Graylog stopped working randomly

beepjeep · September 7, 2020, 10:08am

Graylog randomly stopped working and I can’t find any hints to why in the log files. My current Graylog Version is “3.3” and it is running on Centos 7 on Linux. If you need any additional Information please tell me and I will provide the necessary data.

Best regards,
beepjeep

PS: All the Processes are “Running” and “Active”.

Ponet · September 7, 2020, 11:07am

What exactly do you mean by “it stops working”?

beepjeep · September 7, 2020, 11:09am

Everything is apparently “running” but I don’t receive any messages anymore. I’ve looked into all the log files and even deleted some to have a fresh log file to look at and I don’t see anything that’s wrong. @Ponet

Ponet · September 7, 2020, 11:12am

If you run tcpdump on your graylog server, can you see packets being received on your input ports?

Have you checked the message buffers under System > Nodes ?

Is elasticsearch healthy? Are the indexes writable?

beepjeep · September 7, 2020, 11:16am

Could you tell me how I can do that? I’m really fresh to Linux and Centos. Elasticsearch is “Healthy” and the indexes are writable. Would you like to have a look at the log files maybe? I’ve seen something along the lines of "Winlogbeat expected [winlogbeat_user_name] but got [keyword] instead."
@Ponet (sorry for the ping, wasn’t sure if you would see this)

Ponet · September 7, 2020, 11:26am

To check the message buffers, go to the node page on in the web interface.
You’ll find it under System > Nodes in the navbar.

For using tcpdump, see the below link:

From the error message, it sounds like there is a datatype mapping issue which could also be causing the problem.

beepjeep · September 7, 2020, 11:39am

This is what is on “Nodes”. Packets are being received. What exactly do you mean by “datatype missing issue” ?

Ponet · September 7, 2020, 11:53am

Click on the node to view the details.

As for the ES mapping, that isn’t really my strong suit but, when ES receives messages it analyses the fields and assigns a datatype in the field mappings. From that error, it looks as though the datatype ES is picking up for winlogbeat_user_name field value is ‘keyword’ but, that is not what it was expecting.
I’d recommend looking at the documentation:
https://docs.graylog.org/en/3.3/pages/configuration/elasticsearch.html#custom-index-mappings

beepjeep · September 7, 2020, 12:02pm

I’ll take a look into that but I’ll post this now.

I’ll keep you updated.

beepjeep · September 7, 2020, 12:49pm

Sadly I can’t seem to get it working… I don’t know what to do… Is there anyone on this community that you would recommend? @Ponet

ihe · September 10, 2020, 1:53pm

Hi,

do you run a cluster or a standalone?

Go on the Overview of the nodes https://yourgraylog.example/system/nodes
click on “More actions” on your stopped node:

Have a look at the thread dump and the process-buffer dump. Is there anything suspicous? We had this once with a runaway grok pattern.

system · September 24, 2020, 1:53pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog not receiving logs Graylog Central (peer support) sidecar	1	436	March 20, 2020
Graylog stops processing messages seemingly at random times Graylog Central (peer support)	7	1820	June 19, 2020
[Graylog sidecar] Winlogbeat working but no logs can be retrieved in Graylog GUI Graylog Central (peer support) sidecar , winlogbeat	6	1298	February 9, 2023
Graylog Randomly Stops Processing Graylog Central (peer support)	2	573	January 21, 2022
Graylog not getting logs Graylog Central (peer support)	3	774	February 20, 2022

Graylog stopped working randomly

Related topics