Graylog Installation Issue

Hi,

I have tried to install Graylog in my lab.
The issue is that I cannot get HTTP access to Graylog (default port 9000).

Here are some details:
I am running Ubuntu 20.04:
ubuntu@ubuntu:~$ lsb_release -a

No LSB modules are available.

Distributor ID: Ubuntu
Description: Ubuntu 20.04.5 LTS
Release: 20.04
Codename: focal

Graylog is running:
ubuntu@ubuntu:/home$ ps aux | grep graylog
ubuntu 1170412 0.0 0.0 6432 656 pts/0 S+ 19:28 0:00 grep --color=auto graylog

FYI, I followed the steps mentioned on the Ubuntu installation page.

The Ubuntu host has Internet access (it has a private IP address). The IP address is 192.168.1.2 if needed (it is not reachable from the Internet).

In case you can check it, I attach here the configuration file located at /etc/graylog/server/server.conf.

I have added password_secret and root_password_sha2 to this configuration file as indicated in the above page.

Sorry for this long email.

Could you attach the server.conf file, please?

@emgonzalez59

Hope you don’t mind, but I moved this post out of Development, which is the place to discuss and ask questions about the development of a Graylog-related project, and into Graylog Central; I believe this is an installation issue.

Hi H2Cyber,
I tried to upload it but I get an error saying that new users cannot upload files.

Hi H2Cyber,
Here is the error mentioned before.

Hello,
You could copy and paste your configuration, as shown here.

Here is the Status of the Graylog service:

ubuntu@ubuntu:~$ systemctl status graylog-server.service
● graylog-server.service - Graylog server
     Loaded: loaded (/lib/systemd/system/graylog-server.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Tue 2022-09-20 22:22:12 -03; 8s ago
       Docs: http://docs.graylog.org/
    Process: 2973 ExecStart=/usr/share/graylog-server/bin/graylog-server (code=exited, status=1/FAILURE)
   Main PID: 2973 (code=exited, status=1/FAILURE)

Hi there,

Maybe these logs are useful (they were extracted from /var/log/graylog-server/server.log):

2022-09-20T00:48:52.154-03:00 ERROR [CmdLineTool] Invalid configuration
com.github.joschi.jadconfig.ValidationException: Couldn’t run validator method
at com.github.joschi.jadconfig.JadConfig.invokeValidatorMethods(JadConfig.java:227) ~[graylog.jar:?]
at com.github.joschi.jadconfig.JadConfig.process(JadConfig.java:100) ~[graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.processConfiguration(CmdLineTool.java:464) [graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:270) [graylog.jar:?]
at org.graylog2.bootstrap.Main.main(Main.java:45) [graylog.jar:?]
Caused by: java.lang.reflect.InvocationTargetException
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at com.github.joschi.jadconfig.ReflectionUtils.invokeMethodsWithAnnotation(ReflectionUtils.java:53) ~[graylog.jar:?]
at com.github.joschi.jadconfig.JadConfig.invokeValidatorMethods(JadConfig.java:221) ~[graylog.jar:?]
… 4 more

Hello @emgonzalez59

What @H2Cyber needs is your configuration file for Graylog; judging from the partial log you posted, it may be the source of this issue.

Example:

[root@graylog elasticsearch]# cat /etc/graylog/server/server.conf | egrep -v "^\s*(#|$)"
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = epOqmLi7r7CdZxl76QOQxr8bRUPYstNdcBuajsaSNfG5bkXXFxy22EBT17elgGTUJgbD
root_password_sha2 =ef92b778bafe771e89245b89ecbc08a44a4e166c0665991
root_email = "greg.smith@domain.com"
root_timezone = America/Chicago
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = 192.168.1.100:9000
http_enable_cors = true

Notice the formatting??

Here is the server.conf file:

node_id_file = /etc/graylog/server/node-id
password_secret = <hash>
root_password_sha2 = <hash>
root_timezone = America/Argentina/Buenos_Aires
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = 127.0.0.1:9000
http_publish_uri = http://$http_bind_address
http_external_uri = $http_publish_uri
http_enable_cors = true
http_enable_gzip = true
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
proxied_requests_thread_pool_size = 32

Hi gsmith,

I found a way to show the server.conf content without including comments.

Here it is:

is_leader = true
node_id_file = /etc/graylog/server/node-id
password_secret = <hash>
root_password_sha2 = <hash>
root_timezone = America/Argentina/Buenos_Aires
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = 192.168.1.2:9000
http_publish_uri = http://192.168.1.2:9000
http_external_uri = $http_publish_uri
http_enable_cors = true
http_enable_gzip = true
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
proxied_requests_thread_pool_size = 32

Sorry, I am stuck on this installation issue… it may be difficult to troubleshoot, so if anyone can send me a server.conf file (obviously without private IP addresses) it will be appreciated… Thanks

@emgonzalez59

Here is mine.

[root@graylog journal]# cat /etc/graylog/server/server.conf | egrep -v "^\s*(#|$)"
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = epOqmLi7r7CdZxl76QOQxr8bRUPYstNdcBuajsa
root_password_sha2 =ef92b778bafe771e89245b89ecbc08a44a4e1
root_email = "greg.smith@domain.com"
root_timezone = America/Chicago
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = 192.168.1.100:9000
http_enable_cors = true
elasticsearch_hosts = http://127.0.0.1:9200
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = true
allow_highlighting = false
elasticsearch_analyzer = standard
elasticsearch_index_optimization_timeout = 1h
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
message_journal_max_size = 5gb
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost:27017/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
http_connect_timeout = 10s
proxied_requests_thread_pool_size = 32
[root@graylog journal]#

Logon URL

http://192.168.1.100:9000

The correct URI is http_publish_uri = http://192.168.1.2:9000/ or leave it default http://$http_bind_address/

Thanks, I tried with the default http://$http_bind_address/ and with http_publish_uri = http://192.168.1.2:9000/, but it did not work.
I will try some more time and then, unfortunately, I am thinking of another SIEM option. Thanks all for your help!

We would hate to see you go without solving the issue! I took some time to clean up your server.conf posts by using the forum tool </> (shown above in the reply/edit box), which sets the text up as preformatted and makes code and logs easier to read.

There look to be a couple of differences between your server.conf and the one that @gsmith posted for you; most notably, you are not defining where your Elasticsearch servers are:

elasticsearch_hosts = http://127.0.0.1:9200

If you are still up for the challenge, you could mirror @gsmith’s conf, adding what is missing and adjusting for your environment, and get things going… You did install Elasticsearch, right? You may have installed OpenSearch (newer Graylog instances would prefer OpenSearch, as Elasticsearch is nearly deprecated for Graylog).

Either way, good luck!!
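An added example (not posted by anyone in this thread): a small POSIX shell lint that reads a Graylog server.conf the same way the `egrep -v "^\s*(#|$)"` commands above do and flags the two mistakes seen in this thread, a missing `elasticsearch_hosts` and an `http_bind_address` on loopback (which makes the web UI unreachable from any other host), plus empty `password_secret`/`root_password_sha2`, which fail config validation at startup. The sample config at the bottom is constructed, modelled on the first config posted.

```shell
#!/bin/sh
# Lint a Graylog server.conf for the mistakes discussed in this thread.
# Added example; the checks are assumptions about what a sane install needs,
# not Graylog's own validator.

# conf_get FILE KEY -> print the value of KEY (comments/blank lines ignored)
conf_get() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
        | head -n 1
}

# lint_conf FILE -> one finding per line; returns 1 if anything was found
lint_conf() {
    conf="$1"
    rc=0
    if [ -z "$(conf_get "$conf" elasticsearch_hosts)" ]; then
        echo "MISSING elasticsearch_hosts (Graylog cannot reach its index backend)"
        rc=1
    fi
    bind="$(conf_get "$conf" http_bind_address)"
    case "$bind" in
        ""|127.0.0.1:*|localhost:*)
            echo "LOOPBACK http_bind_address='$bind' (UI only reachable on the host itself)"
            rc=1 ;;
    esac
    for key in password_secret root_password_sha2; do
        if [ -z "$(conf_get "$conf" "$key")" ]; then
            echo "MISSING $key (server refuses to start without it)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: loopback bind and no elasticsearch_hosts, as in the
# first server.conf posted in the thread.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# Graylog server.conf (trimmed, constructed sample)
is_leader = true
password_secret = <hash>
root_password_sha2 = <hash>
http_bind_address = 127.0.0.1:9000
http_publish_uri = http://$http_bind_address
EOF

if lint_conf "$SAMPLE"; then
    echo "no findings"
fi
```

Run it against a real file with `lint_conf /etc/graylog/server/server.conf`; after fixing the findings, `ss -ltn` should show port 9000 bound to the LAN address rather than 127.0.0.1.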

Hi there,
I have corrected the server.conf file and now it is as @gsmith posted for me… It is still not possible to access the Web GUI of the Graylog server (http://192.168.1.2:9000).
I am stuck, I do not know the cause of this issue…
FYI:

ubuntu@ubuntu:~$ systemctl status graylog-server.service
● graylog-server.service - Graylog server
     Loaded: loaded (/lib/systemd/system/graylog-server.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2022-10-06 12:49:50 -03; 2h 29min ago
       Docs: http://docs.graylog.org/
   Main PID: 1156 (graylog-server)
      Tasks: 15 (limit: 3416)
     Memory: 365.4M
     CGroup: /system.slice/graylog-server.service
             ├─1156 /bin/sh /usr/share/graylog-server/bin/graylog-server
             └─1395 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow -Djdk.tls.acknowledgeCloseNotify=true -Dlog4j2.formatMsgNoLookups=true -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEna>

Oct 06 12:49:50 ubuntu systemd[1]: Started Graylog server.
ubuntu@ubuntu:~$ ps aux | grep graylog
graylog     1156  0.0  0.0   2608   528 ?        Ss   12:49   0:00 /bin/sh /usr/share/graylog-server/bin/graylog-server
graylog     1395  0.1 10.5 3603908 316556 ?      Sl   12:49   0:12 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow -Djdk.tls.acknowledgeCloseNotify=true -Dlog4j2.formatMsgNoLookups=true -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -jar -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=deb /usr/share/graylog-server/graylog.jar server -f /etc/graylog/server/server.conf -np
ubuntu     10658  0.0  0.0   6432   656 pts/0    S+   15:19   0:00 grep --color=auto graylog

As you said, I have installed Elasticsearch. Do you recommend that I install OpenSearch? Do you know where to get instructions to do that?

Thanks!!

So we have your Graylog service up and running, but I still need to see what is going on now that things have changed. Could you post the results of the following commands… some of them are duplicates, but you have updated your instance and I don’t know what exactly was changed.

Please note: when you post code, use the “preformatted text” tool on any code, configuration or logs to make them more readable (as was done to some posts above). It is the </> tool in the reply edit box.

Use this to show us versions:

dpkg -l | grep -E ".*(elasticsearch|graylog|mongo|java).*"

Then show your updated server.conf:

cat /etc/graylog/server/server.conf | egrep -v "^\s*(#|$)"

Status of the Mongo/Elasticsearch services:

systemctl status mongod
systemctl status elasticsearch

IMPORTANT:
When you post your server.conf, you need to make sure that passwords and other private information are obfuscated, changed or removed.

Documentation for OpenSearch is here, but let’s get the server up and running before we worry about that part.

ubuntu@ubuntu:~$ dpkg -l | grep -E ".*(elasticsearch|graylog|mongo|java).*"
ii  ca-certificates-java                       20190405ubuntu1                     all          Common CA certificates (JKS keystore)
ii  elasticsearch-oss                          7.10.2                              amd64        Distributed RESTful search engine built for the cloud
ii  gir1.2-javascriptcoregtk-4.0:amd64         2.36.8-0ubuntu0.20.04.1             amd64        JavaScript engine library from WebKitGTK - GObject introspection data
ii  gjs                                        1.64.5-0ubuntu0.20.04.01            amd64        Mozilla-based javascript bindings for the GNOME platform
ii  graylog-4.3-repository                     1-5                                 all          Package to install Graylog 4.3 GPG key and repository
ii  graylog-enterprise-integrations-plugins    4.3.5-1                             all          Graylog Enterprise Integrations plugins
ii  graylog-enterprise-plugins                 4.3.5-1                             amd64        Graylog Enterprise plugins
ii  graylog-integrations-plugins               4.3.5-1                             all          Graylog Integrations plugins
ii  graylog-server                             4.3.5-1                             all          Graylog server
ii  java-common                                0.72                                all          Base package for Java runtimes
ii  libgjs0g:amd64                             1.64.5-0ubuntu0.20.04.01            amd64        Mozilla-based javascript bindings for the GNOME platform
ii  libjavascriptcoregtk-4.0-18:amd64          2.36.8-0ubuntu0.20.04.1             amd64        JavaScript engine library from WebKitGTK
ii  libjuh-java                                1:6.4.7-0ubuntu0.20.04.5            all          LibreOffice UNO runtime environment -- Java Uno helper
ii  libjurt-java                               1:6.4.7-0ubuntu0.20.04.5            all          LibreOffice UNO runtime environment -- Java Uno Runtime
ii  libridl-java                               1:6.4.7-0ubuntu0.20.04.5            all          LibreOffice UNO runtime environment -- base types and types access library for the Java Uno typesystem
ii  libunoloader-java                          1:6.4.7-0ubuntu0.20.04.5            all          LibreOffice UNO runtime environment -- (Java) UNO loader
ii  mongodb-org                                4.0.28                              amd64        MongoDB open source document-oriented database system (metapackage)
ii  mongodb-org-mongos                         4.0.28                              amd64        MongoDB sharded cluster query router
ii  mongodb-org-server                         4.0.28                              amd64        MongoDB database server
ii  mongodb-org-shell                          4.0.28                              amd64        MongoDB shell client
ii  mongodb-org-tools                          4.0.28                              amd64        MongoDB tools

ubuntu@ubuntu:~$ cat /etc/graylog/server/server.conf | egrep -v "^\s*(#|$)"
is_leader = true
node_id_file = /etc/graylog/server/node-id
password_secret = <REMOVED>
root_password_sha2 = <REMOVED>
root_email = <REMOVED>
root_timezone = America/Argentina/Buenos_Aires
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = 192.168.1.2:9000
http_enable_cors = true
elasticsearch_hosts = http://127.0.0.1:9200
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = true
allow_highlighting = false
elasticsearch_analyzer = standard
elasticsearch_index_optimization_timeout = 1h
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
message_journal_max_size = 5gb
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost:27017/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
http_connect_timeout = 10s
proxied_requests_thread_pool_size = 32
ubuntu@ubuntu:~$ systemctl status mongod
● mongod.service - MongoDB Database Server
     Loaded: loaded (/lib/systemd/system/mongod.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2022-10-06 12:49:47 -03; 4h 43min ago
       Docs: https://docs.mongodb.org/manual
   Main PID: 1071 (mongod)
     Memory: 150.3M
     CGroup: /system.slice/mongod.service
             └─1071 /usr/bin/mongod --config /etc/mongod.conf

Oct 06 12:49:47 ubuntu systemd[1]: Started MongoDB Database Server.

ubuntu@ubuntu:~$ systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
     Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sun 2011-01-02 12:18:47 -03; 11 years 9 months ago
       Docs: https://www.elastic.co
    Process: 1155 ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid --quiet (code=exited, status=1/FAILURE)
   Main PID: 1155 (code=exited, status=1/FAILURE)

Oct 06 12:49:50 ubuntu systemd[1]: Starting Elasticsearch...

Thanks again for your support!!

Hello,

Correct me if I’m wrong, but from what you posted all services (i.e. GL, ES & Mongo) are active?

If this is correct, what do the logs show?

root@graylog:/usr/local/bin# tail -f /var/log/graylog-server/server.log