Graylog Web interface Error. connection Closed for messages widget

This has driven me up a wall for hours. I’m using the most recent versions of Graylog and Elasticsearch. Everything seems configured correctly until I get in the web interface. Under the messages tab it says "While retrieving data for this widget, the following error(s) occurred: Connection is closed." I’ve tried all possible combinations of IP in the Graylog and Elasticsearch configuration files. The error in the Elasticsearch log says not ssl/tls record and unable to index audit log. If you have anything for me I’d greatly appreciate it. The github to the configuration files and log file

Hello && Welcome @Herald

This error could be a couple different things.
Ok, so I went over your Elasticsearch and Graylog configuration. I was going to tell you to try a couple of different settings, but instead, going off of the information you gave us, I did a mockup.
Double check to make sure the info below is correct.

Graylog_config_suggestion

```
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = 2nzTCxwgz51WOv4UJ099j9YZ6VbdcyN2luumku4rwd8H5Rt2meLmYnyaN0ibtUA8SvCiypNRAMK2dXUXuTzccW99wQCiDyYB
root_password_sha2 = 91b32b192b6e1e4c48a939d3b49387e14c9f00982d7b9664c6dc7d5f2723479b
root_email = "my_email_address"
root_timezone = America/Chicago
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = 10.169.16.17:9000
http_enable_cors = true
elasticsearch_hosts = http://10.169.16.17:9200
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = true
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 5000
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
message_journal_max_size = 12gb
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost:27017/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
http_connect_timeout = 10s
```

Elasticsearch_config_suggestion

```
cluster.name: graylog
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 10.169.16.17
http.port: 9200
action.auto_create_index: false
discovery.type: single-node
```

And since you are using a public IP address for Elasticsearch

hosts_file_suggestion

```
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.169.16.17 some.domain.com  # or localhost
```

You may want to re-read the documentation

https://docs.graylog.org/docs/ubuntu
https://docs.graylog.org/docs/debian
https://docs.graylog.org/docs/centos

Hope that helps
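
Added example, not part of the original posts and not Graylog's or Elasticsearch's own code: a "not an SSL/TLS record" entry in the Elasticsearch log typically means a plaintext client reached a listener that expects TLS, so this script cross-checks the scheme, host and port in `elasticsearch_hosts` against the Elasticsearch HTTP settings. The sample input is constructed from the settings suggested above; the function names, the fallback defaults, and the reading of a missing `xpack.security.http.ssl.enabled` key as "TLS off" are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample input, taken from the settings suggested in the reply above.
GRAYLOG_CONF = """\
http_bind_address = 10.169.16.17:9000
elasticsearch_hosts = http://10.169.16.17:9200
"""
ES_YML = """\
cluster.name: graylog
network.host: 10.169.16.17
http.port: 9200
discovery.type: single-node
"""

def parse_flat(text, sep):
    """Parse flat 'key<sep>value' lines, skipping blanks and # comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and sep in line:
            key, value = line.split(sep, 1)
            out[key.strip()] = value.strip().strip('"')
    return out

def check(graylog_conf, es_yml):
    """Return mismatches between elasticsearch_hosts and the Elasticsearch HTTP listener."""
    gl, es = parse_flat(graylog_conf, "="), parse_flat(es_yml, ":")
    # Assumption: a missing xpack.security.http.ssl.enabled key means plain HTTP.
    tls_on = es.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    # Assumption: fallback values when the keys are absent (loopback, port 9200).
    es_host = es.get("network.host", "127.0.0.1")
    es_port = es.get("http.port", "9200")
    findings = []
    for raw in gl.get("elasticsearch_hosts", "http://127.0.0.1:9200").split(","):
        url = urlsplit(raw.strip())
        target = f"{url.hostname}:{url.port or 9200}"  # never echo URL credentials
        if (url.scheme == "https") != tls_on:
            findings.append(f"{target}: scheme is {url.scheme}, Elasticsearch TLS is "
                            f"{'on' if tls_on else 'off'}")
        if es_host != "0.0.0.0" and url.hostname != es_host:
            findings.append(f"{target}: host differs from network.host {es_host}")
        if str(url.port or 9200) != es_port:
            findings.append(f"{target}: port differs from http.port {es_port}")
    return findings

if __name__ == "__main__":
    for finding in check(GRAYLOG_CONF, ES_YML) or ["configs agree"]:
        print(finding)
```

An empty result only means the two files agree with each other; both services still need a restart to pick up changes.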
