[graylog2] Graylog stops sending messages to elasticsearch after adding extractor
Hi,

I have the problem that right after adding a grok extractor to an input, the system immediately stops sending messages to Elasticsearch (out = 0). Has somebody had the same experience?

My pattern looks like this and is for BIND messages:

client\s%{IPV4:src_ip}#%{BASE10NUM:src_port}\s\(([a-zA-Z0-9.\-_]*)+\):\squery:\s%{NOTSPACE:dns_name}\sIN\s%{WORD:dns_type}\s%{NOTSPACE:dns_flags}\s\(%{IPV4:dns_server}\)

I have the latest version, 1.2.1, installed. Graylog-server, -web and Elasticsearch are on different machines.

Thank you and kind regards

-- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/88f8a45e-8e14-4ec8-945a-4a47f4cad399%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
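Editor's note, added example (not from the poster and not Graylog's code): before enabling an extractor on a live input it is worth running the pattern offline against a handful of stored messages and seeing exactly which fields come out and which lines do not match at all. The Python script below expands the grok macros used in the post (IPV4, BASE10NUM, NOTSPACE, WORD) by hand, following the commonly distributed grok pattern definitions, and runs the result over constructed BIND query-log lines. Two things are assumptions of mine rather than anything the post states: BASE10NUM is simplified (the grok original uses an atomic group, which Python's re only supports from 3.11), and the sample log lines are made up. Independently of whatever caused the poster's stall, note that the posted fragment \(([a-zA-Z0-9.\-_]*)+\) nests a star inside a plus; a (X*)+ construct can backtrack exponentially on a line that almost matches, so the example uses a single * for that group, which accepts exactly the same strings.

```python
"""Offline check of the BIND query-log grok pattern from the post above.

Added example; not Graylog's code. The grok macros are expanded by hand into
Python regular expressions following the standard grok definitions.
"""
import re
from typing import Optional

# Hand-expanded grok macros. BASE10NUM is simplified: the grok original wraps
# the number in an atomic group (?>...), which Python's re only supports from
# 3.11 on; for port numbers the simplified form matches the same text.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]{1,2})"
IPV4 = rf"(?<![0-9]){OCTET}(?:\.{OCTET}){{3}}(?![0-9])"
BASE10NUM = r"(?<![0-9.+-])[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)"
NOTSPACE = r"\S+"
WORD = r"\b\w+\b"

# Same layout as the posted pattern. One deliberate change: the posted
# "\(([a-zA-Z0-9.\-_]*)+\)" nests a star inside a plus, and (X*)+ can
# backtrack exponentially on a line that almost matches; a single "*"
# accepts exactly the same strings without that risk.
BIND_QUERY = re.compile(
    rf"client\s(?P<src_ip>{IPV4})#(?P<src_port>{BASE10NUM})"
    rf"\s\((?:[a-zA-Z0-9.\-_]*)\):\squery:\s"
    rf"(?P<dns_name>{NOTSPACE})\sIN\s(?P<dns_type>{WORD})"
    rf"\s(?P<dns_flags>{NOTSPACE})\s\((?P<dns_server>{IPV4})\)"
)


def parse_bind_query(line: str) -> Optional[dict]:
    """Return the fields the extractor would produce, or None on no match."""
    m = BIND_QUERY.search(line)
    return m.groupdict() if m else None


# Constructed sample lines (not from the poster's logs). The first two follow
# the BIND 9.9/9.10 query-log format the pattern targets; the third follows
# the BIND 9.11+ format, which inserts a client object address after
# "client" and therefore does not match this pattern.
SAMPLE_LINES = [
    "client 192.0.2.10#53241 (www.example.com): query: www.example.com IN A + (198.51.100.1)",
    "client 192.0.2.11#40000 (example.net): query: example.net IN MX +E (198.51.100.1)",
    "client @0x7f0c1c0a0b90 192.0.2.12#51000 (example.org): query: example.org IN AAAA + (198.51.100.1)",
]


def summarize(lines=SAMPLE_LINES) -> dict:
    """Count how many sample lines the pattern covers and how many it misses."""
    results = [parse_bind_query(line) for line in lines]
    return {
        "matched": sum(1 for r in results if r is not None),
        "unmatched": sum(1 for r in results if r is None),
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_bind_query(line))
    print(summarize())
```

Running the script prints the six extracted fields for the first two lines and None for the third; a real BIND log can be substituted for SAMPLE_LINES to see the actual match ratio before the extractor goes live.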
[graylog2] Graylog stops sending messages to elasticsearch
Hi,

I hope someone can give me a hint. After searching for two weeks now I cannot find the solution for my problem. Graylog stops sending messages to Elasticsearch (throughput In: xxx / Out: 0). If I restart Graylog, messages are being sent to Elasticsearch, but not with the same performance as a few weeks ago, when the situation was normal. It begins fast and then drops until it reaches 0 for outgoing messages. Both the Elasticsearch and Graylog logs don't give useful information in debug mode.

Shortly before the problem occurred I did some changes to the Graylog configuration and changed the shard configuration (primary and replica). I think that was a bad idea and the reason for the problems right now. I think that a complete flush of all the data and a restart with a new Elasticsearch instance could solve the problem. But I don't know how to perform this correctly.

My questions are:

1) Did anybody have the same or similar problems and can give me some hints where else to search?

2) How do I flush all the data correctly from the Graylog database and start over with a fresh instance of Elasticsearch?

What I found was the following article: https://groups.google.com/forum/#!topic/graylog2/Dfw6uKtUF5k. But the MongoDB solution mentioned there doesn't work, as I don't have those options. I think the version is too old (mine is 2.6.11).

Thank you in advance for any help on this.

Kind regards

To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/b5acd505-a4ed-4c99-a659-942946ee5a6b%40googlegroups.com.