2019-08-27T09:50:26.126Z INFO [NetworkListener] Started listener bound to [127.0.0.1:9000]
2019-08-27T09:50:26.128Z INFO [HttpServer] [HttpServer] Started.
2019-08-27T09:50:26.128Z INFO [JerseyService] Started REST API at <127.0.0.1:9000>
2019-08-27T09:50:26.129Z INFO [ServiceManagerListener] Services are healthy
2019-08-27T09:50:26.130Z INFO [InputSetupService] Triggering launching persisted inputs, node transitioned from Uninitialized [LB:DEAD] to Running [LB:ALIVE]
2019-08-27T09:50:26.130Z INFO [ServerBootstrap] Services started, startup times in ms: {OutputSetupService [RUNNING]=75, GracefulShutdownService [RUNNING]=75, KafkaJournal [RUNNING]=78, BufferSynchronizerService [RUNNING]=94, InputSetupService [RUNNING]=319, JobSchedulerService [RUNNING]=331, EtagService [RUNNING]=331, JournalReader [RUNNING]=333, ConfigurationEtagService [RUNNING]=367, MongoDBProcessingStatusRecorderService [RUNNING]=611, StreamCacheService [RUNNING]=808, PeriodicalsService [RUNNING]=817, LookupTableService [RUNNING]=3603, JerseyService [RUNNING]=34758}
2019-08-27T09:50:26.182Z WARN [PersistedInputsImpl] Cannot instantiate persisted input. No such type [org.graylog.aws.inputs.cloudtrail.CloudTrailInput].
2019-08-27T09:50:26.377Z WARN [AbstractTcpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogTCPInput{title=Syslog TCP, type=org.graylog2.inputs.syslog.tcp.SyslogTCPInput, nodeId=760cc826-3cbd-49a6-95f3-8a701af1c70a} (channel [id: 0xe994b7f8, L:/172.17.1.87:5046]) should be 1048576 but is 425984.
2019-08-27T09:50:26.383Z WARN [AbstractTcpTransport] receiveBufferSize (SO_RCVBUF) for input GELFTCPInput{title=gelf-tcp, type=org.graylog2.inputs.gelf.tcp.GELFTCPInput, nodeId=760cc826-3cbd-49a6-95f3-8a701af1c70a} (channel [id: 0x776a8d13, L:/172.17.1.87:5044]) should be 104857600 but is 425984.
2019-08-27T09:50:26.386Z WARN [AbstractTcpTransport] receiveBufferSize (SO_RCVBUF) for input GELFTCPInput{title=ADFS Gelf TCP, type=org.graylog2.inputs.gelf.tcp.GELFTCPInput, nodeId=null} (channel [id: 0xf9edb473, L:/172.17.1.87:5045]) should be 1048576 but is 425984.
2019-08-27T09:50:26.488Z INFO [ServerBootstrap] Graylog server up and running.
2019-08-27T09:50:26.489Z ERROR [AuditLogger] Unable to write audit log entry because there is no valid license.
2019-08-27T09:50:26.493Z INFO [InputStateListener] Input [GELF TCP/5a71782464058a23adcfc111] is now STARTING
2019-08-27T09:50:26.508Z INFO [InputStateListener] Input [Syslog TCP/5bdbfadd64058a26d83fb324] is now STARTING
2019-08-27T09:50:26.510Z INFO [InputStateListener] Input [Syslog TCP/5bdbfadd64058a26d83fb324] is now RUNNING
2019-08-27T09:50:26.521Z INFO [InputStateListener] Input [GELF TCP/5b9f16f664058a26d8fda7d1] is now RUNNING
2019-08-27T09:50:26.522Z INFO [InputStateListener] Input [GELF TCP/5a71782464058a23adcfc111] is now RUNNING
2019-08-27T09:50:26.524Z INFO [InputStateListener] Input [GELF TCP/5b9f16f664058a26d8fda7d1] is now STARTING
2019-08-27T09:50:52.083Z INFO [AggregatesMaintenance] Removed 0 history items
The graylog server.conf file looks ok to me. Selinux status is set to disabled & firewalld isn’t loaded.
Any pointers what might went wrong post update, and how to revive graylog?
I have left the mongodb to version 3.2 as i was running into upgrade issues.
I have updated server.conf with new settings. Restarted the server, graylog server.log shows graylog is up & running, quite similar to what was before.
However, the web interface isn’t up & running yet.
