Hi Jochen, 1) I have issues with connecting to REST API. While graylog server and web-interface works fine. Elastic search also works fine. Below are the scripts, Can you please look into it and let me know where am I going wrong?
2) I have a message : *message* *Toggle dropdown * *####<Mar 31, 2016 6:57:12 PM EDT> <Info> <Health> <uat01vxxx> <wls_server> <weblogic.GCMonitor> <<anonymous>> <> <b66bf206c1dd6fda:-60c49d3b:153a00027ce:-8000-0000000000000064> <1459465032681> <BEA-310002> <60% of the total memory in the server is free> * message Toggle dropdown ####<Mar 31, 2016 5:55:43 PM EDT> <Info> <JDBC> <uat01xxx> <soa_server_01> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <b66bf206c1dd6fda:-60c49d3b:153a00027ce:-8000-00000000001015d0> <1459461343059> <BEA-001128> <Connection for pool "OraSDPMDataSource" has been closed.> I am trying to streamline this message, can you tell me how can I streamline these above messages Thank you Sikender -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/e6bbdaf9-0588-411b-a2c0-4be8c46a65d6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
// Graylog Collector example configuration. // URL to REST API of Graylog server this collector registers at server-url = "http://127.0.0.1:12900"; // Enable registration with the Graylog server. (enabled by default) enable-registration = false // The id used to identify this collector. Can be either a string which is used as id, // or the location of a file if prefixed with "file:". If the file does not exist, // an id will be generated and written to that file. If it exists, it is expected // to contain a single string without spaces which will be used for the id. // Defaults to "file:config/collector-id" if not specified. collector-id = "file:config/collector-id" inputs { // // A simple file input that follows /var/log/syslog. local-syslog { type = "file" path = "/var/lib/serve/logs" charset = "utf-8" content-splitter = "newline" } // // // A globbing file input. Follows all *.access.log files that exist and will be created in /var/log/apache2. // // You have to split the path into path-glob-root and path-glob-pattern. A usual "/var/log/**/*.{log,txt}" // // becomes path-glob-root="/var/log" and path-glob-pattern="**/*.{log,txt}". // apache-access { // type = "file" // path-glob-root = "/var/log/apache2" // path-glob-pattern = "*.access.log" } // // // An input to read from the given Windows event log. Only works on Windows. // // Available source-names: Application, System, Security // win-application { // type = "windows-eventlog" // source-name = "Application" // poll-interval = 1s // } //} outputs { // // GELF output to send messages to a Graylog server. Usually only type, host and port are needed. // // The other options are for TLS support and to fine-tune the GELF client library. gelf-tcp { type = "gelf" host = "graylog-server-ip-address" port = 12201 client-tls = false client-tls-cert-chain-file = "/path/to/cert-chain.pem" client-tls-verify-cert = true client-queue-size = 512 client-connect-timeout = 5000 client-reconnect-delay = 1000 client-tcp-no-delay = true client-send-buffer-size = 32768 } // // // Prints all messages to STDOUT. Useful for debugging. Do not enable in production usage! console { type = "stdout" } }
# graylog2-server REST URIs (one or more, comma separated) For example: "http://127.0.0.1:12900/,http://127.0.0.1:12910/"; graylog2-server.uris="http://127.0.0.1:12900"; # Learn how to configure custom logging in the documentation: # http://docs.graylog.org/en/latest/pages/installation.html#manual-setup-graylog-web-interface-on-linux # Secret key # ~~~~~ # The secret key is used to secure cryptographics functions. Set this to a long and randomly generated string. # If you deploy your application to several instances be sure to use the same key! # Generate for example with: pwgen -N 1 -s 96 application.secret="2rhIkHCEj4BLfb0sWHF4w6mPxnwqReUfP2BM81v6k7NqRqLHLaf9EuUyknRxVBKMwmtIsGZd95JPSR1fkwydTuuD8890Axsm" # Web interface timezone # Graylog stores all timestamps in UTC. To properly display times, set the default timezone of the interface. # If you leave this out, Graylog will pick your system default as the timezone. Usually you will want to configure it explicitly. # timezone="Europe/Berlin" # Message field limit # Your web interface can cause high load in your browser when you have a lot of different message fields. The default # limit of message fields is 100. Set it to 0 if you always want to get all fields. They are for example used in the # search result sidebar or for autocompletion of field names. field_list_limit=100 # Use this to run Graylog with a path prefix #application.context=/graylog2 # You usually do not want to change this. application.global=lib.Global # Global timeout for communication with Graylog server nodes; default: 5s #timeout.DEFAULT=5s # Enable gzip