Graylog Initial Setup

1. Describe your incident:

Hello everybody,
I am totally new to Graylog. I have installed it via docker-compose with OpenSearch. In the browser I can reach Graylog at http://my-server:9000, but I see only the Graylog Initial Setup page and nothing more.

2. Describe your environment:

  • OS Information:
    Linux ( ubuntu 22 ).

  • Package Version:
    image: graylog/graylog:6.1
    image: mongo:5.0.13
    image: opensearchproject/opensearch:latest

  • Service logs, configurations, and environment variables:

Here are the container logs:
It seems you are starting Graylog for the first time. To set up a fresh install, a setup interface has
been started. You must log in to it to perform the initial configuration and continue.

Initial configuration is accessible at 0.0.0.0:9000, with username 'admin' and password 'WicIFXhgYE'.
Try clicking on http://admin:WicIFXhgYE@0.0.0.0:9000

[2024-10-30T14:09:44,270][INFO ][o.o.s.c.ConfigurationRepository] [b8a55bae2b55] Hot-reloading of audit configuration is enabled
[2024-10-30T14:09:44,270][INFO ][o.o.s.c.ConfigurationRepository] [b8a55bae2b55] Node 'b8a55bae2b55' initialized
[2024-10-30T14:09:52,996][INFO ][o.o.m.a.MLModelAutoReDeployer] [b8a55bae2b55] Index not found, not performing auto reloading!
[2024-10-30T14:09:52,997][INFO ][o.o.m.c.MLCommonsClusterManagerEventListener] [b8a55bae2b55] Starting ML sync up job…
[

{"t":{"$date":"2024-10-30T14:10:11.794+00:00"},"s":"I", "c":"NETWORK", "id":51800, "ctx":"conn8","msg":"client metadata","attr":{"remote":"10.20.23.4:58410","client":"conn8","doc":{"driver":{"name":"mongo-java-driver|legacy","version":"5.2.0"},"os":{"type":"Linux","name":"Linux","architecture":"amd64","version":"5.4.0-172-generic"},"platform":"Java/Eclipse Adoptium/17.0.12+7","env":{"container":{"runtime":"docker"}}}}}
{"t":{"$date":"2024-10-30T14:10:26.384+00:00"},"s":"I", "c":"STORAGE", "id":22430, "ctx":"Checkpointer","msg":"WiredTiger message","attr":{"message":"[1730297426:384528][1:0x7fcd07d70700], WT_SESSION.checkpoint: [WT_VERB_CHECKPOINT_PROGRESS] saving checkpoint snapshot min: 4, snapshot max: 4 snapshot count: 0, oldest timestamp: (0, 0) , meta checkpoint timestamp: (0, 0) base write gen: 65"}}

3. What steps have you already taken to try and solve the problem?

I have tried it with data-node, but got the same result.

4. How can the community help?

Which config mistake have I made? Is my-server:9000 the correct endpoint for logging in to the Graylog GUI?

can get graylog under http://my-server:9000 but i see only the Graylog Initial Setup page and nothing more.

Can you share a screenshot? Are you able to complete the initial setup?

This section in the log:

Initial configuration is accessible at 0.0.0.0:9000, with username 'admin' and password 'WicIFXhgYE'.
Try clicking on http://admin:WicIFXhgYE@0.0.0.0:9000

Provides the auto-generated random password to allow you to perform the initial setup. Is that not working?

@drewmiranda-gl Thanks for replying :slight_smile:

I get the login page of Graylog at http://my-server:9000 and I can log in with the auto-generated credentials ( admin : WicIFXhgYE ), and after that I see only the following page ( Initial Setup Page ). I am sending you a screenshot. Thanks for your help!

@drewmiranda-gl I could handle the problem. Now I get the GUI of Graylog. I should be able to log in with the credentials that I have set in the docker-compose, correct? Am I on the right track?

Hello one more time,
I have now installed Graylog successfully. I can log in with the user credentials from the docker-compose file. On the same Linux machine I have created a graylog.conf file under /etc/rsyslog.d/ . After restarting rsyslog I see that the connection with Graylog is OK. Now the question is, how can I get the rsyslog info in Graylog? Under the search I used some simple queries like "ssh login", but I don't get any result ( I have already done a login and logout via ssh on the same server ).

Thanks for your tips !

Hello @Mazi,

These free courses over at Graylog Academy will give you a great foundation on how to search/analyse/utilise the logs being ingested to your cluster.

Thanks for your suggestion, but the registration is not simple -_-

Now I have only one question about the rsyslog connection over TCP from the client to the Graylog server. I can get the syslog info from clients in the Graylog server but only over UDP; over TCP it does not work. ( I have installed Graylog via docker-compose on Ubuntu 22.04. ) Here are my port configurations ( the ports are open in the firewall ):

Port mapping in the docker-compose for graylog container:

    ports:
      # Graylog web interface and REST API
      - "9000:9000/tcp"
      # Rsyslog tcp
      - "5140:5140/tcp"

and the graylog.conf file under /etc/rsyslog.d/

*.* @@server-ip:5140;RSYSLOG_SyslogProtocol23Format
$DebugFile /var/log/rsyslog-debug.log
$DebugLevel 2

Any help will be really appreciated, thanks!

I’m not seeing anything wrong with the configuration provided, when using tcpdump can you see the logs being sent from the host and subsequently arriving on the Graylog node?

@Wine_Merchant Hello, I could solve the problem, thanks. But now there is another error after I have set up SSL certificates for Graylog :sweat_smile:. I can access Graylog in the browser over https without any problem and login also works fine. But in the Graylog container I get the following error/warning:

graylog | 2024-11-14 09:57:51,281 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Failed to call API on node <83c6d-7d28-4a78-b7ca-14f4d7fac>, cause: Failed to connect to server/ ip:9000 (duration: 3 ms)

Do you know what the reason could be?

@Wine_Merchant Hello again,
A new update from my side. I think it happens only if the Graylog server tries to catch the log entries from the client over TLS, and it still does not work fine. I am sending my TLS configs for both server and client here. Could you please have a look at them?
Server side:

# make gtls driver the default and set certificate files
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/srv/certs-chain.pem"
    DefaultNetstreamDriverCertFile="/srv/server-cert.cer"
    DefaultNetstreamDriverKeyFile="/srv/server-key.key"
)

# load TCP listener
module(
    load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.Authmode="x509/certvalid"
)

# start up listener at port 6514
input(
    type="imtcp"
    port="6514"
)

And the client side:

# certificate files - just CA for a client
global(DefaultNetstreamDriverCAFile="/srv/certs-chain.pem")

# set up the action for all messages
action(type="omfwd" protocol="tcp" target="server.local" port="6514"
       StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/certvalid")

And then I get this error in the container log:
2024-11-18 13:19:23,126 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Failed to call API on node <83f6d-7d28-4b78-b7ca-14f476fac>, cause: None of the TrustManagers trust this certificate chain. (duration: 6 ms)

Thanks for your help !

Hello @Mazi,

Do inputs now run? The error suggests that Graylog is still unable to call itself via API due to not trusting the certificate.

Is the CA and server cert now within the keystore? Have you tried catting the server and ca cert into one single chain of authority?

@Wine_Merchant Hi and thanks for replying.
Because I have installed Graylog via Docker, I added the CA certs directly to the truststore of the container itself. Now I don't get the error anymore and I can see the log entries from the Graylog server itself ( I mean the server that Graylog runs on ). But I cannot get the log entries from the client. I have restarted rsyslog on the client and I get this error:

rsyslogd[3279891]: error: authentication mode 'x509/namevalid' not supported by gtls netstream driver [v8.2001.0 try https://www.rsyslog.com/e/2086 ]

And here is my client config for TLS:

# certificate files - just CA for a client
global(DefaultNetstreamDriverCAFile="/srv/certs-chain.pem")

# set up the action for all messages
action(type="omfwd" protocol="tcp" target="server" port="514"
       StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/namevalid")

I have found the other values for StreamDriverAuthMode but I don't know which one is better and easier to configure.

Thanks for confirming @Mazi, the error is quite explicit. What if you were to alter StreamDriverAuthMode="x509/namevalid" to StreamDriverAuthMode="x509/certvalid" or StreamDriverAuthMode="x509/name"?

@Wine_Merchant None of them works and I get the same error again:

error: authentication mode 'x509/name' not supported by ptcp netstream driver

And now I get one more error:
imtcp: module loaded, but no listeners defined - no input will be gathered [v8.2001.0 try https://www.rsyslog.com/e/2212 ]

I just want the syslog entries from the client to be sent to the Graylog server over TLS. Is my config correct at all?

Thanks for your help !

@drewmiranda-gl @Wine_Merchant I could solve the problem, thanks for your tips and help :pray:

For those who have the same problem, I used this parameter:

StreamDriverAuthMode="x509/fingerprint"
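
Added example, not part of any post in this thread and not rsyslog or Graylog code: a small checker for the omfwd TLS parameters discussed above, showing why each posted client config produced its error and what the modes mean for peer authentication. It assumes gtls accepts anon, x509/fingerprint, x509/certvalid and x509/name, that ptcp (used when no driver is set) accepts only anon, and that fingerprint and name modes need StreamDriverPermittedPeers; the function name, sample configs and the SHA1:PLACEHOLDER value are constructed.

```python
import re

# Assumptions: auth modes per netstream driver as in rsyslog's driver docs and
# the errors quoted in this thread; ptcp is the driver when none is configured.
SUPPORTED = {"gtls": {"anon", "x509/fingerprint", "x509/certvalid", "x509/name"},
             "ptcp": {"anon"}}
NEEDS_PEERS = {"x509/fingerprint", "x509/name"}
PARAM = re.compile(r'([\w.]+)\s*=\s*(?:"([^"]*)"|\[([^\]]*)\])')
OBJECT = re.compile(r'\b(global|action)\s*\((.*?)\)', re.S | re.I)


def check_omfwd_tls(conf):
    """Return findings for each omfwd action in an rsyslog config string."""
    default_driver, actions = "ptcp", []
    for kind, body in OBJECT.findall(conf):
        p = {k.lower(): (s or a) for k, s, a in PARAM.findall(body)}
        if kind.lower() == "global":
            default_driver = p.get("defaultnetstreamdriver", default_driver)
        elif p.get("type") == "omfwd":
            actions.append(p)
    findings = []
    for p in actions:
        driver = p.get("streamdriver", default_driver).lower()
        mode = p.get("streamdriverauthmode", "anon").lower()
        if p.get("streamdrivermode", "0") != "1":
            findings.append("StreamDriverMode is not 1: TLS is off")
        if mode not in SUPPORTED.get(driver, set()):
            findings.append(f"{mode} not supported by {driver} driver")
        elif mode in NEEDS_PEERS and "streamdriverpermittedpeers" not in p:
            findings.append(f"{mode} needs StreamDriverPermittedPeers")
        elif mode == "x509/certvalid":
            findings.append("x509/certvalid: any certificate from the CA is accepted")
        elif mode == "anon":
            findings.append("anon: peer is not authenticated")
    return findings


# Constructed samples modelled on the client configs posted in this thread.
NAMEVALID = '''global(DefaultNetstreamDriverCAFile="/srv/certs-chain.pem")
action(type="omfwd" protocol="tcp" target="server" port="514"
       StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/namevalid")'''
NO_DRIVER = 'action(type="omfwd" target="server" port="6514" StreamDriverAuthMode="x509/name")'
PINNED = '''action(type="omfwd" protocol="tcp" target="server" port="6514"
       StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/fingerprint"
       StreamDriverPermittedPeers=["SHA1:PLACEHOLDER"])'''

if __name__ == "__main__":
    for name, conf in [("namevalid", NAMEVALID), ("no driver", NO_DRIVER), ("pinned", PINNED)]:
        print(name, check_omfwd_tls(conf))
```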
