ここでは、何をしても、graylog-serverがポート12900にバインドされない状況があります。 github.com/graylog2/graylog-ansible-roleを使用して、graylog-server-1.1.6-1.noarch、elasticsearch-1.6.2-1.noarch、mongodb-org-server-2.6.10のrpmをインストールしました-1.x86_64、nginx-1.8.0-1.el7.ngx.x86_64(2つのCentOS 7 VM)。グレイログサーバーが起動し、/ var/log/graylog/server.logにエラーを記録しませんが、ポート12900へのバインドに失敗します。
[root@doru2 deploy]# ps -eaf | grep graylog-server
graylog 26140 26137 7 19:01 ? 00:02:50 Java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -jar -Dlog4j.configuration=file:///etc/graylog/server/log4j.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar /usr/share/graylog-server/graylog.jar server -f /etc/graylog/server/server.conf -np
[root@doru2 deploy]# netstat -tunelp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 991 100234 25747/mongod
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 16996 820/rpcbind
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 22667 1563/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 22086 1504/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 24601 1994/master
tcp6 0 0 :::111 :::* LISTEN 0 16999 820/rpcbind
tcp6 0 0 10.1.10.134:9200 :::* LISTEN 990 53978 10878/Java
tcp6 0 0 10.1.10.134:9300 :::* LISTEN 990 52910 10878/Java
tcp6 0 0 :::22 :::* LISTEN 0 22088 1504/sshd
tcp6 0 0 ::1:25 :::* LISTEN 0 24602 1994/master
udp 0 0 0.0.0.0:111 0.0.0.0:* 0 16934 820/rpcbind
udp 0 0 0.0.0.0:123 0.0.0.0:* 0 17863 813/chronyd
udp 0 0 127.0.0.1:323 0.0.0.0:* 0 17865 813/chronyd
udp 0 0 0.0.0.0:18893 0.0.0.0:* 0 21509 1311/dhclient
udp 0 0 0.0.0.0:53726 0.0.0.0:* 70 18826 793/avahi-daemon: r
udp 0 0 0.0.0.0:973 0.0.0.0:* 0 16995 820/rpcbind
udp 0 0 0.0.0.0:5353 0.0.0.0:* 70 18825 793/avahi-daemon: r
[root@doru2 deploy]# firewall-cmd --list-all
public (default, active)
interfaces: eno16777736
sources:
services: dhcpv6-client ssh
ports: 9200/tcp 9300/udp 12900/tcp 9300/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@doru2 deploy]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
Active: inactive (dead)
[root@doru2 deploy]# semanage port -l | grep 12900
http_port_t tcp 12900, 80, 81, 443, 488, 8008, 8009, 8443, 9000
SElinux監査ログには、関連する例外は示されていません。
[root@doru2 deploy]# grep -v -w graylog-web /var/log/audit/audit.log | grep -v -w crond_t
type=MAC_POLICY_LOAD msg=audit(1438973046.052:25205): policy loaded auid=1001 ses=2
type=SYSCALL msg=audit(1438973046.052:25205): Arch=c000003e syscall=1 success=yes exit=3770462 a0=4 a1=7f7f2403e010 a2=39885e a3=7ffeb5dd0760 items=0 ppid=69239 pid=69302 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=MAC_POLICY_LOAD msg=audit(1438973101.674:25222): policy loaded auid=1001 ses=2
type=SYSCALL msg=audit(1438973101.674:25222): Arch=c000003e syscall=1 success=yes exit=3770418 a0=4 a1=7f41b3048010 a2=398832 a3=7ffde8b85280 items=0 ppid=69492 pid=69562 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=USER_AVC msg=audit(1438973169.169:25243): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1438973169.169:25244): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SERVICE_STOP msg=audit(1438973169.174:25245): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="graylog-server" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1438973169.195:25246): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="graylog-server" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
グレイログサーバーログは、ユニキャストアドレスのみを使用するように構成されている場合でも、zenマルチキャストトランスポートハンドラーを登録し続けることを示しています。
2015-08-06T18:42:36.749-07:00 INFO [CmdLineTool] Loaded plugins: [Anonymous Usage Statistics 1.1.1 [org.graylog.plugins.usagestatistics.UsageStatsPlugin]]
2015-08-06T18:42:36.879-07:00 INFO [CmdLineTool] Running with JVM arguments: -Xms256m -Xmx1g -XX:NewRatio=1 -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Dlog4j.configuration=file:///etc/graylog/server/log4j.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar
2015-08-06T18:42:40.871-07:00 INFO [InputBufferImpl] Message journal is enabled.
