Input show messages is hanging

Graylog Central (peer support)
1

Hi, I (re)installed the complete environment using your web page: https://docs.graylog.org/en/3.1/pages/installation/os/centos.html
I have the following versions:
mongodb 4.0
elasticsearch 6.8.6
graylog v3.1.3+cda805f

I few remarks re installation document:
sudo yum install elasticsearch-oss does not work. sudo yum install elasticsearch works.
/usr/lib/systemctl/system/etc/elasticstack.service has the weong user and groep id and therefore elastic stack does not start. After setting te correct id it works.
auto_create_index: yes does not work.

I created an input

Syslog TCP Syslog TCP 1 RUNNING

  • allow_override_date:true
  • bind_address:***** (secret)
  • expand_structured_data:false
  • force_rdns:false
  • max_message_size:2097152
  • number_worker_threads:2
  • override_source:
  • port:514
  • recv_buffer_size:1048576
  • store_full_message:false
  • tcp_keepalive:false
  • tls_cert_file:
  • tls_client_auth:disabled
  • tls_client_auth_cert_file:
  • tls_enable:false
  • tls_key_file:
  • tls_key_password:********
  • use_null_delimiter:false

and a result of:

Throughput / Metrics

1 minute average rate: 1 msg/s
Network IO: 0B 0B (total: 103.3KiB 0B )
Active connections: 1 (1 total)
Empty messages discarded: 0

So I do receive messages.
But as soon as I click on Show received messages I get the pages which hangs on loading
Also the search messages page does not show any message.

I tried the elastic stack query using ** curl -X GET ‘localhost:9200/graylog_0’ -b '{**, and got the following result:
{“graylog_0”:{“aliases”:{“graylog_deflector”:{}},“mappings”:{“message”:{“all":{“enabled”:true},“dynamic_templates”:[{“internal_fields”:{“match”:"gl2",“mapping”:{“type”:“keyword”}}},{“store_generic”:{“match”:"”,“mapping”:{“index”:“not_analyzed”}}}],“properties”:{“application_name”:{“type”:“keyword”},“facility”:{“type”:“keyword”},“full_message”:{“type”:“text”,“analyzer”:“standard”},“gl2_message_id”:{“type”:“keyword”},“gl2_remote_ip”:{“type”:“keyword”},“gl2_remote_port”:{“type”:“keyword”},“gl2_source_input”:{“type”:“keyword”},“gl2_source_node”:{“type”:“keyword”},“level”:{“type”:“long”},“message”:{“type”:“text”,“analyzer”:“standard”},“process_id”:{“type”:“keyword”},“sequenceId”:{“type”:“keyword”},“source”:{“type”:“text”,“analyzer”:“analyzer_keyword”,“fielddata”:true},“streams”:{“type”:“keyword”},“timestamp”:{“type”:“date”,“format”:“yyyy-MM-dd HH:mm:ss.SSS”}}}},“settings”:{“index”:{“number_of_shards”:“4”,“provided_name”:“graylog_0”,“creation_date”:“1577789837512”,“analysis”:{“analyzer”:{“analyzer_keyword”:{“filter”:“lowercase”,“tokenizer”:“keyword”}}},“number_of_replicas”:“0”,“uuid”:“q9bNvm4lTeqFakMjBCOCWg”,“version”:{“created”:“5061699”,“upgraded”:“6080699”}}}}}

I am out of my options I can think of.
Do you have any clue?

Thanks in advance

2

I finally got this working. I erased all of it (including /var/lib dirs) and reinstalled. There is version elasticsearch 7.x, but that is not supported by graylog!, so install elasticsearch 6.x.
Then I changed the syslog-ng destination from tcp to udp 1514 (tcp is not allowed !?!) and made an input port Syslog UDP 1514.

The only part what I cannot get in my graylog web page is my own custom plug-in. It is loaded in graylog-server (/var/log/server.log), but not displayed.

3

he @hdehaan

after your comment I just made a copy&paste install from the documentation on CentOS, but I did not run into the elasticsearch problems you run into - did you maybe had some leftovers on this system?

