Graylog node memory leak / OOM

Graylog Central (peer support)
, ,
11

Graylog Node 1

1 ~]# cat /etc/graylog/server/server.conf | egrep -v "^\s*(#|$)"
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = [snip]
root_password_sha2 = [snip]
plugin_dir = /usr/share/graylog-server/plugin
rest_listen_uri = http://10.2.81.244:9000/api/
web_listen_uri = http://10.2.81.244:9000/
web_endpoint_uri = http://10.2.81.244:9000/api/
elasticsearch_hosts = http://elastic1.local:9200,http://elastic2.local:9200
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 20
outputbuffer_processors = 15
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://graylog:[snip]@graylog1.local:27017,graylog2.local:27017,graylog3.local:27017/graylog?replicaSet=rs01
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
transport_email_enabled = true
transport_email_hostname = apprelay.local
transport_email_port = 25
transport_email_use_tls = false
transport_email_use_ssl = false
transport_email_from_email = graylog@graylog.local
transport_email_web_interface_url = https://graylog.local
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32

Graylog Node 2

2~]# cat /etc/graylog/server/server.conf | egrep -v "^\s*(#|$)"
is_master = false
node_id_file = /etc/graylog/server/node-id
password_secret = [snip]
root_password_sha2 = [snip]
plugin_dir = /usr/share/graylog-server/plugin
rest_listen_uri = http://10.2.81.245:9000/api/
web_listen_uri = http://10.2.81.245:9000/
web_endpoint_uri = http://10.2.81.245:9000/api/
elasticsearch_hosts = http://elastic1.local:9200,http://elastic2.local:9200
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 20
outputbuffer_processors = 15
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://graylog:[snip]@graylog1.local:27017,graylog2.local:27017,graylog3.local:27017/graylog?replicaSet=rs01
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
transport_email_enabled = true
transport_email_hostname = apprelay.local
transport_email_port = 25
transport_email_use_tls = false
transport_email_use_ssl = false
transport_email_from_email = graylog@graylog.local
transport_email_web_interface_url = https://graylog.local
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32

Graylog Node 3

3~]# cat /etc/graylog/server/server.conf | egrep -v "^\s*(#|$)"
is_master = false
node_id_file = /etc/graylog/server/node-id
password_secret = [snip]
root_password_sha2 = [snip]
plugin_dir = /usr/share/graylog-server/plugin
rest_listen_uri = http://10.2.81.246:9000/api/
web_listen_uri = http://10.2.81.246:9000/
web_endpoint_uri = http://10.2.81.246:9000/api/
elasticsearch_hosts = http://elastic1.local:9200,http://elastic2.local:9200
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 20
outputbuffer_processors = 15
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://graylog:[snip]@graylog1.local:27017,graylog2.local:27017,graylog3.local:27017/graylog?replicaSet=rs01
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
transport_email_enabled = true
transport_email_hostname = apprelay.local
transport_email_port = 25
transport_email_use_tls = false
transport_email_use_ssl = false
transport_email_from_email = graylog@graylog.local
transport_email_web_interface_url = https://graylog.local
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32