Prematurely reached end of stream

Graylog Central (peer support)
1

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

1. Describe your incident:

My Opnsense-Monitoring Stack, based off elasticsearch, mongodb and graylog is not working anymore. The culprit seems to be graylog that cannot connect to mongodb, yet mongodb is healthy. Every 60 seconds, graylog looses connection to mongodb, yet it connects again successfully, then after 60 seconds again the error “Prematurely reached end of stream” and so on.

2. Describe your environment:

  • OS Information: Debian 13 Docker VM,

  • Package Version: graylog:6.0.5

  • Service logs, configurations, and environment variables:

  • my stack:

version: ‘3’
services:
mongodb:
image: “mongo:7.0.26”
hostname: “mongo”
command: mongod --bind_ip 0.0.0.0
volumes:

  • “/srv/dockerdata/opnsense-monitoring/mongodb_data:/data/db”
    environment:
  • MONGO_INITDB_ROOT_USERNAME=graylog_user
  • MONGO_INITDB_ROOT_PASSWORD=nPjuPE8ssiMH7WbxUhEwruywg
    networks:
    vlan20:
    ipv4_address: 10.10.20.209
    restart: “on-failure”

elasticsearch:
container_name: elasticsearch
image: docker .elastic.co/elasticsearch/elasticsearch:7.10.2
volumes:

  • /srv/dockerdata/opnsense-monitoring/elasticsearch/data:/usr/share/elasticsearch/data
    environment:
  • TZ=XXX
  • http.host=0.0.0.0
  • transport.host=localhost
  • network.host=0.0.0.0
  • “ES_JAVA_OPTS=-Xms512m -Xmx512m”
  • ELASTIC_PASSWORD=XXX # password for default user: elastic
  • xpack.security.enabled=true
    restart: “unless-stopped”
    networks:
    vlan20:
    ipv4_address: 10.10.20.207
    ports:
  • 9200:9200

graylog:
container_name: graylog
image: graylog/graylog:6.0.5
volumes:

  • /srv/dockerdata/opnsense-monitoring/geolite/GeoLite2-Country.mmdb:/usr/share/graylog/data/GeoLite2-Country.mmdb
  • /srv/dockerdata/opnsense-monitoring/graylog/config:/usr/share/graylog/data/config
  • /srv/dockerdata/opnsense-monitoring/graylog/journal:/usr/share/graylog/data/journal
    environment:
  • TZ=Europe/Zurich
  • ROOT_TIMEZONE=XXX
  • GRAYLOG_TIMEZONE=XXX
  • GRAYLOG_PASSWORD_SECRET=XXX
  • GRAYLOG_ROOT_PASSWORD_SHA2=XXX
  • GRAYLOG_HTTP_EXTERNAL_URI=http://10.10.20.208:9000/
  • GRAYLOG_NODE_ID_FILE= /usr/share/graylog/data/config/node-id
  • GRAYLOG_ELASTICSEARCH_HOSTS=http://elastic:fGCxaGxskgkcdjD35qkxw2EJX@10.10.20.207:9200
  • GRAYLOG_MONGODB_URI=mongodb://XXX:XXX@10.10.20.209:27017/graylog
    entrypoint: /usr/bin/tini – wait-for-it elasticsearch:9200 – /docker-entrypoint.sh
    networks:
    vlan20:
    ipv4_address: 10.10.20.208
    depends_on:
  • elasticsearch
    ports:
  • 9000:9000
  • 1514:1514/udp
    restart: “unless-stopped”
    logging:
    driver: “json-file”
    options:
    max-size: “100m” # Maximum size for a single log file
    max-file: “3” # Maximum number of log files to keep

geolite:
container_name: geolite
image: maxmindinc/geoipupdate
environment:

  • GEOIPUPDATE_ACCOUNT_ID=XXX
  • GEOIPUPDATE_LICENSE_KEY=XXX
  • GEOIPUPDATE_EDITION_IDS=GeoLite2-Country
  • GEOIPUPDATE_FREQUENCY=24
    volumes:
  • /srv/dockerdata/opnsense-monitoring/geolite:/usr/share/GeoIP
    restart: “always”

networks:
vlan20:
external: true
name: vlan20

Logs Graylog:

