Upgrading to Graylog 2.1.x
Previous versions of Graylog automatically generated a private key/certificate pair for HTTPS if either the private key or the certificate (or both) for
web_tls_cert_file couldn’t be read. While this feature is convenient for inexperienced users, it has serious drawbacks: very weak key sizes (only 1024 bits), certificates that are untrusted by all TLS libraries used by web browsers and other client software (because they are self-signed and not included in the system’s CA/trust store), and problems with inter-node communications with other Graylog nodes.
Due to those shortcomings, the feature has been removed completely. Users need to use proper certificates or generate their own self-signed certificates and configure them with the appropriate settings; see Using HTTPS for reference.
Web Interface Listener
Graylog 2.0.x used separate listeners for the REST API and the web interface by default. The Graylog REST API on
http://127.0.0.1:12900, the Graylog web interface on
Beginning with Graylog 2.1.0 it is possible to run both the REST API and the web interface on the same host/port-combination and this is now the default. This means that the REST API is now running on
http://127.0.0.1:9000/api/ by default and the web interface is now running on
Furthermore, all requests going to
http://127.0.0.1:9000/api/ requesting a content-type of
application/xhtml+xml are redirected to the web interface, therefore making it even easier to set up Graylog and use it behind proxies, expose it externally etc.
Please take note that you can still run the REST API and the web interface on two separate listeners. If you are running a Graylog 2.0.x configuration specifying
web_listen_uri explicitly and you want to keep that, you do not have to change anything.
Please also take note that when you have configured
web_listen_uri to run on the same host/port-combination, the following configuration directives will have no effect:
web_tls_key_password (These will depend on the TLS configuration of the REST listener).
web_max_header_size (Those will depend on the corresponding settings of the REST listener).
Internal Metrics to MongoDB
Previous versions of Graylog included a (long deprecated) metrics reporter for writing internal metrics into MongoDB in a fixed interval of 1 second.
This feature has been removed completely and can be optionally pulled in by using the Graylog Metrics Reporter Plugins.
Configuration file changes
The network settings in the Graylog configuration file (web_listen_uri) now use the default ports for HTTP (80) and HTTPS (443) if no custom port was given. Previously those settings used the custom ports 12900 (Graylog REST API) and 9000 (Graylog web interface) if no explicit port was given.
| Configuration setting | Old effective URI | New effective URI |
The network changes are reflected in the Sidecar configuration as well and should be adopted. However, it’s still possible to use the old API port by setting it explicitly. In case a mass deployment is too hard to change, just run the following to switch back to the old REST API port (OVA based installation):
sudo graylog-ctl set-listen-address --service rest --address http://0.0.0.0:12900
sudo graylog-ctl reconfigure
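An added example (not from the Graylog documentation or code base): a pre-upgrade check that reports listener URIs written without a port, whose effective port changes as described in this section, and the web_* directives named under "Web Interface Listener" that stop applying once both listeners end up on the same host/port. The setting name `rest_listen_uri`, the `key = value` file syntax and the sample values are assumptions.

```python
from urllib.parse import urlsplit

# Fallback ports before 2.1 (from this page); 2.1 uses the scheme default instead.
OLD_FALLBACK = {"rest_listen_uri": 12900, "web_listen_uri": 9000}
SCHEME_DEFAULT = {"http": 80, "https": 443}
# Directives this page names as ignored when both listeners share host and port.
IGNORED_WHEN_SHARED = ("web_tls_key_password", "web_max_header_size")

def parse_conf(text):
    """Read 'key = value' lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def bind(uri, fallback_port):
    """Return 'host:port', using fallback_port when the URI names no port."""
    parts = urlsplit(uri)
    return f"{parts.hostname}:{parts.port or fallback_port}"

def audit(text):
    """List settings whose effective listener changes or stops applying."""
    conf, findings, new_binds = parse_conf(text), [], {}
    for key, old_port in OLD_FALLBACK.items():
        if key not in conf:
            continue  # unset keys are out of scope for this check
        old = bind(conf[key], old_port)
        new = bind(conf[key], SCHEME_DEFAULT[urlsplit(conf[key]).scheme])
        new_binds[key] = new
        if old != new:
            findings.append(f"{key}: {old} -> {new}")
    if len(new_binds) == 2 and len(set(new_binds.values())) == 1:
        shared = new_binds["web_listen_uri"]
        findings += [f"{d}: no effect, both listeners on {shared}"
                     for d in IGNORED_WHEN_SHARED if d in conf]
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
rest_listen_uri = https://10.0.0.5/api/
web_listen_uri = https://10.0.0.5/
web_tls_key_password = example-only
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Any finding means the listener will bind somewhere other than where firewalls, proxies and Sidecars currently expect it, so either write the port explicitly or update those rules before upgrading.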
Graylog REST API
Removed index rotation/retention settings from “/system/configuration”
The index rotation and retention settings have been moved to MongoDB in Graylog 2.0.0 but the representation of the old configuration options was still present in the
In order to stay in sync with the actual configuration file, the following values have been removed:
The retention and rotation configuration settings can be retrieved using the following resources:
Changed Elasticsearch Cluster Status Behavior
In previous versions Graylog stopped indexing into the current write index if the Elasticsearch cluster status turned RED. Since 2.1.0, Graylog only checks the status of the current write index when it tries to index messages.
If the current write index is GREEN or YELLOW, Graylog will continue to index messages even though the overall cluster status is RED. This avoids Graylog downtimes when doing Elasticsearch maintenance or when older indices have problems.
Changes in message field values trimming
Previous versions of Graylog were trimming message field values inconsistently, depending on the codec used. We have changed that behaviour in Graylog 2.1.0, so all message field values are trimmed by default. This means that leading or trailing whitespace of every field is removed during ingestion.
Important: This change will break your existing stream rules, extractors, and Drools rules if you are expecting leading or trailing whitespace in them. Please adapt them so they do not require that whitespace.