So, I came to work today and found 2 notifications waiting for me in Graylog: “uncommited messages deleted from journal” and “journal utilization is too high”. Since the second mentions “verify that your Elasticsearch cluster is healthy and fast enough” I thought: the easier/faster way should be cloning the VM, changing its IP and following Graylog’s docs:
    vm3> sudo graylog-ctl set-cluster-master <ip-of-vm1>
    vm3> sudo graylog-ctl reconfigure-as-datanode
So I did. But nothing seems to have changed. On the Nodes page I can see the journal has 1,900k unprocessed messages. Am I doing something wrong? What should/could I do instead?
(edit) In time, I think the cluster is doing fine and has been recognized by master, since Elasticsearch cluster info on Overview page changed from yellow (for having everything on just one VM) to green…
(edit2) Meh, never mind. I tried a couple of things, broke the machine, restored a previous VM snapshot, cloned it twice and executed the whole process of the documentation. Everything is running OK now =)
    vm1> sudo graylog-ctl reconfigure-as-server
    vm2> sudo graylog-ctl set-cluster-master <ip-of-vm1>
    vm2> sudo graylog-ctl reconfigure-as-datanode
    vm1> sudo graylog-ctl reconfigure-as-server
    vm3> sudo graylog-ctl set-cluster-master <ip-of-vm1>
    vm3> sudo graylog-ctl reconfigure-as-datanode
    vm1> sudo graylog-ctl reconfigure-as-server
    vm2> sudo graylog-ctl reconfigure-as-datanode