Web gui graylog

Hello!

My graylog works fine, but sometimes the web gui doesn’t open.

After reboot, graylog will work again.

Pfsense ip: port => graylog ip: 9000

Hello @Galymzhan, can you post this portion of your server.conf? Specifically I am interested in

http_bind_address
http_publish_uri
http_external_uri

http_bind_address = 0.0.0.0:9000

http_publish_uri = http://$http_bind_address/

#http_external_uri =

Hi,

Per the documentation

# If $http_bind_address contains a wildcard IPv4 address (0.0.0.0), the first non-loopback IPv4 address of this machine will be used.
# This configuration setting *must not* contain a wildcard address!

Set http_bind_address = graylog lan ip:9000 and restarted graylog:
systemctl restart graylog-server
It is working for now.
Thanks!
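The rule quoted from the documentation above (a wildcard bind address is substituted, but http_publish_uri itself must never contain one) as an added check script; this is not Graylog's own code. It parses the uncommented `key = value` lines of a server.conf, expands the `$http_bind_address` reference, and reports problems; the first non-loopback IPv4 address is passed in because Graylog discovers it at runtime, and the sample configs are constructed.

```python
"""Check http_bind_address / http_publish_uri in a Graylog server.conf.

Added example, not Graylog's own code. The loopback check at the end is an
extra check of this example, not something the quoted documentation states.
"""
from urllib.parse import urlsplit

WILDCARD_V4 = "0.0.0.0"

def parse_server_conf(text):
    """Return the uncommented key = value pairs (what the grep in this thread prints)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def effective_publish_uri(conf, first_nonloopback_ipv4):
    """Resolve http_publish_uri the way the quoted documentation describes."""
    bind = conf.get("http_bind_address", "127.0.0.1:9000")
    host, _, port = bind.rpartition(":")
    if host == WILDCARD_V4:
        # Wildcard bind: Graylog substitutes the first non-loopback IPv4 of the machine.
        bind = f"{first_nonloopback_ipv4}:{port}"
    uri = conf.get("http_publish_uri", "http://$http_bind_address/")
    return uri.replace("$http_bind_address", bind)

def check_http_settings(conf, first_nonloopback_ipv4):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    host = urlsplit(effective_publish_uri(conf, first_nonloopback_ipv4)).hostname
    if host == WILDCARD_V4:
        problems.append("http_publish_uri must not contain a wildcard address")
    if host in ("127.0.0.1", "localhost", "::1"):
        # Added check: a browser on another machine cannot reach a loopback publish URI.
        problems.append("http_publish_uri points at loopback; remote browsers cannot reach it")
    return problems

# Constructed samples: the poster's original settings, and one that hard-codes the wildcard.
CONF_OK = "http_bind_address = 0.0.0.0:9000\nhttp_publish_uri = http://$http_bind_address/\n#http_external_uri =\n"
CONF_BAD = "http_bind_address = 0.0.0.0:9000\nhttp_publish_uri = http://0.0.0.0:9000/\n"

if __name__ == "__main__":
    for name, text in (("ok", CONF_OK), ("bad", CONF_BAD)):
        conf = parse_server_conf(text)
        print(name, effective_publish_uri(conf, "192.168.10.20"), check_http_settings(conf, "192.168.10.20"))
```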

It doesn’t work again. What should I do?

My problem is still not resolved. Help me please. Graylog still opens with a blank screen.

Hello,

Sorry about your issue. For us to help you further we would need some more information.
Please take a look at this post; it will clarify what is needed to get a quicker response.

Thanks

Since the issue is sporadic, and a reboot (presumably only of Graylog Server) gets things working, I’d suggest:

  1. Checking for exceptions in the Graylog Server logs around the time the issue starts
  2. Determining whether Graylog Server has enough memory (and Java heap space)
  3. Determining whether message processing is also impacted when the Web UI becomes unavailable
  4. Looking at the failing HTTP(S) requests in your browser to determine if only certain requests are failing, if there is useful information in the response body, etc.

As mentioned, more information would be useful.
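Step 1 of the list above (look for exceptions in the server log around the time the UI fails) as an added example; this is not code from the thread or from Graylog. It assumes Graylog's default log4j2 line layout `<ISO timestamp> <LEVEL> [<logger>] <message>`, as in the lines quoted later in this thread, attaches stack-trace continuation lines to the entry above them, and the sample log and outage time are constructed.

```python
"""Pull server.log entries around the moment the web UI stopped answering.

Added example, not from the thread or from Graylog. Assumes the default
log4j2 layout `<ISO timestamp> <LEVEL> [<logger>] <message>`.
"""
import re
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(\S+) +(TRACE|DEBUG|INFO|WARN|ERROR|FATAL) +\[([^\]]+)\] (.*)$")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"   # e.g. 2021-11-03T10:40:02.517+05:00

def parse_log(text):
    """Return entries as dicts; lines that are not headers become `trace` lines of the previous entry."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append({"time": datetime.strptime(m.group(1), TS_FMT), "level": m.group(2),
                            "logger": m.group(3), "message": m.group(4), "trace": []})
        elif entries and raw.strip():
            entries[-1]["trace"].append(raw)   # stack-trace continuation line
    return entries

def entries_around(text, outage_start, before=timedelta(minutes=10), after=timedelta(minutes=2),
                   levels=("WARN", "ERROR", "FATAL")):
    """WARN-and-above entries from `before` ahead of the outage until `after` past it."""
    lo, hi = outage_start - before, outage_start + after
    return [e for e in parse_log(text) if e["level"] in levels and lo <= e["time"] <= hi]

# Constructed sample log in the default layout; the OOM entry is invented for illustration.
SAMPLE_LOG = """\
2021-11-03T10:05:00.101+05:00 INFO  [ServerBootstrap] Graylog server up and running.
2021-11-03T10:31:12.004+05:00 ERROR [AuditLogger] Unable to write audit log entry because there is no valid license.
2021-11-03T10:38:41.220+05:00 WARN  [ProcessBuffer] Process buffer is 95% full.
2021-11-03T10:40:02.517+05:00 ERROR [JerseyService] Uncaught exception in HTTP request handler
java.lang.OutOfMemoryError: Java heap space
\tat java.base/java.util.Arrays.copyOf(Arrays.java:3745)
2021-11-03T11:20:00.000+05:00 INFO  [PeriodicalRunner] Running periodical.
"""
# Constructed: the minute the browser first showed the blank page.
OUTAGE = datetime(2021, 11, 3, 10, 40, 30, tzinfo=timezone(timedelta(hours=5)))

if __name__ == "__main__":
    for e in entries_around(SAMPLE_LOG, OUTAGE):
        print(e["time"].isoformat(), e["level"], e["logger"], e["message"])
        for line in e["trace"]:
            print("   ", line)
```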

yum info graylog-server
Installed Packages
Name        : graylog-server
Arch        : noarch
Version     : 4.1.3
Release     : 1
Size        : 208 M
Repo        : installed
From repo   : graylog
Summary     : Graylog server
URL         : https://www.graylog.org/
License     : SSPL
Description : Graylog server

cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

mongod --version
db version v4.2.15

curl -XGET 'http://localhost:9200'
{
  "name" : "XXX.XXX.loc",
  "cluster_name" : "graylog",
  "cluster_uuid" : "-------",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "oss",
    "build_type" : "rpm",
    "build_hash" : "747---",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

firewall-cmd --list-all
ports: 10051/tcp 9000/tcp 10000-20000/udp 5044/tcp 5045/tcp

grep -vE '(^[[:space:]]*([#;!].*)?$)' /etc/graylog/server/server.conf

is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = Password
root_password_sha2 = rootPassword
root_timezone = Asia/Tashkent
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = 192.168.X.X:9000
http_publish_uri = http://$http_bind_address/
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
transport_email_enabled = true
transport_email_hostname = smtp.gmail.com
transport_email_port = 587
transport_email_use_auth = true
transport_email_auth_username = XXXX@gmail.com
transport_email_auth_password = emailPassword
transport_email_subject_prefix = [graylog_email]
transport_email_from_email = XXXX@gmail.com
transport_email_use_tls = true
proxied_requests_thread_pool_size = 32

ls -lh /usr/share/graylog-server/plugin
total 209M
-rw-r--r--. 1 root root  22M Aug  4 21:02 graylog-plugin-aws-4.1.3.jar
-rw-r--r--. 1 root root 6.8M Aug  4 21:02 graylog-plugin-collector-4.1.3.jar
-rw-r--r--. 1 root root  54M Aug  4 21:03 graylog-plugin-enterprise-4.1.3.jar
-rw-r--r--. 1 root root  17K Aug  4 21:03 graylog-plugin-enterprise-es6-4.1.3.jar
-rw-r--r--. 1 root root  17K Aug  4 21:03 graylog-plugin-enterprise-es7-4.1.3.jar
-rw-r--r--. 1 root root  35M Aug  4 21:04 graylog-plugin-enterprise-integrations-4.1.3.jar
-rw-r--r--. 1 root root  32M Aug  4 21:03 graylog-plugin-integrations-4.1.3.jar
-rw-r--r--. 1 root root 2.4M Aug 15 08:27 graylog-plugin-telegram-notification-2.3.6.jar
-rw-r--r--. 1 root root 8.2M Aug  4 21:02 graylog-plugin-threatintel-4.1.3.jar
-rw-r--r--. 1 root root  23M Aug  4 21:02 graylog-storage-elasticsearch6-4.1.3.jar
-rw-r--r--. 1 root root  29M Aug  4 21:02 graylog-storage-elasticsearch7-4.1.3.jar
-rw-r--r--. 1 root root   48 Aug  4 21:03 LICENSE-ENTERPRISE

top

top - 10:41:22 up 54 days, 22:25,  1 user,  load average: 0.00, 0.01, 0.06
Tasks: 225 total,   1 running, 224 sleeping,   0 stopped,   0 zombie
%Cpu(s):  2.5 us,  1.6 sy,  0.0 ni, 95.7 id,  0.1 wa,  0.0 hi,  0.2 si,  0.0 st
KiB Mem : 16266128 total,  2365780 free,  5250100 used,  8650248 buff/cache
KiB Swap:  4063228 total,  3914236 free,   148992 used. 10250156 avail Mem

In my case I did not define this; I left it commented out.

cat /etc/graylog/server/server.conf | grep http_publish_uri
#http_publish_uri = http://192.168.1.1:9000/
# Default: $http_publish_uri

What shows in the Graylog server log when you go to the UI and get the error?

tail -f /var/log/graylog-server/server.log

Make sure to show only what is relevant and use the forum tools such as </> to help with formatting.

Thank you, @tmacgbay.
In /var/log/graylog-server/server.log there is nothing, only these errors:

ERROR [AuditLogger] Unable to write audit log entry because there is no valid license.
ERROR [MongoAuditLogPeriodical] Not running cleanup for auditlog entries in MongoDB because there is no valid license.

Hello,

If there are no errors and you have a blank web page, check your firewall rules. For troubleshooting purposes, save your IPTABLES configuration. Once saved, set all your chain/s to ACCEPT (Chain OUTPUT (policy ACCEPT), Chain INPUT (policy ACCEPT)).

Save the configuration and restart iptables, or in your case firewalld.
While you are at it, check your SELinux for any errors.
If your SELinux is enabled, either enforcing or permissive, you can find out if there are any problems by executing this command:

# sealert -a /var/log/audit/audit.log

If none of those work, check permissions on the Graylog directory. Make sure Graylog has access.

Question: have you tried to comment out what @tmacgbay suggested earlier and restart the Graylog service?

@gsmith
Hello!
Thanks for the help!
After rebooting the graylog service, everything works fine for me until a certain time. I don’t know exactly how many minutes it works, say, for example, 30 minutes.
SELinux is disabled.

# sestatus
SELinux status:                 disabled

Firewalld all required ports are open. I cannot turn off firewalld due to other systems (Asterisk, FreePBX, Zabbix-docker).

services: http https sip ssh
ports: 10051/tcp 9000/tcp 8081/tcp 5060/udp 5061/udp 5060/tcp 5061/tcp 4569/udp 5038/tcp 5038/udp 10000-20000/udp 5044/tcp 5045/tcp

Graylog permissions

# ls -lh /etc/graylog/
total 0
drwxr-xr-x. 2 root root 84 Nov 3 08:45 server
# ls -lh /etc/graylog/server/
total 71M
-rw-r--r-- 1 root root 71M Sep 30 01:57 GeoLite2-City.mmdb
-rw-r--r--. 1 root root 1.9K Aug 4 21:02 log4j2.xml
-rw-r--r--. 1 root root 37 Aug 14 21:22 node-id
-rw-r--r-- 1 root root 35K Nov 2 10:25 server.conf

At the moment, my server.conf is like this

grep -vE '(^[[:space:]]*([#;!].*)?$)' /etc/graylog/server/server.conf

is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = xxxxxx
root_password_sha2 = xxxxx
root_timezone = Asia/Tashkent
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = 192.168.x.x:9000
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
transport_email_enabled = true
transport_email_hostname = smtp.gmail.com
transport_email_port = 587
transport_email_use_auth = true
transport_email_auth_username = xxxxx@gmail.com
transport_email_auth_password = xxxxx
transport_email_subject_prefix = [graylog]
transport_email_from_email = xxxx@gmail.com
transport_email_use_tls = true
proxied_requests_thread_pool_size = 32

Yes I commented out http_publish_uri and reloaded the graylog service. But it did not help.

Hello,

Sorry, misunderstanding. I wasn’t asking you to turn off your firewall, I was asking you to open all ports.
I do understand, but if you have to have ports opened, it looks like a couple are missing. Not sure if that would help, but if you’re dropping connections randomly it might be worth a shot.

I think that if Elasticsearch and mongodb connect to graylog locally, then there is no need to open ports 9200, 9300, 27017 on firewalld.

These are all running on the same machine as Graylog/MongoDB/Elastic? That’s more than I would want to put on a single machine - too much risk of conflict and (unless perhaps, it’s testing) difficult to work on particularly during business hours. Check for conflicts… web UI, inputs…