Graylog INPUTS fail

Hi everyone

INPUT fails to start.

Graylog 5.0.9+f018089 with OpenSearch

/etc/default/elasticsearch FILE looks like this:

################################
# OpenSearch
################################

# OpenSearch home directory
#OPENSEARCH_HOME=/usr/share/opensearch

# OpenSearch Java path
OPENSEARCH_JAVA_HOME=/usr/lib/jvm/java-1.11.0-openjdk-amd64

# OpenSearch configuration directory
# Note: this setting will be shared with command-line tools
OPENSEARCH_PATH_CONF=/etc/opensearch

# OpenSearch PID directory
#PID_DIR=/var/run/opensearch

# Additional Java OPTS
#OPENSEARCH_JAVA_OPTS=

# Configure restart on package upgrade (true, every other setting will lead to not restarting)
#RESTART_ON_UPGRADE=true

################################
# OpenSearch service
################################

# SysV init.d
#
# The number of seconds to wait before checking if OpenSearch started successfully as a daemon process
OPENSEARCH_STARTUP_SLEEP_TIME=5

################################
# System properties
################################

# Specifies the maximum file descriptor number that can be opened by this process
# When using Systemd, this setting is ignored and the LimitNOFILE defined in
# /usr/lib/systemd/system/opensearch.service takes precedence
#MAX_OPEN_FILES=65535

# The maximum number of bytes of memory that may be locked into RAM
# Set to "unlimited" if you use the 'bootstrap.memory_lock: true' option
# in opensearch.yml.
# When using systemd, LimitMEMLOCK must be set in a unit file such as
# /etc/systemd/system/opensearch.service.d/override.conf.
#MAX_LOCKED_MEMORY=unlimited

# Maximum number of VMA (Virtual Memory Areas) a process can own
# When using Systemd, this setting is ignored and the 'vm.max_map_count'
# property is set at boot time in /usr/lib/sysctl.d/opensearch.conf
#MAX_MAP_COUNT=262144

On a check, it looks okay.

RSYSLOG:


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

$IncludeConfig /etc/rsyslog.d/*.conf
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
*.* @10.13.200.8:1514;RSYSLOG_SyslogProtocol23Format

the INPUT setting

the collector

got the:

iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to 1514
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to 1514

as well

I'm still trying to understand why the input doesn't start.

Can you post the text with the error directly from server.log? Default location:

/var/log/graylog-server/server.log

Thanks!

subjectAltNames: [*.domainname.net, domainname.net]

2023-08-01T13:10:01.700+02:00 WARN [ProxiedResource] Unable to call https://10.13.200.8:9000/api/system/inputstates on node <82b9e79c-db07-45af-8a24-a6a9618fe37a>: Hostname 10.13.200.8 not verified:
certificate: sha256/uOlV5U3Iwdsx4bl0BGhunltQFex/zhayRxwMIUc7bSk=
DN: CN=*.domainname.net
subjectAltNames: [*.domainname.net, domainname.net]
2023-08-01T13:10:02.216+02:00 WARN [ProxiedResource] Unable to call https://10.13.200.8:9000/api/system/metrics/multiple on node <82b9e79c-db07-45af-8a24-a6a9618fe37a>: Hostname 10.13.200.8 not verified:
certificate: sha256/uOlV5U3Iwdsx4bl0BGhunltQFex/zhayRxwMIUc7bSk=
DN: CN=*.domainname.net
subjectAltNames: [*.domainname.net, domainname.net]
2023-08-01T13:10:03.704+02:00 WARN [ProxiedResource] Unable to call https://10.13.200.8:9000/api/system/inputstates on node <82b9e79c-db07-45af-8a24-a6a9618fe37a>: Hostname 10.13.200.8 not verified:
certificate: sha256/uOlV5U3Iwdsx4bl0BGhunltQFex/zhayRxwMIUc7bSk=
DN: CN=*.domainname.net
subjectAltNames: [*.domainname.net, domainname.net]
2023-08-01T13:10:04.219+02:00 WARN [ProxiedResource] Unable to call https://10.13.200.8:9000/api/system/metrics/multiple on node <82b9e79c-db07-45af-8a24-a6a9618fe37a>: Hostname 10.13.200.8 not verified:
certificate: sha256/uOlV5U3Iwdsx4bl0BGhunltQFex/zhayRxwMIUc7bSk=
DN: CN=*.domainname.net
subjectAltNames: [*.domainname.net, domainname.net]
2023-08-01T13:10:05.706+02:00 WARN [ProxiedResource] Unable to call https://10.13.200.8:9000/api/system/inputstates on node <82b9e79c-db07-45af-8a24-a6a9618fe37a>: Hostname 10.13.200.8 not verified:
certificate: sha256/uOlV5U3Iwdsx4bl0BGhunltQFex/zhayRxwMIUc7bSk=
DN: CN=*.domainname.net
subjectAltNames: [*.domainname.net, domainname.net]
2023-08-01T13:10:06.222+02:00 WARN [ProxiedResource] Unable to call https://10.13.200.8:9000/api/system/metrics/multiple on node <82b9e79c-db07-45af-8a24-a6a9618fe37a>: Hostname 10.13.200.8 not verified:
certificate: sha256/uOlV5U3Iwdsx4bl0BGhunltQFex/zhayRxwMIUc7bSk=
DN: CN=*.domainname.net
subjectAltNames: [*.domainname.net, domainname.net]
2023-08-01T13:10:07.710+02:00 WARN [ProxiedResource] Unable to call https://10.13.200.8:9000/api/system/inputstates on ^C

@adrianrus, it appears you haven’t configured your certificates correctly. Did you get it working without https first?

If so, what changes did you make after that?
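Why the "not verified" warnings fire, as an added example that is not part of the original thread: the sketch below parses warnings of this shape and checks the dialled host against the certificate's subjectAltNames the way TLS hostname verification does. The function names and the `graylog.domainname.net` hostname used in testing are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the shape of the warnings in this thread; <node-id> and
# <pin> are placeholders, and the wildcard is written out as "*.".
SAMPLE_LOG = """\
2023-08-01T13:10:01.700+02:00 WARN [ProxiedResource] Unable to call https://10.13.200.8:9000/api/system/inputstates on node <node-id>: Hostname 10.13.200.8 not verified:
    certificate: sha256/<pin>
    DN: CN=*.domainname.net
    subjectAltNames: [*.domainname.net, domainname.net]
"""

ENTRY = re.compile(r"Hostname (\S+) not verified:.*?subjectAltNames: \[([^\]]*)\]", re.S)

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def san_matches(host, san):
    """Check one SAN entry against the name or address the client dialled."""
    if is_ip(host):
        # An IP literal is only compared with IP SAN entries, never DNS patterns.
        return is_ip(san) and ipaddress.ip_address(san) == ipaddress.ip_address(host)
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        # The wildcard stands for exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san

def explain(log_text):
    """Return (dialled_host, sans, verdict) for every 'not verified' warning."""
    results = []
    for host, san_list in ENTRY.findall(log_text):
        sans = [s.strip() for s in san_list.split(",") if s.strip()]
        if any(san_matches(host, s) for s in sans):
            verdict = "name is covered by the certificate"
        elif is_ip(host):
            verdict = "client dialled an IP but the certificate has no matching IP SAN"
        else:
            verdict = "hostname is not covered by any SAN"
        results.append((host, sans, verdict))
    return results

if __name__ == "__main__":
    for row in explain(SAMPLE_LOG):
        print(row)
```

For the warnings in this thread the verdict is the IP case: the node is called as 10.13.200.8 while the certificate only carries DNS names.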

Thing is that I followed a cookbook created by … me still when did another server and working :)))

BUT, that is on the 4.2 version with Elasticsearch, this is 5.0 with OpenSearch and some things might be off.

I might need to go for the non-TLS version and start from there. :frowning:

Beware of “should have”. It has led me astray more times than I care to admit.

Establishing a known good configuration without TLS would be where I start and go from there. Good luck and let us know how it turns out!

will do :slight_smile:
keeping this one alive until then with update
