How to increase out messages

Hi:
This is a Chinese user of Graylog. I have a question like this:

My cluster has 8 hosts for Elastic and 5 hosts for Graylog; every host has 128GB RAM and 48 CPUs. My Graylog config is like this:

is_master = false
node_id_file = /etc/graylog/server/node-id

root_timezone = Asia/Shanghai

allow_leading_wildcard_searches = false
allow_highlighting = true
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 30
outputbuffer_processors = 30
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true

message_journal_dir = /home/richmail/project/graylog-server/journal
message_journal_max_size = 20gb
lb_recognition_period_seconds = 3

mongodb_uri = mongodb://172.16.137.93/cx_graylog
mongodb_max_connections = 2000
mongodb_threads_allowed_to_block_multiplier = 5
proxied_requests_thread_pool_size = 32

When the rotation happened, the out messages are very low. How to resolve this? Please...

By the way, I have 6 indices; every index config is:
Index prefix:push-mesgdel
Shards:4
Replicas:0
Field type refresh interval:30 seconds
Index rotation strategy:Index Time
Rotation period:P1D (1d, a day)
Index retention strategy:Delete
Max number of indices:20

You might need to adjust the configuration for Elasticsearch. As your output buffer is filled, I guess that Elasticsearch is not working properly.

If you share the configuration of Elasticsearch, the JVM Settings and your architecture we might be able to help.

elasticsearch.yml

cluster.name: cx_graylog
action.auto_create_index: false
node.name: es-node-108
path.data: /home/richmail/project/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
bootstrap.system_call_filter: false

network.host: 172.16.137.108
http.port: 9200
discovery.zen.ping.unicast.hosts: ["172.16.137.50", "172.16.137.51", "172.16.137.108"]
discovery.zen.minimum_master_nodes: 2

jvm.options
-Xms32g
-Xmx32g
I just changed Xms to 32g in jvm.options

Global inputs

  • bind_address:0.0.0.0
  • no_beats_prefix:false
  • number_worker_threads:24
  • override_source:
  • port:8044
  • recv_buffer_size:1048576
  • tcp_keepalive:false
  • tls_cert_file:
  • tls_client_auth:disabled

architecture
I use sidecar to control filebeat
filebeat --> graylog (beats) --> es

What kind of storage did you use for Elasticsearch?

You might want to create 8 shards so that for all indices you have a shard on each Elasticsearch server - or even 16 to be able to scale that if needed. Currently you push the load each day to 4 Elasticsearch servers only.
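One way to verify the shard spread described in the reply above (an added example, not part of the original thread): the script parses the default-column output of Elasticsearch's `GET _cat/shards` and reports, per index, which data nodes hold no shard. The sample output, the index numbers, and every node name and IP other than es-node-108, 172.16.137.50, .51 and .108 are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of `GET _cat/shards` output. Default columns are:
# index shard prirep state docs store ip node
# push-mesgdel_12 models the current 4-shard setting, push-mesgdel_13 the
# suggested 8 shards. Index suffixes and most node names are made up.
SAMPLE = """\
push-mesgdel_12 0 p STARTED 51234567 40.1gb 172.16.137.50 es-node-50
push-mesgdel_12 1 p STARTED 51230011 40.0gb 172.16.137.51 es-node-51
push-mesgdel_12 2 p STARTED 51229876 39.9gb 172.16.137.108 es-node-108
push-mesgdel_12 3 p STARTED 51231200 40.2gb 172.16.137.52 es-node-52
push-mesgdel_13 0 p STARTED 1200345 1.1gb 172.16.137.50 es-node-50
push-mesgdel_13 1 p STARTED 1200111 1.1gb 172.16.137.51 es-node-51
push-mesgdel_13 2 p STARTED 1199876 1.0gb 172.16.137.52 es-node-52
push-mesgdel_13 3 p STARTED 1201200 1.1gb 172.16.137.53 es-node-53
push-mesgdel_13 4 p STARTED 1200900 1.1gb 172.16.137.54 es-node-54
push-mesgdel_13 5 p STARTED 1200457 1.1gb 172.16.137.55 es-node-55
push-mesgdel_13 6 p STARTED 1199990 1.0gb 172.16.137.56 es-node-56
push-mesgdel_13 7 p STARTED 1200023 1.1gb 172.16.137.108 es-node-108
"""

# The 8 Elasticsearch hosts of the cluster (names are assumptions).
DATA_NODES = ["es-node-%d" % n for n in (50, 51, 52, 53, 54, 55, 56, 108)]


def shard_coverage(cat_shards_text, data_nodes):
    """Return {index: (nodes holding a started shard, nodes holding none)}."""
    holders = defaultdict(set)
    for line in cat_shards_text.splitlines():
        cols = line.split()
        # Unassigned shards lack the ip/node columns; relocating or
        # initializing shards are not serving writes yet. Skip both.
        if len(cols) < 8 or cols[3] != "STARTED":
            continue
        holders[cols[0]].add(cols[7])
    return {
        index: (sorted(nodes), sorted(set(data_nodes) - nodes))
        for index, nodes in holders.items()
    }


if __name__ == "__main__":
    for index, (used, idle) in sorted(shard_coverage(SAMPLE, DATA_NODES).items()):
        print(f"{index}: {len(used)} of {len(DATA_NODES)} nodes hold a shard; "
              f"no shard on: {', '.join(idle) or 'none'}")
```

With 0 replicas, every node listed as holding no shard of the current write index takes none of that day's indexing load.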

Thanks, I will try to create 8 shards.
