Set graylog2 to keep log in 1 week

Graylog Central (peer support)
1

Hi everyone,
I want to set graylog retention to keep log in 1 week, so I set indices like the image below, but it sill only keep 1 days

image
image1042×703 37.5 KB

When I try to reach a oldest log, Graylog show:

Could not execute search
There was an error executing your search. Please check your Graylog server logs for more information.

Error Message:
Unable to fulfill search request: cannot GET http://192.168.70.89:9000/api/search/universal/relative?query=gl2_source_input%3A5955e9b96454d00c2889491c&range=28800&limit=150&offset=10350&sort=timestamp%3Adesc (500)
Search status code:
500

I follow the instruction from the link logging - Graylog2- how to config logs retention to 1 week - Stack Overflow, please advise me how to fix the issue.

2

Why don’t you set the rotation period to 1 week (P1W) if you want to keep logs for 1 week?

3

For me, 15 indices sounds good; you always have at most 12 hours extra.

The error message sounds weird. What does the list of indices in the default index set look like? Did you already try to recalculate index ranges?

4

I tried to set 1 week, even in retention strategey, I tried to set “Do nothing”, but log file still be keep in only 1 day.
Here is my default index set. I tried to recalculate index range. In log file there is a warning:

2017-07-31T09:26:32.499+07:00 WARN [SearchResource] Unable to execute search: all shards failed

image
image1881×435 32.4 KB

Another thing, why anytime I changed elasticsearch_max_time_per_index in server.conf, in Default index set not changes?

5

Please click tha blue “Default index set” text. This screen does not show the indices, but the index sets.

I think the error messages tell about something other than retention settings. Is your Elasticsearch cluster green? Any errors in the Elasticsearch log?

6

This issue: https://github.com/Graylog2/graylog2-server/issues/2917 has similar symptom; one possibility is that there is not enough memory on the Elasticsearch node, or the parameter max_result_window. Also this issue has the same message: https://github.com/Graylog2/graylog2-server/issues/3571

1 Like
7

the ES cluster is green with no error.

image
image1631×990 82.3 KB

root@log-center:/etc/elasticsearch# curl -XGET ‘http://localhost:9200/_cluster/health?pretty=true’
{
“cluster_name” : “graylog”,
“status” : “green”,
“timed_out” : false,
“number_of_nodes” : 2,
“number_of_data_nodes” : 1,
“active_primary_shards” : 44,
“active_shards” : 44,
“relocating_shards” : 0,
“initializing_shards” : 0,
“unassigned_shards” : 0,
“delayed_unassigned_shards” : 0,
“number_of_pending_tasks” : 0,
“number_of_in_flight_fetch” : 0,
“task_max_waiting_in_queue_millis” : 0,
“active_shards_percent_as_number” : 100.0
}
root@log-center:/etc/elasticsearch# curl -X get http://localhost:9200/_cat/indices
green open graylog_9 4 0 50882127 0 15.2gb 15.2gb
green open graylog_8 4 0 6386896 0 1.8gb 1.8gb
green open graylog_7 4 0 16745766 0 5gb 5gb
green open graylog_6 4 0 6332252 0 1.8gb 1.8gb
green open graylog_1 4 0 48887836 0 14.6gb 14.6gb
green open graylog_0 4 0 1948195 0 821.3mb 821.3mb
green open graylog_10 4 0 814210 0 267mb 267mb
green open graylog_5 4 0 17187699 0 5.1gb 5.1gb
green open graylog_4 4 0 6567495 0 1.9gb 1.9gb
green open graylog_3 4 0 8971211 0 2.6gb 2.6gb
green open graylog_2 4 0 30630332 0 9.2gb 9.2gb

base on your link, I increase all index to 50000

curl -XPUT “http:// localhost:9200/graylog_10/_settings” -d ‘{ “index” : { “max_result_window” : 50000} }’
curl -XPUT “http:// localhost:9200/graylog_9/_settings” -d ‘{ “index” : { “max_result_window” : 50000} }’
curl -XPUT “http:// localhost:9200/graylog_8/_settings” -d ‘{ “index” : { “max_result_window” : 50000} }’



after did it, I can go past more than 66 page in search results, but it still only 1 day log, I have some graylog input which no much log, you can see in picture below, I go to last page with only log in current day. :frowning:

[Album] imgur.com
8

hi,

you can switch from relative to absolute time in your search screen and try to query just events more than 24h ago. To me it looks like the index graylog_9 contains older messages than one day. See http://docs.graylog.org/en/2.3/pages/queries.html#time-frame-selector

1 Like
9

awesome, my bad, I leave the search bar default, so it only show in the last 8 hours. After I set relative time as you suggest, I can see log from another days. Thanks for your kind support, I appreciate it.

10

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.