filter for compressing responses. # See https://www.playframework.com/documentation/2.3.x/GzipEncoding for details. # Default: false #graylog2.gzip-filter=false # Accept any server certificate without checking for validity; required if using self-signed certificates. # Default: true # graylog2.client.accept-any-certificate=true
# If you are running more than one instances of graylog2-server you have to select one of these # instances as master. The master will perform some periodical tasks that non-masters won't perform. is_master = true # The auto-generated node ID will be stored in this file and read after restarts. It is a good idea # to use an absolute file path here if you are starting graylog2-server from init scripts or similar. node_id_file = /etc/graylog/server/node-id # You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters. # Generate one by using for example: pwgen -N 1 -s 96 password_secret = 5Za9lQauWxKN5YEy6WLJxng6uQ0kYAKnsAjZhFGUAZsdOlbuDkX6iiInOqnnV15DQ3RzQejeWCLpjG0UcNri2WlZqJ1W1sWk # The default root user is named 'admin' #root_username = admin # You MUST specify a hash password for the root user (which you only need to initially set up the # system and in case you lose connectivity to your authentication backend) # This password cannot be changed using the API or via the web interface. If you need to change it, # modify it in this file. # Create one by using for example: echo -n yourpassword | shasum -a 256 # and put the resulting hash value into the following line root_password_sha2 = d98592e623622909115886fda2797ce86d2455bad979eb1e1ebaa35f202b11fc # The email address of the root user. # Default is empty #root_email = "" # The time zone setting of the root user. # The configured time zone must be parseable by http://www.joda.org/joda-time/apidocs/org/joda/time/DateTimeZone.html#forID-java.lang.String- # Default is UTC #root_timezone = UTC # Set plugin directory here (relative or absolute) plugin_dir = /u01/app/graylog-server/plugin # REST API listen URI. Must be reachable by other graylog2-server nodes if you run a cluster. rest_listen_uri = http://127.0.0.1:12900/ # REST API transport address. Defaults to the value of rest_listen_uri. Exception: If rest_listen_uri # is set to a wildcard IP address (0.0.0.0) the first non-loopback IPv4 system address is used. # If set, his will be promoted in the cluster discovery APIs, so other nodes may try to connect on # this address and it is used to generate URLs addressing entities in the REST API. (see rest_listen_uri) # You will need to define this, if your Graylog server is running behind a HTTP proxy that is rewriting # the scheme, host name or URI. #rest_transport_uri = http://192.168.1.1:12900/ # Enable CORS headers for REST API. This is necessary for JS-clients accessing the server directly. # If these are disabled, modern browsers will not be able to retrieve resources from the server. # This is disabled by default. Uncomment the next line to enable it. #rest_enable_cors = true # Enable GZIP support for REST API. This compresses API responses and therefore helps to reduce # overall round trip times. This is disabled by default. Uncomment the next line to enable it. #rest_enable_gzip = true # Enable HTTPS support for the REST API. This secures the communication with the REST API with # TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the # next line to enable it. #rest_enable_tls = true # The X.509 certificate file to use for securing the REST API. #rest_tls_cert_file = /path/to/graylog2.crt # The private key to use for securing the REST API. #rest_tls_key_file = /path/to/graylog2.key # The password to unlock the private key used for securing the REST API. #rest_tls_key_password = secret # The maximum size of a single HTTP chunk in bytes. #rest_max_chunk_size = 8192 # The maximum size of the HTTP request headers in bytes. #rest_max_header_size = 8192 # The maximal length of the initial HTTP/1.1 line in bytes. #rest_max_initial_line_length = 4096 # The size of the execution handler thread pool used exclusively for serving the REST API. #rest_thread_pool_size = 16 # The size of the worker thread pool used exclusively for serving the REST API. #rest_worker_threads_max_pool_size = 16 # Embedded Elasticsearch configuration file # pay attention to the working directory of the server, maybe use an absolute path here #elasticsearch_config_file = /etc/graylog/server/elasticsearch.yml # Graylog will use multiple indices to store documents in. You can configured the strategy it uses to determine # when to rotate the currently active write index. # It supports multiple rotation strategies: # - "count" of messages per index, use elasticsearch_max_docs_per_index below to configure # - "size" per index, use elasticsearch_max_size_per_index below to configure # valid values are "count", "size" and "time", default is "count" rotation_strategy = count # (Approximate) maximum number of documents in an Elasticsearch index before a new index # is being created, also see no_retention and elasticsearch_max_number_of_indices. # Configure this if you used 'rotation_strategy = count' above. elasticsearch_max_docs_per_index = 20000000 # (Approximate) maximum size in bytes per Elasticsearch index on disk before a new index is being created, also see # no_retention and elasticsearch_max_number_of_indices. Default is 1GB. # Configure this if you used 'rotation_strategy = size' above. #elasticsearch_max_size_per_index = 1073741824 # (Approximate) maximum time before a new Elasticsearch index is being created, also see # no_retention and elasticsearch_max_number_of_indices. Default is 1 day. # Configure this if you used 'rotation_strategy = time' above. # Please note that this rotation period does not look at the time specified in the received messages, but is # using the real clock value to decide when to rotate the index! # Specify the time using a duration and a suffix indicating which unit you want: # 1w = 1 week # 1d = 1 day # 12h = 12 hours # Permitted suffixes are: d for day, h for hour, m for minute, s for second. #elasticsearch_max_time_per_index = 1d # Disable checking the version of Elasticsearch for being compatible with this Graylog release. # WARNING: Using Graylog with unsupported and untested versions of Elasticsearch may lead to data loss! #elasticsearch_disable_version_check = true # Disable message retention on this node, i. e. disable Elasticsearch index rotation. #no_retention = false # How many indices do you want to keep? elasticsearch_max_number_of_indices = 20 # Decide what happens with the oldest indices when the maximum number of indices is reached. # The following strategies are availble: # - delete # Deletes the index completely (Default) # - close # Closes the index and hides it from the system. Can be re-opened later. retention_strategy = delete # How many Elasticsearch shards and replicas should be used per index? Note that this only applies to newly created indices. elasticsearch_shards = 4 elasticsearch_replicas = 0 # Prefix for all Elasticsearch indices and index aliases managed by Graylog. elasticsearch_index_prefix = graylog2 # Name of the Elasticsearch index template used by Graylog to apply the mandatory index mapping. # # Default: graylog-internal #elasticsearch_template_name = graylog-internal # Do you want to allow searches with leading wildcards? This can be extremely resource hungry and should only # be enabled with care. See also: https://www.graylog.org/documentation/general/queries/ allow_leading_wildcard_searches = false # Do you want to allow searches to be highlighted? Depending on the size of your messages this can be memory hungry and # should only be enabled after making sure your Elasticsearch cluster has enough memory. allow_highlighting = true # settings to be passed to elasticsearch's client (overriding those in the provided elasticsearch_config_file) # all these # this must be the same as for your Elasticsearch cluster elasticsearch_cluster_name = graylog2 # you could also leave this out, but makes it easier to identify the graylog2 client instance #elasticsearch_node_name = graylog2-server # we don't want the graylog2 server to store any data, or be master node #elasticsearch_node_master = false #elasticsearch_node_data = false # use a different port if you run multiple Elasticsearch nodes on one machine #elasticsearch_transport_tcp_port = 9350 # we don't need to run the embedded HTTP server here #elasticsearch_http_enabled = false elasticsearch_discovery_zen_ping_multicast_enabled = false elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300 # Change the following setting if you are running into problems with timeouts during Elasticsearch cluster discovery. # The setting is specified in milliseconds, the default is 5000ms (5 seconds). #elasticsearch_cluster_discovery_timeout = 5000 # the following settings allow to change the bind addresses for the Elasticsearch client in graylog2 # these settings are empty by default, letting Elasticsearch choose automatically, # override them here or in the 'elasticsearch_config_file' if you need to bind to a special address # refer to http://www.elasticsearch.org/guide/en/elasticsearch/reference/0.90/modules-network.html # for special values here #elasticsearch_network_host = #elasticsearch_network_bind_host = #elasticsearch_network_publish_host = # The total amount of time discovery will look for other Elasticsearch nodes in the cluster # before giving up and declaring the current node master. #elasticsearch_discovery_initial_state_timeout = 3s # Analyzer (tokenizer) to use for message and full_message field. The "standard" filter usually is a good idea. # All supported analyzers are: