In this video, we will have a look at the basics and the fundamentals of Java heap sizes and memory allocation in both Graylog and ElasticSearch. We’re going to provide you a quick understanding of each parameter and where it affects.
A FIRST OVERVIEW OF THE JVM HEAPS
Let’s go to the Graylog console and look for the System menu in the navbar up top. Click on “Nodes” and then on a node. In the video example, you can see that we got the JVM under the moving red bar. After we open it, we will see the first heap that is tied to Graylog.
There are two different heaps in each node – the Graylog one and the ElasticSearch one. In this example, we got a one gigabyte heap (which is the default size). The ElasticSearch heap is also one gigabyte out of the box, but you can’t see it through the console.
CHANGING THE ELASTICSEARCH HEAP
You can’t open the ElasticSearch heap in the console, so you need to open it to a different terminal. Do a curl statement such as the one shown in the video. You’re curling a local ElasticSearch node with a h=heap*&v command to check the size of the heap (in this case: one gigabyte).
In order to adjust this heap, we need to find the default location of the Java JVM heap sizes. Usually they’re in the /etc/elasticsearch/jvm.options file and in CentOS under /etc/sysconfig/elasticsearch .
So if you open the box and edit the jvm.options file, you’ll find that the default maximum heap size is set at one gigabyte. Now, let’s replace these two values with 4 gigs.
If we run a systemctl and then restart the ElasticSearch, after a few seconds we will find that it is now at 3.9, which is the 4 gigs marker. You can’t see this change in the Graylog GUI, but it’s in the ElasticSearch configuration.
CHANGING THE GRAYLOG HEAP
Now we want to modify the Graylog JVM heap (which is one gig by default as well), and in order to do so, we need to modify its configuration. The file can be found in many different locations, although it’s usually inside your server.com file or in the defaults file. In a normal Ubuntu installation the Graylog server file can be found in the /etc/default directory, so let’s go ahead and let’s edit it. Command is:
/etc/default# vi graylog-server
As you can see, there are a few parameters here. You can change the heap size, so let’s replace the default one gigabyte with 3 or 4 gigs here.
Alternatively, you can do that by doing a basic tarball installation in the Graylog control package. In order to modify the normal tarball installation, find the graylogctl file inside the graylog/bin/ directory and edit it with a vi command. Under the DEFAULT_JAVA_OPTS you can find the JVM heap sizes you can modify. Just restart Graylog, and the Java heap size will be upgraded from 1 gig to the new value you set.
CHECKING THE DOCUMENTATION
Now that you restarted both ElasticSearch and Graylog, you effectively increased the Java heap stack in each one of them. While we wait for the system to restart, let’s have a look at our documentation section. You will find some more detailed info, including the different file paths where you can find all you need.
As you can see, there’s a warning not to cross the maximum 32 gigs limit to avoid having issues. Our best advice is to always keep your Java size under 31 gigs just to make sure there’s no issues with Java and the way ElasticSearch operates with it.
CONCLUSION
If you go back to the Graylog UI, you can see now that you upgraded the heap size to 3 gigabytes. If you want to double check all you did before, you can run the same curl command again and see now that ElasticSearch is now running at 4 gigs.
That’s all for this video. If you want more information on the differences between the two heaps or how to modify and configure them, feel free to drop us a line in our community forum.
