Unprocessed messages are currently in the journal

Graylog Central (peer support)
, , ,
1

I am using graylog-2.4.0-1.ova.

Below is a message in System / Nodes / Disk Journal / Utilization:
1,066,447 unprocessed messages are currently in the journal, in 2 segments.

I believe that is an error message and will cause incomplete search result.

I am a really newer.
Is any SOP that can help me to find out the problem or ask graylog to process the unprocessed messages?

Capture
Capture.PNG1894×926 60.6 KB

2

Hi Kevin,

When I have seen this it usually indicated a performance problem in that the graylog server has experienced a high peak of events and is waiting to write events to the journal whilst trying to process incoming events.

Can you give your vm extra resources? It would also be helpful if you can provide some information on your setup such as :-1:

How many log sources and types of logs eg 10 windows and one linux server
Current VM resources assigned

Though in your screen shot your journal utilisation looks very low - 0.18%

Are you seeing a historical message.

Try and give some more information when posting as it may enable someone here to help you easily. Obviously, don’t include sensitive config info.

Jake

3

Hi Magneton,

I re-create a new graylog server as below:
Graylog VM(5GB RAM) that running in Windows 10(i5-4310U, 8GB RAM)

I have 515 log files in a folder(c:\temp) that total size is 21GB.

I move 5~ 6 files every time from temp folder to filebeat log folder(c:\BELogs) and wait graylog become 0 unprocessed messages
When BELogs contain 200 files that total size is 8.44 GB, Unprocessed number is slowly increasing.
I do not see any error message.
What can I do?

GLGUI
GLGUI.PNG1886×985 70.1 KB

4

GLtop
GLtop.PNG798×626 25.7 KB

5

df

6

What are the JVM settings for Elasticsearch and Graylog on that machine?
:arrow_right: http://docs.graylog.org/en/2.4/pages/configuration/file_location.html

7

JVM settings for Elasticsearch and Graylog are the same file.

JVMofraylog_09_01_2018_17_15_30
JVMofraylog_09_01_2018_17_15_30.png800×600 3.56 KB

BTW, I have two NICs, eth0:10.0.2.9 and eth1:192.168.56.3
I am using http://192.168.56.3 as web GUI address and http://192.168.56.3:9000/api as server_url
I am not sure current_address and last_address as 10.0.2.9 are right or wrong.

8

Kevin,

First start by using one ip address to make things less complicated.

Set elasticsearch correctly in /elasticsearch.yml.

cluster.name: graylog

Set the following(Graylog) server.conf - /etc/graylog/erver/server.conf

is_master = true
rest_listen_uri = http://10.0.1.177:9000/api/
web_listen_uri = http://10.0.1.177:9000/
elasticsearch_hosts = http://10.0.1.177:9200

You will now have everything on the one interface.

I would suggest that your log files are probably too big for the size of your VM.

Try sending logs on from a windows or linux host to start. I like to use NxLog rather than filebeat, just a personnel preference.

See that your logs are received and processed correctly, then try your large file.

This is from the graylog sizing guie which suggests that it will not work due to large file size without increasing VM performance.

graylog-sizing
graylog-sizing.JPG856×211 30.1 KB

Regards

Jake

1 Like
9

@Magneton if @kevin_bolton would not use the OVA - the virtual appliance - your suggestions would be correct.

@kevin_bolton did you run graylog-ctl reconfigure after you had changed anything? Some details about the script and how you work with the OVA can be found here in the documentation

http://docs.graylog.org/en/stable/pages/configuration/graylog_ctl.html

10

Jan and Kevin,

I am using a VM built on top of Ubuntu built with bash script.

Jake

11

Any errors in the Elasticsearch or Graylog log files?

12

I ran “graylog-ctl reconfigure” after
both of listen_uri IP from 0.0.0.0 to 192.168.56.3
and
elasticsearch_hosts IP from 10.0.2.9 to 192.168.56.3

then I check /opt/graylog/conf/graylog.conf again, it back to before (0.0.0.0 and 10.0.2.9)
I don’t know why, but,

  1. unprocessed messages become 0
  2. Graylog back to work
  3. In overview page,
    3.1 Elasticsearch cluster
    Elasticsearch cluster is yellow. Shards: 8 active, 0 initializing, 0 relocating, 8 unassigned,
    3.2 Indexer failures
    There were 702 failed indexing attempts in the last 24 hours.
    error
    error.PNG1271×314 22.4 KB
13

if

14

Do you have Elasticsearch replicas=1 ?

If you have just one node, you need to have 0 replicas. After editing index settings, you can use curl to change that setting to the existing ones. See https://www.elastic.co/guide/en/elasticsearch/guide/current/replica-shards.html

15

Yes,
/opt/graylog/conf/graylog.conf > Elasticsearch replicas=1

I done
sudo vi /opt/graylog/conf/graylog.conf > Elasticsearch replicas=0
sudo graylog-ctl reconfigure
/opt/graylog/conf/graylog.conf > Elasticsearch replicas back to 1

why?

16

you would like to re-read http://docs.graylog.org/en/stable/pages/configuration/graylog_ctl.html

You use the OVA - with onyl limited abilities to customize.

17

Setting the number of replicas happens in the UI (System/Indices). It is in the index set settings.

After setting that, you can use curl to modify the existing indices.

18

And another thing; check your elasticsearch logs. I suspect you ran out of ES disk space. See disk watermark settings of ES.

19

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.