Discussion:
graylog 2.0 GA - issues with nginx and reverse proxy -
(too old to reply)
g***@gmail.com
2016-04-28 00:26:54 UTC
Permalink
Hi I have issues with graylog 2.0 GA release, cant get reverse proxy
working, i tried on ubuntu 14,04 rhel 6 and 7, always same error

my setup:
mongo 3.2
elastisearch 2.3.2
graylog 2.0 GA
nginx 1.9.5

When im trying to access remote machine (same network), im getting this
error in browser
If I access localhost directly on graylog machine it is working


Server currently unavailable
We are experiencing problems connecting to the Graylog server running on
http://127.0.0.1:12900//. Please verify that the server is healthy and
working correctly.
You will be automatically redirected to the previous page once we can
connect to the server.
Do you need a hand? We can help you.
Less details
Error message
Bad request
Original Request
GET http://127.0.0.1:12900/system/cluster/node
Status code
undefined
Full error message
Error: Request has been terminated
Possible causes: the network is offline, Origin is not allowed by
Access-Control-Allow-Origin, the page is being unloaded, etc.
*My Nginx configuration:*

user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local]
"$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
#include /etc/nginx/conf.d/*.conf;
server {
listen 80;
location / {
proxy_pass http://localhost:9000/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_request_headers on;
proxy_connect_timeout 150;
proxy_send_timeout 100;
proxy_read_timeout 100;
proxy_buffers 4 32k;
client_max_body_size 8m;
client_body_buffer_size 128k;
}
}
}
*graylog configuration file, i changed just field marked with red*

# If you are running more than one instances of Graylog server you have to
select one of these
# instances as master. The master will perform some periodical tasks that
non-masters won't perform.
is_master = true

# The auto-generated node ID will be stored in this file and read after
restarts. It is a good idea
# to use an absolute file path here if you are starting Graylog server from
init scripts or similar.
node_id_file = /etc/graylog/server/node-id

# You MUST set a secret to secure/pepper the stored user passwords here.
Use at least 64 characters.
# Generate one by using for example: pwgen -N 1 -s 96
*password_secret = xxxxxxxxxx*

# The default root user is named 'admin'
#root_username = admin

# You MUST specify a hash password for the root user (which you only need
to initially set up the
# system and in case you lose connectivity to your authentication backend)
# This password cannot be changed using the API or via the web interface.
If you need to change it,
# modify it in this file.
# Create one by using for example: echo -n yourpassword | shasum -a 256
# and put the resulting hash value into the following line
*root_password_sha2 = xxxxxxxxxx*

# The email address of the root user.
# Default is empty
#root_email = ""

# The time zone setting of the root user. See
http://www.joda.org/joda-time/timezones.html for a list of valid time zones.
# Default is UTC
#root_timezone = UTC

# Set plugin directory here (relative or absolute)
plugin_dir = /usr/share/graylog-server/plugin

# REST API listen URI. Must be reachable by other Graylog server nodes if
you run a cluster.
# When using Graylog Collectors, this URI will be used to receive heartbeat
messages and must be accessible for all collectors.
rest_listen_uri = http://127.0.0.1:12900/

# REST API transport address. Defaults to the value of rest_listen_uri.
Exception: If rest_listen_uri
# is set to a wildcard IP address (0.0.0.0) the first non-loopback IPv4
system address is used.
# If set, this will be promoted in the cluster discovery APIs, so other
nodes may try to connect on
# this address and it is used to generate URLs addressing entities in the
REST API. (see rest_listen_uri)
# You will need to define this, if your Graylog server is running behind a
HTTP proxy that is rewriting
# the scheme, host name or URI.
#rest_transport_uri = http://192.168.1.1:12900/

# Enable CORS headers for REST API. This is necessary for JS-clients
accessing the server directly.
# If these are disabled, modern browsers will not be able to retrieve
resources from the server.
# This is enabled by default. Uncomment the next line to disable it.
#rest_enable_cors = false

# Enable GZIP support for REST API. This compresses API responses and
therefore helps to reduce
# overall round trip times. This is disabled by default. Uncomment the next
line to enable it.
#rest_enable_gzip = true

# Enable HTTPS support for the REST API. This secures the communication
with the REST API with
# TLS to prevent request forgery and eavesdropping. This is disabled by
default. Uncomment the
# next line to enable it.
#rest_enable_tls = true

# The X.509 certificate chain file in PEM format to use for securing the
REST API.
#rest_tls_cert_file = /path/to/graylog.crt

# The PKCS#8 private key file in PEM format to use for securing the REST
API.
#rest_tls_key_file = /path/to/graylog.key

# The password to unlock the private key used for securing the REST API.
#rest_tls_key_password = secret

# The maximum size of the HTTP request headers in bytes.
#rest_max_header_size = 8192

# The maximal length of the initial HTTP/1.1 line in bytes.
#rest_max_initial_line_length = 4096

# The size of the thread pool used exclusively for serving the REST API.
#rest_thread_pool_size = 16

# Enable the embedded Graylog web interface.
# Default: true
#web_enable = false

# Web interface listen URI
#web_listen_uri = http://127.0.0.1:9000/

# Web interface endpoint URI. This setting can be overriden on a
per-request basis with the X-Graylog-Server-URL header.
# Default: $rest_transport_uri
#web_endpoint_uri =

# Enable CORS headers for the web interface. This is necessary for
JS-clients accessing the server directly.
# If these are disabled, modern browsers will not be able to retrieve
resources from the server.
#web_enable_cors = false