standard, simple, whitespace, stop, keyword, pattern, language, snowball, custom # Elasticsearch documentation: http://www.elasticsearch.org/guide/reference/index-modules/analysis/ # Note that this setting only takes effect on newly created indices. elasticsearch_analyzer = standard # Global request timeout for Elasticsearch requests (e. g. during search, index creation, or index time-range # calculations) based on a best-effort to restrict the runtime of Elasticsearch operations. # Default: 1m #elasticsearch_request_timeout = 1m # Time interval for index range information cleanups. This setting defines how often stale index range information # is being purged from the database. # Default: 1h #index_ranges_cleanup_interval = 1h # Batch size for the Elasticsearch output. This is the maximum (!) number of messages the Elasticsearch output # module will get at once and write to Elasticsearch in a batch call. If the configured batch size has not been # reached within output_flush_interval seconds, everything that is available will be flushed at once. Remember # that every outputbuffer processor manages its own batch and performs its own batch write calls. # ("outputbuffer_processors" variable) output_batch_size = 500 # Flush interval (in seconds) for the Elasticsearch output. This is the maximum amount of time between two # batches of messages written to Elasticsearch. It is only effective at all if your minimum number of messages # for this time period is less than output_batch_size * outputbuffer_processors. output_flush_interval = 1 # As stream outputs are loaded only on demand, an output which is failing to initialize will be tried over and # over again. To prevent this, the following configuration options define after how many faults an output will # not be tried again for an also configurable amount of seconds. output_fault_count_threshold = 5 output_fault_penalty_seconds = 30 # The number of parallel running processors. # Raise this number if your buffers are filling up. processbuffer_processors = 5 outputbuffer_processors = 3 #outputbuffer_processor_keep_alive_time = 5000 #outputbuffer_processor_threads_core_pool_size = 3 #outputbuffer_processor_threads_max_pool_size = 30 # UDP receive buffer size for all message inputs (e. g. SyslogUDPInput). #udp_recvbuffer_sizes = 1048576 # Wait strategy describing how buffer processors wait on a cursor sequence. (default: sleeping) # Possible types: # - yielding # Compromise between performance and CPU usage. # - sleeping # Compromise between performance and CPU usage. Latency spikes can occur after quiet periods. # - blocking # High throughput, low latency, higher CPU usage. # - busy_spinning # Avoids syscalls which could introduce latency jitter. Best when threads can be bound to specific CPU cores. processor_wait_strategy = blocking # Size of internal ring buffers. Raise this if raising outputbuffer_processors does not help anymore. # For optimum performance your LogMessage objects in the ring buffer should fit in your CPU L3 cache. # Start server with --statistics flag to see buffer utilization. # Must be a power of 2. (512, 1024, 2048, ...) ring_size = 65536 inputbuffer_ring_size = 65536 inputbuffer_processors = 2 inputbuffer_wait_strategy = blocking # Enable the disk based message journal. message_journal_enabled = true # The directory which will be used to store the message journal. The directory must me exclusively used by Graylog and # must not contain any other files than the ones created by Graylog itself. message_journal_dir = /var/lib/graylog-server/journal # Journal hold messages before they could be written to Elasticsearch. # For a maximum of 12 hours or 5 GB whichever happens first. # During normal operation the journal will be smaller. #message_journal_max_age = 12h #message_journal_max_size = 5gb #message_journal_flush_age = 1m #message_journal_flush_interval = 1000000 #message_journal_segment_age = 1h #message_journal_segment_size = 100mb # Number of threads used exclusively for dispatching internal events. Default is 2. #async_eventbus_processors = 2 # EXPERIMENTAL: Dead Letters # Every failed indexing attempt is logged by default and made visible in the web-interface. You can enable # the experimental dead letters feature to write every message that was not successfully indexed into the # MongoDB "dead_letters" collection to make sure that you never lose a message. The actual writing of dead # letter should work fine already but it is not heavily tested yet and will get more features in future # releases. dead_letters_enabled = false # How many seconds to wait between marking node as DEAD for possible load balancers and starting the actual # shutdown process. Set to 0 if you have no status checking load balancers in front. lb_recognition_period_seconds = 3 # Every message is matched against the configured streams and it can happen that a stream