378335f4689c4223d1f1115f16bef3ba "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible to anyone. See Set up minimal security for Elasticsearch | Elasticsearch Guide [7.17] | Elastic to enable security."]

BTW: the instruction for the 5.2 installer of Elasticsearch failed and needed an update. See my note below:

Install Elasticsearch

  1. Install from Internet Site:
  2. Back to Graylog site:
    Modify the Elasticsearch configuration file (/etc/elasticsearch/elasticsearch.yml), set the cluster name to graylog, and uncomment action.auto_create_index: false to enable the action.

===from 5.2 doc =====
wget -q https://artifacts.elastic.co/GPG-KEY-elasticsearch -O myKey
sudo apt-key add myKey
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt-get update && sudo apt-get install elasticsearch-oss

=====
error package not found

Looks like you can silence that by setting
xpack.security.enabled: false
in the Elasticsearch.yml

Hi, updated the config as suggested. It worked!

Thanks for your help.

===============

Configure security for the Elastic Stack | Elasticsearch Guide [7.16] | Elastic

cluster.name: graylog
action.auto_create_index: false
xpack.security.enabled: false

==================

What version of Elasticsearch did you install? The error seems to reference 7.17…

The latest version of 17… How do you stop this warning in the server.log? It is non-stop.

2023-12-18T06:20:19.978Z WARN [RestClient] request [POST http://127.0.0.1:9200/gl-system-events_0/_refresh?ignore_throttled=false&ignore_unavailable=false&expand_wildcards=open&allow_no_indices=true] returned 1 warnings: [299 Elasticsearch-7.17.15-0b8ecfb4378335f4689c4223d1f1115f16bef3ba "[ignore_throttled] parameter is deprecated because frozen indices have been deprecated. Consider cold or frozen tiers in place of frozen indices."]

I’m not sure, Graylog only supports up to elastic 7.10 so you may have all kinds of weird things happen. You may be able to stop the warning from the elastic side, but you won’t be able to stop Graylog from sending that command.
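
An added example, not part of the thread and not Graylog's own code: a small Python script that groups server.log lines in the format quoted above by level, logger and warning text, so you can see which message is consuming the disk and which Elasticsearch version the `299` warnings report. The sample lines are constructed, and the function names `summarize` and `top_offenders` are hypothetical.

```python
import re
import sys
from collections import Counter

# Constructed sample in the server.log format quoted in the thread
# (index names, timestamps and the "-build" suffix are made up).
SAMPLE_LOG = """\
2023-12-03T08:57:45.206-08:00 WARN [RestClient] request [GET http://127.0.0.1:9200/gl-system-events_0/_stats] returned 1 warnings: [299 Elasticsearch-7.17.15-build "Elasticsearch built-in security features are not enabled."]
2023-12-03T08:57:46.010-08:00 WARN [RestClient] request [GET http://127.0.0.1:9200/graylog_0/_stats] returned 1 warnings: [299 Elasticsearch-7.17.15-build "Elasticsearch built-in security features are not enabled."]
2023-12-03T08:57:47.500-08:00 WARN [RestClient] request [POST http://127.0.0.1:9200/gl-system-events_0/_refresh?ignore_throttled=false] returned 1 warnings: [299 Elasticsearch-7.17.15-build "[ignore_throttled] parameter is deprecated because frozen indices have been deprecated."]
2023-12-03T08:58:00.000-08:00 INFO [ServerBootstrap] Graylog server up and running.
"""

# <timestamp> <LEVEL> [<logger>] <message>
LINE_RE = re.compile(r"^(\S+) +([A-Z]+) +\[([^\]]+)\] (.*)$")
# HTTP Warning header as logged by the REST client: [299 <agent> "<text>"]
# (curly quotes are accepted too, since forum copies often carry them)
WARNING_RE = re.compile(r'\[299 Elasticsearch-([\d.]+)\S* ["“](.*?)["”]\]')


def summarize(lines):
    """Return (bytes per (level, logger, message), Elasticsearch versions seen)."""
    size = Counter()
    versions = set()
    for line in lines:
        line = line.rstrip("\n")
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace continuation or blank line
        _, level, logger, msg = m.groups()
        w = WARNING_RE.search(msg)
        if w:
            versions.add(w.group(1))
            msg = w.group(2)  # drop the per-request URL so repeats collapse
        size[(level, logger, msg)] += len(line.encode("utf-8")) + 1
    return size, versions


def top_offenders(lines, n=3):
    """Largest message groups by bytes written, plus sorted ES versions."""
    size, versions = summarize(lines)
    return size.most_common(n), sorted(versions)


if __name__ == "__main__":
    # Pass the path to server.log, or run with no argument for the sample.
    if len(sys.argv) > 1:
        src = open(sys.argv[1], encoding="utf-8", errors="replace")
    else:
        src = SAMPLE_LOG.splitlines()
    ranked, versions = top_offenders(src)
    for (level, logger, msg), nbytes in ranked:
        print(f"{nbytes:>10} bytes  {level} [{logger}] {msg[:70]}")
    print("Elasticsearch versions in warnings:", ", ".join(versions) or "none")
```

Run it against the real file to confirm that a warning is gone after a config change and to compare the reported Elasticsearch version with what your Graylog release supports.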