2015-08-06T18:42:41.234-07:00 INFO [LogManager] Loading log 'messagejournal-0'
2015-08-06T18:42:41.304-07:00 INFO [KafkaJournal] Initialized Kafka based journal at /var/lib/graylog-server/journal
2015-08-06T18:42:41.316-07:00 INFO [InputBufferImpl] Initialized InputBufferImpl with ring size <65536> and wait strategy <BlockingWaitStrategy>, running 2 parallel message handlers.
2015-08-06T18:42:41.486-07:00 INFO [NodeId] Node ID: 22261716-e535-47eb-a02b-395b2f2983ee
2015-08-06T18:42:41.713-07:00 INFO [node] [doru2] version[1.6.2], pid[17622], build[6220391/2015-07-29T09:24:47Z]
2015-08-06T18:42:41.713-07:00 INFO [node] [doru2] initializing ...
2015-08-06T18:42:41.782-07:00 INFO [plugins] [doru2] loaded [graylog2-monitor], sites []
2015-08-06T18:42:43.988-07:00 WARN [transport] [doru2] Registered two transport handlers for action internal:discovery/zen/multicast, handlers: org.elasticsearch.discovery.zen.ping.multicast.MulticastZenPing$MulticastPingResponseRequestHandler@171228a4, org.elasticsearch.discovery.zen.ping.multicast.MulticastZenPing$MulticastPingResponseRequestHandler@292a32d1
2015-08-06T18:42:44.727-07:00 WARN [transport] [doru2] Registered two transport handlers for action internal:discovery/zen/multicast, handlers: org.elasticsearch.discovery.zen.ping.multicast.MulticastZenPing$MulticastPingResponseRequestHandler@22e2821f, org.elasticsearch.discovery.zen.ping.multicast.MulticastZenPing$MulticastPingResponseRequestHandler@171228a4
2015-08-06T18:42:44.729-07:00 WARN [transport] [doru2] Registered two transport handlers for action internal:discovery/zen/multicast, handlers: org.elasticsearch.discovery.zen.ping.multicast.MulticastZenPing$MulticastPingResponseRequestHandler@7ff210cf, org.elasticsearch.discovery.zen.ping.multicast.MulticastZenPing$MulticastPingResponseRequestHandler@22e2821f
2015-08-06T18:42:44.731-07:00 WARN [transport] [doru2] Registered two transport handlers for action internal:discovery/zen/multicast, handlers: org.elasticsearch.discovery.zen.ping.multicast.MulticastZenPing$MulticastPingResponseRequestHandler@6d2dc7a8, org.elasticsearch.discovery.zen.ping.multicast.MulticastZenPing$MulticastPingResponseRequestHandler@7ff210cf
2015-08-06T18:42:44.743-07:00 WARN [transport] [doru2] Registered two transport handlers for action internal:discovery/zen/multicast, handlers: org.elasticsearch.discovery.zen.ping.multicast.MulticastZenPing$MulticastPingResponseRequestHandler@4099f1f0, org.elasticsearch.discovery.zen.ping.multicast.MulticastZenPing$MulticastPingResponseRequestHandler@6d2dc7a8