contains rules which # take an unusual amount of time to run, for example if its using regular expressions that perform excessive backtracking. # This will impact the processing of the entire server. To keep such misbehaving stream rules from impacting other # streams, Graylog limits the execution time for each stream. # The default values are noted below, the timeout is in milliseconds. # If the stream matching for one stream took longer than the timeout value, and this happened more than "max_faults" times # that stream is disabled and a notification is shown in the web interface. #stream_processing_timeout = 2000 #stream_processing_max_faults = 3 # Length of the interval in seconds in which the alert conditions for all streams should be checked # and alarms are being sent. #alert_check_interval = 60 # Since 0.21 the graylog2 server supports pluggable output modules. This means a single message can be written to multiple # outputs. The next setting defines the timeout for a single output module, including the default output module where all # messages end up. # # Time in milliseconds to wait for all message outputs to finish writing a single message. #output_module_timeout = 10000 # Time in milliseconds after which a detected stale master node is being rechecked on startup. #stale_master_timeout = 2000 # Time in milliseconds which Graylog is waiting for all threads to stop on shutdown. #shutdown_timeout = 30000 # MongoDB connection string # See http://docs.mongodb.org/manual/reference/connection-string/ for details mongodb_uri = mongodb://localhost/graylog2 # Authenticate against the MongoDB server #mongodb_uri = mongodb://grayloguser:secret@localhost:27017/graylog2 # Use a replica set instead of a single host #mongodb_uri = mongodb://grayloguser:secret@localhost:27017,localhost:27018,localhost:27019/graylog2 # Increase this value according to the maximum connections your MongoDB server can handle from a single client # if you encounter MongoDB connection problems. mongodb_max_connections = 100 # Number of threads allowed to be blocked by MongoDB connections multiplier. Default: 5 # If mongodb_max_connections is 100, and mongodb_threads_allowed_to_block_multiplier is 5, # then 500 threads can block. More than that and an exception will be thrown. # http://api.mongodb.org/java/current/com/mongodb/MongoOptions.html#threadsAllowedToBlockForConnectionMultiplier mongodb_threads_allowed_to_block_multiplier = 5 # Drools Rule File (Use to rewrite incoming log messages) # See: https://www.graylog.org/documentation/general/rewriting/ #rules_file = /etc/graylog/server/rules.drl # Email transport #transport_email_enabled = false #transport_email_hostname = mail.example.com #transport_email_port = 587 #transport_email_use_auth = true #transport_email_use_tls = true #transport_email_use_ssl = true #transport_email_auth_username = [email protected] #transport_email_auth_password = secret #transport_email_subject_prefix = [graylog2] #transport_email_from_email = [email protected] # Specify and uncomment this if you want to include links to the stream in your stream alert mails. # This should define the fully qualified base url to your web interface exactly the same way as it is accessed by your users. #transport_email_web_interface_url = https://graylog2.example.com # The default connect timeout for outgoing HTTP connections. # Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds). # Default: 5s #http_connect_timeout = 5s # The default read timeout for outgoing HTTP connections. # Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds). # Default: 10s #http_read_timeout = 10s # The default write timeout for outgoing HTTP connections. # Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds). # Default: 10s #http_write_timeout = 10s # HTTP proxy for outgoing HTTP connections #http_proxy_uri = # Disable the optimization of Elasticsearch indices after index cycling. This may take some load from Elasticsearch # on heavily used systems with large indices, but it will decrease search performance. The default is to optimize # cycled indices. #disable_index_optimization = true # Optimize the index down to <= index_optimization_max_num_segments. A higher number may take some load from Elasticsearch # on heavily used systems with large indices, but it will decrease search performance. The default is 1. #index_optimization_max_num_segments = 1 # The threshold of the garbage collection runs. If GC runs take longer than this threshold, a system notification # will be generated to warn the administrator about possible problems with the system. Default is 1 second. #gc_warning_threshold = 1s # Connection timeout for a configured LDAP server (e. g. ActiveDirectory) in milliseconds. #ldap_connection_timeout = 2000 # Enable collection of Graylog-related metrics into MongoDB # WARNING: This will add *a lot* of