Graylog can't connect to Wazuh Indexer

1. Describe your incident:

In trying to set up Graylog to connect to Wazuh Indexer, I am unable to get it to connect and create new indexes. I receive this error during preflight when launching the docker container for graylog:

ERROR: org.graylog2.storage.versionprobe.VersionProbe - Unable to retrieve version from indexer node: Failed to connect to /10.10.1.60:9200. - Connection refused.

INFO : org.graylog2.storage.versionprobe.VersionProbe - Indexer is not available. Retry #36

2. Describe your environment:

• OS Information: Graylog is on Docker 25

• Package Version: Graylog Open 7

• Docker Compose File:

  graylog:
  hostname: “server”
  image: “${GRAYLOG_IMAGE:-graylog/graylog:7.0}”
  depends_on:
  mongodb:
  condition: “service_started”
  datanode:
  condition: “service_started”
  entrypoint: “/usr/bin/tini –  /docker-entrypoint.sh”
  environment:
  GRAYLOG_NODE_ID_FILE: “/usr/share/graylog/data/data/node-id”
  
  GRAYLOG_PASSWORD_SECRET: “${GRAYLOG_PASSWORD_SECRET:?Please configure GRAYLOG_PASSWORD_SECRET in the .env file}”
  GRAYLOG_ROOT_PASSWORD_SHA2: “${GRAYLOG_ROOT_PASSWORD_SHA2:?Please configure GRAYLOG_ROOT_PASSWORD_SHA2 in the .env file}”
  GRAYLOG_HTTP_BIND_ADDRESS: “0.0.0.0:9000”
  GRAYLOG_HTTP_EXTERNAL_URI: “http://10.10.1.32:9000/”
  GRAYLOG_MONGODB_URI: “mongodb://mongodb:27017/graylog”
  GRAYLOG_ELASTICSEARCH_HOSTS: “https://graylog:password@10.10.1.60:9200”
  ports:
  
  “5044:5044/tcp”   # Beats
  
  “5140:5140/udp”   # Syslog
  
  “5140:5140/tcp”   # Syslog
  
  “5555:5555/tcp”   # RAW TCP
  
  “5555:5555/udp”   # RAW UDP
  
  “9000:9000/tcp”   # Server API
  
  “12201:12201/tcp” # GELF TCP
  
  “12201:12201/udp” # GELF UDP
  #- “10000:10000/tcp” # Custom TCP port
  #- “10000:10000/udp” # Custom UDP port
  
  “13301:13301/tcp” # Forwarder data
  
  “13302:13302/tcp” # Forwarder config
  networks:
  
  graylog
  volumes:
  
  “graylog_data:/usr/share/graylog/data/data”
  restart: “on-failure”
  

3. What steps have you already taken to try and solve the problem?

Attempted to follow steps and other forum posts to edit docker compose file. This is the latest edit that receives the above error.

4. How can the community help?

I would greatly appreciate it if the community could provide assistance on what this error could mean, how to further diagnose, where additional/more verbose logs may reside, and any other details that could help me troubleshoot.

One such potential cause is that there is no certificate loaded, but I could not find a comprehensive guide for setting up certificates on Docker instances of graylog - also no other logs mention any certificate issues, and shutting off SSL in wazuh indexer config didn’t change it.

Hey @Sam_Gunn,

The Graylog node is failing to reach 10.10.1.60 on port 9200, are you certain that networking between the Graylog node and your Opensearch is correctly set up?

Thank you for replying. I do sometimes hate yaml files. Turned out you’re right - the Wazuh indexer was using the localhost instead of it’s Network IP and that prevented connections across the network.

Now graylog is giving this error:

Unable to retrieve version from indexer node: (certificate_unknown) None of the TrustManagers trust this certificate chain. - None of the TrustManagers trust this certificate chain.

This means that I need to load a certificate in graylog, right? Do you know any resources that can help me do that via docker compose? I’ve only found guides for doing so in a normal installation, not docker containers.

Thanks!

Check out this chain, it links out to a guide on implementing certs and some specifics in the last comment on how that is achieved within docker.

Thanks! I actually found that last night and it got me on the right track. Now I am getting this error, which I believe suggests a problem on the wazuh side, right?

