Hello,
I assume your taking about your Journal? If so not sure why your server would do that. The journal was created for this purpose if Graylog crashed. By rebooting you mimic a crash.
I assume there is a wait time that is given before the next reboot? Basically not just rebooting the server randomly and giving time for Graylog to catch up?
Is ulimit properly configured?
Seams that this problem has been around before.
I looked over your other posts and they all look similar, Either to many fields, Output buffer fills up, Processor buffer files up or Journal is filling up.
These are all pointing to your elasticsearch/configurations but looking at your ES & GL configuration files comparing it to mine, I really don’t see anything sticking out that I can Identify the source of the issue.
Seams Elasticsearch is having hard time with the message coming in and perhaps Indexing them. I would really look into this. It maybe the source or part of the issue.
Some Ideas:
- Perhaps look into GL garbage collection this could have an impacted on performance.
- Not sure how your ingesting log/s or shipping them. Perhaps, adjust your Log shippers to send the minimal amount of logs.
- Insure the correct input is used for each device sending log to Graylog.
- Ensure the Elasticsearch version is no greater the 7.10
If none of that works, I would start small for example:
- Input Syslog UDP for my Windows devices.
- Input Raw/Plaintext for my network work devices.
Double check other logs on this system /var/log maybe you can get a clue or some type of direction on why this issue is happening.