# Enable/disable GZIP support for the web interface. This compresses HTTP
responses and therefore helps to reduce
# overall round trip times. This is enabled by default. Uncomment the next
line to disable it.
#web_enable_gzip = false

# Enable HTTPS support for the web interface. This secures the
communication of the web browser with the web interface
# using TLS to prevent request forgery and eavesdropping.
# This is disabled by default. Uncomment the next line to enable it and see
the other related configuration settings.
#web_enable_tls = true

# The X.509 certificate chain file in PEM format to use for securing the
web interface.
#web_tls_cert_file = /path/to/graylog-web.crt

# The PKCS#8 private key file in PEM format to use for securing the web
interface.
#web_tls_key_file = /path/to/graylog-web.key

# The password to unlock the private key used for securing the web
interface.
#web_tls_key_password = secret

# The maximum size of the HTTP request headers in bytes.
#web_max_header_size = 8192

# The maximal length of the initial HTTP/1.1 line in bytes.
#web_max_initial_line_length = 4096

# The size of the thread pool used exclusively for serving the web
interface.
#web_thread_pool_size = 16

# Configuration file for the embedded Elasticsearch instance in Graylog.
# Pay attention to the working directory of the server, maybe use an
absolute path here.
# Default: empty
#elasticsearch_config_file = /etc/graylog/server/elasticsearch.yml

# Disable checking the version of Elasticsearch for being compatible with
this Graylog release.
# WARNING: Using Graylog with unsupported and untested versions of
Elasticsearch may lead to data loss!
#elasticsearch_disable_version_check = true

# Disable message retention on this node, i. e. disable Elasticsearch index
rotation.
#no_retention = false

# How many Elasticsearch shards and replicas should be used per index? Note
that this only applies to newly created indices.
*elasticsearch_shards = 1*
elasticsearch_replicas = 0

# Prefix for all Elasticsearch indices and index aliases managed by Graylog.
elasticsearch_index_prefix = graylog

# Name of the Elasticsearch index template used by Graylog to apply the
mandatory index mapping.
# # Default: graylog-internal
#elasticsearch_template_name = graylog-internal

# Do you want to allow searches with leading wildcards? This can be
extremely resource hungry and should only
# be enabled with care. See also:
https://www.graylog.org/documentation/general/queries/
allow_leading_wildcard_searches = false

# Do you want to allow searches to be highlighted? Depending on the size of
your messages this can be memory hungry and
# should only be enabled after making sure your Elasticsearch cluster has
enough memory.
allow_highlighting = false

# settings to be passed to elasticsearch's client (overriding those in the
provided elasticsearch_config_file)
# all these
# this must be the same as for your Elasticsearch cluster
#elasticsearch_cluster_name = graylog

# The prefix being used to generate the Elasticsearch node name which makes
it easier to identify the specific Graylog
# server running the embedded Elasticsearch instance. The node name will be
constructed by concatenating this prefix
# and the Graylog node ID (see node_id_file), for example
"graylog-17052010-1234-5678-abcd-1337cafebabe".
# Default: graylog-
#elasticsearch_node_name_prefix = graylog-

# A comma-separated list of Elasticsearch nodes which Graylog is using to
connect to the Elasticsearch cluster,
# see
https://www.elastic.co/guide/en/elasticsearch/reference/2.3/modules-discovery-zen.html
for details.
# Default: 127.0.0.1
#elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300,
127.0.0.2:9500

# we don't want the Graylog server to store any data, or be master node
#elasticsearch_node_master = false
#elasticsearch_node_data = false

# use a different port if you run multiple Elasticsearch nodes on one
machine
#elasticsearch_transport_tcp_port = 9350

# we don't need to run the embedded HTTP server here
#elasticsearch_http_enabled = false

# Enable Elasticsearch multicast discovery. This requires the installation
of an Elasticsearch plugin,
# see
https://www.elastic.co/guide/en/elasticsearch/plugins/2.3/discovery-multicast.html
for details.
# Default: false
#elasticsearch_discovery_zen_ping_multicast_enabled = false

# Change the following setting if you are running into problems with
timeouts during Elasticsearch cluster discovery.
# The setting is specified in milliseconds, the default is 5000ms (5
seconds).
#elasticsearch_cluster_discovery_timeout = 5000

# the following settings allow to change the bind addresses for the
Elasticsearch client in Graylog
# these settings are empty by default, letting Elasticsearch choose
automatically,
# override them here or in the 'elasticsearch_config_file' if you need to
bind to a special address
# refer to
http://www.elasticsearch.org/guide/en/elasticsearch/reference/0.90/modules-network.html
# for special values here
#elasticsearch_network_host =
#elasticsearch_network_bind_host =
#elasticsearch_network_publish_host =

# The total amount of time discovery will look for other Elasticsearch
nodes in the cluster
# before giving up and declaring the current node master.
#elasticsearch_discovery_initial_state_timeout = 3s

# Analyzer (tokenizer) to use for message and full_message field. The
"standard" filter usually is a good idea.
# All supported analyzers are: standard, simple, whitespace, stop, keyword,
pattern, language, snowball, custom
# Elasticsearch documentation:
http://www.elasticsearch.org/guide/reference/index-modules/analysis/
# Note that this setting only takes effect on newly created indices.
elasticsearch_analyzer = standard

# Global request timeout for Elasticsearch requests (e. g. during search,
index creation, or index time-range
# calculations) based on a best-effort to restrict the runtime of
Elasticsearch operations.
# Default: 1m
#elasticsearch_request_timeout = 1m

