We are receiving this message at every minute.
Already checked the NTP and GC, both looks ok.
[ ~]# jhsdb jmap --heap --pid 99383
Attaching to process ID 99383, please wait...
Debugger attached successfully.
Server compiler detected.
JVM version is 11.0.6+10-LTS
using thread-local object allocation.
Garbage-First (G1) GC with 23 thread(s)
Heap Configuration:
MinHeapFreeRatio = 40
MaxHeapFreeRatio = 70
MaxHeapSize = 17179869184 (16384.0MB)
NewSize = 1363144 (1.2999954223632812MB)
MaxNewSize = 8589934592 (8192.0MB)
OldSize = 5452592 (5.1999969482421875MB)
NewRatio = 1
SurvivorRatio = 8
MetaspaceSize = 21807104 (20.796875MB)
CompressedClassSpaceSize = 1073741824 (1024.0MB)
MaxMetaspaceSize = 17592186044415 MB
G1HeapRegionSize = 8388608 (8.0MB)
Heap Usage:
G1 Heap:
regions = 2048
capacity = 17179869184 (16384.0MB)
used = 5469285728 (5215.917327880859MB)
free = 11710583456 (11168.08267211914MB)
31.835432909429073% used
G1 Young Generation:
Eden Space:
regions = 405
capacity = 9017753600 (8600.0MB)
used = 3397386240 (3240.0MB)
free = 5620367360 (5360.0MB)
37.674418604651166% used
Survivor Space:
regions = 1
capacity = 8388608 (8.0MB)
used = 8388608 (8.0MB)
free = 0 (0.0MB)
100.0% used
G1 Old Generation:
regions = 248
capacity = 8153726976 (7776.0MB)
used = 2071899488 (1975.9173278808594MB)
free = 6081827488 (5800.082672119141MB)
25.41045946348842% used
http_bind_address set to 0.0.0.0:9000 on all nodes (http_publish_uri is not set).
In the log theres this error about the event processor but I dont know if it is a consequence or cause of the master āfailureā. The alert page does not load.
2020-04-17T15:34:00.694-03:00 ERROR [EventProcessorEngine] Caught an unhandled exception while executing event processor <aggregation-v1/Teste CDNPS/5dc031b6785c9de74c0fe418> - Make sure to modify the event processor to throw only EventProcessorExecutionException so we get more context!
com.google.inject.ProvisionException: Unable to provision, see the following errors:
1) Error injecting constructor, java.lang.RuntimeException: Couldn't get node ID
at org.graylog.events.event.EventProcessorEventFactory.<init>(EventProcessorEventFactory.java:34)
while locating org.graylog.events.event.EventProcessorEventFactory
The message is shown basically on all nodes but mainly on master.
We have the master node(note receiving data) and six data nodes with the same config:
Graylog 3.1.2
JVM Oracle Corporation 11.0.6 on Linux 3.10.0-1062.9.1.el7.x86_64
32 CPU, 32 GB (16 heap)
Has this been working and this issue is now coming up or is this a new install and you are trying to solve this issue as part of the initial deploy?
without pointing a finger. keep in mind that Graylog 3.x is the first version to support Java 11, so there may be some issues to iron out there. not blaming itā¦ just mentioning.
Canāt tell you when it started. It is a legacy problem from other people. What I can say is that we upgraded to Java11 to try to solve the problem, what didnt happen.
sounds like something is intermittently interrupting comms between the graylog nodesā¦ is anything between them that could be causing connectivity issues? Not sure if thereās a way to debug the heartbeat between nodes, but if you do a packet capture on the master node for all traffic between the master and slave nodes, you may see something.
Off the top of my head, things that can randomly block traffic include
firewalls shunning traffic
NGFW or IDS/IPS doing deep packet inspection
proxy-arp
duplicate IP address
and then thereās the malicious options too
@RCR Iām new to Graylog but hopefully I can be of some help. Based on looking at the EventProcessorEventFactory.java code the node ID is being retrieved by first retrieving the hostname of the node from the Graylog configuration. Unfortunately, there isnāt sufficient granularity in the code to determine if the hostname retrieval is the part that is failing or if itās still something related to the node ID lookup using the hostname. So we have to tackle one at a time to see what we find. I donāt think this is a connection issue from node to node because there isnāt any indication that communication is attempting to occur over the network. This seems to be an issue with the configuration in the database.
