Empty mandatory "short_message" field

Apologies if this is considered a duplicate post, but I see lots of these with no clear resolution. We have Windows Event Logs being sent to Graylog via an nxlog configuration on the sidecar and we still are seeing this error in server.log. We have tried the following with no improvement. Is there a long term fix to this? I do know it is coming from one of the 3 logs (System, Application, Security). I am not able to find a corresponding log entry on the server with an empty message field.

```
if ($short_message == "") drop();
```

As you did not share your configuration, the only answer is: you have something missing in the configuration if that happens.

Graylog 3.0.2+1686930, codename Space Moose
JVM: Oracle Corporation 1.8.0_191 on Linux 4.15.0-46-generic
ES Version: I am looking for this now…

nxlog configuration:

```
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log
LogLevel  INFO

<Extension logrotate>
    Module  xm_fileop
    <Schedule>
        When    @daily
        Exec    file_cycle('%ROOT%\data\nxlog.log', 7);
    </Schedule>
</Extension>

<Extension gelfExt>
    Module xm_gelf
    # Avoid truncation of the short_message field to 64 characters.
    ShortMessageLength 65536
</Extension>

<Input eventlog>
    Module im_msvistalog
    PollInterval 1
    SavePos True
    ReadFromLast True

    #Channel System
    #<QueryXML>
    #  <QueryList>
    #   <Query Id='1'>
    #    <Select Path='Security'>*[System/Level=4]</Select>
    #    </Query>
    #  </QueryList>
    #</QueryXML>
</Input>

#<Input file>
#    Module im_file
#    File 'C:\Windows\MyLogDir\\*.log'
#    PollInterval 1
#    SavePos True
#    ReadFromLast True
#    Recursive False
#    RenameCheck False
#    Exec $FileName = file_name(); # Send file name with each message
#</Input>

<Output gelf>
    Module om_tcp
    Host 10.225.100.61
    Port 12201
    OutputType GELF_TCP
    <Exec>
        # These fields are needed for Graylog
        $gl2_source_collector = '${sidecar.nodeId}';
        $collector_node_id = '${sidecar.nodeName}';
        $short_message = " ";
        # MVR Change: #
        #    $short_message = '$raw_event';
        #    if ($short_message == "") drop();

        # Replace newlines, tabs and carriage returns with blanks:
        $Short_message = replace($Short_message, "\t", " ");
        $Short_message = replace($Short_message, "\n", " ");
        $Short_message = replace($Short_message, "\r", " ");
        $Short_message = replace($Short_message, "", " ");

        # Replace newlines, tabs and carriage returns with blanks:
        $Message = replace($Message, "\t", " ");
        $Message = replace($Message, "\n", " ");
        $Message = replace($Message, "\r", " ");
    </Exec>
</Output>

<Route route-1>
    Path eventlog => gelf
</Route>
#<Route route-2>
#    Path file => gelf
#</Route>
```

ElasticSearch Version 6.8.1
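Since the poster cannot find which event arrives with an empty field, here is an added diagnostic (my own example, not code from this thread, nxlog or Graylog) that parses a captured GELF TCP stream (NUL-delimited JSON frames) and reports the Windows channel and EventID of every frame whose `short_message` is missing or blank. The sample frames and the `_Channel`/`_EventID` field names are constructed assumptions; the checker also treats whitespace-only values as empty, which is stricter than the error message strictly requires.

```python
import json

# Constructed sample GELF TCP stream: JSON documents separated by NUL bytes,
# shaped like what an om_tcp/GELF_TCP output might send for Windows events.
SAMPLE_STREAM = (
    b'{"version":"1.1","host":"win-host","short_message":"Service started",'
    b'"_Channel":"System","_EventID":7036}\x00'
    b'{"version":"1.1","host":"win-host","short_message":"",'
    b'"_Channel":"Security","_EventID":4688}\x00'
    b'{"version":"1.1","host":"win-host","full_message":"no short field",'
    b'"_Channel":"Application","_EventID":1000}\x00'
)


def split_gelf_tcp(stream: bytes):
    """Yield parsed GELF documents from a NUL-delimited TCP byte stream."""
    for frame in stream.split(b"\x00"):
        if frame.strip():
            yield json.loads(frame.decode("utf-8"))


def check_short_message(doc: dict) -> str:
    """Return 'ok', 'missing' or 'empty' for the mandatory short_message field.

    Whitespace-only values are reported as 'empty' (a deliberately strict rule
    chosen for this checker, so a placeholder like " " is also surfaced).
    """
    if "short_message" not in doc:
        return "missing"
    if not str(doc["short_message"]).strip():
        return "empty"
    return "ok"


def find_bad_events(stream: bytes) -> list:
    """List (Channel, EventID, problem) for every frame that fails the check."""
    bad = []
    for doc in split_gelf_tcp(stream):
        status = check_short_message(doc)
        if status != "ok":
            # _Channel / _EventID are assumed custom field names (GELF prefixes
            # additional fields with an underscore); adjust to your own output.
            bad.append((doc.get("_Channel"), doc.get("_EventID"), status))
    return bad


if __name__ == "__main__":
    for channel, event_id, problem in find_bad_events(SAMPLE_STREAM):
        print(f"{channel} EventID={event_id}: short_message {problem}")
```

Capture the stream with a packet capture on port 12201 (or point nxlog at a local listener) and feed the bytes to `find_bad_events` to see which channel is producing the rejected frames.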

You might want to use the power of markdown to make your configuration readable?


As part of testing, we used the below nxlog config. The thought was to prevent an empty short_message field being sent to Graylog. However, we still receive the same error message on the Graylog server.

```
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log
LogLevel  INFO

<Extension logrotate>
    Module  xm_fileop
    <Schedule>
        When    @daily
        Exec    file_cycle('%ROOT%\data\nxlog.log', 7);
    </Schedule>
</Extension>

<Extension gelfExt>
    Module xm_gelf
    # Avoid truncation of the short_message field to 64 characters.
    ShortMessageLength 65536
</Extension>

<Input eventlog>
    Module im_msvistalog
    PollInterval 1
    SavePos True
    ReadFromLast True

    #Channel System
    #<QueryXML>
    #  <QueryList>
    #   <Query Id='1'>
    #    <Select Path='Security'>*[System/Level=4]</Select>
    #    </Query>
    #  </QueryList>
    #</QueryXML>
</Input>

#<Input file>
#    Module im_file
#    File 'C:\Windows\MyLogDir\\*.log'
#    PollInterval 1
#    SavePos True
#    ReadFromLast True
#    Recursive False
#    RenameCheck False
#    Exec $FileName = file_name(); # Send file name with each message
#</Input>

<Output gelf>
    Module om_tcp
    Host 10.225.100.61
    Port 12201
    OutputType GELF_TCP
    <Exec>
        # These fields are needed for Graylog
        $gl2_source_collector = '${sidecar.nodeId}';
        $collector_node_id = '${sidecar.nodeName}';
        $Short_message = "Look at the Message field.";
        # MVR Change: #
        #    $short_message = '$raw_event';
        #    if ($short_message == "") drop();

        # Replace newlines, tabs and carriage returns with blanks:
        #    $Short_message = replace($Short_message, "\t", " ");
        #    $Short_message = replace($Short_message, "\n", " ");
        #    $Short_message = replace($Short_message, "\r", " ");
        #    $Short_message = replace($Short_message, "", " ");

        # Replace newlines, tabs and carriage returns with blanks:
        #    $Message = replace($Message, "\t", " ");
        #    $Message = replace($Message, "\n", " ");
        #    $Message = replace($Message, "\r", " ");
    </Exec>
</Output>

<Route route-1>
    Path eventlog => gelf
</Route>
#<Route route-2>
#    Path file => gelf
#</Route>
```

I wonder if the field names in nxlog are case sensitive or not?