# Time interval for index range information cleanups. This setting defines
how often stale index range information
# is being purged from the database.
# Default: 1h
#index_ranges_cleanup_interval = 1h

# Batch size for the Elasticsearch output. This is the maximum (!) number
of messages the Elasticsearch output
# module will get at once and write to Elasticsearch in a batch call. If
the configured batch size has not been
# reached within output_flush_interval seconds, everything that is
available will be flushed at once. Remember
# that every outputbuffer processor manages its own batch and performs its
own batch write calls.
# ("outputbuffer_processors" variable)
output_batch_size = 500

# Flush interval (in seconds) for the Elasticsearch output. This is the
maximum amount of time between two
# batches of messages written to Elasticsearch. It is only effective at all
if your minimum number of messages
# for this time period is less than output_batch_size *
outputbuffer_processors.
output_flush_interval = 1

# As stream outputs are loaded only on demand, an output which is failing
to initialize will be tried over and
# over again. To prevent this, the following configuration options define
after how many faults an output will
# not be tried again for an also configurable amount of seconds.
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30

# The number of parallel running processors.
# Raise this number if your buffers are filling up.
processbuffer_processors = 5
outputbuffer_processors = 3

#outputbuffer_processor_keep_alive_time = 5000
#outputbuffer_processor_threads_core_pool_size = 3
#outputbuffer_processor_threads_max_pool_size = 30

# UDP receive buffer size for all message inputs (e. g. SyslogUDPInput).
#udp_recvbuffer_sizes = 1048576

# Wait strategy describing how buffer processors wait on a cursor sequence.
(default: sleeping)
# Possible types:
# - yielding
# Compromise between performance and CPU usage.
# - sleeping
# Compromise between performance and CPU usage. Latency spikes can
occur after quiet periods.
# - blocking
# High throughput, low latency, higher CPU usage.
# - busy_spinning
# Avoids syscalls which could introduce latency jitter. Best when
threads can be bound to specific CPU cores.
processor_wait_strategy = blocking

# Size of internal ring buffers. Raise this if raising
outputbuffer_processors does not help anymore.
# For optimum performance your LogMessage objects in the ring buffer should
fit in your CPU L3 cache.
# Must be a power of 2. (512, 1024, 2048, ...)
ring_size = 65536

inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking

# Enable the disk based message journal.
message_journal_enabled = true

# The directory which will be used to store the message journal. The
directory must me exclusively used by Graylog and
# must not contain any other files than the ones created by Graylog itself.
message_journal_dir = /var/lib/graylog-server/journal

# Journal hold messages before they could be written to Elasticsearch.
# For a maximum of 12 hours or 5 GB whichever happens first.
# During normal operation the journal will be smaller.
#message_journal_max_age = 12h
#message_journal_max_size = 5gb

#message_journal_flush_age = 1m
#message_journal_flush_interval = 1000000
#message_journal_segment_age = 1h
#message_journal_segment_size = 100mb

# Number of threads used exclusively for dispatching internal events.
Default is 2.
#async_eventbus_processors = 2

# How many seconds to wait between marking node as DEAD for possible load
balancers and starting the actual
# shutdown process. Set to 0 if you have no status checking load balancers
in front.
lb_recognition_period_seconds = 3

# Every message is matched against the configured streams and it can happen
that a stream contains rules which
# take an unusual amount of time to run, for example if its using regular
expressions that perform excessive backtracking.
# This will impact the processing of the entire server. To keep such
misbehaving stream rules from impacting other
# streams, Graylog limits the execution time for each stream.
# The default values are noted below, the timeout is in milliseconds.
# If the stream matching for one stream took longer than the timeout value,
and this happened more than "max_faults" times
# that stream is disabled and a notification is shown in the web interface.
#stream_processing_timeout = 2000
#stream_processing_max_faults = 3

# Length of the interval in seconds in which the alert conditions for all
streams should be checked
# and alarms are being sent.
#alert_check_interval = 60

# Since 0.21 the Graylog server supports pluggable output modules. This
means a single message can be written to multiple
# outputs. The next setting defines the timeout for a single output module,
including the default output module where all
# messages end up.
#
# Time in milliseconds to wait for all message outputs to finish writing a
single message.
#output_module_timeout = 10000

# Time in milliseconds after which a detected stale master node is being
rechecked on startup.
#stale_master_timeout = 2000

# Time in milliseconds which Graylog is waiting for all threads to stop on
shutdown.
#shutdown_timeout = 30000

# MongoDB connection string
# See http://docs.mongodb.org/manual/reference/connection-string/ for
details
mongodb_uri = mongodb://localhost/graylog

# Authenticate against the MongoDB server
#mongodb_uri = mongodb://grayloguser:***@localhost:27017/graylog

# Use a replica set instead of a single host
#mongodb_uri =
mongodb://grayloguser:***@localhost:27017,localhost:27018,localhost:27019/graylog

# Increase this value according to the maximum connections your MongoDB
server can handle from a single client
# if you encounter MongoDB connection problems.
mongodb_max_connections = 1000

# Number of threads allowed to be blocked by MongoDB connections
multiplier. Default: 5
# If mongodb_max_connections is 100, and
mongodb_threads_allowed_to_block_multiplier is 5,
# then 500 threads can block. More than that and an exception will be
thrown.
#
http://api.mongodb.org/java/current/com/mongodb/MongoOptions.html#threadsAllowedToBlockForConnectionMultiplier
mongodb_threads_allowed_to_block_multiplier = 5

# Drools Rule File (Use to rewrite incoming log messages)
# See: https://www.graylog.org/documentation/general/rewriting/
#rules_file = /etc/graylog/server/rules.drl