2015-08-06T18:42:44.744-07:00 WARN [transport] [doru2] Registered two transport handlers for action internal:discovery/zen/multicast, handlers: org.elasticsearch.discovery.zen.ping.multicast.MulticastZenPing$MulticastPingResponseRequestHandler@3adae4b2, org.elasticsearch.discovery.zen.ping.multicast.MulticastZenPing$MulticastPingResponseRequestHandler@4099f1f0
20分の期間に2300件の警告が記録されました。 /etc/graylog/server/server.confの本質は次のとおりです。
[root@doru2 deploy]# grep -v ^\# /etc/graylog/server/server.conf | sort -u
allow_highlighting = false
allow_leading_wildcard_searches = false
dead_letters_enabled = false
elasticsearch_analyzer = standard
elasticsearch_cluster_discovery_timeout = 5000
elasticsearch_cluster_name = graylog-cluster
elasticsearch_config_file = /etc/graylog/server/elasticsearch.yml
elasticsearch_discovery_zen_ping_multicast_enabled = False
elasticsearch_discovery_zen_ping_unicast_hosts = ['10.1.10.133:9300', '10.1.10.134:9300']
elasticsearch_http_enabled = false
elasticsearch_index_prefix = graylog2
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
elasticsearch_network_bind_Host =
elasticsearch_network_Host =
elasticsearch_network_publish_Host =
elasticsearch_node_data = false
elasticsearch_node_master = false
elasticsearch_node_name = doru2
elasticsearch_replicas = 0
elasticsearch_shards = 4
elasticsearch_transport_tcp_port = 9300
is_master = false
lb_recognition_period_seconds = 3
message_journal_dir = /var/lib/graylog-server/journal
message_journal_enabled = true
message_journal_max_age = 12h
message_journal_max_size = 5gb
mongodb_max_connections = 100
mongodb_password =
mongodb_replica_set = localhost:27017
mongodb_threads_allowed_to_block_multiplier = 5
mongodb_uri = mongodb://127.0.0.1:27017/graylog
mongodb_useauth = false
mongodb_user =
node_id_file = /etc/graylog/server/node-id
output_batch_size = 25
outputbuffer_processors = 3
output_flush_interval = 1
password_secret = 2jueVqZpwLLjaWxV
plugin_dir = /usr/share/graylog-server/plugin
processbuffer_processors = 5
processor_wait_strategy = blocking
rest_enable_cors = true
rest_enable_gzip = true
rest_listen_uri = http://127.0.0.1:12900/
rest_transport_uri = http://127.0.0.1:12900/
retention_strategy = delete
root_email =
root_password_sha2 = 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
root_timezone = UTC
root_username = admin
rotation_strategy = count
stream_processing_max_faults = 3
stream_processing_timeout = 2000
telemetry_enabled = false
transport_email_auth_password =
transport_email_auth_username =
transport_email_enabled = false
transport_email_from_email =
transport_email_hostname =
transport_email_port = 587
transport_email_subject_prefix = [graylog]
transport_email_use_auth = true
transport_email_use_ssl = true
transport_email_use_tls = true
transport_email_web_interface_url =
私が見る唯一のエラーは/ var/log/messagesにあります
Aug 7 12:32:59 localhost systemd: Started Graylog server.
