Virtualizing my Graylog Server for Testing Purposes

#1

In order to prepare to upgrade Graylog from 2.4 to 3.0 I made a virtualized version of my Graylog server (hostname Graylog, IP 192.168.1.1), including its 4TB worth of Elasticsearch indexes.

I’d now like to get this VM clone working independently (hostname Graylog2, IP 192.168.1.2) so I can mess around with it and practice upgrading. So, to do this, I have gone through every config file I can think of and changed the IP from 192.168.1.1 to 192.168.1.2.

Once complete I fire up graylog-server and visit my new IP 192.168.1.2 … Graylog loads up fine, and I see my old log entries in there, great.

But to my surprise this new Graylog2 appears to be receiving 500 log entries per second, about the same as my old Graylog. Somehow both servers appear to be receiving logs - which isn’t possible. It becomes clear my new server is still using my old server’s Elasticsearch - or something like that.

Looking deeper under “System - Nodes” I see that my new clone is still somehow connected to the old Graylog node “a002c9da”. If I click the node, it gives me more info, and under REST API it says http://192.168.1.1:12900 (the old IP).

I’ve searched through config files again and I cannot find where this node is defined - nowhere in my config files does it use the old .1 IP address.

Can anyone point me in the right direction? How do I make this cloned system completely separate from the old system?

(Jan Doberstein) #2

Without knowledge about the configurations that is not possible. But I guess that both use the same MongoDB?
In addition, the load balancer recognises the second node as a valid option and includes it, and at least Elasticsearch uses the same cluster name and both nodes build a cluster …

But all of that is guessing, as I do not have enough information to verify.

#3

Thanks for the reply Jan.

I agree this problem is very strange (and should not be possible!). I have even put in firewall entries so the clone cannot talk to the original machine, yet syslog entries keep coming through to both Graylog systems simultaneously! Whatever is going on is very strange.

Somehow this clone is still tied to the original system. I need to get it running independently. On the clone, when I click System/Nodes it shows the same node hostname/node ID as my original system, plus the REST API there lists my old IP (despite the fact that I’ve updated all my IPs in Graylog's server.conf and elasticsearch.yml, and that old IP is not listed anywhere in any config file I can find - is it coming from MongoDB?).

I think I need to delete this cloned node, create a new one, get it tied into the cloned ES… Am I on the right track?

Any suggestions would be welcomed!

(Jan Doberstein) #4

I guess you messed up your rest_listen_* and web_listen_* settings so that the new Graylog thinks it connects to itself but actually is connected to the old system …
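The checks Jan guesses at in #2 and #4 (a shared MongoDB, a shared Elasticsearch cluster, and rest_*/web_* URIs that still advertise the old node) can be run mechanically against the clone's config files. The script below is an added example, not code from this thread or from the Graylog project. It assumes the Graylog 2.x server.conf option names (rest_listen_uri, rest_transport_uri, web_listen_uri, web_endpoint_uri, mongodb_uri, elasticsearch_hosts, node_id_file) and the Elasticsearch 5.x names cluster.name and discovery.zen.ping.unicast.hosts; the two sample config files and the node-id value are constructed from the thread's IPs, not copied from any real host.

```shell
#!/bin/sh
# Added example (not from the thread or the Graylog project): audit a cloned
# Graylog 2.x host for the settings that still tie it to the original node.
# Option names are the Graylog 2.x / Elasticsearch 5.x ones; the IPs and the
# sample config files below are constructed from the thread's values.

OLD_IP="${OLD_IP:-192.168.1.1}"

# First non-comment "key = value" in server.conf (empty if unset).
conf_value() {                       # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# First "key: value" in elasticsearch.yml (top-level keys only).
yml_value() {                        # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Print "key=value" for every server.conf setting that still names the old IP.
#   rest_transport_uri / web_endpoint_uri -> clone advertises the old node's API
#   mongodb_uri                           -> clone shares the old node's MongoDB
#                                            (node registry, inputs, streams)
#   elasticsearch_hosts                   -> clone reads and writes the old indices
stale_settings() {                   # $1 = server.conf, $2 = old IP
    for key in rest_listen_uri rest_transport_uri web_listen_uri web_endpoint_uri \
               mongodb_uri elasticsearch_hosts; do
        val=$(conf_value "$1" "$key")
        case "$val" in
            *"$2"*) printf '%s=%s\n' "$key" "$val" ;;
        esac
    done
}

# Graylog identifies a node by the contents of node_id_file, so a cloned file
# makes the clone register under the original's ID. Deleting the file before
# starting graylog-server makes it generate a fresh one.
node_id_status() {                   # $1 = server.conf
    f=$(conf_value "$1" node_id_file)
    [ -n "$f" ] || f=/etc/graylog/server/node-id
    if [ -s "$f" ]; then
        printf 'cloned-node-id:%s\n' "$(tr -d '[:space:]' < "$f")"
    else
        printf 'no-node-id\n'
    fi
}

# Same cluster.name plus the old IP in the unicast host list: the two
# Elasticsearch nodes form one cluster as soon as they can reach each other.
es_cluster_status() {                # $1 = elasticsearch.yml, $2 = old IP
    name=$(yml_value "$1" cluster.name)
    case "$(yml_value "$1" discovery.zen.ping.unicast.hosts)" in
        *"$2"*) printf 'shared:%s\n' "$name" ;;
        *)      printf 'separate:%s\n' "$name" ;;
    esac
}

# --- constructed sample: a half-edited clone like the one in the thread ---
TMP=$(mktemp -d)
cat > "$TMP/server.conf" <<EOF
# rest_listen_uri and web_listen_uri were updated; the rest were missed
rest_listen_uri = http://192.168.1.2:12900/
rest_transport_uri = http://192.168.1.1:12900/
web_listen_uri = http://192.168.1.2:9000/
mongodb_uri = mongodb://192.168.1.1:27017/graylog
elasticsearch_hosts = http://127.0.0.1:9200
node_id_file = $TMP/node-id
EOF
printf 'a002c9da-0000-0000-0000-000000000000\n' > "$TMP/node-id"   # constructed ID
cat > "$TMP/elasticsearch.yml" <<EOF
cluster.name: graylog
network.host: 192.168.1.2
discovery.zen.ping.unicast.hosts: ["192.168.1.1", "192.168.1.2"]
EOF

# The same files after the fix: every URI on the clone itself, a node-id file
# that does not exist yet (so a new ID is generated), only the clone in the
# ES unicast list.
sed -e "s#$OLD_IP#192.168.1.2#g" -e 's#/node-id$#/node-id.new#' \
    "$TMP/server.conf" > "$TMP/server.fixed.conf"
sed -e "s#\"$OLD_IP\", ##" "$TMP/elasticsearch.yml" > "$TMP/elasticsearch.fixed.yml"

echo "== before =="; stale_settings "$TMP/server.conf" "$OLD_IP"
node_id_status "$TMP/server.conf"; es_cluster_status "$TMP/elasticsearch.yml" "$OLD_IP"
echo "== after ==";  stale_settings "$TMP/server.fixed.conf" "$OLD_IP"
node_id_status "$TMP/server.fixed.conf"; es_cluster_status "$TMP/elasticsearch.fixed.yml" "$OLD_IP"
```

On a real clone, point the three functions at /etc/graylog/server/server.conf and /etc/elasticsearch/elasticsearch.yml instead of the constructed files. The "System - Nodes" page is rendered from the node registry Graylog keeps in its MongoDB database, so a mongodb_uri that still names the original host explains both the old node ID and the old REST API address showing up on the clone even though neither appears in any file under /etc/graylog; the firewall rule mentioned in #3 only helps once the clone actually stops pointing at the original's MongoDB and Elasticsearch.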