Can you provide the contents of your /etc/graylog/server/node-id files for review? The UUID in the file for each node should match the corresponding UUID in the Mongo database.
Additionally, the hostnames are set in Graylog when the nodes are registered.
To confirm the hostnames and UUIDs are correct you can connect to the Mongo db.
Run āmongoā at the command shell on your master node. Then execute the following 2 commands to retrieve the node config information in json format.
use graylog
db.nodes.find()
Provide this output for review.
Is it possible you have nodes that were registered multiple times?
The message is shown by the master, just a few times for the other nodes. Do you think that connection between nodes can be the cause? To make a test, I disabled firewalld and the problem didnt stop.
do you have the underlying MongoDB setup as a replica set? Iām not sure that it is a network issue, but that type of message is a typical heartbeat lost type of message/failover.
Iām curious what path @bmccombs is heading down, but if I were troubleshooting thisā¦ I would definitely try to rule out the network.
@RCR
Have your nodesā hostnames changed since they were registered? Maybe itās worthwhile to check /etc/hosts and/or DNS records to see if the hostnames differ from what Mongodb has stored for them.
Do you have these logs being sent to Graylog or some place where you can try searching to see when they first occurred? That can help to isolate and maybe identify the root cause.You asked initially if these errors are a cause or effect of the masterās failure. If you can search for these logs and target the timeframe when you know the master failed then you can see if these errors were occurring beforehand to confirm your initial question.
@cawfehman The code indicates itās trying to do a lookup of node id using the hostname (by using data either cached or hitting the db directly, I canāt tell which). So itās not yet trying to communicate with other nodes yet based on that. Agree? The code below is from latest revision rather than the version RCR is using.
public EventProcessorEventFactory(ULID ulid, NodeService nodeService, NodeId nodeId) {
this.ulid = ulid;
try {
// TODO: This can fail depending on when it's called. Check if we can load it in create() and cache it
this.source = nodeService.byNodeId(nodeId).getHostname();
} catch (NodeNotFoundException e) {
throw new RuntimeException("Couldn't get node ID", e);
}
}
Have your nodesā hostnames changed since they were registered? Maybe itās worthwhile to check /etc/hosts and/or DNS records to see if the hostnames differ from what Mongodb has stored for them.
I have checked, the hostname is correct in /etc/hosts. They are the same. Didnt check DNS, but tried to ping and theres no problem.
Do you have these logs being sent to Graylog or some place where you can try searching to see when they first occurred? That can help to isolate and maybe identify the root cause.You asked initially if these errors are a cause or effect of the masterās failure. If you can search for these logs and target the timeframe when you know the master failed then you can see if these errors were occurring beforehand to confirm your initial question.
We donāt have it stored anywhere else and also canāt tell when it started because when I started to work with it it was already happening and I we donāt have logs older than that. thats why I am trying anything.
Iāll set another node as master, to see what happens. We had an issue, so I am waiting the acumulated messages to be stored on elastic so Iāll try it.
Ping will use the hosts file first before DNS unless the /etc/nsswitch.conf file says differently. So most likely the ping didnāt actually test the DNS records. Iām not sure if formal name resolution is playing a part here or not but it was a simple enough issue to test so thatās why I mention this.
Iām no java expertā¦ hardly a beginner tbhā¦ so I could be off here, but after stumbling through some of the code, it seems to me that the NodeId is passed into the EventProcessorEventFactory method, so wouldnāt it be the other way around? trying to get the hostname based on the NodeID?
If that is true, then Iām thinking 3 things:
the Error is a bit misleading as it should say āCouldnāt get hostnameā.
what is the nodeID being passed in and where is it coming from?
could this be due to some underlying MongoDB issue? Replica set, etcā¦
I do agree with you now that I donāt think itās a network issue. At least not yet
@RCR do you have a MongoDB replica set setup across your nodes? If so, any errors there?
I was looking at Mongodb too but theres nothing on the logs so donāt know where else to look.
Yes, we a have a replicaset.