Here is the copy of snippet of server.conf file where changes were done
# If you are running more than one instances of Graylog server you have to select one of these
# instances as master. The master will perform some periodical tasks that non-masters won't perform.
is_master = true
# The auto-generated node ID will be stored in this file and read after restarts. It is a good idea
# to use an absolute file path here if you are starting Graylog server from init scripts or similar.
node_id_file = /etc/graylog/server/node-id
# You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
# Generate one by using for example: pwgen -N 1 -s 96
password_secret =xxxxxxx
# The default root user is named 'admin'
#root_username = admin
# You MUST specify a hash password for the root user (which you only need to initially set up the
# system and in case you lose connectivity to your authentication backend)
# This password cannot be changed using the API or via the web interface. If you need to change it,
# modify it in this file.
# Create one by using for example: echo -n yourpassword | shasum -a 256
# and put the resulting hash value into the following line
root_password_sha2=xxxxxxx
# The email address of the root user.
# Default is empty
root_email = "siem@noreply.domain.com"
# The time zone setting of the root user. See http://www.joda.org/joda-time/timezones.html for a list of valid time zones.
# Default is UTC
#root_timezone = UTC
# Set the bin directory here (relative or absolute)
# This directory contains binaries that are used by the Graylog server.
# Default: bin
bin_dir = /usr/share/graylog-server/bin
# Set the data directory here (relative or absolute)
# This directory is used to store Graylog server state.
# Default: data
data_dir = /var/lib/graylog-server
# Set plugin directory here (relative or absolute)
plugin_dir = /usr/share/graylog-server/plugin
###############
# HTTP settings
###############
#### HTTP bind address
#
# The network interface used by the Graylog HTTP interface.
#
# This network interface must be accessible by all Graylog nodes in the cluster and by all clients
# using the Graylog web interface.
#
# If the port is omitted, Graylog will use port 9000 by default.
#
# Default: 127.0.0.1:9000
#http_bind_address = 127.0.0.1:9000
#http_bind_address = [2001:db8::1]:9000
#### HTTP publish URI
#
# The HTTP URI of this Graylog node which is used to communicate with the other Graylog nodes in the cluster and by all
# clients using the Graylog web interface.
#
# The URI will be published in the cluster discovery APIs, so that other Graylog nodes will be able to find and connect to this Graylog node.
#
# This configuration setting has to be used if this Graylog node is available on another network interface than $http_bind_address,
# for example if the machine has multiple network interfaces or is behind a NAT gateway.
#
# If $http_bind_address contains a wildcard IPv4 address (0.0.0.0), the first non-loopback IPv4 address of this machine will be used.
# This configuration setting *must not* contain a wildcard address!
#
# Default: http://$http_bind_address/
http_publish_uri = http://graylog.domain.com:9000/
#### External Graylog URI
#
# The public URI of Graylog which will be used by the Graylog web interface to communicate with the Graylog REST API.
#
# The external Graylog URI usually has to be specified, if Graylog is running behind a reverse proxy or load-balancer
# and it will be used to generate URLs addressing entities in the Graylog REST API (see $http_bind_address).
#
# When using Graylog Collector, this URI will be used to receive heartbeat messages and must be accessible for all collectors.
#
# This setting can be overriden on a per-request basis with the "X-Graylog-Server-URL" HTTP request header.
#
# Default: $http_publish_uri
#http_external_uri =
#### Enable CORS headers for HTTP interface
#
# This is necessary for JS-clients accessing the server directly.
# If these are disabled, modern browsers will not be able to retrieve resources from the server.
# This is enabled by default. Uncomment the next line to disable it.
#http_enable_cors = false
#### Enable GZIP support for HTTP interface
#
# This compresses API responses and therefore helps to reduce
# overall round trip times. This is enabled by default. Uncomment the next line to disable it.
#http_enable_gzip = false
# The maximum size of the HTTP request headers in bytes.
#http_max_header_size = 8192
# The size of the thread pool used exclusively for serving the HTTP interface.
#http_thread_pool_size = 16
################
# HTTPS settings
################
#### Enable HTTPS support for the HTTP interface
#
# This secures the communication with the HTTP interface with TLS to prevent request forgery and eavesdropping.
#
# Default: false
http_enable_tls = true
# The X.509 certificate chain file in PEM format to use for securing the HTTP interface.
http_tls_cert_file = /etc/graylog/graylog-certificate.pem
# The PKCS#8 private key file in PEM format to use for securing the HTTP interface.
http_tls_key_file = /etc/graylog/graylog-key.pem
# The password to unlock the private key used for securing the HTTP interface.
http_tls_key_password = xxxxxxx
Your Graylog is bound to localhost on the Graylog server, but announce http://graylog.domain.com:9000/ as reachable endpoint. Do you work on localhost of your server?
Thanks for the clarification @jan I figured it wasn’t a hard requirement as his system is working, but since it’s listed in the documentation as a requirement, I mention it