Lot of unprocessed messages

alban · August 27, 2018, 8:38am

Hi,

I have an issue with my graylog.
A lot of messages aren’t integrate since the 22 August.
How can i do to integrate all unprocessed message ?

Please help

jan · August 27, 2018, 8:42am

he @alban check your Graylog server.log why this happens.

I guess your Elasticsearch is having issues…

alban · August 27, 2018, 8:51am

I have only this errors :

2018-08-27T10:27:22.605+02:00 ERROR [LookupDataAdapter] Couldn't start data adapter <abuse-ch-ransomware-domains/5b3639a41e32bb32fb57817c/@5ccf13f>
org.graylog.plugins.threatintel.tools.AdapterDisabledException: Abuse.ch service is disabled, not starting adapter. To enable it please go to System / Configurations.
        at org.graylog.plugins.threatintel.adapters.abusech.AbuseChRansomAdapter.doStart(AbuseChRansomAdapter.java:80) ~[?:?]
        at org.graylog2.plugin.lookup.LookupDataAdapter.startUp(LookupDataAdapter.java:59) [graylog.jar:?]
        at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) [graylog.jar:?]
        at com.google.common.util.concurrent.Callables$4.run(Callables.java:122) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]
		
2018-08-27T10:27:22.615+02:00 ERROR [LookupDataAdapter] Couldn't start data adapter <spamhaus-drop/5b3639a41e32bb32fb57817d/@106c98cf>
org.graylog.plugins.threatintel.tools.AdapterDisabledException: Spamhaus service is disabled, not starting (E)DROP adapter. To enable it please go to System / Configurations.
        at org.graylog.plugins.threatintel.adapters.spamhaus.SpamhausEDROPDataAdapter.doStart(SpamhausEDROPDataAdapter.java:68) ~[?:?]
        at org.graylog2.plugin.lookup.LookupDataAdapter.startUp(LookupDataAdapter.java:59) [graylog.jar:?]
        at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) [graylog.jar:?]
        at com.google.common.util.concurrent.Callables$4.run(Callables.java:122) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]

2018-08-27T10:27:22.629+02:00 ERROR [LookupDataAdapter] Couldn't start data adapter <abuse-ch-ransomware-ip/5b3639a41e32bb32fb578178/@6fef56d2>
org.graylog.plugins.threatintel.tools.AdapterDisabledException: Abuse.ch service is disabled, not starting adapter. To enable it please go to System / Configurations.
        at org.graylog.plugins.threatintel.adapters.abusech.AbuseChRansomAdapter.doStart(AbuseChRansomAdapter.java:80) ~[?:?]
        at org.graylog2.plugin.lookup.LookupDataAdapter.startUp(LookupDataAdapter.java:59) [graylog.jar:?]
        at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) [graylog.jar:?]
        at com.google.common.util.concurrent.Callables$4.run(Callables.java:122) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]
		
2018-08-27T10:27:22.639+02:00 WARN  [OTXDataAdapter] OTX API key is missing. Make sure to add the key to allow higher request limits.

2018-08-27T10:27:22.640+02:00 ERROR [LookupDataAdapter] Couldn't start data adapter <tor-exit-node/5b3639a41e32bb32fb57817b/@36749d8a>
org.graylog.plugins.threatintel.tools.AdapterDisabledException: TOR service is disabled, not starting TOR exit addresses adapter. To enable it please go to System / Configurations.
        at org.graylog.plugins.threatintel.adapters.tor.TorExitNodeDataAdapter.doStart(TorExitNodeDataAdapter.java:73) ~[?:?]
        at org.graylog2.plugin.lookup.LookupDataAdapter.startUp(LookupDataAdapter.java:59) [graylog.jar:?]
        at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) [graylog.jar:?]
        at com.google.common.util.concurrent.Callables$4.run(Callables.java:122) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]

What does that mean ?

jan · August 27, 2018, 9:10am

That is related to the thread-intel plugin and the created lookup tables. Not related to your issue.

alban · August 27, 2018, 9:56am

i saved directory /var/lib/graylog-server/journal/ , stopped elasticsearch and graylog and deleted directory journal.
Now, i don’t have anymore unprocessed messages.

But i would like to know if it’s possible that graylog can integrate files “index/log” waiting stored on journal directory ?

jan · August 27, 2018, 1:32pm

The journal holds all unproccessed messages. If you deleted the content and restart Graylog the messages are lost.

You should have tried to find the reason that the journal is not drained before doing that.

alban · August 27, 2018, 1:58pm

FS / var / lib / elasticsearch was complete (98% this morning). For me, it’s the root cause

system · September 10, 2018, 1:58pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Could not load quick values (500) Graylog Central (peer support)	14	4230	February 12, 2018
Unable to decode raw message RawMessage cause 100% ProcessBuffer [Solved Partial] Graylog Central (peer support)	4	6742	May 4, 2017
Problem graylog + input kafka Graylog Central (peer support)	2	481	September 27, 2021
After Creating Long Search String Graylog Server Restarts and No Longer Processes Messages Graylog Central (peer support)	1	407	August 31, 2017
CSV Adapter cannot parse file, but Lookup still works Graylog Central (peer support)	4	1623	July 12, 2017

Lot of unprocessed messages

Related Topics