# Email transport
#transport_email_enabled = false
#transport_email_hostname = mail.example.com
#transport_email_port = 587
#transport_email_use_auth = true
#transport_email_use_tls = true
#transport_email_use_ssl = true
#transport_email_auth_username = ***@example.com
#transport_email_auth_password = secret
#transport_email_subject_prefix = [graylog]
#transport_email_from_email = ***@example.com

# Specify and uncomment this if you want to include links to the stream in
your stream alert mails.
# This should define the fully qualified base url to your web interface
exactly the same way as it is accessed by your users.
#transport_email_web_interface_url = https://graylog.example.com

# The default connect timeout for outgoing HTTP connections.
# Values must be a positive duration (and between 1 and 2147483647 when
converted to milliseconds).
# Default: 5s
#http_connect_timeout = 5s

# The default read timeout for outgoing HTTP connections.
# Values must be a positive duration (and between 1 and 2147483647 when
converted to milliseconds).
# Default: 10s
#http_read_timeout = 10s

# The default write timeout for outgoing HTTP connections.
# Values must be a positive duration (and between 1 and 2147483647 when
converted to milliseconds).
# Default: 10s
#http_write_timeout = 10s

# HTTP proxy for outgoing HTTP connections
#http_proxy_uri =

# Disable the optimization of Elasticsearch indices after index cycling.
This may take some load from Elasticsearch
# on heavily used systems with large indices, but it will decrease search
performance. The default is to optimize
# cycled indices.
#disable_index_optimization = true

# Optimize the index down to <= index_optimization_max_num_segments. A
higher number may take some load from Elasticsearch
# on heavily used systems with large indices, but it will decrease search
performance. The default is 1.
#index_optimization_max_num_segments = 1

# The threshold of the garbage collection runs. If GC runs take longer than
this threshold, a system notification
# will be generated to warn the administrator about possible problems with
the system. Default is 1 second.
#gc_warning_threshold = 1s

# Connection timeout for a configured LDAP server (e. g. ActiveDirectory)
in milliseconds.
#ldap_connection_timeout = 2000

# Enable collection of Graylog-related metrics into MongoDB
# WARNING: This will add *a lot* of data into your MongoDB database on a
regular interval (1 second)!
# DEPRECATED: This setting and the respective feature will be removed in a
future version of Graylog.
#enable_metrics_collection = false

# Disable the use of SIGAR for collecting system stats
#disable_sigar = false

# The default cache time for dashboard widgets. (Default: 10 seconds,
minimum: 1 second)
#dashboard_widget_default_cache_time = 10s

# Automatically load content packs in "content_packs_dir" on the first
start of Graylog.
#content_packs_loader_enabled = true

# The directory which contains content packs which should be loaded on the
first start of Graylog.
content_packs_dir = /usr/share/graylog-server/contentpacks

# A comma-separated list of content packs (files in "content_packs_dir")
which should be applied on
# the first start of Graylog.
# Default: empty
content_packs_auto_load = grok-patterns.json
--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/08f11470-8c30-4aad-adbb-ea3fac4fa931%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Ryan Steckler
2016-04-28 00:38:40 UTC
Permalink
It may have nothing to do with your reverse proxy. There have been a
couple of posts today saying that the 2.0 GA doesn't work with SSL, reverse
proxy, multiple interfaces, etc. I'm starting to think that the 2.0 GA
release simply doesn't work. You may want to try to setup a vanilla
installation to see if you can get that working, even without the reverse
proxy.
Post by g***@gmail.com
Hi I have issues with graylog 2.0 GA release, cant get reverse proxy
working, i tried on ubuntu 14,04 rhel 6 and 7, always same error
mongo 3.2
elastisearch 2.3.2
graylog 2.0 GA
nginx 1.9.5
When im trying to access remote machine (same network), im getting this
error in browser
If I access localhost directly on graylog machine it is working

