Graylog not functioning

Graylog Central (peer support)
1

I inherited this setup and with graylog running on Ubuntu 16.04.4 LTS

graylog-server version is 2.3.2-1
elasticsearch is version 5.6.7
mongodb is version` 3.6.3~rc1

here is a synopsis of the current situation.
In the Default Index Set, we have 1 indices but it’s not attached or something.

here:
1 indices with a total of 0 messages under management, current write-active index is .

the ES cluster shows up green.
the inputs are gelf udp and syslog udp. i can see lots of messages coming in but under search. it shows

Nothing found

Any help in this matter would be greatly appreciated.
Thank you

2

the search produces zero results. so took the json from the output hyperlink that reads “show the jason output” and ran it against the ES server

got this:

{
“error” : {
“root_cause” : [
{
“type” : “action_request_validation_exception”,
“reason” : “Validation Failed: 1: no settings to update;”
}
],
“type” : “action_request_validation_exception”,
“reason” : “Validation Failed: 1: no settings to update;”
},
“status” : 400
}

3

Check the logs of your Graylog and Elasticsearch nodes.
:arrow_right: http://docs.graylog.org/en/2.4/pages/configuration/file_location.html

4

I don’t see anything in the logs that is clear, should I be looking for anything in particular.

Also this keeps popping up in the graylog console.

Deflector exists as an index and is not an alias. (triggered 12 hours ago)
The deflector is meant to be an alias but exists as an index. Multiple failures of infrastructure can lead to this. Your messages are still indexed but searches and all maintenance tasks will fail or produce incorrect results. It is strongly recommend that you act as soon as possible.

I tried deleting it without luck.

5

http://docs.graylog.org/en/2.4/pages/faq.html#how-do-i-fix-the-deflector-exists-as-an-index-and-is-not-an-alias-error-message

6

alright, I do not understand what they mean by

Stop all Graylog nodes ???
is this done via the linux command line “systemctl stop graylog-server” because if i do this then the webconsole goes away

7

On Ubuntu Linux with official DEB package, that would work.

8

OK, If I do that then my webconsole no longer works.

9

Yes, because you’ve stopped Graylog. :thinking:

10
  1. Stop all Graylog nodes
  3. Delete the graylog_deflector index via Elasticsearch Delete Index API
    (i don’t know how to do this)
11

That’s why there is a link to Delete Index | Elasticsearch Reference [5.6] | Elastic in the documentation you’ve quoted.

# curl -X DELETE 'http://127.0.0.1:9200/graylog_deflector'
12

ok great,

i ran this on the elasticsearch machine after I stopped the graylog-server

root@ip-10-200-18-77:~# curl -X DELETE ‘http://127.0.0.1:9200/graylog_deflector
{“acknowledged”:true}
root@ip-10-200-18-77:~#

so it looks like the Default Index Set uses
1 indices with a total of 8,304 messages under management, current write-active index is graylog_0.

and we have logs in the search field; thank you very much Juston

13

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.