At 07:39 we got the message on Graylog and that is the the Mongodbās logs:
2020-04-24T07:38:24.072-0300 I NETWORK [conn102741] end connection x.x.x.x:xxxx (502 connections now open)
2020-04-24T07:38:39.568-0300 I STORAGE [WT OplogTruncaterThread: local.oplog.rs] WiredTiger record store oplog truncation finished in: 1ms
2020-04-24T07:38:54.072-0300 I NETWORK [listener] connection accepted from x.x.x.x:xxxx #102742 (503 connections now open)
2020-04-24T07:38:54.072-0300 I NETWORK [conn102742] end connection x.x.x.x:xxxx (502 connections now open)
2020-04-24T07:39:24.072-0300 I NETWORK [listener] connection accepted from x.x.x.x:xxxx #102743 (503 connections now open)
2020-04-24T07:39:24.073-0300 I NETWORK [conn102743] end connection x.x.x.x:xxxx (502 connections now open)
2020-04-24T07:39:31.746-0300 I STORAGE [WT OplogTruncaterThread: local.oplog.rs] WiredTiger record store oplog truncation finished in: 2ms
2020-04-24T07:39:54.072-0300 I NETWORK [listener] connection accepted from x.x.x.x:xxxx #102744 (503 connections now open)
2020-04-24T07:39:54.072-0300 I NETWORK [conn102744] end connection x.x.x.x:xxxx (502 connections now open)
2020-04-24T07:40:11.267-0300 I ACCESS [conn48611] Successfully authenticated as principal __system on local
2020-04-24T07:40:11.270-0300 I ACCESS [conn48611] Successfully authenticated as principal __system on local
2020-04-24T07:40:11.273-0300 I ACCESS [conn48611] Successfully authenticated as principal __system on local
And this is the Graylogās master logs:
2020-04-24T07:35:53.032-03:00 WARN [NodePingThread] Did not find meta info of this node. Re-registering.
2020-04-24T07:38:02.220-03:00 WARN [NodePingThread] Did not find meta info of this node. Re-registering.
2020-04-24T07:39:31.172-03:00 WARN [NodePingThread] Did not find meta info of this node. Re-registering.
2020-04-24T08:18:54.164-03:00 INFO [IndexRangesCleanupPeriodical] Removing index range information for unavailable indices: [8acd95272406056f8beee0ce8eeee02f_testeteste_0, 464c5b1ef22aec3a75c016b5ca6b335b_testeteste_0, 823ee89f5d97dd3bc732e61265fa30a9_testeteste_0, d3dd23f23876edebb28778294dc6a922_pro_99999_sms_0, 5c915bb69de9b27d2b1e9e3ca8e2d16c_testeteste_0, 3b87da1cddaa60e2a6318e821413ecc8_testeteste_0]
Yesterday also tryed to disable firewalld on both nodes (Graylog Master and MongoDB primary) and had put another node as GL master but the problem persists.
Argh, yes, you are right. Apparently I was rushing too much when reviewing the code so I was misreading it. Itās retrieving the hostname based on the nodeId, which is passed into the method, so I agree with your assessment of that part.
So, yes, in my opinion the error should really be that it couldnāt get the hostname because the nodeID should already be known when the EventProcessorEventFactory method is called. It probably wouldnāt hurt to have a check for a null nodeID for that matter. And it would be great to have the error include the nodeID and what the retrieved hostname was to know, for example, if the hostname was empty string or some other value, in order to do some proper debugging/troubleshooting for future issues.
The best we can go on right now is the fact that the exception is called a NodeNotFoundException which would indicate that the nodeID being used simply doesnāt exist and therefore the hostname is probably null or an empty string. So another theory for @RCR might be that maybe a node was removed and not cleaned up properly and this code is still finding a reference to it somewhere.
Maybe this could have been the result of the masterās previous failure if the master node had to be re-registered which I assume would have generated a new UUID but, depending on how that issue was addressed, maybe there are still some references to the old UUID being used for some code paths.
How much youāll have to be concerned about Graylog in the process of doing that is not something I know the answer to. Iām not sure what you mean when asking if ES can be related.
I will discuss with the team if we should try the reset, thanks!
I was just wondering if there is any communication between Graylog and Elastic that could be causing this. Our cluster have 42 data nodes, 3 master and maybe some config could be wrong.
The fact is that the whole system is working, we are working with 15k m/s without problems.
I was just wondering if there is any communication between Graylog and Elastic that could be causing this. Our cluster have 42 data nodes, 3 master and maybe some config could be wrong.
The fact is that the whole system is working, we are working with 15k m/s without problems.
I canāt say for certain but I doubt ES or Graylog caused this. My theory is that it is a result of your previous failure that you mentioned but I donāt have a way to prove that theory right or wrong. I donāt know enough about Graylog and the underlying components to know how likely it is that these errors are a result of the master nodeās previous failure or a symptom. But hopefully the reset works.
thats why I am trying anything.