Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question. Don’t forget to select tags to help index your topic!
1. Describe your incident:
I upgraded a working Graylog Enterprise installation today to the latest version 5.2.3. I am able to login into Graylog, but after that I get http 400 responses for all subsequent request. A valid license is installed.
I do not see any error message in the logfiles with a hint for the reason.
2. Describe your environment:
OS Information:
Ubuntu 20.04.6
Package Version:
I had a Graylog 5.1.6 installation using elastic search 7.2 and MongoDB 5.0.24 and tried to upgrade to Graylog 5.2.3. I updated using:
I am using the included JVM, that ist “Eclipse Adoptium 17.0.9” or
openjdk version “17.0.9” 2023-10-17
OpenJDK Runtime Environment Temurin-17.0.9+9 (build 17.0.9+9)
OpenJDK 64-Bit Server VM Temurin-17.0.9+9 (build 17.0.9+9, mixed mode, sharing)
reported on the command line.
sudo systemctl status graylog-server.service
returns
graylog-server.service - Graylog server
Loaded: loaded (/lib/systemd/system/graylog-server.service; disabled; vendor preset: enabled)
Active: active (running) since Sat 2024-01-27 18:45:28 CET; 16h ago
Docs: http://docs.graylog.org/
Main PID: 63405 (graylog-server)
Tasks: 167 (limit: 38067)
Memory: 1.3G
and
sudo systemctl status elasticsearch.service
Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2024-01-27 18:59:10 CET; 17h ago
Docs: https://www.elastic.co
Main PID: 67371 (java)
Tasks: 84 (limit: 38067)
Memory: 2.7G
CGroup: /system.slice/elasticsearch.service
└─67371 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -D>
sudo systemctl status mongod.service
mongod.service - MongoDB Database Server
Loaded: loaded (/lib/systemd/system/mongod.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2024-01-27 15:07:20 CET; 20h ago
Docs: https://docs.mongodb.org/manual
Main PID: 535 (mongod)
Memory: 270.5M
CGroup: /system.slice/mongod.service
└─535 /usr/bin/mongod --config /etc/mongod.conf
And I see 2 other messages in /var/log/graylog-server/server.log:
WARN [LookupTableService] Unable to load data adapter watchlist-mongo of type mongodb, missing a factory. Is a required plugin missing?
WARN [LookupTableService] Lookup table watchlist is referencing a missing data adapter 61ae04c47c4cd047cfc17221, check if it started properly.
But I have a second installation, same environment, with the same messages and that server ist running fine.
Out of sheer desperation and because I had run out of ideas, I set the maximum header size in Graylog from 8192 to 16384. And now it’s working again. A log entry would have been really helpful.
Yes. Setting this to a higher value solved my problem.
Graylog is running behind an ALB in AWS and an ID-Provider. That results in a lot of headers. However, I do not know why it was working with Graylog 5.1.x and not with 5.2.3