Server currently unavailable
We are experiencing problems connecting to the Graylog server running
on http://127.0.0.1:12900//. Please verify that the server is healthy
and working correctly.
You will be automatically redirected to the previous page once we can
connect to the server.
Do you need a hand? We can help you.
Less details
Error message
Bad request
Original Request
GET http://127.0.0.1:12900/system/cluster/node
Status code
undefined
Full error message
Error: Request has been terminated
Possible causes: the network is offline, Origin is not allowed by
Access-Control-Allow-Origin, the page is being unloaded, etc.
*My Nginx configuration:*
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local]
"$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
#include /etc/nginx/conf.d/*.conf;
server {
listen 80;
location / {
proxy_pass http://localhost:9000/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_request_headers on;
proxy_connect_timeout 150;
proxy_send_timeout 100;
proxy_read_timeout 100;
proxy_buffers 4 32k;
client_max_body_size 8m;
client_body_buffer_size 128k;
}
}
}
*graylog configuration file, i changed just field marked with red*
# If you are running more than one instances of Graylog server you have to
select one of these
# instances as master. The master will perform some periodical tasks that
non-masters won't perform.
is_master = true
# The auto-generated node ID will be stored in this file and read after
restarts. It is a good idea
# to use an absolute file path here if you are starting Graylog server
from init scripts or similar.
node_id_file = /etc/graylog/server/node-id
# You MUST set a secret to secure/pepper the stored user passwords here.
Use at least 64 characters.
# Generate one by using for example: pwgen -N 1 -s 96
*password_secret = xxxxxxxxxx*
# The default root user is named 'admin'
#root_username = admin
# You MUST specify a hash password for the root user (which you only need
to initially set up the
# system and in case you lose connectivity to your authentication backend)
# This password cannot be changed using the API or via the web interface.
If you need to change it,
# modify it in this file.
# Create one by using for example: echo -n yourpassword | shasum -a 256
# and put the resulting hash value into the following line
*root_password_sha2 = xxxxxxxxxx*
# The email address of the root user.
# Default is empty
#root_email = ""
# The time zone setting of the root user. See
http://www.joda.org/joda-time/timezones.html for a list of valid time zones.
# Default is UTC
#root_timezone = UTC
# Set plugin directory here (relative or absolute)
plugin_dir = /usr/share/graylog-server/plugin
# REST API listen URI. Must be reachable by other Graylog server nodes if
you run a cluster.
# When using Graylog Collectors, this URI will be used to receive
heartbeat messages and must be accessible for all collectors.
rest_listen_uri = http://127.0.0.1:12900/
# REST API transport address. Defaults to the value of rest_listen_uri.
Exception: If rest_listen_uri
# is set to a wildcard IP address (0.0.0.0) the first non-loopback IPv4
system address is used.
# If set, this will be promoted in the cluster discovery APIs, so other
nodes may try to connect on
# this address and it is used to generate URLs addressing entities in the
REST API. (see rest_listen_uri)
# You will need to define this, if your Graylog server is running behind a
HTTP proxy that is rewriting
# the scheme, host name or URI.
#rest_transport_uri = http://192.168.1.1:12900/
# Enable CORS headers for REST API. This is necessary for JS-clients
accessing the server directly.
# If these are disabled, modern browsers will not be able to retrieve
resources from the server.
# This is enabled by default. Uncomment the next line to disable it.
#rest_enable_cors = false
# Enable GZIP support for REST API. This compresses API responses and
therefore helps to reduce
# overall round trip times. This is disabled by default. Uncomment the
next line to enable it.
#rest_enable_gzip = true
# Enable HTTPS support for the REST API. This secures the communication
with the REST API with
# TLS to prevent request forgery and eavesdropping. This is disabled by
default. Uncomment the
# next line to enable it.
#rest_enable_tls = true
# The X.509 certificate chain file in PEM format to use for securing the
REST API.
#rest_tls_cert_file = /path/to/graylog.crt
# The PKCS#8 private key file in PEM format to use for securing the REST
API.
#rest_tls_key_file = /path/to/graylog.key
# The password to unlock the private key used for securing the REST API.
#rest_tls_key_password = secret
# The maximum size of the HTTP request headers in bytes.
#rest_max_header_size = 8192
# The maximal length of the initial HTTP/1.1 line in bytes.
#rest_max_initial_line_length = 4096
# The size of the thread pool used exclusively for serving the REST API.
#rest_thread_pool_size = 16
# Enable the embedded Graylog web interface.
# Default: true
#web_enable = false
# Web interface listen URI
#web_listen_uri = http://127.0.0.1:9000/
# Web interface endpoint URI. This setting can be overriden on a
per-request basis with the X-Graylog-Server-URL header.
# Default: $rest_transport_uri
#web_endpoint_uri =
# Enable CORS headers for the web interface. This is necessary for
JS-clients accessing the server directly.
# If these are disabled, modern browsers will not be able to retrieve
resources from the server.
#web_enable_cors = false
# Enable/disable GZIP support for the web interface. This compresses HTTP
responses and therefore helps to reduce
# overall round trip times. This is enabled by default. Uncomment the next
line to disable it.
#web_enable_gzip = false
# Enable HTTPS support for the web interface. This secures the
communication of the web browser with the web interface
# using TLS to prevent request forgery and eavesdropping.
# This is disabled by default. Uncomment the next line to enable it and
see the other related configuration settings.
#web_enable_tls = true
# The X.509 certificate chain file in PEM format to use for securing the
web interface.
#web_tls_cert_file = /path/to/graylog-web.crt
# The PKCS#8 private key file in PEM format to use for securing the web
interface.
#web_tls_key_file = /path/to/graylog-web.key
# The password to unlock the private key used for securing the web
interface.
#web_tls_key_password = secret
# The maximum size of the HTTP request headers in bytes.
#web_max_header_size = 8192
# The maximal length of the initial HTTP/1.1 line in bytes.
#web_max_initial_line_length = 4096
# The size of the thread pool used exclusively for serving the web
interface.
#web_thread_pool_size = 16
# Configuration file for the embedded Elasticsearch instance in Graylog.
# Pay attention to the working directory of the server, maybe use an
absolute path here.
# Default: empty
#elasticsearch_config_file = /etc/graylog/server/elasticsearch.yml
# Disable checking the version of Elasticsearch for being compatible with
this Graylog release.
# WARNING: Using Graylog with unsupported and untested versions of
Elasticsearch may lead to data loss!
