Loading field information failed with status: cannot GET http://x.x.x.x:9000/api/system/fields (500)

It’s my first post. I’m not fluent with English or Linux, so please be patient. I am trying to gather some logs from a server using nxlog, but I get error 500.
I followed this site step by step: www.osradar.com/how-to-install-graylog-on-ubuntu-18-04/.
In the web browser I can log into Graylog, but when I configure a UDP input and click “show received …” I see only loading, and at the bottom of the page there is a message like the one in the topic title.

In /etc/graylog/server/server.conf I have set:

  • is_master = true
  • password_secret and root_password_sha2
  • rest_listen_uri = http://my_server:9000/api/
  • rest_transport_uri = http://my_server:9000/api/
  • web_listen_uri = http://my_server:9000/
  • elasticsearch_hosts = http://my_server:9200,http://user:password@node2:19200

In elasticsearch.yml: cluster.name: graylog

PS: How can I put a log file in this topic?

What version of Elasticsearch and what version of Graylog did you use?

On what server does the Elasticsearch server listen? Why did you have one Elasticsearch host configured with user:password and one without any authentication?

I have only one server, on Ubuntu 18.04, where Graylog, MongoDB, Elasticsearch and Java are installed.

I don’t know how to check what version I have. I think it is 2.4 for Graylog and Elasticsearch is 5.x.

I wrote in shell: curl -XGET 'http://my_server:9200' but it says: curl: (7) Failed to connect to my_server port 9200: Connection refused

ufw status says firewall is inactive.

For me it looks like you did not follow the guide you have linked, but with your redacted information that is hard to tell. Just check every step and check if you might have made additional changes to any of the configuration files.

You can simply copy and paste it into the message. However, please note:

  • For legibility, please enclose the logs in a codeblock. You can do this by putting three backquotes above and below the text. For example:
    This is a codeblock

  • If it’s a very long logfile, it would be better to hide them in your post. You can do this by putting the block inside a summary field, like so:

[details="Here is my full log"]
paste the whole code here.

Now… You also showed this configuration line, but at the same time you say that you only have ONE host, that runs Mongo+Graylog+Elastic.

Why are there two URIs configured? And why does one point at port 19200?

Thanks for your advice. But when I do that and post my answer, I see the message “Sorry, new users can only put 2 links in a post.”

That’s not my question @michal .

My question is:

  1. You say you have ONE Elastic host.
  2. Your configuration says you have TWO Elastic hosts.
  3. Your configuration says your second Elastic host has a different port (19200 instead of 9200).

Something’s wrong there, no? :wink:

Can I send my server.conf to your e-mail? I can’t paste it here.

No, I will not disclose my email.

But you can put it up on PasteBin and then link the file over here. Of course, you would have to strip out all the identifying information before doing that. You would not want your whole internal config to show up online, would you?
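
Added example, not part of the original thread: one way to strip a Graylog server.conf before linking it publicly, plus a check that nothing sensitive is left. The function names (`redact_conf`, `leaks_secrets`, `sample_conf`) are hypothetical and the sample config is constructed; the key names are the ones mentioned in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): make a Graylog server.conf shareable.
# Function names are hypothetical; the sample config below is constructed.

# Keys named in the thread whose values must never be published.
# root_password_sha2 is a plain SHA-256 of the admin password, so a leaked
# value can be guessed offline; password_secret peppers stored passwords.
SECRET_KEYS='password_secret|root_password_sha2'

# redact_conf: read a config on stdin, write a shareable copy on stdout.
# Commented-out lines are redacted too, since they are published as well.
redact_conf() {
    sed -E \
        -e "s/^([[:space:]]*#?[[:space:]]*(${SECRET_KEYS})[[:space:]]*=[[:space:]]*).*/\1<REDACTED>/" \
        -e 's#(://)[^/@[:space:],]+:[^/@[:space:],]*@#\1<REDACTED>@#g' \
        -e 's/([0-9]{1,3}\.){3}[0-9]{1,3}/x.x.x.x/g'
}

# leaks_secrets: exit 0 if stdin still holds a secret value or URI
# credentials (user:password@host), exit 1 if it looks clean.
leaks_secrets() {
    grep -Eq \
        -e "^[[:space:]]*#?[[:space:]]*(${SECRET_KEYS})[[:space:]]*=[[:space:]]*[^<[:space:]]" \
        -e '://[^/@[:space:],]+:[^/@[:space:],]*@'
}

# sample_conf: constructed input, not the poster's real file.
sample_conf() {
    cat <<'EOF'
is_master = true
password_secret = CONSTRUCTEDpepperValue0123456789
root_password_sha2 = 0000000000000000000000000000000000000000000000000000000000000000
rest_listen_uri = http://192.0.2.10:9000/api/
#elasticsearch_hosts = http://my_server:9200,http://user:password@node2:19200
EOF
}

# Demonstration: print the redacted sample.
sample_conf | redact_conf
```

On a real host, `redact_conf < /etc/graylog/server/server.conf > shareable.conf` followed by `leaks_secrets < shareable.conf && echo "do not post"` gives a last check before the file leaves the machine.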

Ok thx again this is my config file https://pastebin.com/yjH7JvST

Dude, you left all your secret information in there. Your bleeping “password_secret” and your “root_password_sha2” are in there. :exploding_head:

Also, as I have said before, this line is nonsense:

elasticsearch_hosts = http://my_server:9200,http://user:password@node2:19200

That will NOT work unless your server is actually called “my_server”, or “node2”. Also, are the username and password really “username” and “password”?!

Again, your servername is not really “my_server”, is it? Or did you add that name to /etc/hosts?

Aside from that, it’s a miracle your MongoDB is working… You left all the default entries in the config file as well.

It does not matter. This is a virtual machine hidden deep behind NAT. In a moment he will delete her anyway. This is not a production environment.

But the lines that have ‘#’ at the beginning are not taken into account??
#elasticsearch_hosts = http://my_server:9200,http://user:password@node2:19200

I wrote “my_server” so as not to show the IP address.
There was nothing written about MongoDB in the guide I used.

Ahh! I see, sorry. On my browser the line wrapping was such that the line was split into two lines. Thus I did not notice the # at the front. It also does not help that in your very first post you literally said that you DID use those values.

That leaves the question though, which URI did you configure for Elastic? I don’t see an active “elasticsearch_hosts” entry in your config file. And Graylog certainly needs one.

EDIT: Ahh, the article uses Zen discovery and tells you to put that at the end of the config file. Blegh, why would they say that?! To keep things legible, config changes should be made in their own section. Elastic settings should stay with the rest of the Elastic settings. I see that that’s what you’ve done though; you followed their instructions to the letter.

Graylog relies upon MongoDB to store all of its configuration. As far as I know, you can’t run Graylog without Mongo.

Also, check heading number 3 of that OSRadar article :wink: It tells you to install MongoDB.

EDIT: So, stupid question…

I wrote in shell: curl -XGET 'http://my_server:9200' but it says: curl: (7) Failed to connect to my_server port 9200: Connection refused

Did you actually start Elastic? :smiley:
netstat -an | grep LISTEN | grep ^tcp
ps -ef | grep elastic

According to this guide, I installed everything. Even to Ubuntu 18.04 I added a universal repository for Java version 8. As I said, I’m not fluent in English. I am using the translator.

Which tutorial should I choose?

To be honest, using the official documentation and the given step-by-step guides would be the best solution, even if that does not include that many pictures …



What I did for my environment was to combine the official Graylog documentation with the official ElasticSearch and MongoDB documentation. Each of these three products offers extensive HOWTO docs and guidelines on how to set up a working system.

Sure, it’s not a ready-to-run and type-along website, but it will get you good results in the end. And to be honest, when dealing with complex materials such as these, can you really expect a simple walkthrough to cover it all? My final documentation of installing my clusters covers 60+ pages, including tests along the way.

According to this guide, I installed everything.

If you did not install MongoDB, then you did not follow the linked article correctly.

ubuntu 18737 15036 0 13:32 pts/0 00:00:00 grep --color=auto elastic
tcp6 0 0 :::* LISTEN
tcp6 0 0 :::* LISTEN

systemctl shows Elastic is active; when I refresh the web page and get the same error 500, systemctl shows that Elastic failed.
Believe me, I do it step by step.

I still doubt what the port is that you have set up for Elastic, because your copy/paste of the netstat and ps output looks off; you have left out lots of details.

  • The ps output does NOT show Elastic running, it only shows your grep that searches for “elastic”.
  • The netstat output shows a listening port on 12900 and on 9000.
  • Port 9000 would be Graylog, but I have no clue what 12900 would be.

So once again, can you please paste the full output of:

ps -ef | grep elastic
sudo netstat -apn | grep ^tcp | grep -i listen   # sudo is needed for the -p

Thing is, with your config you are telling Graylog that it should find the Elastic interconnect at (the ZenDiscovery port), but that one is NOT listed as running. Your Elastic and MongoDB are NOT available, they are NOT up and running.

I deleted this VM. It was on Ubuntu 18.04. In the official documentation there is only 16.04 LTS. I will try to configure a new VM on CentOS 7 using the official documentation from this point: http://docs.graylog.org/en/2.4/pages/installation/os/centos.html. When I have done all these steps, should I do this: http://docs.graylog.org/en/2.4/pages/configuration.html ?

Then, Tess, if you would help me I will be grateful.

The CentOS tutorial that you found is a very good place to start. It gets you up and running with the MVP, the minimal viable product. You’ll have Graylog, Elastic and Mongo all running on one box.

A few caveats:

  • Even this tutorial does not hold your hand all the way through. You may need to do some troubleshooting if something reacts differently than expected.
  • The tutorial does not mention adjusting the MongoDB and ElasticSearch settings in the Graylog server.conf. Be prepared to adjust these manually, despite the tutorial not mentioning this.
  • This tutorial assumes that your system has an Internet connection and that you can pull all the required packages from the YUM repositories of their respective vendors. In my environment this is NOT possible, so I had to download all the required packages by hand and install them manually using rpm or dpkg.