lionel
March 12, 2018, 3:14pm
1
Hi,
I’ve just upgraded my installation and switched from one Graylog server to a cluster of 3 Graylog members.
But since I’ve done this, my stream alerts have stopped working. So is there some special config needed in order to get my alerts back online?
Thank you for helping
jochen
(Jochen)
March 12, 2018, 3:26pm
2
From which version to which version did you upgrade?
What’s the complete configuration of all three Graylog nodes?
http://docs.graylog.org/en/2.4/pages/configuration/file_location.html
lionel
March 12, 2018, 3:45pm
3
I stayed on version 2.4
Before :
1 graylog server with mongodb
1 cluster elastic search : 3 servers
After:
3 graylog server with mongodb (replica set)
1 cluster elastic search : 3 servers
Is it the Graylog master which is responsible for triggering alerts?
Slave:
is_master = false
Master :
is_master = true
Common conf (except url) :
node_id_file = /etc/graylog/server/node-id
plugin_dir = /usr/share/graylog-server/plugin
rest_listen_uri = http://nil-adm.cines.fr:9000/api/
rest_enable_gzip = false
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/server/ssl/nil.crt
rest_tls_key_file = /etc/graylog/server/ssl/pkcs8-plain.nil.key
web_listen_uri = http://nil-adm.cines.fr:9000/
web_enable_gzip = false
web_enable_tls = true
web_tls_cert_file = /etc/graylog/server/ssl/nil.crt
web_tls_key_file = /etc/graylog/server/ssl/pkcs8-plain.nil.key
elasticsearch_hosts = http://x.y.z.1:9200 ,http://x.y.z.2:9200 ,http://x.y.z.3:9200
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 5000
output_flush_interval = 5
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 3
outputbuffer_processors = 4
processor_wait_strategy = sleeping
ring_size = 262144
inputbuffer_ring_size = 65536
inputbuffer_processors = 1
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /mnt/graylog/graylog_journal
message_journal_max_age = 240h
message_journal_max_size = 50gb
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://yyy:xxx@x.y.z.129:27017,x.y.z.137:27017,x.y.z.138:27017/graylog?replicaSet=rs_graylog01
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
transport_email_enabled = true
transport_email_hostname = localhost
transport_email_port = 25
transport_email_use_tls = false
transport_email_use_ssl = false
transport_email_subject_prefix = [graylog]
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32
Just a small clarification: there is only one slave, which is serving the web UI.
Lionel.
jochen
(Jochen)
March 12, 2018, 5:14pm
4
Please post the full configuration of all Graylog nodes and not just what you think the difference is.
Also, make sure that /etc/graylog/server/node-id has unique content for each Graylog node.
lionel
March 13, 2018, 7:25am
5
OK, so the node-ids are unique on each node, and here is the full Graylog configuration:
Master :
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
root_password_sha2 = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
root_timezone = Europe/Paris
plugin_dir = /usr/share/graylog-server/plugin
rest_listen_uri = http://A.B.C.138:9000/api/
rest_enable_gzip = false
rest_enable_tls = false
web_listen_uri = http://A.B.C.138:9000/
web_enable_gzip = false
web_enable_tls = false
elasticsearch_hosts = http://X.Y.Z.173:9200 ,http://X.Y.Z.174:9200 ,http://X.Y.Z.175:9200
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 5000
output_flush_interval = 5
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 3
outputbuffer_processors = 4
processor_wait_strategy = sleeping
ring_size = 262144
inputbuffer_ring_size = 65536
inputbuffer_processors = 1
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
message_journal_max_age = 96h
message_journal_max_size = 50gb
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://XXX:YYY@A.B.C.129:27017,A.B.C.137:27017,A.B.C.138:27017/graylog?replicaSet=rs_graylog01
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
transport_email_enabled = true
transport_email_hostname = localhost
transport_email_port = 25
transport_email_use_tls = false
transport_email_use_ssl = false
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@FQDN
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32
Slave:
is_master = false
node_id_file = /etc/graylog/server/node-id
password_secret = XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
root_password_sha2 = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
root_timezone = Europe/Paris
plugin_dir = /usr/share/graylog-server/plugin
rest_listen_uri = http://A.B.C.137:9000/api/
rest_enable_gzip = false
rest_enable_tls = false
web_listen_uri = http://A.B.C.137:9000/
web_enable_gzip = false
web_enable_tls = false
elasticsearch_hosts = http://X.Y.Z.173:9200 ,http://X.Y.Z.174:9200 ,http://X.Y.Z.175:9200
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 5000
output_flush_interval = 5
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 3
outputbuffer_processors = 4
processor_wait_strategy = sleeping
ring_size = 262144
inputbuffer_ring_size = 65536
inputbuffer_processors = 1
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
message_journal_max_age = 96h
message_journal_max_size = 50gb
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://XXX:YYY@A.B.C.129:27017,A.B.C.137:27017,A.B.C.138:27017/graylog?replicaSet=rs_graylog01
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
transport_email_enabled = true
transport_email_hostname = localhost
transport_email_port = 25
transport_email_use_tls = false
transport_email_use_ssl = false
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@FQDN
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32
Slave + Web UI + Web API (backup in load balancer algorithm):
is_master = false
node_id_file = /etc/graylog/server/node-id
password_secret = XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
root_password_sha2 = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
root_timezone = Europe/Paris
plugin_dir = /usr/share/graylog-server/plugin
rest_listen_uri = http://nil-adm.FQDN:9000/api/
rest_enable_gzip = false
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/server/ssl/nil.crt
rest_tls_key_file = /etc/graylog/server/ssl/pkcs8-plain.nil.key
web_listen_uri = http://nil-adm.FQDN:9000/
web_enable_gzip = false
web_enable_tls = true
web_tls_cert_file = /etc/graylog/server/ssl/nil.crt
web_tls_key_file = /etc/graylog/server/ssl/pkcs8-plain.nil.key
elasticsearch_hosts = http://X.Y.Z.173:9200 ,http://X.Y.Z.174:9200 ,http://X.Y.Z.175:9200
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 5000
output_flush_interval = 5
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 2
outputbuffer_processors = 2
processor_wait_strategy = sleeping
ring_size = 262144
inputbuffer_ring_size = 65536
inputbuffer_processors = 1
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /mnt/graylog/graylog_journal
message_journal_max_age = 240h
message_journal_max_size = 500gb
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://XXX:YYY@A.B.C.129:27017,A.B.C.137:27017,A.B.C.138:27017/graylog?replicaSet=rs_graylog01
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
transport_email_enabled = true
transport_email_hostname = localhost
transport_email_port = 25
transport_email_use_tls = false
transport_email_use_ssl = false
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@FQDN
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32
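Added example, not part of the thread and not Graylog's own code: a small Python check over the per-node settings discussed above (a single `is_master = true`, unique node-id contents, matching shared settings). The node names, the sample values and the choice of `SHARED_KEYS` are assumptions made for the illustration.

```python
from collections import Counter

def parse_conf(text):
    """Parse 'key = value' lines of a server.conf, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        conf[key.strip()] = value.strip()
    return conf

# Keys this example assumes must carry the same value on every node of a cluster.
SHARED_KEYS = ("password_secret", "mongodb_uri", "elasticsearch_hosts")

def check_cluster(nodes):
    """nodes: {name: (server.conf text, node-id file content)} -> list of findings."""
    findings = []
    confs = {name: parse_conf(conf) for name, (conf, _) in nodes.items()}
    masters = [n for n, c in confs.items() if c.get("is_master", "").lower() == "true"]
    if len(masters) != 1:
        findings.append(f"expected exactly one is_master = true, found {len(masters)}: {masters}")
    ids = Counter(node_id.strip() for _, node_id in nodes.values())
    for node_id, count in ids.items():
        if count > 1:
            findings.append(f"node-id {node_id!r} is used by {count} nodes")
    for key in SHARED_KEYS:
        # Report only the key name, never the (possibly secret) values.
        if len({c.get(key) for c in confs.values()}) > 1:
            findings.append(f"{key} differs between nodes")
    return findings

# Constructed sample input (placeholder values, not taken from a real cluster).
BASE = ("password_secret = {s}\n"
        "mongodb_uri = mongodb://u:p@db1:27017/graylog?replicaSet=rs0\n"
        "elasticsearch_hosts = http://es1:9200,http://es2:9200\n")
SAMPLE = {
    "node-a": ("is_master = true\n" + BASE.format(s="secret-1"), "id-aaaa\n"),
    "node-b": ("is_master = false\n" + BASE.format(s="secret-1"), "id-bbbb\n"),
    "node-c": ("is_master = false\n" + BASE.format(s="secret-2"), "id-bbbb\n"),
}

if __name__ == "__main__":
    for finding in check_cluster(SAMPLE):
        print(finding)
```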
jochen
(Jochen)
March 13, 2018, 8:20am
6
What’s in the logs of all Elasticsearch and Graylog nodes?
lionel
March 13, 2018, 9:38am
7
I tried to trigger an alert in order to get useful logs, and now it works again. So I do not understand.
Are alerts triggered when Graylog has a lot of messages to process in the queue?