Aug 7 12:37:20 localhost graylog-server: Exception in thread "main" Java.lang.OutOfMemoryError: Java heap space
Aug 7 12:37:20 localhost graylog-server: at Java.util.Arrays.copyOf(Arrays.Java:2367)
Aug 7 12:37:20 localhost graylog-server: at Java.lang.AbstractStringBuilder.expandCapacity(AbstractStringBuilder.Java:130)
Aug 7 12:37:20 localhost graylog-server: at Java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.Java:114)
Aug 7 12:37:20 localhost graylog-server: at Java.lang.AbstractStringBuilder.append(AbstractStringBuilder.Java:415)
Aug 7 12:37:20 localhost graylog-server: at Java.lang.StringBuilder.append(StringBuilder.Java:132)
Aug 7 12:37:20 localhost graylog-server: at Java.lang.StringBuilder.append(StringBuilder.Java:179)
Aug 7 12:37:20 localhost graylog-server: at Java.lang.StringBuilder.append(StringBuilder.Java:72)
Aug 7 12:37:20 localhost graylog-server: at Java.util.Formatter$FormatSpecifier.print(Formatter.Java:2865)
Aug 7 12:37:20 localhost graylog-server: at Java.util.Formatter$FormatSpecifier.printString(Formatter.Java:2838)
Aug 7 12:37:20 localhost graylog-server: at Java.util.Formatter$FormatSpecifier.print(Formatter.Java:2718)
Aug 7 12:37:20 localhost graylog-server: at Java.util.Formatter.format(Formatter.Java:2488)
Aug 7 12:37:20 localhost graylog-server: at Java.util.Formatter.format(Formatter.Java:2423)
Aug 7 12:37:20 localhost graylog-server: at org.elasticsearch.common.inject.internal.Errors.format(Errors.Java:474)
Aug 7 12:37:20 localhost graylog-server: at org.elasticsearch.common.inject.CreationException.getMessage(CreationException.Java:55)
Aug 7 12:37:20 localhost graylog-server: at Java.lang.Throwable.getLocalizedMessage(Throwable.Java:391)
Aug 7 12:37:20 localhost graylog-server: at Java.lang.Throwable.toString(Throwable.Java:480)
Aug 7 12:37:20 localhost graylog-server: at Java.util.Formatter$FormatSpecifier.printString(Formatter.Java:2838)
Aug 7 12:37:20 localhost graylog-server: at Java.util.Formatter$FormatSpecifier.print(Formatter.Java:2718)
Aug 7 12:37:20 localhost graylog-server: at Java.util.Formatter.format(Formatter.Java:2488)
Aug 7 12:37:20 localhost graylog-server: at Java.util.Formatter.format(Formatter.Java:2423)
Aug 7 12:37:20 localhost graylog-server: at Java.lang.String.format(String.Java:2792)
Aug 7 12:37:20 localhost graylog-server: at com.google.inject.internal.Errors.format(Errors.Java:556)
Aug 7 12:37:20 localhost graylog-server: at com.google.inject.internal.Errors.addMessage(Errors.Java:539)
Aug 7 12:37:20 localhost graylog-server: at com.google.inject.internal.Errors.errorInUserCode(Errors.Java:421)
Aug 7 12:37:20 localhost graylog-server: at com.google.inject.internal.Errors.errorInProvider(Errors.Java:376)
Aug 7 12:37:20 localhost graylog-server: at com.google.inject.internal.BoundProviderFactory.provision(BoundProviderFactory.Java:74)
Aug 7 12:37:20 localhost graylog-server: at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.Java:61)
Aug 7 12:37:20 localhost graylog-server: at com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.Java:62)
Aug 7 12:37:20 localhost graylog-server: at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.Java:46)
Aug 7 12:37:20 localhost graylog-server: at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.Java:1103)
Aug 7 12:37:20 localhost graylog-server: at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.Java:40)
Aug 7 12:37:20 localhost graylog-server: at com.google.inject.internal.SingletonScope$1.get(SingletonScope.Java:145)
私が使用しているVMには4GBのRAMがあり、JVMは1Gを使用するように構成されています。メモリ不足エラーは次の結果であるかどうか疑問に思います。大量のマルチキャストトランスポートハンドラーを開始します。何かアイデアはありますか?
これを/etc/graylog/server/server.confのelasticsearch_discovery_zen_ping_unicast_hosts値までさかのぼります。これはJavaプロパティファイルであるため、値は次のようにフォーマットする必要があります。
elasticsearch_discovery_zen_ping_unicast_hosts = 10.1.10.134:9300
elasticsearch_discovery_zen_ping_unicast_hosts = 10.1.10.134:9300,10.1.10.133:9300
このようなYAML形式は避けてください。 1.1.6のように、Graylogコードは、不適切にフォーマットされた値にフラグを立てません。
elasticsearch_discovery_zen_ping_unicast_hosts = "10.1.10.134:9300"
elasticsearch_discovery_zen_ping_unicast_hosts = [ "10.1.10.134:9300" ]