Graylog not functioning


(Donny Jekels) #1

I inherited this setup and with graylog running on Ubuntu 16.04.4 LTS

graylog-server version is 2.3.2-1
elasticsearch is version 5.6.7
mongodb is version` 3.6.3~rc1

here is a synopsis of the current situation.
In the Default Index Set, we have 1 indices but it’s not attached or something.

here:
1 indices with a total of 0 messages under management, current write-active index is .

the ES cluster shows up green.
the inputs are gelf udp and syslog udp. i can see lots of messages coming in but under search. it shows

Nothing found

Any help in this matter would be greatly appreciated.
Thank you


(Donny Jekels) #2

the search produces zero results. so took the json from the output hyperlink that reads “show the jason output” and ran it against the ES server

got this:

{
“error” : {
“root_cause” : [
{
“type” : “action_request_validation_exception”,
“reason” : “Validation Failed: 1: no settings to update;”
}
],
“type” : “action_request_validation_exception”,
“reason” : “Validation Failed: 1: no settings to update;”
},
“status” : 400
}


(Jochen) #3

Check the logs of your Graylog and Elasticsearch nodes.
:arrow_right: http://docs.graylog.org/en/2.4/pages/configuration/file_location.html


(Donny Jekels) #4

I don’t see anything in the logs that is clear, should I be looking for anything in particular.

Also this keeps popping up in the graylog console.

Deflector exists as an index and is not an alias. (triggered 12 hours ago)
The deflector is meant to be an alias but exists as an index. Multiple failures of infrastructure can lead to this. Your messages are still indexed but searches and all maintenance tasks will fail or produce incorrect results. It is strongly recommend that you act as soon as possible.

I tried deleting it without luck.


(Jochen) #5

http://docs.graylog.org/en/2.4/pages/faq.html#how-do-i-fix-the-deflector-exists-as-an-index-and-is-not-an-alias-error-message


(Donny Jekels) #6

alright, I do not understand what they mean by

Stop all Graylog nodes ???
is this done via the linux command line “systemctl stop graylog-server” because if i do this then the webconsole goes away


(Jochen) #7

On Ubuntu Linux with official DEB package, that would work.


(Donny Jekels) #8

OK, If I do that then my webconsole no longer works.


(Jochen) #9

Yes, because you’ve stopped Graylog. :thinking:


(Donny Jekels) #10
  1. Stop all Graylog nodes
  2. Delete the graylog_deflector index via Elasticsearch Delete Index API
    (i don’t know how to do this)

(Jochen) #11

That’s why there is a link to https://www.elastic.co/guide/en/elasticsearch/reference/5.6/indices-delete-index.html in the documentation you’ve quoted.

# curl -X DELETE 'http://127.0.0.1:9200/graylog_deflector'

(Donny Jekels) #12

ok great,

i ran this on the elasticsearch machine after I stopped the graylog-server

root@ip-10-200-18-77:~# curl -X DELETE ‘http://127.0.0.1:9200/graylog_deflector
{“acknowledged”:true}
root@ip-10-200-18-77:~#

so it looks like the Default Index Set uses
1 indices with a total of 8,304 messages under management, current write-active index is graylog_0.

and we have logs in the search field; thank you very much Juston


(system) #13

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.