Make sure you give at least 8gb more to graylog and also it is very cpu intensive. I see your process dump is looking like vmware vcenter for windows? These graylog extractors were written for the appliance version. Also, what version of vmware are you running?

grep Xms /etc/sysconfig/graylog-server
GRAYLOG_SERVER_JAVA_OPTS="-Xms8g -Xmx8g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow"

in your graylog config, you increase

output_batch_size = 6500
processor_wait_strategy = blocking

processbuffer_processors = 12
outputbuffer_processors = 12

inputbuffer_processors = 6
inputbuffer_wait_strategy = blocking

ring_size = 262144

Enable the disk based message journal.

message_journal_enabled = false

from glog.

Correction, make sure message journal is false not enabled, you will see faster results in memory

from glog.

Also, the process buffer doesn't seem to show the standard linux output that you would see on the appliance version, so if you made these tuning steps, you'll most likely run into the same issues.

from glog.

This will work if you send your syslog from hypervisors only, not the vcenter if you are running vcenter on windows.

from glog.

hi dcecchino,

thanks for your help.
I will configure your parameters and give feedback.

VSphere is the appliance with the Version "vSphere Client version 7.0.3.00100"

from glog.

hi dcecchino,

i configured everything like you said.
I gave the whole Server 36 GB, 16GB for Graylog and 16GB for Elastic
On first look everything was fine with the Extractors but after 10min the buffer was again full.
I increased the CPU from 4 CPU to 8 CPU. Then the Buffer reached full size after 20min ~~
The CPU was consuming about 29GHz!! :(

I deleted the extractors.... if you have no idea what i can do or you say the extractors are so cpu intensive then i cant your Content Pack.

We tried to set your ESXI Log-Tuning, but in vSphere v7 the Log-Files are treated differently to older Versions.

Thank

s!

from glog.

from glog.

If the buffers are getting full that quickly it may be one or two extractors that need to be removed that are causing the buffers to fill up. I need the whole screen shot of the buffer full to determine in your system which extractor(s) is causing the problem.

from glog.

No recent updates

from glog.

Hello, we have exact the same problem.
vmware center appliance (newest version) - if we import the extractors the CPU rise to 100%
The maschine have 48GB RAM and 8 Cores .. the graylog-server tuning are allready done.

from glog.

from glog.

I use the vcenter 7 extractors and have a different input "Syslog TCP" on port 1515
if i have a look in the process buffers i have long logs and the process-buffer is full

from glog.

from glog.

ok, now with seperated the inputs, we have one "VMWare ESX Syslog TCP - port 1516" and one "VMWare VCenter Syslog TCP - port 1515" in the ESX input we put the esx extractors and in the vcenter input we put the vcenter extractors.

ESX Extrators work well but the vcenter doesn't - after a few minutes the input of graylog goes to 0 and the output too.
In Process-Buffer we have 5 idle Processors and 7 with tasks from vcenter logs.

{ "ProcessBufferProcessor #0": "idle", "ProcessBufferProcessor #1": "source: vc | message: 2023-02-15T11:55:44.847Z info vpxd[08226] [Originator@6876 sub=App] \\n--> <pullCounters>\\n--> /AlarmStats/NotificationsPending/Count/total 0 "ProcessBufferProcessor #2": "idle", "ProcessBufferProcessor #3": "idle", "ProcessBufferProcessor #4": "source: vc | message: sername='VSPHERE.LOCAL\\Administrator'/PropertyCollector/ComputeGUReqTime/numSamples 1446\\n--> /SessionStats/SessionPool/Id='5211fc91 "ProcessBufferProcessor #5": "idle", "ProcessBufferProcessor #6": "source: vc | message: nter/RATE_5MIN/Agent Communication (invocations/min)/OverheadCache calls 0.000000\\n--> /RateCounter/RATE_HOUR/Agent Communication (in "ProcessBufferProcessor #7": "source: vc | message: log'/Count/total 528\\n--> /InventoryStats/PropertyStats/RecordAssign/Class='vim.ProxyService'/PropertyPath='endpointList'/Count/total 6\ "ProcessBufferProcessor #8": "idle", "ProcessBufferProcessor #9": "source: vc | message: tats/JournalSize/total 0\\n--> /MoRegistryStats/Class='21HostConfigSubSysProxyIN3Vim4Host15GraphicsManagerEE'/PropJournalStats/JournalEntryVer "ProcessBufferProcessor #10": "source: vc | message: n 1\\n--> /ActivationStats/Task/Actv='vim.SessionManager.GetDefaultLocale'/TotalTime/numSamples 1\\n--> /ActivationStats/Task/Actv='vim.Ses "ProcessBufferProcessor #11": "source: vc | message: SessionPool/Session/Id='52aaaa69-f4a4-891f-82d1-fb874bdcbe1c'/Username='VSPHERE.LOCAL\\Administrator'/ClientIP='
The single entry are much longer, only for an overview.
My Workaround is, i delete the input and recreate the input without extractors.

from glog.

from glog.

In input -> "Show received messages" on the VMWare VCenter Syslog TCP - i see only logs from vcenter. and without the extractors the logs are in the graylog messages.

Throughput / Metrics
1 minute average rate: 541 msg/s
Network IO: 139.1KiB 0B (total: 284.0MiB 0B )
Empty messages discarded: 0

only with adding the extractros the system will go to 0 Inputs and 0 outputs

from glog.

from glog.

ok i will try - but graylog work well until i import the vcenter extractors into the vcenter input.
than after a few minutes graylog have 0 In and 0 Out.
You can have a look on our Graylog if you want.

from glog.

from glog.