Or did you mix some documentations for the installation?

Did you remember why auto_create_index: yes is not working for you?

What kind of custom plugin did you have?

4

Leftovers might be. That’s why I tried to completely reinstalled MongoDB, elasticSearch and GrayLog.
The auto_create_index: yes provides the error:
Caused by: java.lang.IllegalArgumentException: the [action.auto_create_index] setting value [false] is too restrictive. disable [action.auto_create_index] or set it to [.watches,.triggered_watches,.watcher-history-*]

But my problem is the plugh-in.
I created my project with graylog-project-cli.
If I write in my implementation:

public class PrettyPrintDecorator implements SearchResponseDecorator {
{

public interface Factory extends SearchResponseDecorator.Factory {
@Override
PrettyPrintDecorator create(Decorator decorator);

     @Override
     PrettyPrintDecorator getConfig();

     @Override
     PrettyPrintDecorator getDescriptor();
}

I get the compile error:
…/PrettyPrintDecorator.java:[48,10] method does not override or implement a method from a supertype

while the super Factory seams correct to me. Omitting this override I get the runtime error:
2020-01-06T14:11:20.074+02:00 ERROR [CmdLineTool] Guice error (more detail on log level debug): No implementation for nl.avialogic.pretty_print.Decorator annotated with @com.google.inject.assistedinject.Assisted(value=) was bound.

I think it has to do with each other.

5

import org.graylog2.plugin.decorators.SearchResponseDecorator;

From where is this import coming from?

6

The plugin is just a copy from a gitlab graylog sample.

7

From github:

graylog-plugin-sample

Sample plugin for Graylog 2.0 including web ui parts.

is unfortunately only for 2.0 and doesn’t comile either. To many old dependencies.

8

vi ./graylog-project-repos/graylog2-server/graylog2-server/src/main/java/org/graylog2/plugin/decorators/SearchResponseDecorator.java

@FunctionalInterface
public interface SearchResponseDecorator extends Function<SearchResponse, SearchResponse> {
interface Factory {
SearchResponseDecorator create(Decorator decorator);
Config getConfig();
Descriptor getDescriptor();
}

interface Config {
    ConfigurationRequest getRequestedConfiguration();
}

abstract class Descriptor extends DescriptorWithHumanName {
    public Descriptor(String name, String linkToDocs, String humanName) {
        super(name, false, linkToDocs, humanName);
    }
}

}

It is only the crearte that causes the compile error

9

If I use the recommended command in graylog-project:
graylog-project bootstrap github://Graylog2/graylog-project.git

i get in the pom.xml the version:3.2.0-beta.2-SNAPSHOT
but my runtime graylog-server (official release) is 3.1.3.

10

The auto_create_index: yes provides the error:
Caused by: java.lang.IllegalArgumentException: the [action.auto_create_index] setting value [false] is too restrictive. disable [action.auto_create_index] or set it to [.watches,.triggered_watches,.watcher-history-*]

That indicate that you did not install the OSS Version of Elasticsearch - what is what we do in the Documentation … you installed the Version with X-Pack included and that needs different settings. That is what the error is indicating.

i get in the pom.xml the version:3.2.0-beta.2-SNAPSHOT
but my runtime graylog-server (official release) is 3.1.3.

The current development version is 3.2 beta - that is the latest version so that is what you get. BUT you can change the version. I do not recall the commands - but using the help of the CLI tool should reveal the how that works.

11

Thank you for the info. I am searching for an elasticsearch OSS but using Google I come on the side https://www.elastic.co/downloads/elasticsearch. Hwoever, they do not day it is an OSS version.

After installing the plugin, first the decorators list did not show my decorator, but FINALLY after a refresh my decorator is in the list!!!

Thanks for your help.

12

maybe our search engines return different … but for example:

image
image893×431 70.9 KB

And this Post explain the mess:

https://www.elastic.co/what-is/open-x-pack

and when you look at the installation manual: https://www.elastic.co/guide/en/elasticsearch/reference/6.8/rpm.html#rpm-repo

image
image774×202 18.4 KB

13

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.