data into your MongoDB database on a regular interval (1 second)! # DEPRECATED: This setting and the respective feature will be removed in a future version of Graylog. #enable_metrics_collection = false # Disable the use of SIGAR for collecting system stats #disable_sigar = false # Amount of time of inactivity after which collectors are flagged as inactive (Default: 1 minute) #collector_inactive_threshold = 1m # Amount of time after which inactive collectors are purged (Default: 14 days) #collector_expiration_threshold = 14d # The default cache time for dashboard widgets. (Default: 10 seconds, minimum: 1 second) #dashboard_widget_default_cache_time = 10s # Automatically load content packs in "content_packs_dir" on the first start of Graylog. #content_packs_loader_enabled = true # The directory which contains content packs which should be loaded on the first start of Graylog. content_packs_dir = /u01/app/graylog-server/contentpacks # A comma-separated list of content packs (files in "content_packs_dir") which should be applied on # the first start of Graylog. content_packs_auto_load = grok-patterns.json
##################### Elasticsearch Configuration Example ##################### # This file contains an overview of various configuration settings, # targeted at operations staff. Application developers should # consult the guide at <http://elasticsearch.org/guide>. # # The installation procedure is covered at # <http://elasticsearch.org/guide/en/elasticsearch/reference/current/setup.html>. # # Elasticsearch comes with reasonable defaults for most settings, # so you can try it out without bothering with configuration. # # Most of the time, these defaults are just fine for running a production # cluster. If you're fine-tuning your cluster, or wondering about the # effect of certain configuration option, please _do ask_ on the # mailing list or IRC channel [http://elasticsearch.org/community]. # Any element in the configuration can be replaced with environment variables # by placing them in ${...} notation. For example: # #node.rack: ${RACK_ENV_VAR} # For information on supported formats and syntax for the config file, see # <http://elasticsearch.org/guide/en/elasticsearch/reference/current/setup-configuration.html> ################################### Cluster ################################### # Cluster name identifies your cluster for auto-discovery. If you're running # multiple clusters on the same network, make sure you're using unique names. # #cluster.name: elasticsearch #################################### Node ##################################### # Node names are generated dynamically on startup, so you're relieved # from configuring them manually. You can tie this node to a specific name: # #node.name: "Graylog2" # Every node can be configured to allow or deny being eligible as the master, # and to allow or deny to store the data. # # Allow this node to be eligible as a master node (enabled by default): # #node.master: true # # Allow this node to store data (enabled by default): # #node.data: true # You can exploit these settings to design advanced cluster topologies. # # 1. You want this node to never become a master node, only to hold data. # This will be the "workhorse" of your cluster. # #node.master: false #node.data: true # # 2. You want this node to only serve as a master: to not store any data and # to have free resources. This will be the "coordinator" of your cluster. # #node.master: true #node.data: false # # 3. You want this node to be neither master nor data node, but # to act as a "search load balancer" (fetching data from nodes, # aggregating results, etc.) # #node.master: false #node.data: false # Use the Cluster Health API [http://localhost:9200/_cluster/health], the # Node Info API [http://localhost:9200/_nodes] or GUI tools # such as <http://www.elasticsearch.org/overview/marvel/>, # <http://github.com/karmi/elasticsearch-paramedic>, # <http://github.com/lukas-vlcek/bigdesk> and # <http://mobz.github.com/elasticsearch-head> to inspect the cluster state. # A node can have generic attributes associated with it, which can later be used # for customized shard allocation filtering, or allocation awareness. An attribute # is a simple key value pair, similar to node.key: value, here is an example: # #node.rack: rack314 # By default, multiple nodes are allowed to start from the same installation location # to disable it, set the following: #node.max_local_storage_nodes: 1 #################################### Index #################################### # You can set a number of options (such as shard/replica options, mapping # or analyzer definitions, translog settings, ...) for indices globally, # in this file. # # Note, that it makes more sense to configure index settings specifically for # a certain index, either when creating it or by using the index templates