Preflight Graylog Web interface Setup


1. Describe your incident:
I’ve installed Graylog Open with Data Node for Red Hat Installation: Single Graylog Node (RHEL 9.5)
After the installation has been successfully completed, I am in the Graylog initial setup which is the preflight login to access the Graylog web interface.

In step 1 : Under Configure Certificate Authority i.e. “Create new CA” it asks you to put Organization Name and I did that.

In step 2 : Under “Configure a renewal policy”, it asks for the renewal policy and certificate lifetime. I’ve set the renewal policy to automatic and certificate lifetime to 2 years and proceeded to click on “Create Policy”. It immediately gives a message “Renewal Policy Successfully Completed”

In step 3 : Under Provision certificates, it doesn’t give me the option to “Provision and Continue” and it shows a message “At least one Graylog data node needs to run before the certificate can be provisioned.” Instead it gives me the option to “Skip Provisioning”

In Step 4 : Once I clicked on “Skip Provisioning”, the next step shows up under “Configuration finished” which says “Resume Startup”. When I click on it, it gives me the following message
“Are you sure you want to resume startup without a running Graylog data node? This will cause the configuration to fall back to using an Opensearch instance on localhost:9200”

My question is that I haven’t installed Opensearch since I’ll use Data Node. I’m not sure why it’s redirecting me to Opensearch port 9200.

2. Describe your environment:

  • OS Information: Red Hat Enterprise Linux release 9.5 (Plow)

  • Package Version:
    MongoDB-org 7.0
    Graylog-6.1

3. What steps have you already taken to try and solve the problem?

I’ve checked if all my services are running such as datanode, mongodb and graylog. They are all active and running. Also, I’ve checked all the ports if they are open and added permanently to the firewall and they are listed below -
Graylog: 9000;
MongoDB:27017
Data Node : 9300 (Even though I never had to add this port in my mongod.conf , datanode.conf or server.conf)

4. How can the community help?
I would really appreciate it if someone from this awesome community can point me in the right direction on how to provision the certificate from Graylog, that is, creating a new CA instead of skipping the provisioning. That option for “Create New CA” is not coming up for me at all. Let’s say I skip the provisioning and continue to the next step, then why is it showing me the below message
“Are you sure you want to resume startup without a running Graylog data node? This will cause the configuration to fall back to using an Opensearch instance on localhost:9200”

And what happens if I agree to this message? I am concerned since I do not have any port 9200 added to my firewall for OpenSearch.
My final goal is that I wanted to get into the web interface and add my devices to get the logs.

If you need more details about my setup, please feel free to ask! Thanks in advance everyone for all the help!


Hi @arafat16,
It seems that your data node is not running correctly or can’t connect to your mongodb, which is the communication/connection link between data nodes and graylog servers.

Let’s figure out what’s happening to your data node and why you can’t see it in the preflight. As you have already skipped the preflight, you’ll need to delete content of your mongodb (at least the graylog database) and restart graylog server. This should send you to the preflight again.

Now let’s figure out what’s wrong with your data node. Can you check that you have configured the same mongodb connection string for both data node and server? Are there any exceptions in the datanode log? Can you give me the datanode.log?

The 9300 port is the transport port of opensearch (opensearch cluster communication), managed by the data node. You don’t need to configure it anywhere, but it should be accessible to successfully form a data node/opensearch cluster.

Best regards,
Tomas

Hi @Tdvorak
Thank you for your reply. I apologize for asking what may seem like a silly question, but could you please guide me on how to delete the content from the MongoDB and Graylog databases you mentioned?

Are the steps below the right way to delete the MongoDB content?

  1. Connect to MongoDB : mongosh
  2. List Databases : show dbs
  3. Delete the Graylog Database : use graylog
    db.dropDatabase()
    and a confirmation will be showing up like this { ok: 1 }

For the second part of your question:

Yes, I have set the mongodb_uri for both the data node.conf and server.conf to this : mongodb_uri = mongodb://10.35.4.20:27017/graylog

Upon checking the datanode.log file I can see the following error:

Preflight check failed with error: /proc/sys/vm/max_map_count value should be at least 262144 but is 65530 (set via “vm.max_map_count” sysctl)
2025-04-22T03:49:25.968-05:00 ERROR [CmdLineTool] Startup error:
org.graylog2.bootstrap.preflight.PreflightCheckException: /proc/sys/vm/max_map_count value should be at least 262144 but is 65530 (set via “vm.max_map_count” sysctl)

So, I use the following command to check the current value:
sysctl -w vm.max_map_count=262144

Upon checking the current value of vm.max_map_count, I found out it’s still showing 262144 for me. I am not entirely sure why the error I got was showing the settings to 65530.

I am unable to attach all the screenshots because the new user restriction is set to only one file in this forum.

However, I’ve attached the screenshot of the error it is showing.

I appreciate the clarification of port 9300.

Once again, thank you for all your help

Hi @arafat16,
Thanks for all the information.

The mongodb steps sound good, that should work fine.

The max_map_count then explains why you aren’t seeing any data node in the preflight. The data node stops because of the problem.

I’d suggest following what opensearch recommends: Installing OpenSearch - OpenSearch Documentation

To increase the value, add the following line to /etc/sysctl.conf:
vm.max_map_count=262144

Then run sudo sysctl -p to reload.

This is a persistent setting, so afterwards you can reboot your machine and start the data node service again. Then you should be able to see your data node in the preflight.

Let me know if this helps or I can assist you further.

Best regards
Tomas
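
An added example, not part of the reply above or of the Graylog or OpenSearch documentation: a shell check that tells a vm.max_map_count set only at runtime (as with `sysctl -w`) apart from one persisted in the sysctl configuration files, using the 262144 minimum from the preflight error in this thread. The function names and the "last assignment across the listed files wins" reading are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare the running vm.max_map_count with the persisted one.
REQUIRED=262144   # minimum quoted in the data node preflight error in this thread

# Print the last vm.max_map_count assigned in the given sysctl config files.
# Commented-out lines are ignored; prints nothing if no file sets the key.
# Assumption: files are passed in the order they are applied.
persisted_max_map_count() {
    for f in "$@"; do
        if [ -r "$f" ]; then cat "$f"; fi
    done |
        sed -n 's/^[[:space:]]*vm\.max_map_count[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        tail -n 1
}

# classify RUNTIME PERSISTED -> ok | runtime-only | persisted-not-loaded | too-low
classify() {
    runtime=$1
    persisted=${2:-0}   # an unset persisted value counts as 0
    if [ "$runtime" -ge "$REQUIRED" ] && [ "$persisted" -ge "$REQUIRED" ]; then
        echo ok
    elif [ "$runtime" -ge "$REQUIRED" ]; then
        echo runtime-only           # kernel value is fine now, but is lost at reboot
    elif [ "$persisted" -ge "$REQUIRED" ]; then
        echo persisted-not-loaded   # in a config file, but not yet loaded (sysctl -p or reboot)
    else
        echo too-low                # the data node preflight check will fail
    fi
}

# Inspect this host: running kernel value versus the config files.
check_host() {
    runtime=$(cat /proc/sys/vm/max_map_count)
    persisted=$(persisted_max_map_count /etc/sysctl.d/*.conf /etc/sysctl.conf)
    echo "runtime=$runtime persisted=${persisted:-unset} state=$(classify "$runtime" "$persisted")"
}

# Run the host check only when asked: sh thisfile.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

A `runtime-only` result means the data node starts now but will hit the same preflight error after the next reboot unless the line is also added to /etc/sysctl.conf.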


Thank you so much @Tdvorak !! It has fixed it! I really appreciate your help!! :folded_hands:
