Web Interface No longer accessible after restarting GraylogServer service

1. Describe your incident:
To keep it simple, I was finally able to access the web interface on 9000 after opening the port of the local firewall in Centos. After I accessed the web interface, I notice the password was not working.
I went into the Server conf and noticed at the tail end of the sha2 some syntax has been accidentally added. I verified the correct sha2 output, updated the file and attempted to utilize my password. Didn’t work. The last thing I did was restart the GrayLog Server service, after that I’m not longer able to access the web interface.

I have checked to see if the server is listening for port 9000, which I verified before in troubleshooting, it’s no longer listening on the port.

I checked the conf file to see if I misplaced or accidentally deleted any lines, but everything looks good.

2. Describe your environment:
Working in a Centos 8 VM.

* Service logs, configurations, and environment variables:

# If you are running more than one instances of Graylog server you have to select one of these
# instances as master. The master will perform some periodical tasks that non-masters won't perform.
is_master = true

# The auto-generated node ID will be stored in this file and read after restarts. It is a good idea
# to use an absolute file path here if you are starting Graylog server from init scripts or similar.
node_id_file = /etc/graylog/server/node-id

# You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
# Generate one by using for example: pwgen -N 1 -s 96
# ATTENTION: This value must be the same on all Graylog nodes in the cluster.
# Changing this value after installation will render all user sessions and encrypted values in the database invalid. (e.g. encrypted access tokens)
password_secret = 

# The default root user is named 'admin'
#root_username = admin

# You MUST specify a hash password for the root user (which you only need to initially set up the
# system and in case you lose connectivity to your authentication backend)
# This password cannot be changed using the API or via the web interface. If you need to change it,
# modify it in this file.
# Create one by using for example: echo -n yourpassword | shasum -a 256
# and put the resulting hash value into the following line
root_password_sha2 = 


# HTTP settings

#### HTTP bind address
# The network interface used by the Graylog HTTP interface.
# This network interface must be accessible by all Graylog nodes in the cluster and by all clients
# using the Graylog web interface.
# If the port is omitted, Graylog will use port 9000 by default.
# Default:
http_bind_address =
#http_bind_address = [2001:db8::1]:9000

#### HTTP publish URI
# The HTTP URI of this Graylog node which is used to communicate with the other Graylog nodes in the cluster and by all
# clients using the Graylog web interface.
# The URI will be published in the cluster discovery APIs, so that other Graylog nodes will be able to find and connect to this Graylog node.
# This configuration setting has to be used if this Graylog node is available on another network interface than $http_bind_address,
# for example if the machine has multiple network interfaces or is behind a NAT gateway.
# If $http_bind_address contains a wildcard IPv4 address (, the first non-loopback IPv4 address of this machine will be used.
# This configuration setting *must not* contain a wildcard address!
# Default: http://$http_bind_address/
http_publish_uri = http://$http_bind_address

#### External Graylog URI
# The public URI of Graylog which will be used by the Graylog web interface to communicate with the Graylog REST API.
# The external Graylog URI usually has to be specified, if Graylog is running behind a reverse proxy or load-balancer
# and it will be used to generate URLs addressing entities in the Graylog REST API (see $http_bind_address).
# When using Graylog Collector, this URI will be used to receive heartbeat messages and must be accessible for all collectors.
# This setting can be overriden on a per-request basis with the "X-Graylog-Server-URL" HTTP request header.
# Default: $http_publish_uri
http_external_uri = $http_publish_uri

4. How can the community help?
I just want to have a second pair of eyes to do a sanity check to keep me from going down unnecessary troubleshooting paths.

Thank you for any help or wisdom you can offer. I’ll keep cracking at this on my own in the mean time.

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

After reviewing my logs, there was an issue with my configuration. My time zone was setup wrong, and I had exposed some other part of the configuration by removing #.
After that, I ensured that the local firewall on my centos 8 instance was allowing port 9000

firewall-cmd --zone=public --add-port=9000/tcp --permanent

Then reloaded.

I continued to tail the server logs to make sure the graylog server was getting through all of its startup steps, and until port 9000 was being listened too

tail -f /var/log/graylog-server/server.log
netstat -tulnp ( for checking which ports are being listened to)

After that, the web interface become available.

Just wanted to post this here for anyone else having trouble. 9 times out of 10, if you tail the server log, it will tell you were it’s not able to do. If you have no logs running, then ensure that the service is running.

service --status-all

service service-name status

I hope this helps anyone else having this issue. 
This post can be closed.

Hello @diana-moon

First, I corrected your post ,hope you don’t mind but it was difficult to read.

You have some minor issues. For a basic startup should have something like this in Graylog Config file…


[root@graylog elasticsearch]# cat /etc/graylog/server/server.conf | egrep -v "^\s*(#|$)"
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = epOqmLi7r7CdZxl76QOQxr8bRUPYstNdcBuajsaSNfG5bkXXFxyHAAsdgmCfyHhSKlKXjMQG9ojc0bn22EBT17elgGTUJgbD
root_password_sha2 =ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f
root_email = "diana.crowley@domain.com"
root_timezone = America/Chicago
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address =
http_enable_cors = true
elasticsearch_hosts = http://localhost:9200
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = true
allow_highlighting = false
elasticsearch_analyzer = standard
elasticsearch_index_optimization_timeout = 1h
output_batch_size = 5000
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
message_journal_max_size = 12gb
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost:27017/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
http_connect_timeout = 10s
proxied_requests_thread_pool_size = 32
[root@graylog elasticsearch]#

completed, restart Graylog service, Also tail the Graylog log file to ensure there are no errors

root # tail -f /var/log/graylog-server/server.log

Hope that helps

Thank you for the recommendation!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.