Cannot edit extractors anymore

[berndleinfelder]

I’m running graylog-2.4.3 and some time recently have started to notice that editing extractors is failing. eg if I choose an existing extractor and click “Edit”, the “loading…” thingy appears, but it never actually loads. Listing the extractors works and so does adding a new one - but I cannot edit existing ones

I get the same issue under Firefox and Chrome, on all inputs and with different users. All users have admin role.

Expected Behavior

Clicking on "Edit" lets me edit the existing extractor.

Current Behavior

"Loading" forever.

Possible Solution

No idea.

Steps to Reproduce (for bugs)

1. Click on Inputs - Manage extractors - Edit
2. Loading forever

Context

Your Environment

• Graylog Version: 2.4.3
• Elasticsearch Version: 5.6.7
• MongoDB Version: 3.6.2
• Operating System: Centos 7
• Browser version: Chrome / Firefox / Edge current

[berndleinfelder]

Same was reported by Jason Haar in the forum, but obviously no bug was reported. https://community.graylog.org/t/can-no-longer-edit-extractors/2954

[joschi]

@berndleinfelder What's in the logs of your Graylog node? ➡️ http://docs.graylog.org/en/2.4/pages/configuration/file_location.html Are there any warnings or errors in the JavaScript console of the developer tools of your browser? Are you able to delete extractors using the Graylog REST API?

[berndleinfelder]

Deleting an extractor from the WebUI works without issues. Javacsript console without errors. In network console I have an timeout on the following URL:

https://graylog.intern.ti8m.ch/api/search/universal/relative?query=gl2_source_input%3A581344a7a0474e1cf763f7f4%20OR%20gl2_source_radio_input%3A581344a7a0474e1cf763f7f4&limit=1

In JS console I have a corresponding code 500 and a stacktrace from ThreatIntelPlugin:

bluebird.js:1545 Unhandled rejection Error: cannot GET https://graylog.intern.ti8m.ch/api/search/universal/relative?query=gl2_source_input%3A581344a7a0474e1cf763f7f4%OR%20gl2_source_radio_input%3A581344a7a0474e1cf763f7f4&limit=1 (500)
    at new e (https://graylog.intern.ti8m.ch/assets/plugin/org.graylog.plugins.threatintel.ThreatIntelPlugin/plugin.org.graylog.plugins.threatintel.ThreatIntelPlugin.f39eb5f4d05eb44f4da5.js:1:2346)
    at https://graylog.intern.ti8m.ch/assets/plugin/org.graylog.plugins.threatintel.ThreatIntelPlugin/plugin.org.graylog.plugins.threatintel.ThreatIntelPlugin.f39eb5f4d05eb44f4da5.js:1:3747
    at i (https://graylog.intern.ti8m.ch/assets/plugin/org.graylog.plugins.threatintel.ThreatIntelPlugin/plugin.org.graylog.plugins.threatintel.ThreatIntelPlugin.f39eb5f4d05eb44f4da5.js:37:73003)

Maybe the timeout is related to the following message in server.log (timestamp does not match exactly):

2018-02-26T08:48:14.283+01:00 ERROR [IndexerClusterCheckerThread] Uncaught exception in periodical
org.graylog2.indexer.ElasticsearchException: Unable to read Elasticsearch node information
        at org.graylog2.indexer.cluster.jest.JestUtils.execute(JestUtils.java:51) ~[graylog.jar:?]
        at org.graylog2.indexer.cluster.jest.JestUtils.execute(JestUtils.java:62) ~[graylog.jar:?]
        at org.graylog2.indexer.cluster.Cluster.catNodes(Cluster.java:121) ~[graylog.jar:?]
        at org.graylog2.indexer.cluster.Cluster.getFileDescriptorStats(Cluster.java:126) ~[graylog.jar:?]
        at org.graylog2.periodical.IndexerClusterCheckerThread.doRun(IndexerClusterCheckerThread.java:58) ~[graylog.jar:?]
        at org.graylog2.plugin.periodical.Periodical.run(Periodical.java:77) [graylog.jar:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_161]
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:1.8.0_161]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:1.8.0_161]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:1.8.0_161]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_161]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_161]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]
Caused by: java.net.SocketTimeoutException: Read timed out
        at java.net.SocketInputStream.socketRead0(Native Method) ~[?:1.8.0_161]