#elasticsearch_disable_version_check = true
# Disable message retention on this node, i. e. disable Elasticsearch
index rotation.
#no_retention = false
# How many Elasticsearch shards and replicas should be used per index?
Note that this only applies to newly created indices.
*elasticsearch_shards = 1*
elasticsearch_replicas = 0
# Prefix for all Elasticsearch indices and index aliases managed by Graylog.
elasticsearch_index_prefix = graylog
# Name of the Elasticsearch index template used by Graylog to apply the
mandatory index mapping.
# # Default: graylog-internal
#elasticsearch_template_name = graylog-internal
# Do you want to allow searches with leading wildcards? This can be
extremely resource hungry and should only
https://www.graylog.org/documentation/general/queries/
allow_leading_wildcard_searches = false
# Do you want to allow searches to be highlighted? Depending on the size
of your messages this can be memory hungry and
# should only be enabled after making sure your Elasticsearch cluster has
enough memory.
allow_highlighting = false
# settings to be passed to elasticsearch's client (overriding those in the
provided elasticsearch_config_file)
# all these
# this must be the same as for your Elasticsearch cluster
#elasticsearch_cluster_name = graylog
# The prefix being used to generate the Elasticsearch node name which
makes it easier to identify the specific Graylog
# server running the embedded Elasticsearch instance. The node name will
be constructed by concatenating this prefix
# and the Graylog node ID (see node_id_file), for example
"graylog-17052010-1234-5678-abcd-1337cafebabe".
# Default: graylog-
#elasticsearch_node_name_prefix = graylog-
# A comma-separated list of Elasticsearch nodes which Graylog is using to
connect to the Elasticsearch cluster,
# see
https://www.elastic.co/guide/en/elasticsearch/reference/2.3/modules-discovery-zen.html
for details.
# Default: 127.0.0.1
#elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300,
127.0.0.2:9500
# we don't want the Graylog server to store any data, or be master node
#elasticsearch_node_master = false
#elasticsearch_node_data = false
# use a different port if you run multiple Elasticsearch nodes on one
machine
#elasticsearch_transport_tcp_port = 9350
# we don't need to run the embedded HTTP server here
#elasticsearch_http_enabled = false
# Enable Elasticsearch multicast discovery. This requires the installation
of an Elasticsearch plugin,
# see
https://www.elastic.co/guide/en/elasticsearch/plugins/2.3/discovery-multicast.html
for details.
# Default: false
#elasticsearch_discovery_zen_ping_multicast_enabled = false
# Change the following setting if you are running into problems with
timeouts during Elasticsearch cluster discovery.
# The setting is specified in milliseconds, the default is 5000ms (5
seconds).
#elasticsearch_cluster_discovery_timeout = 5000
# the following settings allow to change the bind addresses for the
Elasticsearch client in Graylog
# these settings are empty by default, letting Elasticsearch choose
automatically,
# override them here or in the 'elasticsearch_config_file' if you need to
bind to a special address
# refer to
http://www.elasticsearch.org/guide/en/elasticsearch/reference/0.90/modules-network.html
# for special values here
#elasticsearch_network_host =
#elasticsearch_network_bind_host =
#elasticsearch_network_publish_host =
# The total amount of time discovery will look for other Elasticsearch
nodes in the cluster
# before giving up and declaring the current node master.
#elasticsearch_discovery_initial_state_timeout = 3s
# Analyzer (tokenizer) to use for message and full_message field. The
"standard" filter usually is a good idea.
# All supported analyzers are: standard, simple, whitespace, stop,
keyword, pattern, language, snowball, custom
http://www.elasticsearch.org/guide/reference/index-modules/analysis/
# Note that this setting only takes effect on newly created indices.
elasticsearch_analyzer = standard
# Global request timeout for Elasticsearch requests (e. g. during search,
index creation, or index time-range
# calculations) based on a best-effort to restrict the runtime of
Elasticsearch operations.
# Default: 1m
#elasticsearch_request_timeout = 1m
# Time interval for index range information cleanups. This setting defines
how often stale index range information
# is being purged from the database.
# Default: 1h
#index_ranges_cleanup_interval = 1h
# Batch size for the Elasticsearch output. This is the maximum (!) number
of messages the Elasticsearch output
# module will get at once and write to Elasticsearch in a batch call. If
the configured batch size has not been
# reached within output_flush_interval seconds, everything that is
available will be flushed at once. Remember
# that every outputbuffer processor manages its own batch and performs its
own batch write calls.
# ("outputbuffer_processors" variable)
output_batch_size = 500
# Flush interval (in seconds) for the Elasticsearch output. This is the
maximum amount of time between two
# batches of messages written to Elasticsearch. It is only effective at
all if your minimum number of messages
# for this time period is less than output_batch_size *
outputbuffer_processors.
output_flush_interval = 1
# As stream outputs are loaded only on demand, an output which is failing
to initialize will be tried over and
# over again. To prevent this, the following configuration options define
after how many faults an output will
# not be tried again for an also configurable amount of seconds.
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
# The number of parallel running processors.
# Raise this number if your buffers are filling up.
processbuffer_processors = 5
outputbuffer_processors = 3
#outputbuffer_processor_keep_alive_time = 5000
#outputbuffer_processor_threads_core_pool_size = 3
#outputbuffer_processor_threads_max_pool_size = 30
# UDP receive buffer size for all message inputs (e. g. SyslogUDPInput).
#udp_recvbuffer_sizes = 1048576
# Wait strategy describing how buffer processors wait on a cursor
sequence. (default: sleeping)
# - yielding
# Compromise between performance and CPU usage.
# - sleeping
# Compromise between performance and CPU usage. Latency spikes can
occur after quiet periods.
# - blocking
# High throughput, low latency, higher CPU usage.
# - busy_spinning
# Avoids syscalls which could introduce latency jitter. Best when
threads can be bound to specific CPU cores.
processor_wait_strategy = blocking
# Size of internal ring buffers. Raise this if raising
outputbuffer_processors does not help anymore.
# For optimum performance your LogMessage objects in the ring buffer
should fit in your CPU L3 cache.
# Must be a power of 2. (512, 1024, 2048, ...)
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
# Enable the disk based message journal.
message_journal_enabled = true
# The directory which will be used to store the message journal. The
directory must me exclusively used by Graylog and
# must not contain any other files than the ones created by Graylog itself.
message_journal_dir = /var/lib/graylog-server/journal
