Should I restart Graylog?

(Monchito) #1

Hi all. When i get the Graylog slow, i restarted it, but every time that i do it something happens, for example : “unassigned shards” , and at this time the alerts stop working too, but i solved already (i think) deleting old indices.

So my question: ¿Is oK to make : sudo reboot or sudo graylog-crt restart ?

Thanks!
PS: Graylog v2.0.3

(Jan Doberstein) #2

@monchito

welcome to the community - with that little information give about your setup it is impossible to give you an answer that will help you.
You could always restart a service or a server and in most times this might help. But you should find the reason why graylog is becoming slow.

But first, it looks like you are using the OVA in Production, that is not recommend as you are not able to make all necessary settings to tune your setup to the max.

Have a good day
Jan

(Monchito) #3

Hi Jan, thanks for your kindly reply, and sorry for my late response.

What kind of data should i collect for troubleshooting?
If OVA is not recommended for production, which version do you suggest?

Thanks, and have good day you too.
bye
Monchito.

(Jan Doberstein) #4

hej @monchito

you should install the environment yourself - following the step-by-step guides. What OS you prefer is up to your defaults.

The description that it is “slow” and you fixed it somehow is that generic like “my phone rings, and then stops making noise”.

Did you check your disk usage? how many messages you are ingesting? how many resources does the server have? All services up and running? How much processing did you do with your messages? What happens short before the server becoming slow? What did you have done to fix it? What was the result?

(Monchito) #5

Hi Jan, your are right, my question is really ambiguous, sorry for that. I’m brand new on Graylog and i’m not a sysadmin, I read forums and some documentation to try to solve this thing. Sometimes work fine, but sometime not.

Here are some data:

Errors:

imagen
imagen.png1488x87 9.93 KB

And:
imagen
imagen.png1756x379 44.9 KB

CPU:
imagen

Memory and Buffer

imagen
imagen.png1888x665 59.1 KB

Elasticsearch data
imagen

Services running:
imagen

Inputs running:

imagen
imagen.png322x529 22.5 KB

Disk:
imagen

Things than I try:

  1. When i delete all indices, the shards gone, but later i get shards again.
  2. I send very less message to the 3th input (changing logging level), and get better

imagen
imagen.png1883x771 65.2 KB

So, i think someone change the configuration of one device, modifying the logging level, so graylog exploted. I don’t know if this the definitive solution, but i’ll see it in these days.

Thanks the reply, and the pacience ;).

Have a good friday, and sorry my English
Monchito

(Jan Doberstein) #6

what is your index retention and sharding settings? you can see them in system > indices in the web interface.

i think that your available resources are to low for the given ingest rate.

(Monchito) #7

You mean this?

imagen
imagen.png588x597 27.1 KB

Got small disk:
imagen

(Jochen) #8

You configured to keep 20 indices with 1 GB (approx.) each but you don’t have 20 GB of free disk space.

(Monchito) #9

Hi @jochen ,because are already occupied in other indices. For example:

imagen
imagen.png1009x798 79 KB

Or i my wrong?

(system) #10

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.