Graylog stopped saving data to Elasticsearch after output had been configured

In our company we are running Graylog server (free version) 4.0.1 (single-node) with Elasticsearch 7.10 and Kibana, also version 7.10 (both are on the same server as Graylog). But in the last couple of days we’ve encountered strange behavior from Graylog. When we configured Graylog outputs (GELF Output - TCP) on one stream and the destination server was unavailable at that moment, Graylog stopped saving messages into Elasticsearch and saved them only into the Elasticsearch journal. When we deleted the created outputs, everything worked correctly.

So I would like to ask whether it is possible to save messages into Elasticsearch (and simultaneously into the journal) even though the destination Graylog server (configured in the GELF output) is temporarily unavailable?

Thanks for your time,

Hey Milan,

at the moment the outputs are done in serial, where the Elasticsearch output is always the last.

As you have used TCP, the receiver needs to be present to deliver a message properly. After the outputs are done (properly), the last output is Elasticsearch.

This can’t be changed (at the moment of writing) but might be in the future. Use non-blocking methods like UDP or be aware that an unavailable receiver creates issues in your Graylog.
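
The transport difference behind this advice, as an added example that is not part of the original thread or Graylog's own code: it sends one GELF 1.1 message to a loopback port with no listener, first over TCP and then over UDP. The host name, message text and helper names are constructed for the illustration.

```python
import json
import socket
import time


def gelf_payload(short_message, host="graylog-node"):
    """Build a GELF 1.1 message as UTF-8 JSON bytes (host name is a constructed sample)."""
    return json.dumps({
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time(),
        "level": 6,
    }).encode("utf-8")


def unused_local_port():
    """Return a loopback port with no listener, standing in for the unavailable receiver."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def send_gelf_tcp(payload, addr, timeout=2.0):
    """GELF over TCP: needs an established connection; each frame ends with a null byte."""
    try:
        with socket.create_connection(addr, timeout=timeout) as conn:
            conn.sendall(payload + b"\x00")
        return True
    except OSError:
        return False  # refused or timed out: the sender must wait, retry or drop


def send_gelf_udp(payload, addr):
    """GELF over UDP: one datagram, no handshake, so an absent receiver goes unnoticed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, addr) == len(payload)


def demo():
    """Send the same message both ways to a port where nothing is listening."""
    addr = ("127.0.0.1", unused_local_port())
    msg = gelf_payload("constructed test message")
    return {"tcp": send_gelf_tcp(msg, addr), "udp": send_gelf_udp(msg, addr)}


if __name__ == "__main__":
    print(demo())
```

The UDP send reports success only because nothing confirms delivery: messages sent while the receiver is down are lost without any error, which matters if the forwarded stream feeds alerting or audit retention.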

Hi Jan,
thank you so much for your time and helpful explanation.