# Journal hold messages before they could be written to Elasticsearch.
# For a maximum of 12 hours or 5 GB whichever happens first.
# During normal operation the journal will be smaller.
#message_journal_max_age = 12h
#message_journal_max_size = 5gb
#message_journal_flush_age = 1m
#message_journal_flush_interval = 1000000
#message_journal_segment_age = 1h
#message_journal_segment_size = 100mb
# Number of threads used exclusively for dispatching internal events.
Default is 2.
#async_eventbus_processors = 2
# How many seconds to wait between marking node as DEAD for possible load
balancers and starting the actual
# shutdown process. Set to 0 if you have no status checking load balancers
in front.
lb_recognition_period_seconds = 3
# Every message is matched against the configured streams and it can
happen that a stream contains rules which
# take an unusual amount of time to run, for example if its using regular
expressions that perform excessive backtracking.
# This will impact the processing of the entire server. To keep such
misbehaving stream rules from impacting other
# streams, Graylog limits the execution time for each stream.
# The default values are noted below, the timeout is in milliseconds.
# If the stream matching for one stream took longer than the timeout
value, and this happened more than "max_faults" times
# that stream is disabled and a notification is shown in the web interface.
#stream_processing_timeout = 2000
#stream_processing_max_faults = 3
# Length of the interval in seconds in which the alert conditions for all
streams should be checked
# and alarms are being sent.
#alert_check_interval = 60
# Since 0.21 the Graylog server supports pluggable output modules. This
means a single message can be written to multiple
# outputs. The next setting defines the timeout for a single output
module, including the default output module where all
# messages end up.
#
# Time in milliseconds to wait for all message outputs to finish writing a
single message.
#output_module_timeout = 10000
# Time in milliseconds after which a detected stale master node is being
rechecked on startup.
#stale_master_timeout = 2000
# Time in milliseconds which Graylog is waiting for all threads to stop on
shutdown.
#shutdown_timeout = 30000
# MongoDB connection string
# See http://docs.mongodb.org/manual/reference/connection-string/ for
details
mongodb_uri = mongodb://localhost/graylog
# Authenticate against the MongoDB server
# Use a replica set instead of a single host
#mongodb_uri =
# Increase this value according to the maximum connections your MongoDB
server can handle from a single client
# if you encounter MongoDB connection problems.
mongodb_max_connections = 1000
# Number of threads allowed to be blocked by MongoDB connections
multiplier. Default: 5
# If mongodb_max_connections is 100, and
mongodb_threads_allowed_to_block_multiplier is 5,
# then 500 threads can block. More than that and an exception will be
thrown.
#
http://api.mongodb.org/java/current/com/mongodb/MongoOptions.html#threadsAllowedToBlockForConnectionMultiplier
mongodb_threads_allowed_to_block_multiplier = 5
# Drools Rule File (Use to rewrite incoming log messages)
# See: https://www.graylog.org/documentation/general/rewriting/
#rules_file = /etc/graylog/server/rules.drl
# Email transport
#transport_email_enabled = false
#transport_email_hostname = mail.example.com
#transport_email_port = 587
#transport_email_use_auth = true
#transport_email_use_tls = true
#transport_email_use_ssl = true
#transport_email_auth_password = secret
#transport_email_subject_prefix = [graylog]
# Specify and uncomment this if you want to include links to the stream in
your stream alert mails.
# This should define the fully qualified base url to your web interface
exactly the same way as it is accessed by your users.
#transport_email_web_interface_url = https://graylog.example.com
# The default connect timeout for outgoing HTTP connections.
# Values must be a positive duration (and between 1 and 2147483647 when
converted to milliseconds).
# Default: 5s
#http_connect_timeout = 5s
# The default read timeout for outgoing HTTP connections.
# Values must be a positive duration (and between 1 and 2147483647 when
converted to milliseconds).
# Default: 10s
#http_read_timeout = 10s
# The default write timeout for outgoing HTTP connections.
# Values must be a positive duration (and between 1 and 2147483647 when
converted to milliseconds).
# Default: 10s
#http_write_timeout = 10s
# HTTP proxy for outgoing HTTP connections
#http_proxy_uri =
# Disable the optimization of Elasticsearch indices after index cycling.
This may take some load from Elasticsearch
# on heavily used systems with large indices, but it will decrease search
performance. The default is to optimize
# cycled indices.
#disable_index_optimization = true
# Optimize the index down to <= index_optimization_max_num_segments. A
higher number may take some load from Elasticsearch
# on heavily used systems with large indices, but it will decrease search
performance. The default is 1.
#index_optimization_max_num_segments = 1
# The threshold of the garbage collection runs. If GC runs take longer
than this threshold, a system notification
# will be generated to warn the administrator about possible problems with
the system. Default is 1 second.
#gc_warning_threshold = 1s
# Connection timeout for a configured LDAP server (e. g. ActiveDirectory)
in milliseconds.
#ldap_connection_timeout = 2000
# Enable collection of Graylog-related metrics into MongoDB
# WARNING: This will add *a lot* of data into your MongoDB database on a
regular interval (1 second)!
# DEPRECATED: This setting and the respective feature will be removed in a
future version of Graylog.
#enable_metrics_collection = false
# Disable the use of SIGAR for collecting system stats
#disable_sigar = false
# The default cache time for dashboard widgets. (Default: 10 seconds,
minimum: 1 second)
#dashboard_widget_default_cache_time = 10s
# Automatically load content packs in "content_packs_dir" on the first
start of Graylog.
#content_packs_loader_enabled = true
# The directory which contains content packs which should be loaded on the
first start of Graylog.
content_packs_dir = /usr/share/graylog-server/contentpacks
# A comma-separated list of content packs (files in "content_packs_dir")
which should be applied on
# the first start of Graylog.
# Default: empty
content_packs_auto_load = grok-patterns.json
--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/c4d93657-0dec-4b0f-b71e-4ff51e218af1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
g***@gmail.com
2016-04-28 00:53:10 UTC
Permalink
it is working when i do vanila installation and if im connecting from local
machine to localhost, just when im trying to use reverse proxy, cant get
login form, just redirect to error message
--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/8c1be934-d16c-429d-86d2-068cecc15acb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Micha -
2016-04-28 05:54:01 UTC
Permalink
Hi,