2026-02-27 14:13:29,183 ERROR: org.graylog2.storage.versionprobe.VersionProbe - Unable to retrieve version from indexer node 10.10.1.60:9200: unknown error - an exception occurred while deserializing error response: {}

com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'Unauthorized': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')

 at [Source: (okio.Buffer$inputStream$1); line: 1, column: 13]

	at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:2602)

	at com.fasterxml.jackson.core.JsonParser._constructReadException(JsonParser.java:2628)

	at com.fasterxml.jackson.core.JsonParser._constructReadException(JsonParser.java:2636)

	at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:830)

	at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._reportInvalidToken(UTF8StreamJsonParser.java:3662)

	at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._handleUnexpectedValue(UTF8StreamJsonParser.java:2749)

	at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._nextTokenNotInObject(UTF8StreamJsonParser.java:867)

	at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextToken(UTF8StreamJsonParser.java:753)

	at com.fasterxml.jackson.databind.ObjectReader._initForReading(ObjectReader.java:356)

	at com.fasterxml.jackson.databind.ObjectReader._bindAndClose(ObjectReader.java:2133)

	at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:1504)

	at retrofit2.converter.jackson.JacksonResponseBodyConverter.convert(JacksonResponseBodyConverter.java:33)

	at retrofit2.converter.jackson.JacksonResponseBodyConverter.convert(JacksonResponseBodyConverter.java:23)

	at org.graylog2.storage.versionprobe.VersionProbeImpl.lambda$probeSingleHost$2(VersionProbeImpl.java:158)

	at org.graylog2.storage.versionprobe.VersionProbeImpl.rootResponse(VersionProbeImpl.java:213)

	at org.graylog2.storage.versionprobe.VersionProbeImpl.probeSingleHost(VersionProbeImpl.java:168)

	at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source)

	at java.base/java.util.ArrayList$ArrayListSpliterator.tryAdvance(Unknown Source)

	at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(Unknown Source)

	at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(Unknown Source)

	at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source)

	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source)

	at java.base/java.util.stream.FindOps$FindOp.evaluateSequential(Unknown Source)

	at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source)

	at java.base/java.util.stream.ReferencePipeline.findFirst(Unknown Source)

	at org.graylog2.storage.versionprobe.VersionProbeImpl.probeAllHosts(VersionProbeImpl.java:136)

	at org.graylog2.storage.versionprobe.VersionProbeImpl.lambda$probe$1(VersionProbeImpl.java:116)

	at com.github.rholder.retry.AttemptTimeLimiters$NoAttemptTimeLimit.call(AttemptTimeLimiters.java:78)

	at com.github.rholder.retry.Retryer.call(Retryer.java:160)

	at org.graylog2.storage.versionprobe.VersionProbeImpl.probe(VersionProbeImpl.java:116)

	at org.graylog2.bootstrap.preflight.SearchDbPreflightCheck.runCheck(SearchDbPreflightCheck.java:50)

	at com.google.common.collect.ImmutableList.forEach(ImmutableList.java:421)

	at org.graylog2.bootstrap.preflight.PreflightCheckService.runChecks(PreflightCheckService.java:52)

	at org.graylog2.bootstrap.ServerBootstrap.runPreFlightChecks(ServerBootstrap.java:183)

	at org.graylog2.bootstrap.ServerBootstrap.beforeInjectorCreation(ServerBootstrap.java:151)

	at org.graylog2.bootstrap.CmdLineTool.doRun(CmdLineTool.java:362)

	at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:287)

	at org.graylog2.bootstrap.Main.main(Main.java:57)

2026-02-27 14:13:29,183 INFO : org.graylog2.storage.versionprobe.VersionProbe - Indexer is not available. Retry #9716

By looking through more logs, I discovered that graylog is not sending the authorization header. This is the error i get on the wazuh side:

[2026-02-27T17:21:53,426][WARN ][o.o.s.a.BackendRegistry  ] [node-1] No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'

I am trying to figure out how to get graylog to send that info.

In this instance what is the indexer, are you using Graylog Data Node or Opensearch - if Opensearch which version?

If you could post the docker conf for OS that would help give some context.

Sorry for not clarifying. Wazuh indexer uses opensearch. Looks like version 2.19.4.

Here is my docker config for Graylog. Wazuh is a standalone install on a VM.

