Cannot see log messages in the graylog received messages


1. Describe your incident:
I am sending a log by curl but cannot see it in Graylog.

2. Describe your environment:
Log sender: Windows 10 19044.1415
Graylog server: Graylog v4.2.3+553fadb

  • Package Version:

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
Send a log with the command below and click the "Show received messages" button.

curl -H “Content-Type: application/json” -X POST -d ‘{“host”:“mylocal box”,“message”:"cimbombom ",“priority”:“realy low”}’ http://10.10.20.61:12202/gelfhttp

4. How can the community help?
I want to learn how to send a log by curl and see it in Received messages.


The default gelf port is 12201 and you only need /gelf so try:

curl -H "Content-Type: application/json" -X POST -d '{"host":"mylocal box","message":"cimbombom","priority":"realy low"}' http://10.10.20.61:12201/gelf

There are some command tips here including a sample curl to gelf.

On a side note - in your post the quotes are “fancy”: some are “ instead of " so they don’t copy/paste well for commands. Use the forum tool </> to format commands nicely as above.

EDIT: While poking around on a similar question I came across this quote from @jochen:

"Also be reminded that the regular expression has to match *the complete field content* if the field hasn’t been tokenized/analyzed."

So you could either create a custom mapping to have the entire field analyzed or you can split up the field to its constituent parts in an extractor or pipeline so that you can query relevant information.

As such it seems that “zoom” doesn’t appear in the $message.message field, otherwise it would be found (Message is an analyzed field)

1 Like
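
An added example, not code from the thread or from Graylog: it applies the reply's advice (default port 12201, path /gelf, straight quotes) to the body from the question and maps it onto GELF 1.1 field names (`version`, `host`, `short_message`, underscore-prefixed additional fields). The function names and the choice to map `message` to `short_message` are assumptions of this example.

```python
import json
import urllib.request

# Curly quotes that forum/word-processor formatting substitutes for ASCII ones.
FANCY = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})
OPTIONAL = {"full_message", "timestamp", "level"}  # GELF 1.1 optional fields

# Constructed sample: the JSON body as pasted in the question, curly quotes included.
PASTED = '{“host”:“mylocal box”,“message”:"cimbombom ",“priority”:“realy low”}'


def straighten(text):
    """Replace curly quotes with ASCII quotes so the JSON body parses."""
    return text.translate(FANCY)


def to_gelf(fields):
    """Map a loose dict onto GELF 1.1 names (this example's mapping choice)."""
    fields = dict(fields)
    fields.pop("version", None)
    short = fields.pop("short_message", None) or fields.pop("message", None)
    host = fields.pop("host", None)
    if not short or not host:
        raise ValueError("GELF 1.1 requires 'host' and 'short_message'")
    gelf = {"version": "1.1", "host": host, "short_message": str(short).strip()}
    for key, value in fields.items():
        # Anything that is not a spec field becomes an underscore-prefixed extra.
        name = key if key in OPTIONAL or key.startswith("_") else "_" + key
        if name == "_id":
            raise ValueError("'_id' is not allowed as a GELF additional field")
        gelf[name] = value
    return gelf


def parse_pasted(text):
    """Straighten quotes, parse the JSON body, and return the GELF payload."""
    return to_gelf(json.loads(straighten(text)))


def gelf_url(server, port=12201, path="/gelf"):
    """Default GELF HTTP input port and path, as given in the reply."""
    return f"http://{server}:{port}{path}"


def send(server, payload, timeout=5):
    """POST one message to the GELF HTTP input; returns the HTTP status code."""
    req = urllib.request.Request(
        gelf_url(server), data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status
```

Calling `send("10.10.20.61", parse_pasted(PASTED))` posts the normalized message to the input; nothing is sent when the block is only imported.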
