License violation problem

Hi all,

I have Graylog v.3.3.9 and until today I didn’t have any license violation due to traffic volume. However, from today my Graylog started showing a red banner with the message "Graylog Enterprise License Violation". How can I reset this message and allow the Graylog features to work as expected?
I tried to install a new license but still the message appears. Our traffic volume is shown below and it seems some systems increased their load rapidly.

I would appreciate it if you know of any fast solution to this problem, because the system monitors critical systems and we need to have the archive/indexing feature enabled.

The free Enterprise license has a daily traffic limit of 5GiB, and you are allowed to violate it 5 times in 30 days.
Daily traffic limit: 5.0GiB (allowed violations per 30 days: 5)
Requires remote checks: Yes (allowed consecutive check failures: 72)
License expiration warning: 30 days before

Check in the Enterprise section what the reason for the violation was: traffic or remote checks.

  • If traffic, you need to wait for the 30-day window, so that traffic violates the limit no more than 5 times in it.
  • If remote check, then your connection to the Graylog API is not working, and this also violates the license. Check that your Graylog box has allowed access to api.graylog.org
  • Note: the Graylog log also contains information about license violations

There is also a special metric, org.graylog2.traffic.output, to monitor daily traffic.
https://docs.graylog.org/en/3.3/pages/enterprise/setup.html#details-on-licensed-traffic
You can check the actual output traffic using the REST API:
http://graylog.domain.com:9000/api/cluster/NODE_ID/metrics/namespace/org.graylog2.traffic.output
Or web interface:

System - Nodes - Metrics - org.graylog2.traffic.output

There is also Graylog’s internal field gl2_message_size, with the size of the message.

Thanks for the explanation. Is there any way to immediately reset this counter?
Can I delete some existing indexes to reduce the size and make graylog continue its normal operation?

I want to find a way to overcome this issue and not just wait for the 30 day window to pass.

Hi there,

The short answer is that without applying another license, no. There’s no way past that. If there were, you could simply use enterprise for free and just keep resetting those violations, which doesn’t make much sense in an enterprise product. You’ll have to wait for 30 days from the initial violation for it to roll off. As @shoothub mentioned, there are a number of ways to monitor your ingestion (see License — Graylog 4.1.0 documentation for further details on the metrics).

I’ll also note that deleting indices won’t remove the violations. Your licensed ingestion volume is based on what’s ingested into Elasticsearch from Graylog. So once the data is accounted for, it’s set. Graylog doesn’t go back after the fact and see if the size of your indices changes.
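
Added example (not part of the original thread and not Graylog's own code): a small model of the rule quoted above, 5 GiB per day with 5 allowed violations per 30 days, that counts over-limit days in a trailing window and reports when the oldest one rolls off. It assumes a day counts as a violation when its total exceeds the limit and that the window is the trailing 30 calendar days; the daily totals are constructed sample data, which in practice would come from the org.graylog2.traffic.output metric.

```python
from datetime import date, timedelta

GIB = 1024 ** 3
DAILY_LIMIT_BYTES = 5 * GIB   # "Daily traffic limit: 5.0GiB"
ALLOWED_VIOLATIONS = 5        # "allowed violations per 30 days: 5"
WINDOW_DAYS = 30              # assumption: trailing 30 calendar days

def violating_days(daily_bytes):
    """Sorted dates whose traffic exceeded the daily limit (assumed: strictly greater)."""
    return sorted(d for d, b in daily_bytes.items() if b > DAILY_LIMIT_BYTES)

def violations_in_window(daily_bytes, today):
    """Over-limit days inside the 30-day window that ends on `today`."""
    start = today - timedelta(days=WINDOW_DAYS - 1)
    return [d for d in violating_days(daily_bytes) if start <= d <= today]

def license_violated(daily_bytes, today):
    """True when the window holds more over-limit days than the license allows."""
    return len(violations_in_window(daily_bytes, today)) > ALLOWED_VIOLATIONS

def clears_on(daily_bytes, today):
    """First date the count is back within the allowance, assuming no further
    over-limit days after `today`. Returns `today` if not currently violated."""
    day = today
    while license_violated(daily_bytes, day):
        day += timedelta(days=1)
    return day

def sample_traffic():
    """Constructed sample: 3 GiB/day from 1 June 2021, 7 GiB/day on 10-15 June."""
    start = date(2021, 6, 1)
    data = {start + timedelta(days=i): 3 * GIB for i in range(15)}
    for i in range(9, 15):
        data[start + timedelta(days=i)] = 7 * GIB
    return data

if __name__ == "__main__":
    traffic = sample_traffic()
    today = date(2021, 6, 15)
    in_window = violations_in_window(traffic, today)
    print(f"over-limit days in window: {len(in_window)} (allowed {ALLOWED_VIOLATIONS})")
    print(f"license violated today:   {license_violated(traffic, today)}")
    print(f"clears on:                {clears_on(traffic, today)}")
```

Running the same count daily against real totals shows how many violations remain before the banner would appear, which is the point at which reducing ingestion still helps.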