 # Graylog: https://hub.docker.com/r/graylog/graylog-enterprise
  graylog:
    hostname: "server"
    image: "${GRAYLOG_IMAGE:-graylog/graylog:7.0}"
    depends_on:
      mongodb:
        condition: "service_started"
      datanode:
        condition: "service_started"
    entrypoint: "/usr/bin/tini --  /docker-entrypoint.sh"
    environment:
      GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/data/node-id"
      # GRAYLOG_DATANODE_PASSWORD_SECRET and GRAYLOG_PASSWORD_SECRET MUST be the same value
      GRAYLOG_PASSWORD_SECRET: "${GRAYLOG_PASSWORD_SECRET:?Please configure GRAYLOG_PASSWORD_SECRET in the .env file}"
      GRAYLOG_ROOT_PASSWORD_SHA2: "${GRAYLOG_ROOT_PASSWORD_SHA2:?Please configure GRAYLOG_ROOT_PASSWORD_SHA2 in the .env file}"
      GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
      GRAYLOG_HTTP_EXTERNAL_URI: "http://10.10.1.32:9000/"
      GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
      GRAYLOG_ELASTICSEARCH_HOSTS: "https://10.10.1.60:9200" 
      GRAYLOG_ELASTICSEARCH_USERNAME: "graylog"
      GRAYLOG_ELASTICSEARCH_PASSWORD: "password"
      GRAYLOG_SERVER_JAVA_OPTS: "-Djavax.net.ssl.trustStore=/certificates/graylog-truststore.jks -Djavax.net.ssl.trustStorePassword=password"

      
    ports:
    - "5044:5044/tcp"   # Beats
    - "5140:5140/udp"   # Syslog
    - "5140:5140/tcp"   # Syslog
    - "5555:5555/tcp"   # RAW TCP
    - "5555:5555/udp"   # RAW UDP
    - "9000:9000/tcp"   # Server API
    - "12201:12201/tcp" # GELF TCP
    - "12201:12201/udp" # GELF UDP
    #- "10000:10000/tcp" # Custom TCP port
    #- "10000:10000/udp" # Custom UDP port
    - "13301:13301/tcp" # Forwarder data
    - "13302:13302/tcp" # Forwarder config
    networks:
      - graylog
    volumes:
      - "graylog_data:/usr/share/graylog/data/data"
      - "/mnt/NAS1/docker/graylog/certs:/certificates"

    restart: "on-failure"

Graylog currently supports 2.19.3 so you might experience some issues when you finally get connected.

Has security been implemented on the Opensearch cluster and did you generate a username and password? It would be the same as the one used for Wazuh to connect to OS, It could also be a JWT token.

Yes, the indexer has security, and I’ve setup the keystore and credentials in my graylog environment:

GRAYLOG_ELASTICSEARCH_HOSTS: "https://10.10.1.60:9200" 
      GRAYLOG_ELASTICSEARCH_USERNAME: "graylog"
      GRAYLOG_ELASTICSEARCH_PASSWORD: "password"
      GRAYLOG_SERVER_JAVA_OPTS: "-Djavax.net.ssl.trustStore=/certificates/graylog-truststore.jks -Djavax.net.ssl.trustStorePassword=password"

Unfortunately the Wazuh indexer log still says it’s not receiving the right headers.

Hey @Sam_Gunn,

Try with the below and drop the GRAYLOG_ELASTICSEARCH_USERNAME and GRAYLOG_ELASTICSEARCH_PASSWORD options.

GRAYLOG_ELASTICSEARCH_HOSTS = https://graylog:password@10.10.1.60:9200

Hi @Wine_Merchant

It doesn’t change anything unfortunately.

I did notice, however, that during the startup in graylog, it shows this:

Picked up JAVA_TOOL_OPTIONS:  -Djavax.net.ssl.trustStore=/tmp/custom.keystore -Djavax.net.ssl.trustStorePassword=changeit

And doesn’t mention the keystore I specified in the docker config file at all.

GRAYLOG_SERVER_JAVA_OPTS: "-Djavax.net.ssl.trustStore=/certificates/graylog-truststore.jks -Djavax.net.ssl.trustStorePassword=password"

Does that mean anything? Is there something wrong with this line in the docker config?

@Sam_Gunn

What is the output of the below?

docker exec <container_id> ps aux | grep java

As for the OS issue, if it were a certs problem I would imagine this would be reflected in the error.

Does running the below from the Graylog node yield a response?

curl -i -u "graylog:password" -XGET "http://10.10.1.60:9200"

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.