2025-12-11 08:59:16,049 INFO : org.mongodb.driver.cluster - Waiting for server to become available for operation with ID 44833. Remaining time: 30000 ms. Selector: ReadPreferenceServerSelector{readPreference=primary}, topology description: {type=UNKNOWN, servers=[{address=10.10.20.209:27017, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketOpenException: Exception opening socket}, caused by {java.net.ConnectException: Connection refused}}].
2025-12-11 08:59:17,501 INFO : org.mongodb.driver.cluster - Monitor thread successfully connected to server with description ServerDescription{address=10.10.20.209:27017, type=STANDALONE, state=CONNECTED, ok=true, minWireVersion=0, maxWireVersion=21, maxDocumentSize=16777216, logicalSessionTimeoutMinutes=30, roundTripTimeNanos=884734}
2025-12-11 09:00:17,627 INFO : org.mongodb.driver.cluster - Exception in monitor thread while connecting to server 10.10.20.209:27017
com.mongodb.MongoSocketReadException: Prematurely reached end of stream
at com.mongodb.internal.connection.SocketStream.read(SocketStream.java:196) ~[graylog.jar:?]
at com.mongodb.internal.connection.SocketStream.read(SocketStream.java:178) ~[graylog.jar:?]
at com.mongodb.internal.connection.InternalStreamConnection.receiveResponseBuffers(InternalStreamConnection.java:716) ~[graylog.jar:?]
at com.mongodb.internal.connection.InternalStreamConnection.receiveMessageWithAdditionalTimeout(InternalStreamConnection.java:580) ~[graylog.jar:?]
at com.mongodb.internal.connection.InternalStreamConnection.receiveCommandMessageResponse(InternalStreamConnection.java:428) ~[graylog.jar:?]
at com.mongodb.internal.connection.InternalStreamConnection.receive(InternalStreamConnection.java:381) ~[graylog.jar:?]
at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.lookupServerDescription(DefaultServerMonitor.java:221) [graylog.jar:?]
at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:153) [graylog.jar:?]
at java.base/java.lang.Thread.run(Unknown Source) [?:?]
2025-12-11 09:00:17,628 INFO : org.mongodb.driver.cluster - Exception in monitor thread while connecting to server 10.10.20.209:27017
at com.mongodb.internal.connection.SocketStream.lambda$open$0(SocketStream.java:86) ~[graylog.jar:?]
com.mongodb.MongoSocketOpenException: Exception opening socket
at java.base/java.util.Optional.orElseThrow(Unknown Source) ~[?:?]
at com.mongodb.internal.connection.SocketStream.open(SocketStream.java:86) ~[graylog.jar:?]
at com.mongodb.internal.connection.InternalStreamConnection.open(InternalStreamConnection.java:201) ~[graylog.jar:?]
at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.lookupServerDescription(DefaultServerMonitor.java:193) [graylog.jar:?]
Caused by: java.net.ConnectException: Connection refused
at java.base/sun.nio.ch.Net.pollConnect(Native Method) ~[?:?]
at java.base/sun.nio.ch.Net.pollConnectNow(Unknown Source) ~[?:?]
at java.base/sun.nio.ch.NioSocketImpl.timedFinishConnect(Unknown Source) ~[?:?]
at java.base/sun.nio.ch.NioSocketImpl.connect(Unknown Source) ~[?:?]
at java.base/java.net.SocksSocketImpl.connect(Unknown Source) ~[?:?]
at java.base/java.net.Socket.connect(Unknown Source) ~[?:?]
at com.mongodb.internal.connection.SocketStreamHelper.initialize(SocketStreamHelper.java:76) ~[graylog.jar:?]
at com.mongodb.internal.connection.SocketStream.initializeSocket(SocketStream.java:105) ~[graylog.jar:?]
at com.mongodb.internal.connection.SocketStream.open(SocketStream.java:80) ~[graylog.jar:?]
… 4 more

Mongodb:

3. What steps have you already taken to try and solve the problem?

I repaired the MongoDB, checked various things online and using LLM, yet I found no solution.

I also tried this parameter ?socketKeepAlive=true at the end of GRAYLOG_MONGODB_URI, but that didn’t help.

4. How can the community help?

Help me find the root cause so I can mitigate this issue.

2

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.