ERROR [DecodingProcessor] Unable to decode raw message RawMessage - GELF with NXLOG

Having used NXLOG CE with ease and results in the past, I ran into a snag using the GELF TCP input.

Initially the input worked fine and consumed 200+ event log messages in less than 30 seconds.
Then I realised the older messages were not being sent over, so I reconfigured NXLOG to use ReadFromLast FALSE so as to read all messages.

Now I do not see any messages arriving anymore. Surprisingly, the input's 'Show received messages' does not show any message, not even those reported as available.

Did you check the NXLOG logs?
/opt/nxlog/var/log/nxlog/nxlog.log

Thanks, this is NXLOG sending from Microsoft Windows. Partially fixed now: events arrive but do not show in the search. I see the errors recurring and assume these significantly slow down indexing.

I did check, no errors or warnings; eventually I found something: setting both parameters delivered results:

    ReadFromLast    FALSE
    SavePos         FALSE

as in

    <Input ms_system_eventlog>
        Module          im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="1">
                    <Select Path="Microsoft-Windows-System/Operational">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        ReadFromLast    FALSE
        SavePos         FALSE
    </Input>

This also requires the GELF input to enable Null Delimiter and use full field names, though I am not entirely sure if this made it work or is the cause of the empty 'Show received messages'.

I noticed the RawMessage ids are seemingly related; I assume the ID is structured based on input and transport etc. Notable here is that payloadSize is <1000 for all:

ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=…; codec=CEF, payloadSize=???; timestamp=…} in input <…>.
ERROR [DecodingProcessor] Error processing message RawMessage{id=4…; codec=CEF, payloadSize=???; timestamp=…}
java.lang.NullPointerException: null
at org.graylog.plugins.cef.parser.MappedMessage.<init>(MappedMessage.java:37) ~[graylog.jar:?]
at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF(CEFCodec.java:128) ~[graylog.jar:?]
at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:117) ~[graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:150) ~[graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:90) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:47) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:834) [?:?]

The offending timestamp looks like 2020-06-17T21:27:02.296Z
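The fix above hinges on the GELF TCP input's Null Delimiter setting. As an added example (not from this thread, NXLOG or Graylog), here is a small Python decoder for a NUL-delimited GELF TCP stream: it buffers socket reads, splits on the 0x00 byte, validates each frame as a GELF message, and reports undecodable frames with their payload size, much like the decoder errors quoted above. The sample chunks and the `win-host` name are constructed for the demo.

```python
import json

GELF_DELIM = b"\x00"  # GELF over TCP terminates every JSON message with a NUL byte
REQUIRED_FIELDS = ("version", "host", "short_message")

def split_frames(buf):
    """Split buffered bytes into complete frames; the remainder is a partial frame kept for the next read."""
    parts = buf.split(GELF_DELIM)
    return parts[:-1], parts[-1]

def decode_frame(frame):
    """Decode one frame; returns (message, None) on success or (None, error_text) on failure."""
    try:
        msg = json.loads(frame.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return None, "unable to decode raw message (payloadSize=%d): %s" % (len(frame), exc)
    if not isinstance(msg, dict):
        return None, "payload is not a JSON object (payloadSize=%d)" % len(frame)
    missing = [k for k in REQUIRED_FIELDS if k not in msg]
    if missing:
        return None, "missing required GELF fields %s (payloadSize=%d)" % (missing, len(frame))
    return msg, None

def process_stream(chunks):
    """Feed byte chunks in arrival order; returns (messages, errors, unconsumed_remainder)."""
    buf, messages, errors = b"", [], []
    for chunk in chunks:
        frames, buf = split_frames(buf + chunk)
        for frame in frames:
            msg, err = decode_frame(frame)
            if msg is not None:
                messages.append(msg)
            else:
                errors.append(err)
    return messages, errors, buf

# Constructed sample: two valid event-log style messages (the second split across reads),
# one non-JSON frame, one frame missing short_message, and a trailing partial frame.
SAMPLE_CHUNKS = [
    b'{"version":"1.1","host":"win-host","short_message":"Service started","_EventID":7036}\x00'
    b'{"version":"1.1","host":"win-ho',
    b'st","short_message":"Logon","_EventID":4624}\x00',
    b'not json at all\x00{"version":"1.1","host":"win-host"}\x00'
    b'{"version":"1.1","host":"win-host","short_message":"partial',
]

if __name__ == "__main__":
    msgs, errs, rest = process_stream(SAMPLE_CHUNKS)
    print(len(msgs), "decoded,", len(errs), "errors,", len(rest), "bytes waiting for a NUL delimiter")
```

Without the delimiter the whole stream stays one ever-growing partial frame and nothing is ever decoded, which is the symptom the thread describes.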
