New installation: how to use local and public IP addresses in config files

No, 1 interface with a private 172. address and a public 131 address.
I’m using a cloud virtual machine which I can access via 131.

I’m reading the docs and blogs online about ‘graylog behind NAT’, but can’t find the right way to configure this.

I only want the graylog to be reached via its public IP.

gotcha… I believe you have to set the trusted proxy setting…

I configured this:

trusted_proxies = 84.85.28.128/32

sudo tcpdump -i ens3 port 9000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:02:51.171398 IP 84-85-28-128.fixed.kpn.net.60480 > graylog-759158.esbcmanagement.esbcnetworks.oraclevcn.com.9000: Flags [S], seq 3871046994, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3793941827 ecr 0,sackOK,eol], length 0
22:02:51.190924 IP 84-85-28-128.fixed.kpn.net.60481 > graylog-759158.esbcmanagement.esbcnetworks.oraclevcn.com.9000: Flags [S], seq 3531507931, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3793941852 ecr 0,sackOK,eol], length 0

quick question… sorry if it seems silly… are you restarting graylog after each of the config changes?

yes

sudo systemctl restart graylog-server.service

In the MongoDB, Elastic and Graylog logs I only see 1 error mentioned.

Oct 05 23:08:51 graylog systemd[1]: Stopped Elasticsearch.
Oct 05 23:08:51 graylog systemd[1]: Started Elasticsearch.
Oct 05 23:08:51 graylog elasticsearch[14534]: warning: Falling back to java on path. This behavior is deprecated. Specify JAVA_HOME
Oct 05 23:08:51 graylog elasticsearch[14534]: Java HotSpot(TM) 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.

I’m assuming then that all three are working fine.

for S’s and G’s, let’s do this…

http_bind_address = 127.0.0.1:9000
#http_publish
#http_external

#trusted_proxies

restart graylog, ssh to ubuntu and curl -i http://127.0.0.1:9000/api

If that works, I’m thinking the issue is a networking/security group issue with your cloud instance.

ubuntu@graylog:~$ sudo systemctl restart graylog-server.service
ubuntu@graylog:~$ curl -i http://127.0.0.1:9000/api
curl: (7) Failed to connect to 127.0.0.1 port 9000: Connection refused

server.conf =

is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret =
root_password_sha2 =
root_timezone = Europe/Amsterdam
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = 127.0.0.1:9000
web_enable = true
elasticsearch_hosts= http://172.16.0.145:9200/
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
proxied_requests_thread_pool_size = 32
ubuntu@graylog:~$
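
An added example, not from any poster in this thread or from the Graylog project: a small check of the server.conf settings discussed above for a host whose public address exists only in the cloud provider's NAT. Assumptions: `http_external_uri` is the full name of the key abbreviated in the thread as `#http_external`, 203.0.113.10 is a documentation placeholder for the public address, and 172.16.0.145 is taken to be the address on the interface.

```python
import ipaddress

# Constructed sample modelled on the thread's settings. 203.0.113.10 is a
# documentation placeholder for the public address, which the page elides.
SAMPLE_CONF = """\
http_bind_address = 127.0.0.1:9000
#http_external_uri = http://203.0.113.10:9000/
trusted_proxies = 84.85.28.128/32
password_secret =
"""

def parse_conf(text):
    """Parse `key = value` lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def check(conf, local_addrs):
    """Return findings; local_addrs are the addresses configured on the NIC."""
    findings = []
    if not conf.get("password_secret"):  # may just be redacted in a forum post
        findings.append("password_secret empty: server refuses to start")
    bind = conf.get("http_bind_address", "127.0.0.1:9000")
    host = bind.rsplit(":", 1)[0].strip("[]")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return findings + [f"bind host {host!r} is a name: resolve it first"]
    if addr.is_loopback:
        findings.append("bound to loopback: only reachable from the host itself")
    elif not addr.is_unspecified and host not in local_addrs:
        findings.append(f"{host} is not on a local interface: bind will fail")
    elif "http_external_uri" not in conf:
        findings.append("http_external_uri unset: UI advertises a private address")
    if addr.is_unspecified:
        findings.append("bound to all interfaces: limit port 9000 in the firewall")
    for net in conf.get("trusted_proxies", "").replace(" ", "").split(","):
        if net and not ipaddress.ip_network(net, strict=False).is_private:
            findings.append(f"trusted_proxies {net}: public host may set "
                            "X-Forwarded-For; this is not a client allow-list")
    return findings

if __name__ == "__main__":
    for finding in check(parse_conf(SAMPLE_CONF), {"172.16.0.145"}):
        print("-", finding)
```

Pass the addresses shown by `ip -4 addr` as `local_addrs`; on a NAT'd cloud instance the public address will not be among them.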
