I have an application that creates an outbound Websocket connection to send JSON formatted data.
I’d like to capture that information inside of Graylog for processing, to relieve some client scripts I have that are processing and then uploading via text logs on the host (via filebeat).
Is there an input that can be used to have applications connect (via websocket) and post JSON formatted messages to be captured and logged?
I tried via the RAW/Plaintext, and I just get the HTTP request/response.
Just a note. I noticed that your post hasn’t received a response. It’s an important question that deserves the community’s attention. So, let’s see if we can get more eyes on this. Have you looked at this previous post? It may be similar to your question (let me know):
I’m currently trying to re-write the websocket code to use http instead of https, because I think I’m getting only the scrambled https data, and of course, Graylog is just writing that as a log message, as described as “PlainText/Raw” should be.
I am a “script kid” and thus good with light programming, but heavy in sql and unix shell administrative scripts. So this coding requirement is all pretty well above my head. Especially Java.
I’m open to anything really to get this to work, just thought the adaptation would be easy. As you read the comments, the other guy posted code that goes to Splunk. Of course, Splunk has an easy way to import the data even on HTTPS. (sorry)
I’d really appreciate any help or feedback. I’ll keep tinkering on my end and update this topic if I figure something out. But if someone else has something that might work, that could be adapted, that would be great. I’ve pretty well outlined what I’m trying to log.
Once it’s in Graylog, I’m very comfortable with the extractors and pipelines needed to do what is needed to get the data useful.
Can you give us some more detail about your configuration? Re-writing the websocket code seems like a lot of effort for something we might be able to accomplish another way, which on its own wouldn’t bother me as much, but you’re also reducing channel security to accomplish the task which is very unfortunate.
Where is the JSON payload originating? Is it possible that Graylog could retrieve it via the JSON API endpoint listener?
What kind of Plaintext/RAW input are you using? If the problem is with decrypting the payload in Graylog then maybe it just needs some additional configuration. Have you tried setting up a TCP Plaintext/RAW input with support for client certificates?
What I’m trying to do is capture the json status/log entries for statistics calcs into Graylog.
The software, Trunk-Recorder, has a “statusServer” setting where it will establish an outbound websocket connection. Graylog is unable to accept this connection, as far as I can tell.
I was able to get the code modified and use a Plaintext/RAW input, but it’s still less than ideal. Here’s a sample of what I logged when I connected the corrected http code from my post to the plaintext/raw.
IDEALLY: it would be great if you could have a websocket server as an input.
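Added example, not part of the thread and not Trunk-Recorder or Graylog code: a Raw/Plaintext TCP input logs bytes as they arrive, and WebSocket clients XOR-mask every frame they send (RFC 6455), so the JSON is not readable on the wire even without TLS. The sketch below shows the decode step a small relay would perform before forwarding to a GELF TCP input with null-byte framing. It handles a single unfragmented frame; the sample message, its `type` key and the host name `recorder-01` are constructed assumptions.

```python
import json
import time

MAX_PAYLOAD = 1 << 20  # refuse oversized frames instead of buffering them

def parse_client_frame(buf):
    """Decode one RFC 6455 client frame.
    Returns (opcode, payload, bytes_consumed), or None if buf is incomplete."""
    if len(buf) < 2:
        return None
    opcode, length, pos = buf[0] & 0x0F, buf[1] & 0x7F, 2
    if not buf[1] & 0x80:
        raise ValueError("client-to-server frames must be masked")
    if length in (126, 127):  # extended 16-bit or 64-bit length follows
        size = 2 if length == 126 else 8
        if len(buf) < pos + size:
            return None
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if length > MAX_PAYLOAD:
        raise ValueError("frame too large")
    if len(buf) < pos + 4 + length:
        return None
    key, pos = buf[pos:pos + 4], pos + 4
    payload = bytes(b ^ key[i % 4] for i, b in enumerate(buf[pos:pos + length]))
    return opcode, payload, pos + length

def to_gelf(status, host):
    """Wrap a decoded JSON object as a null-terminated GELF 1.1 message."""
    # "type" as the short_message source is an assumption about the payload.
    msg = {"version": "1.1", "host": host, "timestamp": time.time(),
           "short_message": str(status.get("type", "status"))}
    for k, v in status.items():
        if k == "id":  # "_id" is reserved in GELF
            continue
        scalar = isinstance(v, (str, int, float)) and not isinstance(v, bool)
        msg["_" + k] = v if scalar else json.dumps(v)
    return json.dumps(msg).encode() + b"\x00"

def mask_frame(text, key=b"\x11\x22\x33\x44"):
    """Build a masked text frame (constructed sample input, payload < 126 bytes)."""
    data = text.encode()
    body = bytes(b ^ key[i % 4] for i, b in enumerate(data))
    return bytes([0x81, 0x80 | len(data)]) + key + body

# Constructed sample, not real Trunk-Recorder output.
SAMPLE = mask_frame('{"type": "rates", "id": 7, "values": [1, 2]}')

if __name__ == "__main__":
    opcode, payload, used = parse_client_frame(SAMPLE)
    print(SAMPLE[6:16], "->", payload[:10])  # bytes on the wire vs. decoded
    print(to_gelf(json.loads(payload), "recorder-01"))
```

A relay built on this would terminate TLS and the WebSocket handshake itself, then write each `to_gelf` result to the Graylog input, which keeps the recorder's connection encrypted.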