Hi guys!
I set up a Graylog instance and everythings it’s working smoothly.
After start receiveign a couple of logs I notice that the default JVM Heap size it’s a bit short (1 GB) and I read a little in google to increase it. The prefered way to do it it’s seems to be adding the tag “ES_HEAP_SIZE=xxg” in /etc/default/elasticsearch, but after doing this and reboot elasticsearch I noticed that in Graylog web platform the node it’s still showing a max size of 972.8MB.
Now, if I modified the settings in /etc/default/graylog-server it works and I can see it in the Node section in the web platform.
So far so good, but I noticed that if I run the command “curl -sS -XGET “localhost:9200/_cat/nodes?h=heap*&v””, the result shows me two results like this:
heap.current heap.percent heap.max
429.7mb 44 972.8mb
353.5mb 2 11.9gb
The thing is I only have one node, I don’t know why it shows me two results and if this is a normal behavior.
So now I’m unsure if I have to change the settings in the elasticsearch file and increasing the heap size theree (even if it doesn’t show up in the Graylog Node) or change it in graylog-server.
My system:
Ubuntu 16.04
Graylog 2.2.2
Elasticsearch 2.4.4
Thanks for the replay and the clarification Jan!
I wanted to raise the HEAP for Elastix because I read that it needs the 50% of the RAM in order to have a good performance and avoid bottlenecks as I’m going to start feeding it with a lot of logs.
So, the HEAP size in Graylog is it good if I leaved it as is or is better to increase it a little to have a better performance?
Currently my server have 30 GB of ram memory.
Cheers!
If you run a server with 30GB RAM and everything on one box, give Elasticsearch ~12GB Heap and Graylog ~2GB - said that you will have some Memory left for the OS and everything else.
So the web interface GUI shows us the “Pulse” node graphically but not the elasticsearch? What is “Pulse” and what is “graylog-c14015b6-b090-4e4c-a37a-2b5f3b241cc9”?
The math matches up if I assume that’s what the GUI shows me. What about that area which is NOT used up (circled in blue):
“Pulse” is the name of your Elasticsearch node, “graylog-c14015b6-b090-4e4c-a37a-2b5f3b241cc9” is the name of the embedded Elasticsearch node inside your Graylog process (the name is simply a concatenation of “graylog-” and the node ID).
The chart on the web interface shows the heap memory of the Graylog node (i. e. the same numbers shown for the “graylog-c14015b6-b090-4e4c-a37a-2b5f3b241cc9” Elasticsearch node).
sorry for this newbie question but i want to allocate 4g to elasticsearch container but should the ulimit option match it ? Any correlation between the two? Can i keep it to 1g ?
ulimit it’s for the vm running the container and ES_JAVA_OPTS it’s for the elastic app right ?
