Handle "System messages" in the "Overview" section

mma · April 25, 2022, 8:48pm

Problem:
The Graylog GUI shows two years history of “System Messages” (“System / Overview” → “Overview” → “System message” section.

My environment:

Ubuntu 20.04.4 LTS
Graylog-server 4.2.8
MongoDB 4.0.28
Elasticsearch 6.8.23

Steps done so far:
I reduced the “Indices & Index Sets” retention and did delete all, but the latest / Index Sets.
The Graylog GUI still lists all (2 years) “System messages”.

**

Is it correct, that the “System messages” are stored in the MongoDB?
How can I delete the ?“System messages”?

Thanks and regards
Michael

gsmith · April 26, 2022, 3:49am

Hello,

MongoDb hold metadata.

I believe its stored in elasticsearch in binary files, but I’m not 100% sure

gsmith · April 26, 2022, 5:00am

@mma

I was looking into this, If you goto System/Node ->> API Browser.
Under System/Messages : Internal Graylog messages

You can see you System Messages.
Request URL

https://graylog.domain.com:9000/api/system/messages

Here is the Response header. Maybe you can do something with that.

{"Content-Encoding":"gzip","Content-Type":"application/json","Transfer-Encoding":"chunked","X-Graylog-Node-Id":"8e947fe4-fe2a-48a3-9f2c-786652326c9a","X-Runtime-Microseconds":"77031"}

patrickmann · April 26, 2022, 6:54am

System messages are stored in Mongo DB in collection system_messages.
We already have an issue to make an improvement to this:

github.com/Graylog2/graylog2-server

housekeeping for `system.messages` in MongoDB

opened 12:46PM - 10 Jul 19 UTC

jalogisch

feature triaged

## Context Graylog does not provide the option or the ability to make some kind… of house keeping on the mongoDB collection that is filled continuously. That might end in a huge mongoDB with an enormous `system.messages` collection that is of nearly no use. We should add one configuration flag (online available?) that holds the number of records or the time the internal logfile in the database should not go over. This will prevent Graylog server issues based on enormous MongoDB Databases. ## Your Environment * Graylog Version: 3.0 [Z#2485]

mma · April 26, 2022, 11:29am

Thanks gsmith and pattrickmann,

@gsmith: I’m able to query the logs. When I got it right, there are more than 360.000 log entries.

@patrickmann: The git issue for improvement contains the “command” needed for my purpose, but some additional steps have been needed for me to take benefit:

Install mongosh
Start mongosh and select the graylog db:

mongosh
show dbs
use graylog

Enter the sequence to delete system messages older than one month:

db.getCollection('system_messages').deleteMany({
    "timestamp":{
            $lt: new Date(new Date().setMonth(new Date().getMonth()-1))
    }
})

Result:“{ acknowledged: true, deletedCount: 362963 }”

(The system messages older than one month have been deleted)

Afterwards, I did release unneeded disk space:

db.getCollectionNames().forEach(function(collectionName){
print('Compacting: '+collectionName);
db.runCommand({compact: collectionName});
});

Thanks for your fast and helpful support!

Michael

gsmith · April 26, 2022, 10:11pm

@patrickmann

Good find This also had me puzzled.

system · May 10, 2022, 10:11pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog Messages Graylog Central (peer support)	4	358	December 10, 2018
Only message from the last 7 days are beeing displayed / Where are the old messages? Index/Streams Question Graylog Central (peer support)	11	1519	April 21, 2021
Messages are in indices but not able to show up on search query Graylog Central (peer support)	4	641	November 1, 2019
New messages left unprocessed Graylog Central (peer support)	1	762	August 29, 2017
Graylog not processing messages after crash (ran out of space) Graylog Central (peer support)	5	3628	April 20, 2020

Handle "System messages" in the "Overview" section

Related topics