Journal & JVM HeapSize Tweaks

Hi All,

Is there any way to increase the journal size? It's 1G at the moment. I loaded some hosts onto the system (16 via a script); they all started sending their messages to Graylog and the journal filled. I then had a message saying that messages had been discarded and not logged due to over-utilization.

Also, how do I edit the ES_HEAP_SIZE environment variable as mentioned: http://docs.graylog.org/en/2.2/pages/configuration/elasticsearch.html?highlight=ES_HEAP_SIZE

Thanks
Paul.

Hi Paul,

Yes, of course.

This depends on how you've installed Elasticsearch. See http://docs.graylog.org/en/2.2/pages/configuration/file_location.html for some hints.

Hi jochen

Thanks for getting back to me.

I managed to change the journal size, but found that after I run a graylog-ctl reconfigure, the changes are wiped out, so in this case, restart keeps the settings:
ubuntu@graylog:/$ sudo vi /opt/graylog/conf/graylog.conf
ubuntu@graylog:/$ sudo graylog-ctl restart
ok: run: elasticsearch: (pid 31331) 0s
ok: run: etcd: (pid 31358) 1s
ok: run: graylog-server: (pid 31408) 0s
ok: run: mongodb: (pid 31431) 1s
ok: run: nginx: (pid 31449) 0s
ubuntu@graylog:/$ sudo cat /opt/graylog/conf/graylog.conf | grep "message_journal_max_size"
message_journal_max_size = 4gb

The same seems to be true for "indices.store.throttle.max_bytes_per_sec" that you can put into /opt/graylog/elasticsearch/config/elasticsearch.yml. After a reconfigure, it wipes the changes.
indices.store.throttle.max_bytes_per_sec: 150mb

The heapsize, I have set … but still only using 1.4G even though I have set it to 4.
Reconfigure and restart don't seem to wake it up … Also tried sticking it into /etc/environment but that didn't do it either.

ubuntu@graylog:/$ sudo cat /etc/default/elasticsearch | grep "ES_HEAP_SIZE"
.# Set ES_HEAP_SIZE to 50% of available RAM, but no more than 31g
ES_HEAP_SIZE=4g
.# in elasticsearch.yml (ES_HEAP_SIZE must also be set).

ubuntu@graylog:/$ sudo cat /etc/elasticsearch/elasticsearch.yml | grep "ES_HEAP_SIZE"
.# Make sure that the ES_HEAP_SIZE environment variable is set to about half the memory
ES_HEAP_SIZE=4g

ubuntu@graylog:/$ sudo cat /opt/graylog/elasticsearch/config/elasticsearch.yml | grep "ES_HEAP_SIZE"
ES_HEAP_SIZE=4g

ubuntu@graylog:/$ cat /etc/environment | grep "ES_"
ES_HEAP_SIZE=4G

Almost there!!

If you're using the Graylog virtual machine appliance, you have to use the graylog-ctl command to configure it. Otherwise your changes will be overwritten: http://docs.graylog.org/en/2.2/pages/configuration/graylog_ctl.html

Thanks jochen.

I'm not seeing anything for Journal Size and heap size in those commands? Am I missing something?

hej @Paulpretorius

you need to scroll down until you see the advanced setting

But just to have it written down once:

  • the journal is just a buffer; if this gets filled up and the data is not written to Elasticsearch, you need more Elasticsearch power to be able to ingest at the given message rate
  • you should not use the omnibus package/the appliance in production
  • just because you are not able to change all settings that you might want to tune
  • read the docs, what you can set http://docs.graylog.org/en/2.2/pages/configuration/graylog_ctl.html#
  • journal size is not editable

Thanks Jan!

I have edited the .json and reconfigured / restart … But still only using 1.4G

"enforce_ssl": false,
"journal_size": 8,
"node_id": false,
"internal_logging": true,
"web_listen_uri": false,
"web_endpoint_uri": false,
"rest_listen_uri": false,
"rest_transport_uri": false,
"external_rest_uri": false,
"custom_attributes": {
  "elasticsearch": {
    "memory": "4400m"
  }
}
}

The journal grew past 5G and over 20000000 unprocessed messages. I was hoping to increase the RAM on the JVM to help with processing lol

@Paulpretorius

as already written - you are bound to the defaults https://github.com/Graylog2/graylog2-server/blob/2.2.1/misc/graylog.conf#L405-L409

The Omnibus Package does not give you the option to modify that.

If you have that amount of messages in your journal, the Elasticsearch you'd like to ingest into is way underpowered for what you put in.

Haha, I realise it's touch and go, yes :)

We have about 150 Windows clients and 20 Linux clients sending into it … Some clients are quite old, so I'm hoovering historical events.

If you had left the defaults of the virtual appliance and you have some noisy clients, the appliance is way underpowered for that.

You can create a cluster with some more appliances but I would recommend to build your own environment for this.

To change the Java heap size for the graylog-server, do the following:

sudo vi /opt/graylog/service/graylog-server/run

and change the Xms and Xmx values.
I use -Xms2000m and -Xmx2500m on three graylog-server appliances with two elasticsearch appliances.

I also increased the journal size to '4g' in the /opt/graylog/conf/graylog.conf file.

I can process around 30000 messages per minute without causing a journal file backlog.

Ensure that you configure your graylog-server and elasticsearch servers with the correct CPU/memory configurations as per the documentation.

When you are running the OVA, please do not edit configuration "by hand"; on the next update or run of graylog-ctl this will be overwritten.

We have covered raising heap in our documentation.

I shall give this a go! Thanks Harry :)