Issues with upgrading Graylog from 2.5 to 3.0

(Waqas) #1

Hi,

I am new to Graylog; I have been tasked with upgrading Graylog from 2.5 to 3.0. I have been consulting this page:
http://docs.graylog.org/en/3.0/pages/upgrade/graylog-3.0.html

Current setup
So we are using Docker and deploy using docker-compose; there are three containers:

  • Mongo : latest
  • Elasticsearch : 6.6.0
  • Graylog: 3.0

We have a Dockerfile for elasticsearch and graylog:

graylog:
  build:
    context: ./graylog
    dockerfile: Dockerfile
  image: graylog:3.0
  container_name: graylog
  environment:
    - GRAYLOG_HTTP_BIND_ADDRESS=graylog:XXXX
    - GRAYLOG_HTTP_PUBLISH_URI=http://${LOGSERVER}:XXXX/
    - GRAYLOG_HTTP_EXTERNAL_URI=http://${LOGSERVER}:XXXX/
    - GRAYLOG_ELASTICSEARCH_HOSTS=http://elasticsearch:YYYY/
  depends_on:
    - elasticsearch
    - mongo
  restart: unless-stopped
  ports:
    - "XXXX:XXXX"
    # - "ZZZZZ:ZZZZZ/udp" # commented out at the moment because of the contentpacks issue

elasticsearch:
  build:
    context: ./elasticsearch
    dockerfile: Dockerfile
  image: com.numerix/elasticsearch:6.6.0
  container_name: elasticsearch
  ulimits:
    memlock:
      soft: -1
      hard: -1
    nofile:
      soft: 65536
      hard: 65536
  restart: unless-stopped
  ports:
    - "9200:9200"

Here are a couple of problems I have been facing:

1. Contentpacks

My initial approach is to increment the version numbers and see what breaks, and this was the first problem I encountered:

mkdir: cannot create directory ‘/usr/share/graylog/data/contentpacks’: File exists

This is because I copy a content pack into that directory in my Dockerfile. I read in the upgrade guide that content packs have been fundamentally reworked, but there was no further explanation on how to get the old ones working.

So in the meantime I have commented this out in my Dockerfile:

# Configure an UDP input
# COPY --chown=graylog udp-input-graylog.json /usr/share/graylog/data/contentpacks
# ENV GRAYLOG_CONTENT_PACKS_AUTO_LOAD udp-input-graylog.json
# ENV GRAYLOG_CONTENT_PACKS_LOADER_ENABLED true
# ENV GRAYLOG_CONTENT_PACKS_DIR data/contentpacks

2. No login page showing when application spins up

Having managed to get the application started, when I hit the web page localhost:9000 I don't get the familiar Graylog login screen; instead I just get a blank page with nothing on it.

graylog log: https://pastebin.com/kW51Bm3C
elasticsearch log: https://pastebin.com/rWK5XV2f
mongo log: https://pastebin.com/QvbRNkJS

Here I have posted some of the output of the suggested commands:

  • curl -i http://localhost:9000/
HTTP/1.1 200 OK
X-UA-Compatible: IE=edge
X-Graylog-Node-ID: e5ae6a7e-4dad-47c6-9b88-9e6eb28f86d3
Content-Type: text/html
Date: Mon, 15 Apr 2019 10:22:57 GMT
Content-Length: 1494

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="robots" content="noindex, nofollow">
    <meta charset="UTF-8">
    <title>Graylog Web Interface</title>
    <link rel="shortcut icon" href="http://XOXO.YOYO.com:XXXX/assets/favicon.png">
  </head>
  <body>
    <script src="http://XOXO.YOYO.com:XXXX/config.js"></script>
    <script src="http://XOXO.YOYO.com:XXXX/assets/vendor.4024e2a8db732781a971.js"></script>
    <script src="http://XOXO.YOYO.com:XXXX/assets/polyfill.dac1b68c62ef0b247bef.js"></script>
    <script src="http://XOXO.YOYO.com:XXXX/assets/builtins.dac1b68c62ef0b247bef.js"></script>
    <script src="http://XOXO.YOYO.com:XXXX/assets/plugin/org.graylog.plugins.threatintel.ThreatIntelPlugin/plugin.org.graylog.plugins.threatintel.ThreatIntelPlugin.bf0c248defaeb24ab9bd.js"></script>
    <script src="http://XOXO.YOYO.com:XXXX/assets/plugin/org.graylog.plugins.collector.CollectorPlugin/plugin.org.graylog.plugins.collector.CollectorPlugin.efcf3e73cc52fa5816bf.js"></script>
    <script src="http://XOXO.YOYO.com:XXXX/assets/plugin/org.graylog.aws.AWSPlugin/plugin.org.graylog.aws.AWSPlugin.c67a2cee2c1fab9173f1.js"></script>
    <script src="http://XOXO.YOYO.com:XXXX/assets/app.dac1b68c62ef0b247bef.js"></script>
  </body>
</html>
  • curl -i -H 'Accept: application/json' http://localhost:9000/api
HTTP/1.1 200 OK
X-Graylog-Node-ID: e5ae6a7e-4dad-47c6-9b88-9e6eb28f86d3
X-Runtime-Microseconds: 1190
Content-Type: application/json
Date: Mon, 15 Apr 2019 10:24:19 GMT
Content-Length: 232
{"cluster_id":"a8779248-279a-4a30-92cb-c11f9c5e0d16","node_id":"e5ae6a7e-4dad-47c6-9b88-9e6eb28f86d3","version":"3.0.1+de74b68","tagline":"Manage your logs in the dark and have lasers going and make it look like you're from space!"}

Please help

0 Likes

(Jan Doberstein) #2

I guess that you messed up something with your settings:

    - GRAYLOG_HTTP_BIND_ADDRESS=graylog:XXXX
    - GRAYLOG_HTTP_PUBLISH_URI=http://${LOGSERVER}:XXXX/
    - GRAYLOG_HTTP_EXTERNAL_URI=http://${LOGSERVER}:XXXX/

But as everything looks redacted and inconsistent, I'm not really able to help here.

0 Likes

(Waqas) #3

Please explain what you mean by "messed up"?

GRAYLOG_HTTP_BIND_ADDRESS=graylog:XXXX
graylog here is the container name in Docker; XXXX is a port number, and this is consistent with anywhere else you see XXXX in the logs and the post.

GRAYLOG_HTTP_PUBLISH_URI=http://${LOGSERVER}:XXXX/

Here $LOGSERVER is a global environment variable that is injected, and I know it resolves to the right value at container runtime. XXXX is consistent with the above.

GRAYLOG_HTTP_EXTERNAL_URI=http://${LOGSERVER}:XXXX/
Here I am using the same value as PUBLISH_URI.

Is there anything I can clarify?

0 Likes

(Jan Doberstein) #4

Is there anything I can clarify?

Yes - without knowing what is given in ${LOGSERVER} and whether that fits into your infrastructure, nobody will be able to help.

I'm sorry, but all settings look like they should work, so the only reason it does not is that something is not working with this variable, I guess.

0 Likes

(Waqas) #5

OK, sure. So given all the other information you know, can you infer what it should be? Let's assume it's set to "XOXO.YOYO.com" (that's in the curl output above).

Does that help?

0 Likes

(Waqas) #6

@jan you were right, it was the ${LOGSERVER} variable. It had XOXO.YOYO.com in it but it should have been localhost! When I changed it to that and spun it up, it started running!

Can you help me regarding the content pack? How should I migrate it over to 3.0?

0 Likes
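The blank-page symptom in this thread comes down to where the index page tells the browser to fetch its assets from: curl against localhost returns 200, but the script tags point at the host from GRAYLOG_HTTP_EXTERNAL_URI, which the browser also has to be able to resolve and reach. The following is an added diagnostic script, not code from the thread or from Graylog; it extracts the asset origins from the HTML shown in post #1 (embedded here as a constructed sample, with the same redacted host and port) and compares them with the host the browser was opened against. The function and variable names are mine.

```shell
#!/bin/sh
# Added example: check whether a Graylog index page sends the browser to an
# asset host it may not be able to reach (the cause of a blank page despite
# "curl -i http://localhost:9000/" returning 200).

# Constructed sample: the index page from post #1, trimmed to the relevant tags.
SAMPLE_INDEX='<!DOCTYPE html>
<html>
  <head>
    <link rel="shortcut icon" href="http://XOXO.YOYO.com:XXXX/assets/favicon.png">
  </head>
  <body>
    <script src="http://XOXO.YOYO.com:XXXX/config.js"></script>
    <script src="http://XOXO.YOYO.com:XXXX/assets/app.dac1b68c62ef0b247bef.js"></script>
  </body>
</html>'

# Print the distinct scheme://host:port origins of every <script src=...> read from stdin.
asset_origins() {
  sed -n 's#.*<script src="\([a-z]*://[^/]*\)/.*#\1#p' | sort -u
}

# Return 0 when the host part of an origin ($1, e.g. http://XOXO.YOYO.com:XXXX)
# equals the host the browser opened the page on ($2, e.g. localhost).
origin_matches_browser_host() {
  origin_host=$(printf '%s\n' "$1" | sed 's#^[a-z]*://##; s#:.*$##')
  [ "$origin_host" = "$2" ]
}

# Live check: fetch the index page the way the browser would ($1 = the URL the
# browser opens, e.g. http://localhost:9000/) and report mismatching origins.
check_live() {
  browser_host=$(printf '%s\n' "$1" | sed 's#^[a-z]*://##; s#[:/].*$##')
  curl -fsS "$1" | asset_origins | while read -r origin; do
    if origin_matches_browser_host "$origin" "$browser_host"; then
      echo "OK   assets are served from $origin"
    else
      echo "WARN assets are served from $origin but the page was opened via $browser_host;"
      echo "     the browser must be able to resolve and reach that host, or GRAYLOG_HTTP_EXTERNAL_URI must be corrected"
    fi
  done
}

# Offline demonstration on the embedded sample (prints http://XOXO.YOYO.com:XXXX).
demo() {
  printf '%s\n' "$SAMPLE_INDEX" | asset_origins
}

# Run "sh this.sh live http://localhost:9000/" against a real node; no arguments runs the offline demo.
case "${1:-}" in
  live) check_live "$2" ;;
  "") demo ;;
esac
```

The WARN branch is the situation in this thread: the page was opened on localhost, but the assets were served from XOXO.YOYO.com, so the browser loaded nothing after the empty shell.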

(Waqas) #7

So I know you can manually upload them after the server has started. In version 2.5 we were using these commands in the Dockerfile:

COPY --chown=graylog udp-input-graylog.json /usr/share/graylog/data/custom_contentpacks/
ENV GRAYLOG_CONTENT_PACKS_AUTO_LOAD=udp-input-graylog.json
ENV GRAYLOG_CONTENT_PACKS_LOADER_ENABLED=true
ENV GRAYLOG_CONTENT_PACKS_DIR=/usr/share/graylog/data/custom_contentpacks

custom_contentpacks: I am trying to use this directory because I was getting a "directory already exists" error when starting the container with "contentpacks". This didn't help, since the values did not go into the graylog.conf file, so when the container starts it is still looking in the old place for the content packs.

After the container starts up, I exec into it and have a look at graylog.conf; it doesn't have the values I am passing in above.

Has something changed?

0 Likes

(Waqas) #8

Having seen this, I think the issue is relevant and is a result of a feature being removed in Graylog 3.0.

0 Likes

(Jan Doberstein) #9

You are right.

a) The old content packs are not compatible anymore; you need to recreate them first with 3.0 to export them and have them available.

b) The auto-load is not available anymore - you would need to upload it via the API after the server is up.

0 Likes
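The post-start upload that post #9 describes, written out as an added example; this is not code from the thread or from the Graylog project. It replaces the removed GRAYLOG_CONTENT_PACKS_AUTO_LOAD behaviour with an explicit bootstrap step: wait until the REST API answers with its version JSON (the check from post #1), then upload the 3.0-format pack and install it. The endpoint paths, the X-Requested-By header, the installation request body and the assumption that an exported pack's own "id" and "rev" are the first such keys in the file are assumptions to verify against your node's API browser; the sample pack JSON and the function names are constructed. Credentials come from the environment rather than being baked into the image.

```shell
#!/bin/sh
# Added example: bootstrap a content pack through the Graylog 3 REST API after start-up.
# Assumptions (verify in the API browser of your version):
#   GET  $API/                                            -> JSON containing "version" when the node is up
#   POST $API/system/content_packs                        -> uploads a content pack (JSON body)
#   POST $API/system/content_packs/{id}/{rev}/installations -> installs an uploaded revision
#   non-GET calls require an X-Requested-By header

# Constructed samples: the /api response from post #1 and a minimal pack header.
SAMPLE_API_JSON='{"cluster_id":"a8779248-279a-4a30-92cb-c11f9c5e0d16","node_id":"e5ae6a7e-4dad-47c6-9b88-9e6eb28f86d3","version":"3.0.1+de74b68","tagline":"Manage your logs in the dark and have lasers going and make it look like you are from space!"}'
SAMPLE_PACK='{"v":"1","id":"deadbeef-0000-4000-8000-000000000001","rev":1,"name":"udp-input-graylog","entities":[{"id":"ent-1"}]}'

# Return 0 when the JSON on stdin looks like a live node's /api response.
api_is_up() {
  grep -q '"version"[[:space:]]*:[[:space:]]*"'
}

# Print the pack's own id / revision (assumed to be the first "id" / "rev" keys in the file).
pack_id() {
  tr -d '\n' | grep -o '"id"[[:space:]]*:[[:space:]]*"[^"]*"' | head -n1 | sed 's/.*"\([^"]*\)"$/\1/'
}
pack_rev() {
  tr -d '\n' | grep -o '"rev"[[:space:]]*:[[:space:]]*[0-9]*' | head -n1 | sed 's/.*://; s/[[:space:]]//g'
}

# Poll $1 (API base URL) until api_is_up succeeds, at most ${2:-60} times, two seconds apart.
wait_for_api() {
  api="$1"; tries="${2:-60}"; i=0
  while [ "$i" -lt "$tries" ]; do
    if curl -fsS -H 'Accept: application/json' "$api/" 2>/dev/null | api_is_up; then
      return 0
    fi
    i=$((i + 1)); sleep 2
  done
  echo "Graylog API at $api not ready after $tries tries" >&2
  return 1
}

# Shared curl options: basic auth from the environment, JSON body, CSRF header.
api_post() {
  curl -fsS -X POST \
    -u "${GRAYLOG_USER:-admin}:${GRAYLOG_PASSWORD:?set GRAYLOG_PASSWORD in the environment}" \
    -H 'Content-Type: application/json' -H 'X-Requested-By: contentpack-bootstrap' "$@"
}

upload_content_pack() {      # $1 = API base URL, $2 = pack file
  api_post --data-binary "@$2" "$1/system/content_packs"
}
install_content_pack() {     # $1 = API base URL, $2 = pack id, $3 = revision
  api_post -d '{"parameters":{},"comment":"installed by container bootstrap"}' \
    "$1/system/content_packs/$2/$3/installations"
}

main() {
  api="${1:-http://localhost:9000/api}"
  pack="${2:-/usr/share/graylog/data/custom_contentpacks/udp-input-graylog.json}"
  wait_for_api "$api"
  upload_content_pack "$api" "$pack"
  install_content_pack "$api" "$(pack_id < "$pack")" "$(pack_rev < "$pack")"
}

# Run as "sh bootstrap.sh run [api-url] [pack-file]" from a sidecar or an entrypoint wrapper.
case "${1:-}" in
  run) shift; main "$@" ;;
esac
```

Because uploading the same pack twice fails on a running node, this belongs in a one-shot sidecar or a wrapper that records what it installed, not in the Graylog container's restart loop.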