(Still) Unable To Edit Extractors

I realize there are two other (old) topics that attempted to address and resolve this issue, however, I didn’t see or find a resolution. That said, I thought I’d post about this and see if anyone has any input or new information.

I have a handful of extractors that I can no longer edit. I can create new ones and delete them, but cannot edit any, even those that are newly created. I’ve attempted the troubleshooting below to see if I can fix this but to no avail. Any help is welcome and should I need to provide anything further, please let me know. Thanks.

  • Create a new input, add an extractor and attempt to edit
  • Upgraded and restarted all services associated with Graylog (Elastic and Mongo)
  • Upgraded and rebooted OS (Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
  • Upgraded Graylog (minor and major versions) by moving within 3.3 and then moving to 4.1
  • Recalculated the indices
  • Rotated the active index
  • Tailed server.log when creating, deleting, and trying to edit extractor. Log file shows evidence of creation or deletion, but nothing is writing to the log file when trying to edit.

Hello,
Maybe I can help.

When you navigate to your INPUT and click on " Manage Extractors" which will direct you to all your Extractors for that input what happens when you click on the Edit button?

If the edit button does work and Graylog redirects you to edit page are you unable to type into the edit box or is it when you click on the "Update extractor’ button it doesnt save it.
Does this Graylog user have permission?

Did you look in Elasticsearch log files and/or MongoDb for anything that would pertain to this issue?

Hi gsmith,
I have not looked at the Elastic and Mongo logs yet but will. Here’s what happens when I click on edit. It never loads no matter how long I stay on this page.

Ok I understand now.
When that is stuck on loading can you tail you Elasticsearch log file to see if there are any errors/warnings that may pertain to this issue.
Maybe something like this.

tail -f /var/log/elasticsearch/elasticsearch.log

Maybe the same with MongoDb

tail -f /var/log/mongodb/mongod.log

If you can post you logs and/or configuration files here that would be great.

EDIT: Check your permission for Graylog config directory.

chown graylog:graylog -R /etc/graylog/

Should look something like this.

Try to diff graylog’s config file from old and new verstion. It’s problem especially from older versions, where some parameters are missing or have different default values. Use vimdiff or your favourite diff program and merge 2 config files.

Try to enable cors in config file, as it was enabled by default in versions older than 4.0.
http_enable_cors = true

1 Like

I tailed the Elastic and Mongo log files and nothing shows up when I attempt to edit the extractor. When I add or delete an extractor I do see activity and I’m able to do so without issue.

As for the chown for the Graylog directory; is it supposed to be that way? I’ve always had the owner as root and never had an issue. I have more than one instance of Graylog running in my environment and root owns that directory. No issues with editing the extractors on that instance. Just curious if that should be changed. Thanks.

Hey shoothub,
I diffed the files and here are the only differences I found.

Old Config
#Global request timeout for Elasticsearch requests (e. g. during search, index creation, or index time-#range calculations) based on a best-effort to restrict the runtime of Elasticsearch operations.
#Default: 1m
#elasticsearch_request_timeout = 1m

New Config
#Mute the logging-output of ES deprecation warnings during REST calls in the ES RestClient
#elasticsearch_mute_deprecation_warnings = true

Old Config
#Disable the use of SIGAR for collecting system stats
#disable_sigar = false

New Config
#Disable the use of a native system stats collector (currently OSHI)
#disable_native_system_stats_collector = false

I also checked the cors and it was disabled in my old config file prior to upgrading to 4.1.

Hello

Well if its working for you on other graylog servers. So I take it you have graylog running as root? For troubleshooting it only take 2 seconds to see if it makes a difference. Probably might not but you never know.

Do you see anything when check the status of Elasticsearch?
systemctl status elasticsearch
or
systemctl status garylog-server
Did you check what @shoothub suggested

Did you try enabling cors then restarting Graylog service? If so, what was the outcome?
What type of installation is this? ( Docker, Deb, RPM, OVA, etc…)

Just an Idea have you tried to clear the cache in the browser and relaunching it?
It is hard to notice what is creating your issue without seeing your confgiurations and/or logs.
Can you post your Graylog and/or elasticsearch config file?

I’m also running into this issue but in my case i’m seeing ES errors where graylog is trying to search indexes that no longer exist (for deleted index sets) and I get the following exception in the browser console.

Uncaught (in promise) FetchError: There was an error fetching a resource: Internal Server Error. Additional information: Unable to perform search query

I think i’m only seeing the ES error becase I have security setup and the old indexes don’t match the index permission pattern I have on the ES security role.

Also to add I also see the same error from ES when trying to add a new extractor to a completely different new input as well.

Ok i’ve managed to figure this out (in my case at least), the old indexes pointed me in the right direction and I found several orphaned index_ranges in the mongo config DB referring to the old indexes. Removed the relevant documents from the collection and problem solved I can add/edit extractors again.