Ed, as Tristan already said, if you constantly sending in more messages than Graylog or Elasticsearch can process, you will always fill up your journal. Disabling the journal does not really fix the problem, because you will now lose messages.
Please check the node details page (System -> Nodes -> click on the node name) and check the disk journal stats. If you writing more into the journal than reading from it, you have a problem with processing throughput. Regards, Bernd On 26 February 2015 at 00:50, Tristan Rhodes <tristan.rho...@gmail.com> wrote: > Ed, > > I had this same problem. However, increasing the journal size will only > help if your rate of messages periodically decreases below what your system > can process. (For example, you will grow the journal during peak hours of > the day, and drain the journal when fewer logs are being sent to Graylog). > > If you are always sending more messages than your Elasticsearch can ingest, > the journal will not help. I increased my Elasticsearch ingesting > performance by changing this setting in elasticsearch.yml: > > index.refresh_interval: 30s > > You can read more about this setting here: > > http://blog.sematext.com/2013/07/08/elasticsearch-refresh-interval-vs-indexing-performance/ > http://www.elasticsearch.org/blog/performance-considerations-elasticsearch-indexing/ > > Disclaimer: I am new to graylog+elastisearch and barely know what I am > doing. :) > > Cheers! > > Tristan > > On Mon, Feb 23, 2015 at 10:41 AM, Ed Totman <etot...@gmail.com> wrote: >> >> I deployed the latest appliance from the ova file. Graylog2 worked fine >> for several days, but then the journal files grew to 5GB which is the >> default limit and search returns no current results. On the System page >> this error appeared: >> >> Journal utilization is too high a few seconds ago >> Journal utilization is too high and may go over the limit soon. Please >> verify that your Elasticsearch cluster is healthy and fast enough. You may >> also want to review your Graylog journal settings and set a higher limit. >> (Node: 43a9cc82-dc5a-4492-936b-418e1bc98f5e, journal utilization: 96.0%) >> >> I increased the journal limit to 10GB but this did not fix the problem. I >> restarted all services and checked the logs, but could not find any obvious >> problem. The VM is running on very fast storage with lots of CPU and >> memory. I set "message_journal_enabled = false" which seems to have >> temporarily resolved the problem. >> >> How do I troubleshoot the journal? All of the other components are >> working fine. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "graylog2" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to graylog2+unsubscr...@googlegroups.com. >> For more options, visit https://groups.google.com/d/optout. > > > > > -- > Tristan Rhodes > > -- > You received this message because you are subscribed to the Google Groups > "graylog2" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to graylog2+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- Developer Tel.: +49 (0)40 609 452 077 Fax.: +49 (0)40 609 452 078 TORCH GmbH - A Graylog company Steckelhörn 11 20457 Hamburg Germany Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175 Geschäftsführer: Lennart Koopmann (CEO) -- You received this message because you are subscribed to the Google Groups "graylog2" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
