Hi everyone,
I have been trying to figure out how to get my Graylog to function correctly and I have been having some issues. Before I explain the issues, here is a general view of my setup:
My log server has 64 GB of RAM total.
graylog = 8 GB of RAM
elasticsearch = 32 GB of RAM with 16 GB heap size
inputbuffer_processors = 2
outputbuffer_processors = 4
processbuffer_processors = 4
ring_size = 65536
inputbuffer_ring_size = 65536
output_batch_size = 10000
I have about 15 servers sending logs to Graylog and I noticed that I have too many messages in the journal which are unprocessed. I have checked Elasticsearch logs and noticed I keep getting warnings about "timed out getting mappings". I was wondering if that could be the case that the processing of messages takes longer than it should, which creates a bottleneck resulting in too many unprocessed messages.
I don't know how I can fix these issues. I have tried looking up some documentation with no results.
And also, I am able to see my logs in the search section but it is 1 hr behind real time. The input that receives the logs from the 15 servers was not running for test purposes and I was able to see the logs from my other inputs in real time. It makes me believe that since messages are yet to be processed, there is a delay in receiving logs in real time. The timezone is correct, before someone asks me this question.
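The buffer settings and journal backlog in the post, as an added example (this is not code from Graylog or from the poster): a small Python script that parses a server.conf fragment shaped like the settings listed above, flags buffer settings that are a common source of journal backlog (ring sizes that are not a power of two, which Graylog's ring buffers require; more processor threads than CPU cores, with 8 cores assumed here since the post does not say), and summarises journal pressure from a response in the shape of Graylog's GET /api/system/journal endpoint. The field names of that response are assumed from memory and the sample response is constructed; the output_batch_size versus ring_size check is a heuristic of this example, not a documented rule.

```python
"""Sanity-check Graylog buffer settings and journal backlog.

Added example; not Graylog's own code. The server.conf keys are Graylog's
real setting names; the CPU core count and the journal API field names are
assumptions made for illustration.
"""
import json
import re

# Constructed server.conf fragment mirroring the settings listed in the post.
SAMPLE_SERVER_CONF = """
# Graylog server.conf (constructed sample)
inputbuffer_processors = 2
processbuffer_processors = 4
outputbuffer_processors = 4
ring_size = 65536
inputbuffer_ring_size = 65536
output_batch_size = 10000
"""

# Constructed response in the shape of GET /api/system/journal
# (field names assumed from Graylog's journal summary response).
SAMPLE_JOURNAL_JSON = """
{"enabled": true,
 "uncommitted_journal_entries": 1800000,
 "journal_size": 3221225472,
 "journal_size_limit": 5368709120,
 "append_events_per_second": 4200,
 "read_events_per_second": 2500}
"""

CONF_LINE = re.compile(r"^\s*([a-z_]+)\s*=\s*(\S+)\s*$")


def parse_server_conf(text):
    """Return {key: int|str} for non-comment 'key = value' lines."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CONF_LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        settings[key] = int(value) if value.isdigit() else value
    return settings


def is_power_of_two(n):
    return n > 0 and (n & (n - 1)) == 0


def check_buffer_settings(cfg, cpu_cores):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    # Graylog's ring buffers must be sized as a power of two.
    for key in ("ring_size", "inputbuffer_ring_size"):
        if key in cfg and not is_power_of_two(cfg[key]):
            findings.append(f"{key}={cfg[key]} is not a power of two")
    # Processor threads are CPU-bound; more threads than cores adds contention.
    total = sum(cfg.get(k, 0) for k in ("inputbuffer_processors",
                                        "processbuffer_processors",
                                        "outputbuffer_processors"))
    if total > cpu_cores:
        findings.append(f"{total} buffer processors configured on {cpu_cores} cores")
    # Heuristic of this example: a batch larger than the ring cannot fill in one pass.
    if cfg.get("output_batch_size", 0) > cfg.get("ring_size", 0):
        findings.append("output_batch_size exceeds ring_size")
    return findings


def journal_backlog(summary_json):
    """Summarise journal pressure from a /system/journal style response."""
    s = json.loads(summary_json)
    appended = s["append_events_per_second"]
    read = s["read_events_per_second"]
    backlog = s["uncommitted_journal_entries"]
    fill = s["journal_size"] / s["journal_size_limit"]
    # If more arrives than is read the backlog grows; otherwise estimate drain time.
    drain_seconds = None if read <= appended else backlog / (read - appended)
    return {
        "uncommitted": backlog,
        "fill_ratio": round(fill, 2),
        "growing": appended > read,
        "drain_seconds": drain_seconds,
    }


if __name__ == "__main__":
    cfg = parse_server_conf(SAMPLE_SERVER_CONF)
    for f in check_buffer_settings(cfg, cpu_cores=8):  # 8 cores is an assumption
        print("finding:", f)
    print(journal_backlog(SAMPLE_JOURNAL_JSON))
```

With the constructed numbers the script reports ten processor threads on the assumed eight cores and a journal whose append rate exceeds its read rate, which is the "growing unprocessed messages" symptom the post describes; swapping in the real core count and a live journal response shows whether the same holds on the actual server.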