Server log file empty

Graylog Central (peer support)
1

I’m having an issue implementing SSL with my Graylog Server and am finding that the service isn’t generating any log messages. There’s a server.log file at /var/log/graylog-server/ but it’s completely empty and was created way back in March (presumably when I first deployed this server). There are also 10 archives of logs in that folder that were all created on the same day in March.

When I start the service and check it’s status, I see the messages:

main ERROR Null object returned for RollingFile in Appenders.
main ERROR Unable to locate appender "rolling-file" for logger config "root"

Are these the cause of my missing logs? How should I go about fixing this?

2

I guess that your log4j.xml is not really valid and might be tampered in some way.

You should roll back to the original one and check again.

Jan

3

I’ve seen this file mentioned, but I’ve never configured one. I’ve searched the drive and there are no files with this name. I also don’t see such a file mentioned as an argument mentioned in the init script. Can you think of any place else to check for such a file?

4

depending on your installation: http://docs.graylog.org/en/2.4/pages/configuration/file_location.html

The file would look something similar to: https://github.com/Graylog2/graylog-docker/blob/2.4/config/log4j2.xml

5

Since I do not have this file, should I try to create one? Is there supposed to be one by default? Should it work without this?

6

the question is - how did you install Graylog and what version did you run?

7

I installed from a deb file onto a Ubuntu server. When I first installed, I believe it was version 2.1 but I’ve just recently updated to 2.4.

8

this file should be their then - but it might have happened something. I can’t think of. So yes, you should create that from the defaults.

You can extract that out of the .deb package or get if from github.

9

I took your advice. I went to the Graylog-server GitHub and used what I found there and restarted the service. The two errors in my OP were gone, but still no contents in the log file. I then extracted the original from the deb file and found it was not the same as what I found online. This one has references to the local file, so I’m thinking it’s right. I put it in and restarted the service and now I’m getting the same errors about not being able to locate the rolling file appender.

Perhaps I’m just missing the appender? I don’t know why that would be or how to go about reinstalling it.

10

Here’s the contents of the file

 <?xml version="1.0" encoding="UTF-8"?>
    <Configuration packages="org.graylog2.log4j" shutdownHook="disable">
    <Appenders>
        <RollingFile name="rolling-file" fileName="/var/log/graylog-server/server.log" filePattern="/var/log/graylog-server/server.log.%i.gz">
            <PatternLayout pattern="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{1}] %m%n"/>
            <Policies>
                <SizeBasedTriggeringPolicy size="50MB"/>
            </Policies>
            <DefaultRolloverStrategy max="10" fileIndex="min"/>
        </RollingFile>

        <!-- Internal Graylog log appender. Please do not disable. This makes internal log messages available via REST calls. -->
        <Memory name="graylog-internal-logs" bufferSize="500"/>
    </Appenders>
    <Loggers>
        <!-- Application Loggers -->
        <Logger name="org.graylog2" level="info"/>
        <Logger name="com.github.joschi.jadconfig" level="warn"/>
        <!-- This emits a harmless warning for ActiveDirectory every time which we can't work around :( -->
        <Logger name="org.apache.directory.api.ldap.model.message.BindRequestImpl" level="error"/>
        <!-- Prevent DEBUG message about Lucene Expressions not found. -->
        <Logger name="org.elasticsearch.script" level="warn"/>
        <!-- Disable messages from the version check -->
        <Logger name="org.graylog2.periodical.VersionCheckThread" level="off"/>
        <!-- Suppress crazy byte array dump of Drools -->
        <Logger name="org.drools.compiler.kie.builder.impl.KieRepositoryImpl" level="warn"/>
        <!-- Silence chatty natty -->
        <Logger name="com.joestelmach.natty.Parser" level="warn"/>
        <!-- Silence Kafka log chatter -->
        <Logger name="kafka.log.Log" level="warn"/>
        <Logger name="kafka.log.OffsetIndex" level="warn"/>
        <!-- Silence useless session validation messages -->
        <Logger name="org.apache.shiro.session.mgt.AbstractValidatingSessionManager" level="warn"/>
        <Root level="warn">
            <AppenderRef ref="rolling-file"/>
            <AppenderRef ref="graylog-internal-logs"/>
        </Root>
    </Loggers>
    </Configuration>
11

I’ve figured it out. The server.log file in /var/log/graylog was owned by root when everything else in the directory was owned by graylog. I deleted the server.log file and restarted the service and it started working. Thanks for the help!

12

is that file readable by Graylog? because the appender is in the configuration file present.

13

Which file are you asking about? log4j2.xml or server.log?

14

both - to be exact. Can Graylog read the log4j2.xml ? Can Graylog write to the server.log location?

15

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.