Unable to POST (400)

Hi,

I’m hoping someone can help more with this issue: Unable to Add or Delete Enterprise License - Error 400 - I thought I’d got somewhere, but I’m still having issues.

Our install version details are:

  • custom install on Ubuntu 16.04 - single server hosting all roles (Graylog / MongoDB / Elasticsearch)
  • Graylog 2.5.2+4f6d123 on ASP-GRAYLOG (Private Build 1.8.0_222 on Linux 4.4.0-166-generic)

(I’ve been holding off on updating to 3.0 until we can get this working - I don’t want to compound the issue by upgrading the entire install, unless you think this will help rather than hinder.)

I wasn’t sure what was meant in the last post about:

Jan: “The Graylog in your Browser tries to connect to the configured Graylog (http_external_uri) but the Graylog server itself tries to communicate to itself (http_publish_uri) so I guess that something is wrong with that.”
What does this mean? How do I fix what may be wrong with this?

I will be honest and say I got confused and distracted by other jobs when I was implementing SSL about 18 months ago, and since everything kind of “worked” (niggles, but the main logging feature was ok), it never got revisited.
I had assumed (and Jan guessed) that the (400) issue with POST was maybe linked to communication failing because we hadn’t implemented our internally-created ssl cert into the jvm keystore.

I thought, since the issue seemed to be with SSL, I’d be clever, and to get the license for Enterprise working, I’d simply comment out those lines in the server.conf file.
Well - Graylog seems to be working a bit better now. I get to see the nice “msgs in/out” figures, and in general it seems happy… EXCEPT I’m still unable to upload the new license file… :’(

Like before, I still get “Valid License” when pasting:

But when I click import…:

I don’t know whether it’s worth uninstalling and reinstalling the Enterprise features again - I don’t know how to ensure they’re fully removed before reinstalling - is just removing the packages from the plugins folder and restarting the server enough to clear them?

This is really important for us to solve. Our PCI compliance relies on logging, and needs the Enterprise features working. I appreciate any help given!!

Kind Regards,

Matt

I should mention that I’m happy to provide my server.conf file (without password secrets etc) or anything else which is required - just ask.

You might want to share the server.conf and maybe some parts of your server.log from the time you try to post the license.

The tail of server.log is here:
https://pastebin.com/WcmZaJMi
I disabled all the threat lookup modules as they were making the logs hard to read, restarted the server, and tried to import the license again. These are the only logs since the server came up again, I believe.

My server.conf file is here… https://pastebin.com/CwdhYaVX

Thanks for your help Jan.

I know it’s been the weekend - did anyone get a chance to have a look at the 2 files posted?
Any hints?

The logs do not reveal anything. But some other idea:

Is your Graylog Enterprise Plugin the same version as your Graylog server? Because that might be the solution.

That’s what I’ve been looking at this morning. My Graylog install is still only 2.5.3.
Not sure what the version of the enterprise is, the contents of the /usr/share/graylog-server/ folder is:

It looks like the only available downloads for enterprise start at 3.0.0 now:


Manually changing the link (for example, to xxxxxx.2.5.0.tar.gz from 3.0.0.tar.gz) shows a dead link/no file to download.

What would be your recommended steps here?

If the server config etc looks ok, do you think it would be worth doing the update to Graylog 3.X (latest version) and installing the latest enterprise tools?
(I do have full backups of the server, so if it got destroyed I should be ok to recover with only downtime being the issue).

You can change the version of the documentation to fit your Graylog version (in the sidebar menu, a green v:X.X indicates the version). So if you look at the 2.5 https://docs.graylog.org/en/2.5/pages/enterprise/setup.html

you actually see the link for 2.5.1 (just change the last number) and it will work. You actually have 2.4.6 Plugins for archive, license and audit log. Remove them and install the new ones.

Your System > Node > NODE NAME > details page shows the installed plugins per Graylog node.
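
The version check described in the reply above can be scripted; the following is an added example, not part of the original thread and not a Graylog tool. It assumes plugin jars are named `<name>-<major>.<minor>.<patch>.jar` and that matching on major.minor is enough; the function names and the two arguments are hypothetical.

```bash
#!/bin/sh
# Added example: flag plugin jars whose version differs from the server's.
# Usage (arguments are supplied by you): <script> SERVER_VERSION PLUGIN_DIR
# Assumption: jar files are named <name>-<major>.<minor>.<patch>[suffix].jar

# Print "major.minor" of a version string such as "2.5.2+4f6d123".
major_minor() {
  printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print the version embedded in a jar file name (empty if none is found).
jar_version() {
  basename "$1" .jar |
    sed -n 's/^.*-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9.]*\).*$/\1/p'
}

# Report every jar in PLUGIN_DIR; return 1 if any needs attention.
check_plugins() {
  local server="$1" dir="$2" want jar ver status=0
  want=$(major_minor "$server")
  [ -n "$want" ] || { echo "cannot parse server version: $server" >&2; return 2; }
  for jar in "$dir"/*.jar; do
    [ -e "$jar" ] || continue   # directory holds no jars: glob stayed literal
    ver=$(jar_version "$jar")
    if [ -z "$ver" ]; then
      echo "UNKNOWN  $(basename "$jar") (no version in file name)"
      status=1
    elif [ "$(major_minor "$ver")" != "$want" ]; then
      echo "MISMATCH $(basename "$jar") (plugin $ver, server $server)"
      status=1
    else
      echo "OK       $(basename "$jar")"
    fi
  done
  return $status
}

if [ "$#" -ge 2 ]; then
  check_plugins "$1" "$2"
fi
```

A non-zero exit status means at least one jar should be replaced with a build matching the server before restarting the node.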

@jan
I’d just like to say a HUGE thank you for your help with this issue.
You were instrumental in resolving it.
I have finally managed to get this sorted:


And I am 100% sure I wouldn’t have made it without your guidance.
Graylog really is the absolute best OpenSource / Free resource I’ve ever found.

Massively grateful for your help.