Graylog API Call Timing Out

When I tried to start and input I got an error about the input not being able to start. The popup suggested I check my error logs, here is what I see:

2017-10-23T10:47:51.826+01:00 WARN  [ProxiedResource] Unable to call http://VMExternalIP:9000/api/system/metrics/multiple on node <0e3dcc02-a09a-4a7f-b9eb-13ff286b89f8>
java.net.SocketTimeoutException: connect timed out

I have provided what I deem to be the relevant parts of my config.

rest_listen_uri = http://InternalP:9000/api/
rest_transport_uri = http://ExternalIP:9000/api/
web_listen_uri = http://InternalIP:9000/

I believe that Graylog can connect to its external IP, however I am not 100% sure. Can anyone suggest how I would test this?

Cheers,

G

I tried:

curl http://VMExternalIP:9000/api/system/inputstates

I believed this would test connectivity between the Virtual machine and its external IP. The command timed out, which points further towards the VM not being able to communicate with its external address. Is there any way to work around this or should I put a hole in the firewall?

Cheers,

G

I have gone to ‘WebInterface’/api/api-browser. Going to this page allows me to perform API queries and I get response code ‘200’ which is a good sign. I still have no idea how to resolve this issue, could it be firewall blocking Graylog performing API queries on itself?

Use the internal URI for rest_transport_uri and the external one for web_endpoint_uri.

I have now set my config as you stated and now I get a login error which means my browser can’t access the API. this leads me to believe we need to add a firewall rule to allow access from the browser to the Graylog API.

Cheers,

G

So the rest_transport_api is set to the internal address and the web_endpoint_uri is set to the external address then we get a login error: 404 - cannot POST.

We have put a firewall rule in so that the virtual machine can go out and connect back into itself. The firewall rule is as follows: ExternalIPoftheVM to ExternalIPoftheVM over port 9000 on TCP. This should allow Graylog to connect to the API when the rest_transport_api is set to external.

Cheers,

George.

What’s the exact configuration of these settings and what’s the exact error message?

rest_listen_uri = http://Internal:9000/api/
rest_transport_uri = http://Internal:9000/api/
web_listen_uri = http://External:9000/

I get Error - the server returned: 404 - cannot POST (404)

That error message is from the web interface itself. When I set rest_transport_uri = http://External:9000/api/ I can connect to the web interface fine, but Graylog itself can’t query its rest api. So I things such as node info just shows as unavailable.

Cheers,

G

I will just quote what I wrote before:

You’re still missing the web_endpoint_uri setting.

Hi sorry, I meant that to be the Web_endpoint_uri and not web_listen_uri.

So to give you a clear picture the config is:
rest_listen_uri = http://Internal:9000/api/
rest_transport_uri = http://Internal:9000/api/
web_listen_uri = http://Internal:9000/
web_endpoint_uri = http://External:9000/

Cheers,

G

rest_listen_uri = http://0.0.0.0:9000/api/
rest_transport_uri = http://<Internal IP address>:9000/api/
web_listen_uri = http://0.0.0.0:9000/
web_endpoint_uri = http://<External IP address>:9000/api/

I should try this config you provided?

Cheers,

G

I didn’t provide it just for fun. :wink:

1 Like

Just tried them and I get the login issue.

Here is the error from the web interface:
Error - the server returned: 404 - cannot POST http://ExternalIP:9000/system/sessions (404)

There are no errors in /var/log/graylog/server.log

Cheers,

G

Are you using a reverse proxy in front of Graylog?
If not, you have used the wrong value for web_endpoint_uri. It has to point to the public URI of the Graylog REST API.

No, I am not using a reverse proxy, however I have may look into using one as it may resolve this issue.

The address I am using for the web_endpoint_uri is the external IP address of machine that Graylog is run on. I am not sure if that is the correct value?

Cheers,

G

An IP address alone is not the complete URI.

I am not sure what the complete URI would be, please could you help me?

cheers,

G

It’s http://<External IP address>:9000/api/, as written before.

Example:
Given the external URI for the Graylog web interface was http://example.com/ and the URI for the Graylog REST API was http://example.com/api/, then the web_endpoint_uri setting should be http://example.com/api/.

Just set the web_endpoint_uri from:

http://External IP address:9000/
to
http://External IP address:9000/api/

My issue has been resolved, thank you very much for your time and help.

Cheers,

G