I've found that 2.0.2 is rather "fat". When I upgraded from 1.x to 2.0.2 I had to add an additional Graylog instance and configure syslog-ng as a load balancer to process my load. Please check the resources that you're giving Graylog:
1) Are you giving Graylog at least 2gb of memory? Check your nodes list to see how much memory Graylog has been allocated.

2) Graylog can have long garbage collection delays with the default Java 8 garbage collector. So if you want responsiveness it is best if you use the G1GC garbage collector. In your GRAYLOG_SERVER_JAVA_OPTS in /etc/sysconfig/graylog-server add "-XX:+UseG1GC" to the options (as well as -Xmx20000m to give 2gb of memory to Graylog).

2) How many CPU cores are you giving Graylog? Is /etc/graylog/server.conf modified to allow Graylog to start up enough threads to take advantage of all your cores?

3) What is your CPU load in 'top'? If it's pegged out at 100%, then yeah, you know what the problem is.

4) What about your Elasticsearch instance(s)? Have they enough memory?

5) Also, you may need to tune your index strategy to match how many Elasticsearch instances you're running. For example, if you have four Elasticsearch instances, in your server.conf you may want to define your index strategy in server.conf with elasticsearch_shards = 2 / elasticsearch_replicas = 1 so that you're using all four instances for your indexes. That will make anything that does an index search literally run four times faster.

Basically, if you've used a specific commercial (sp) log indexing solution (lunk) then figure you'll need at least eight times as many CPU resources to process the same number of events via Graylog, and, of course, you'll need a well endowed Elasticsearch cluster to get decent performance. In my case, I have four ElasticSearch instances and two Graylog instances to process the same amount of data that was processed with a single instance of the commercial solution, luckily that's all running on my internal cloud with underutilized paid-for machines or Graylog would actually be more expensive than the commercial solution.

My guess is that you're just not throwing enough resources at Graylog, but you can verify that by ssh'ing into the graylog server and running 'iostat -c 1' (it's in the 'sysstat' package in case that's not part of your standard package load). If %idle shows 10% or less on a consistent basis, you probably need more CPU.

On Thursday, June 16, 2016 at 7:17:27 AM UTC-7, Marko Lerota wrote:
> Hi guys. I installed few 2.0.2 versions and the web interface is really slow.
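
The `iostat -c 1` check from the reply above, turned into a repeatable test. This is an added example, not part of the original thread: the function names, the constructed sample output and the 80% cut-off used for "on a consistent basis" are assumptions. It skips the first report, which `iostat` computes as the average since boot rather than over the last interval.

```shell
# Added example (not from the original post): score `iostat -c` samples
# against the "10% idle or less" rule of thumb.
sample_iostat() {   # constructed output, not real measurements
cat <<'EOF'
Linux 3.10.0 (graylog01)  06/16/2016  _x86_64_  (4 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
          12.10    0.00    3.20    0.40    0.00   84.30

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
          88.00    0.00    7.50    0.50    0.00    4.00

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
          90.25    0.00    6.25    0.00    0.00    3.50

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
          70.00    0.00    9.00    1.00    0.00   20.00

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
          91.00    0.00    5.00    0.00    0.00    4.00
EOF
}

# Reads iostat -c output on stdin, prints "<busy> <total> <verdict>".
# $1: %idle at or below this counts as a busy sample (default 10)
# $2: percent of samples that must be busy for "cpu-bound" (assumed default 80)
cpu_idle_verdict() {
  awk -v thr="${1:-10}" -v need="${2:-80}" '
    /^avg-cpu:/ {
      # find %idle by header name; the column set varies between versions
      for (i = 2; i <= NF; i++) if ($i == "%idle") col = i - 1
      want = 1; next
    }
    want && NF {
      want = 0
      if (++seen == 1) next   # first report is the average since boot
      total++
      if ($col + 0 <= thr) busy++
    }
    END {
      if (total == 0) { print "0 0 no-data"; exit }
      v = (busy * 100 >= need * total) ? "cpu-bound" : "ok"
      print busy + 0, total, v
    }'
}
```

On a live node, feed it real samples with `LC_ALL=C iostat -c 1 30 | cpu_idle_verdict`; forcing the C locale keeps the decimal separator a dot.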
