AWS Cloudtrail Logs - Graylog 7.0.0

1. Describe your incident:

Recently updated to Graylog version 7.0.0. All inputs were working perfectly, but it seems the schema within CloudTrail and Graylog may have been updated or altered. Receiving log errors from AWS CloudTrail. The error will populate for 1-2 mins, then disappear and re-populate. Assuming the parsing is happening on some logs and not others. All permissions and CloudTrail were functioning properly prior.

2. Describe your environment:

  • OS Information: Linux

  • Package Version: 7.0.0

  • Service logs, configurations, and environment variables

An input has failed

(triggered a few seconds ago)

Input [AWS CloudTrail/AWS CloudTrail /6751XXXXXXXXXXX] is failing on node 256XXXa8-XXXX-466d-XXXX-821fabXXXXX for this reason: »Could not read CloudTrail log file for . Skipping.: (Cannot deserialize value of type `java.lang.String` from Object value (token `JsonToken.START_OBJECT`) at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 5676660] (through reference chain: org.graylog.aws.inputs.cloudtrail.json.CloudTrailRecordList["Records"]->java.util.ArrayList[3217]->org.graylog.aws.inputs.cloudtrail.json.CloudTrailRecord["responseElements"]->org.graylog.aws.inputs.cloudtrail.json.CloudTrailResponseElements["description"]))«. This means that you are unable to receive any messages from this input. This is mostly an indication of a misconfiguration or an error.

3. What steps have you already taken to try and solve the problem?

Thought it was a permissions issue, then searched the logs and didn't find much.

Checked Graylog plugin updates: this issue is often caused by the CloudTrail log structure changing due to new AWS features, and the Graylog plugin not being updated to handle the new structure.

4. How can the community help?

Any assistance resolving the error would be appreciated. Has anyone else come across this error previously?