[berndleinfelder]

I disabled (removed) the the ThreatIntel Plugin and now the JS console shows the following:

Unhandled rejection Error: cannot GET https://graylog.intern.ti8m.ch/api/search/universal/relative?query=gl2_source_input%3A581344a7a0474e1cf763f7f4%OR%20gl2_source_radio_input%3A581344a7a0474e1cf763f7f4&limit=1 (500) at new t (https://graylog.intern.ti8m.ch/assets/plugin/org.graylog.plugins.pipelineprocessor.ProcessorPlugin/plugin.org.graylog.plugins.pipelineprocessor.PipelineProcessorPlugin.4d62a989321ebfb895e4.js:1:3610) at https://graylog.intern.ti8m.ch/assets/plugin/org.graylog.plugins.pipelineprocessor.ProcessorPlugin/plugin.org.graylog.plugins.pipelineprocessor.PipelineProcessorPlugin.4d62a989321ebfb895e4.js:1:5011

[berndleinfelder]

Tried to remove the PipelineProcessorPlugin, but then graylog could'nt start anymore.

[joschi]

@berndleinfelder Please attach the complete logs of your Graylog node(s).

[berndleinfelder]

attached this mornings server.log

Thank you for your support!

server.log.gz

[joschi]

@berndleinfelder There are quite a few things broken in your Graylog cluster according to these logs.

• Lots of invalid GELF messages from various clients:

  2018-02-26T08:42:17.484+01:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=91a919c2-1ac8-11e8-90b5-005056a17083, journalOffset=16777020536, codec=gelf, payloadSize=378, timestamp=2018-02-26T07:42:17.436Z, remoteAddress=/10.200.14.11:47020}

• Lots of timeouts to Elasticsearch

  2018-02-26T08:45:58.626+01:00 ERROR [IndexerClusterCheckerThread] Uncaught exception in periodical
  org.graylog2.indexer.ElasticsearchException: Unable to read Elasticsearch node information
      [...]
      at org.graylog2.indexer.cluster.Cluster.catNodes(Cluster.java:121) ~[graylog.jar:?]
      at org.graylog2.indexer.cluster.Cluster.getFileDescriptorStats(Cluster.java:126) ~[graylog.jar:?]
      at org.graylog2.periodical.IndexerClusterCheckerThread.doRun(IndexerClusterCheckerThread.java:58) ~[graylog.jar:?]
      [...]
  Caused by: java.net.SocketTimeoutException: Read timed out

• Lots of timeouts to Graylog nodes; maybe caused by long GC pauses?

  2018-02-26T08:56:13.432+01:00 WARN  [ProxiedResource] Unable to call http://127.0.0.1:9000/api/system on node <b1b57b6f-d0dd-466c-bfec-40157c9cf88e>
  java.net.SocketTimeoutException: timeout

• Various Elasticsearch mapping errors (see http://docs.graylog.org/en/2.4/pages/configuration/elasticsearch.html#custom-index-mappings)

  2018-02-26T09:30:18.254+01:00 WARN  [Messages] Failed to index message: index=<graylog_517> id=<46965590-1acf-11e8-b677-005056a17083> error=<{"type":"mapper_parsing_exception","reason":"failed to parse [MessageParam1]","caused_by":{"type":"number_format_exception","reason":"For input string: \"WildFly/IronJacamar 1.3.5.Final-redhat-1\""}}>
  2018-02-26T09:30:18.255+01:00 WARN  [Messages] Failed to index message: index=<graylog_517> id=<46a4fb90-1acf-11e8-b677-005056a17083> error=<{"type":"mapper_parsing_exception","reason":"failed to parse [MessageParam3]","caused_by":{"type":"number_format_exception","reason":"For input string: \"true\""}}>

I'd recommend solving each of these problems, then check if the problem with your extractors still exists.

We are using GitHub issues for tracking bugs in Graylog itself, but this doesn't look like one. Please post this issue to our discussion forum or join the #graylog channel on freenode IRC.

Thank you!

[dmayan-ss]

Hi,

Just solved the same problem deleting the index_ranges collection and recalculating them. It was an index that doesn't exist anymore and Graylog tried to access.