10% of logs split - netcat and JSON

Hi!

I am trying to write a small script, that has to:

  • Query an external API (done)
  • Parse the output and send JSON to Graylog

Both is working, but only partially. Some logs are shown perfectly in Graylog, but some logs are split, where one message appears as two in Graylog (first part, second part).

My script is sending via Netcat to a raw UDP input:
echo "$jsonstring" | nc -w2 -u graylogserver 11530 &

Do you have any idea, why this happens and do you have any idea on how to solve this?

The issue is not related to the workload. The same message does sometimes pass as one part and is sometimes split.

Thank you for your help!

Hello @KPS
Sorry about your issue. When you create a new topic there is a reason for the template that appears in the text box.

Unfortunately I’m not sure what is happening.

With the lack of information were unable to give you an answer. It would help to show what you have and what you want. For a better understanding check out this post.

Thank you

Hi!

I was able to solve it, at the moment. I am sending every line by:

echo "$string" | nc -w 0 -u graylog PORT

KPS

Nice,
To be honest, I would like to know how to set this all up for future reference. What device are you sending logs to Graylog? and why do you need to use Netcat?

Hi!
I want to fetch events from Sentinel One API (EDR-events) and push them to Graylog.
So I wrote a script, that queries the API, extracts JSON and sends this via netcat to a raw-input.

I am just using netcat, because I did not have a better idea :slight_smile:

1 Like

We have SentinelOne as well - that would be cool to play with! If you could post it to the Templates and Rules Exchange with a small write up it might be interesting to others. - If that is too much time… maybe you could send me some stuff to play with? :smiley:

1 Like