For us Graylog v2.0 (since Beta) is working like a charm behind a Apache
ReverseProxy with SSL Offloading

Our config looks like this, maybe this helps someone:
<VirtualHost *:443>
ServerName graylogserver.example.com


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/ssl/certs/graylog.crt
SSLCertificateKeyFile /etc/ssl/certs/graylog.key

KeepAliveTimeout 900

RewriteEngine On

## Graylog Dashboard
RewriteCond %{REQUEST_URI} !^/api
RewriteRule ^/(.*) http://localhost:9000/$1 [P,L]

## Graylog Api - also needed for the dashboard
RequestHeader set X-Graylog-Server-URL
"https://graylogserver.example.com/api"
RewriteCond %{REQUEST_URI} ^/api
RewriteRule ^/(api\/)(.*) http://127.0.0.1:12900/$2 [P,L]

<Location />
Order allow,deny
Allow from all
</Location>

</VirtualHost>

Regards
Micha
--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/c5a2838a-8ed8-4524-b4bb-4bb2019d7d2b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Micha -
2016-04-28 05:57:13 UTC
Permalink
Hi,

For us Graylog v2.0 (since Beta) is working like a charm behind a Apache
ReverseProxy with SSL Offloading - no graylog server config modification
needed for the rest api

Our config looks like this, maybe this helps someone:
<VirtualHost *:443>
ServerName graylogserver.example.com


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/ssl/certs/graylog.crt
SSLCertificateKeyFile /etc/ssl/certs/graylog.key

KeepAliveTimeout 900

RewriteEngine On

## Graylog Dashboard
RewriteCond %{REQUEST_URI} !^/api
RewriteRule ^/(.*) http://localhost:9000/$1 [P,L]

## Graylog Api - also needed for the dashboard
RequestHeader set X-Graylog-Server-URL "
https://graylogserver.example.com/api"
RewriteCond %{REQUEST_URI} ^/api
RewriteRule ^/(api\/)(.*) http://127.0.0.1:12900/$2 [P,L]

<Location />
Order allow,deny
Allow from all
</Location>

</VirtualHost>

Regards
Micha
--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/add8eec5-65a9-4637-9a46-9b58589e3ee4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Jochen Schalanda
2016-04-28 07:34:04 UTC
Permalink
Hi,

starting with Graylog 2.0.0, the web interface has been merged into the
server component and is a single-page application directly communicating
with the Graylog REST API. Thus, your client (i. e. web browser) must be
able to communicate with the Graylog REST API, which isn't possible with
the listener being bound to the loopback interface on
http://127.0.0.1:12900/ in your case.

Please refer to http://docs.graylog.org/en/2.0/pages/configuring_webif.html
for information how to setup the web interface in Graylog 2.0.0 and for
working example configurations for nginx and Apache httpd as reverse
proxies.

Cheers,
Jochen
Post by g***@gmail.com
Hi I have issues with graylog 2.0 GA release, cant get reverse proxy
working, i tried on ubuntu 14,04 rhel 6 and 7, always same error
mongo 3.2
elastisearch 2.3.2
graylog 2.0 GA
nginx 1.9.5
When im trying to access remote machine (same network), im getting this
error in browser
If I access localhost directly on graylog machine it is working
--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/7712e68e-a4d6-4901-9145-9eb730c5769b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
g***@gmail.com
2016-04-28 08:13:11 UTC
Permalink
Thanks for helping out, i got it working now, im not using ssl, this nginx
configuration works for me

server {
listen 80;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Graylog-Server-URL
http://my_graylog_server_ip_address/api;
proxy_pass http://localhost:9000/;
}
location /api/
{
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://localhost:12900/;
}
}
Post by Jochen Schalanda
Hi,
starting with Graylog 2.0.0, the web interface has been merged into the
server component and is a single-page application directly communicating
with the Graylog REST API. Thus, your client (i. e. web browser) must be
able to communicate with the Graylog REST API, which isn't possible with
the listener being bound to the loopback interface on
http://127.0.0.1:12900/ in your case.
Please refer to
http://docs.graylog.org/en/2.0/pages/configuring_webif.html for
information how to setup the web interface in Graylog 2.0.0 and for working
example configurations for nginx and Apache httpd as reverse proxies.
Cheers,
Jochen
Post by g***@gmail.com
Hi I have issues with graylog 2.0 GA release, cant get reverse proxy
working, i tried on ubuntu 14,04 rhel 6 and 7, always same error
mongo 3.2
elastisearch 2.3.2
graylog 2.0 GA
nginx 1.9.5
When im trying to access remote machine (same network), im getting this
error in browser
If I access localhost directly on graylog machine it is working
--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/1a81181d-237c-436c-b352-180c6b5575d9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Loading...