Display full log message with carriage returns

Graylog Central (peer support)
1

Hello all,

I send long log messages to a stream. These logs each contains many lines that we cannot split.
When I open (click) a specific log, I can see all its lines in the message field, correctly formatted with carriage returns.

But when I chose to display the message field as a column of the table, the carriage returns are deleted, thus everything is on one line. Which is complex to read in this case.

If I edit the table and I enable MESSAGE PREVIEW > Show message in new row. The formatting is correctly conserved with the carriage returns, but it’s only a preview, so only 4 lines are displayed in the new row.

Is it possible to either display the carriage returns in the message field of the table, or to display the complete log message in the preview row ?

Thanks in advance !

  • OS Information: Rocky Linux 8.6
  • Package Version: Graylog 4.3.2+313b6bc
2

Hello && Welcome @nicosalva

Is it possible to show the results?

It probably is, we may need to see some visuals on what going on. To be honest I’m kind of lost.

3

Hi @gsmith !
Thanks for the quick answer :slight_smile:

When using the message preview in a new row, only 4 lines are displayed.

image
image1259×167 17.6 KB

I’m not able to post more that 1 screenshot in the same post as I am a new forum member.
I’ll post them below.

4

But when I open the full log, all visible lines from the same message log are displayed.

image
image1367×546 49.1 KB

5

If I add the message column in the table, the carriage returns are lost.

image
image1855×196 38.5 KB

Sorry for the black bars, sensitve data are present in the those logs :smiley:

Thanks for the help

6

Hello,

Yeah this works way better for understand what’s going on.
The message preview is just that, it gives you a glimpse about the message.

No worries, it works.

Correct me if I’m wrong, You would like to see the full message in the Preview?

If this is correct, I was unable to configure message table widget to do so.

But a work around would be is create a new Aggregating widget with the following settings.

image
image1825×705 50.4 KB

7

Hi,

The goal would be to have the fully formatted log message somewhere. Be it in the preview row or in table column, whatever is doable.

I’ve tested your work-around with the widget, but it is not working in my case, the carriage returns are lost too. :frowning:

image
image1823×358 70.1 KB

8

Have you tried to disable this tic box?

image

9

@gsmith This checkbox is not available in my instance.

image
image465×634 18.7 KB

I’m using Graylog Open, maybe that’s why ?

10

Hello,

Not sure, All I did was adjust my message widget.

Navigate to Search → All messages. Then click the edit icon in the upper right side.

image

11

Yep that’s also where I’m trying to edit it on my side :frowning:

12

Oh boy, Just to make sure were are on the " Right Page".

I click the Search button the click the edit button
example:

image
image1883×418 28.6 KB

Can you re-create the message table again?

Left pane click on the following

image
image278×505 14.4 KB

\The widget should appear then try to edit it again, If that doesn’t work I’m not sure.
Maybe permission issue or some type of configuration issue is hard to tell.

13

Ok so I was searching the forum for anything that would match your issue, I did come across this post. Take a look at the screenshot posted there.

So in that post GL version was 3.2 and you stated this version is Graylog 4.3.2+313b6bc. I have a weird feeling that not all your plugins were upgrade to the correct version, or something on how the upgrade was executed.

14

Hi,

Yes I’m in the same menu as you are, quite strange indeed.
I’ve tried to delete the message widget and create it back, but the checkbox is still missing.

My graylog instance is new and has directly been installed with v4.3.2+313b6bc.
I don’t have any plugins. I’ve only installed the MaxMind GeoIP integration.

This is a real enigma :smiley:

15

Hello,

I did find that the All Message Table you have is related to an earlier version of graylog. As for plugins does these settings look familiar.

image
image846×538 33 KB

I agree, when I see this issue in the forum, when the settings do not match the version of Graylog its something with the installation or upgrade.

EDIT:
Just an fyi, when installing graylog without the enterprise plugin did you execute it like this?

sudo yum install graylog-server  graylog-integrations-plugins

If not, I would probably do that and restart Graylog service see if that helps.
I forgot to ask, what documentation did you use to install Graylog? Also what version of Elasticsearch and MongoDb are you using?

16

I would like to bring in another approach to this issue:
Parse your messages, that they become machine readable and add the fields of interest to the table. This has the advantage, that you easily can build dashboards and alerts. You can add as many fields to the table as you like, as long as the content fits in one row.

1 Like
17

Here are my system info and plugins.

image
image896×606 57.8 KB

I followed the CentOS installation procedure from the official docs using yum/dnf.
I’m not so sure I installed the graylog-integrations-plugins package, as this line is missing when comparing you screenshot and mine.

Installed packages :

mongodb-org.x86_64                   4.2.21-1.el8
elasticsearch-oss.x86_64             7.10.2-1

I will thus install the potentialy missing package, and will report back !
Thanks for your help.

18

I totally agree with you, that parsing the data and store the relevant information is critial for the logs to be useful. But the system sending logs is quite atypical, this is an Audiocodes SBC. And it’s not only standard syslog messages that are being sent, it’s the full SIP data payload, routing rules matchs, headers transformations, etc. We need the full details for deep analysis and troubleshooting.

19

@gsmith I’ve installed the integrations package, and upgraded the server to 4.3.3.

image
image1805×541 77.9 KB

But the Show summary checkbox is still missing… :frowning:
Anyway, I’ll be unavailable from now up to the 28th of July, it’s time for a trip :wink:
I expect this thread to be automatically closed after 14 days without any activity, but I’ll re-open a new thread to follow up !

thanks again

1 Like
20

I agree it might be a lot of work to write Grok patterns to parse all the different messages - but it’s woth it! I did so with a Cisco ASA, and now we have a chance to understand what is going on.