API. # # See <http://elasticsearch.org/guide/en/elasticsearch/reference/current/index-modules.html> and # <http://elasticsearch.org/guide/en/elasticsearch/reference/current/indices-create-index.html> # for more information. # Set the number of shards (splits) of an index (5 by default): # #index.number_of_shards: 5 # Set the number of replicas (additional copies) of an index (1 by default): # #index.number_of_replicas: 1 # Note, that for development on a local machine, with small indices, it usually # makes sense to "disable" the distributed features: # #index.number_of_shards: 1 #index.number_of_replicas: 0 # These settings directly affect the performance of index and search operations # in your cluster. Assuming you have enough machines to hold shards and # replicas, the rule of thumb is: # # 1. Having more *shards* enhances the _indexing_ performance and allows to # _distribute_ a big index across machines. # 2. Having more *replicas* enhances the _search_ performance and improves the # cluster _availability_. # # The "number_of_shards" is a one-time setting for an index. # # The "number_of_replicas" can be increased or decreased anytime, # by using the Index Update Settings API. # # Elasticsearch takes care about load balancing, relocating, gathering the # results from nodes, etc. Experiment with different settings to fine-tune # your setup. # Use the Index Status API (<http://localhost:9200/A/_status>) to inspect # the index status. #################################### Paths #################################### # Path to directory containing configuration (this file and logging.yml): # #path.conf: /path/to/conf # Path to directory where to store index data allocated for this node. # #path.data: /path/to/data # # Can optionally include more than one location, causing data to be striped across # the locations (a la RAID 0) on a file level, favouring locations with most free # space on creation. For example: # #path.data: /path/to/data1,/path/to/data2 # Path to temporary files: # #path.work: /path/to/work # Path to log files: # #path.logs: /path/to/logs # Path to where plugins are installed: # #path.plugins: /path/to/plugins #################################### Plugin ################################### # If a plugin listed here is not installed for current node, the node will not start. # #plugin.mandatory: mapper-attachments,lang-groovy ################################### Memory #################################### # Elasticsearch performs poorly when JVM starts swapping: you should ensure that # it _never_ swaps. # # Set this property to true to lock the memory: # #bootstrap.mlockall: true # Make sure that the ES_MIN_MEM and ES_MAX_MEM environment variables are set # to the same value, and that the machine has enough memory to allocate # for Elasticsearch, leaving enough memory for the operating system itself. # # You should also make sure that the Elasticsearch process is allowed to lock # the memory, eg. by using `ulimit -l unlimited`. ############################## Network And HTTP ############################### # Elasticsearch, by default, binds itself to the 0.0.0.0 address, and listens # on port [9200-9300] for HTTP traffic and on port [9300-9400] for node-to-node # communication. (the range means that if the port is busy, it will automatically # try the next port). # Set the bind address specifically (IPv4 or IPv6): # #network.bind_host: 192.168.0.1 # Set the address other nodes will use to communicate with this node. If not # set, it is automatically derived. It must point to an actual IP address. # #network.publish_host: 192.168.0.1 # Set both 'bind_host' and 'publish_host': # #network.host: 192.168.0.1 # Set a custom port for the node to node communication (9300 by default): # #transport.tcp.port: 9300 # Enable compression for all communication between nodes (disabled by default): # #transport.tcp.compress: true # Set a custom port to listen for HTTP traffic: # #http.port: 9200 # Set a custom allowed content length: # #http.max_content_length: 100mb # Disable HTTP completely: # #http.enabled: false ################################### Gateway ################################### # The gateway allows for persisting the cluster state between full cluster # restarts. Every change to the state (such as adding an index) will be stored # in the gateway, and when the cluster starts up for the first time, # it will read its state from the gateway. # There are several types of gateway implementations. For more information, see # There are several types of gateway implementations. For more information, see # <http://elasticsearch.org/guide/en/elasticsearch/reference/current/modules-gateway.html>. # The default gateway type is the "local" gateway (recommended): # #gateway.type: local # Settings below control how and when to start the initial recovery process on # a full cluster restart (to reuse as much local data as possible when using shared # gateway). # Allow recovery process after N nodes in a cluster are up: # #gateway.recover_after_nodes: 1 # Set the timeout to initiate the recovery process, once the N nodes # from previous setting are up (accepts time value): # #gateway.recover_after_time: 5m # Set how many nodes are expected in this cluster. Once these N nodes # are up (and recover_after_nodes is met), begin recovery process immediately # (without waiting for recover_after_time to expire): # #gateway.expected_nodes: 2 ############################# Recovery Throttling ############################# # These settings allow to control the process of shards allocation between # nodes during initial recovery, replica allocation, rebalancing, # or when adding and removing nodes. # Set the number of concurrent recoveries happening on a node: # # 1. During the initial recovery # #cluster.routing.allocation.node_initial_primaries_recoveries: 4 # # 2. During adding/removing nodes, rebalancing, etc # #cluster.routing.allocation.node_concurrent_recoveries: 2 # Set to throttle throughput when recovering (eg. 100mb, by default 20mb): # #indices.recovery.max_bytes_per_sec: 20mb # Set to limit the number of open concurrent streams when # recovering a shard from a peer: # #indices.recovery.concurrent_streams: 5 ################################## Discovery ################################## # Discovery infrastructure ensures nodes can be found within a cluster # and master node is elected. Multicast discovery is the default. # Set to ensure a node sees N other master eligible nodes to be considered # operational within the cluster. This should be set to a quorum/majority of # the master-eligible nodes in the cluster. # #discovery.zen.minimum_master_nodes: 1 # Set the time to wait for ping responses from other nodes when discovering. # Set this option to a higher value on a slow or congested network # to minimize discovery failures: # #discovery.zen.ping.timeout: 3s # For more information, see # <http://elasticsearch.org/guide/en/elasticsearch/reference/current/modules-discovery-zen.html> # Unicast discovery allows to explicitly control which nodes will be used # to discover the cluster. It can be used when multicast is not present, # or to restrict the cluster communication-wise. # # 1. Disable multicast discovery (enabled by default): # discovery.zen.ping.multicast.enabled: false # # 2. Configure an initial list of master nodes in the cluster # to perform discovery when new nodes (master or data) are started: # #discovery.zen.ping.unicast.hosts: ["host1", "host2:port"] # EC2 discovery allows to use AWS EC2 API in order to perform discovery. # # You have to install the cloud-aws plugin for enabling the EC2 discovery. # # For more information, see # <http://elasticsearch.org/guide/en/elasticsearch/reference/current/modules-discovery-ec2.html> # # See <http://elasticsearch.org/tutorials/elasticsearch-on-ec2/> # for a step-by-step tutorial. # GCE discovery allows to use Google Compute Engine API in order to perform discovery. # # You have to install the cloud-gce plugin for enabling the GCE discovery. # # For more information, see <https://github.com/elasticsearch/elasticsearch-cloud-gce>. # Azure discovery allows to use Azure API in order to perform discovery. # # You have to install the cloud-azure plugin for enabling the Azure discovery. # # For more information, see <https://github.com/elasticsearch/elasticsearch-cloud-azure>. ################################## Slow Log ################################## # Shard level query and fetch threshold logging. #index.search.slowlog.threshold.query.warn: 10s #index.search.slowlog.threshold.query.info: 5s #index.search.slowlog.threshold.query.debug: 2s #index.search.slowlog.threshold.query.trace: 500ms #index.search.slowlog.threshold.fetch.warn: 1s #index.search.slowlog.threshold.fetch.info: 800ms #index.search.slowlog.threshold.fetch.debug: 500ms #index.search.slowlog.threshold.fetch.trace: 200ms #index.indexing.slowlog.threshold.index.warn: 10s #index.indexing.slowlog.threshold.index.info: 5s #index.indexing.slowlog.threshold.index.debug: 2s #index.indexing.slowlog.threshold.index.trace: 500ms ################################## GC Logging ################################ #monitor.jvm.gc.young.warn: 1000ms #monitor.jvm.gc.young.info: 700ms #monitor.jvm.gc.young.debug: 400ms #monitor.jvm.gc.old.warn: 10s #monitor.jvm.gc.old.info: 5s #monitor.jvm.gc.old.debug: 2s ################################## Security ################################ # Uncomment if you want to enable JSONP as a valid return transport on the # http server. With this enabled, it may pose a security risk, so disabling # it unless you need it is recommended (it is disabled by default). # #http.jsonp.enable: true cluster.name: graylog2 script.disable_dynamic: true
