Graylog on single server


I have configured on AWS ec2 instance Graylog, on Single instance everything is running on single machine, is it creates any problems.


Do you have a specific question?
Maybe elaborate on your problem.

Does it creates any problem Web portal, elastic search and gralylog2 on single instance.


No, that should work totally fine if the machine has sufficient resources (e. g. minimum of 4 GB of memory).

thank you,

/var/lib/elasticsearch/ currently my data store path is default one if i change to different directory /esdata/data , changed in configuration also vim /etc/elasticsearch/elasticsearch.yml but process is getting failed due to data store path is different.

Please elaborate and provide all necessary details to reproduce the issue.

want to change default data store index directory

after changing the logs and data directory i am getting below error.

Caused by: java.nio.file.AccessDeniedException: /esdata/data/nodes/0/indices/6vNyq9htSXOWBrqL9mgI_A/_state/.es_temp_file
        at sun.nio.fs.UnixException.translateToIOException( ~[?:?]
        at sun.nio.fs.UnixException.rethrowAsIOException( ~[?:?]
        at sun.nio.fs.UnixException.rethrowAsIOException( ~[?:?]
        at sun.nio.fs.UnixFileSystemProvider.newByteChannel( ~[?:?]

Does the system user running Elasticsearch have sufficient permissions to access that path?
What’s the output of the following commands?

# namei -l /esdata/data/nodes/0/indices/
# namei -l /esdata/data/nodes/0/indices/6vNyq9htSXOWBrqL9mgI_A/_state/
# namei -l /esdata/data/nodes/0/indices/6vNyq9htSXOWBrqL9mgI_A/_state/.es_temp_file

Thank you its working now

Great! What was the problem?

Permission issue for particular directory

Now after rebooting machine,
getting below error in dashboard
Could not execute search
There was an error executing your search. Please check your Graylog server logs for more information.

Error Message:
Unable to perform search query.
Search status code:
Search response:
cannot GET http://pulicip:9000/api/search/universal/relative?query=*&range=300&limit=150&sort=timestamp%3Adesc (500)

Maybe you should do this…


I am not able to see the full logs, i have installed on client machine nxlog,
in portal shows only the below mentioned out put, not complete logs.

2018-02-23 13:06:19.000 ip-x.x.x.x
[2018-02-23 07:36:19.197][http-nio-8080-exec-4][INFO][c.c.a.d.Us


Sorry, but if you don’t provide the respective logs, we’re unable to help you.

You can probably download the log files from the machine running Graylog (and Elasticsearch) with an SSH or SCP client.

Graylog-server logs

ERROR [DecodingProcessor] Error processing message RawMessage{id=0c7f2d47-187d-11e8-828a-02824ea336b6, journalOffset=3264785, codec=gelf, payloadSize=124, timestamp=2018-02-23T09:36:39.444Z, remoteAddress=/x.x.x.x:38659}
com.fasterxml.jackson.core.JsonParseException: Illegal character ((CTRL-CHAR, code 6)): only regular white space (\r, \n, \t) is allowed between tokens

for elasticsearch there is no error
[o.e.c.r.a.AllocationService] [_Y24BH1] Cluster health status changed from [RED] to [GREEN] (reason: [shards started [[graylog_0][0]] …

curl -XGET ‘localhost:9200/_cluster/health?pretty’
“cluster_name” : “graylog”,
“status” : “green”,
“timed_out” : false,
“number_of_nodes” : 1,
“number_of_data_nodes” : 1,
“active_primary_shards” : 1,
“active_shards” : 1,
“relocating_shards” : 0,
“initializing_shards” : 0,
“unassigned_shards” : 0,
“delayed_unassigned_shards” : 0,
“number_of_pending_tasks” : 0,
“number_of_in_flight_fetch” : 0,
“task_max_waiting_in_queue_millis” : 0,
“active_shards_percent_as_number” : 100.0

This points to an invalid GELF message received by a GELF TCP or UDP input.

I am using both side TCP only

Problem is resolved after adding this parameter in ShortMessageLength -1 in nxlog.conf parameter.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.