Extract logs from a json array

Jose · January 3, 2022, 8:49am

Hello.

-Describe your incident:
I am trying to process the following message, in it there is an array of json with different logs:

POST /gelf HTTP/1.1
Authorization: Basic YTphYWFhYWE=
Content-Type: application/json; charset=utf-8
Content-Length: 479
Host: 192.168.0.233:12201
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/4.9.2

[
   {
      "app_version":"1.0.2",
      "level":12,
      "short_message":"DEBUG",
      "message":"Test log message 1 ",
   },
   {
      "app_version":"1.0.2",
      "level":12,
      "short_message":"DEBUG",
      "message":"Test log message 2 ",
   }
]

I have a GELF HTTP input and it doesn’t receive anything, if I send the same message but without the json array (without being inside “[ ]”) if it reaches the GELF HTTP input, it shows me the first element of the array.

Describe your environment:
OS Information: Debian 8

Package Version:
mongodb-org-server v3.6.23
elasticsearch v2.4.6
Graylog v2.2.3

Service logs, configurations, and environment variables:

How can the community help?

How can I see all the elements of the json array?

gsmith · January 4, 2022, 12:49am

Hello && Welcome

I had to fix your posts is was very hard to read, please us the markup when posting logs and configuration. For a better understanding please look here

Did you check your logs on both the remote device and Graylog?
By chance have you execute tcpdump on your Graylog server?

Jose · January 7, 2022, 11:35am

Hello, with this input:

If I send a json structure with array format [{...}, {...}, {...}]

curl -H "Connection: Keep-Alive" -sH 'Accept-encoding: gzip' -X POST -H 'Content-Type: application/json' -d '[{"app_version":"1.0.2","level":7,"short_message":"DEBUG","full_message":"Test message 1 \n"},{"app_version":"1.0.2","level":7,"short_message":"DEBUG","full_message":"Test message 2 \n"}]' 'http://192.168.0.233:5555/gelf'

And I look at “Show received messages” I see that there is nothing

If I send a raw json structure of array {...}, {...}, {..}

curl -H "Connection: Keep-Alive" -sH 'Accept-encoding: gzip' -X POST -H 'Content-Type: application/json' -d '{"app_version":"1.0.2","level":7,"short_message":"DEBUG","full_message":"Test message 1 \n"},{"app_version":"1.0.2","level":7,"short_message":"DEBUG","full_message":"Test message 3 \n"}' 'http://192.168.0.233:5555/gelf'

And I look at “Show received messages” I see the message

If I look at “journal/messagejournal” I see that both were received by Graylog server.

How could I config one input to receive json with structure [{..}, {…}] ?

gsmith · January 7, 2022, 10:40pm

Hello,
This might be from the type of input your using. I noticed your running a old version of graylog so I’m not sure if you have this input shown below.

Maybe try that see is that works.

system · January 21, 2022, 10:40pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.