Extract logs from a json array

Graylog Central (peer support)
1

Hello.

-Describe your incident:
I am trying to process the following message, in it there is an array of json with different logs:

POST /gelf HTTP/1.1
Authorization: Basic YTphYWFhYWE=
Content-Type: application/json; charset=utf-8
Content-Length: 479
Host: 192.168.0.233:12201
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/4.9.2

[
   {
      "app_version":"1.0.2",
      "level":12,
      "short_message":"DEBUG",
      "message":"Test log message 1 ",
   },
   {
      "app_version":"1.0.2",
      "level":12,
      "short_message":"DEBUG",
      "message":"Test log message 2 ",
   }
]

I have a GELF HTTP input and it doesn’t receive anything, if I send the same message but without the json array (without being inside “[ ]”) if it reaches the GELF HTTP input, it shows me the first element of the array.

  • Describe your environment:
    OS Information: Debian 8

Package Version:
mongodb-org-server v3.6.23
elasticsearch v2.4.6
Graylog v2.2.3

  • Service logs, configurations, and environment variables:
  • How can the community help?

How can I see all the elements of the json array?

2

Hello && Welcome

I had to fix your posts is was very hard to read, please us the markup when posting logs and configuration. For a better understanding please look here

Did you check your logs on both the remote device and Graylog?
By chance have you execute tcpdump on your Graylog server?

3

Hello, with this input:

image

If I send a json structure with array format [{...}, {...}, {...}]

curl -H "Connection: Keep-Alive" -sH 'Accept-encoding: gzip' -X POST -H 'Content-Type: application/json' -d '[{"app_version":"1.0.2","level":7,"short_message":"DEBUG","full_message":"Test message 1 \n"},{"app_version":"1.0.2","level":7,"short_message":"DEBUG","full_message":"Test message 2 \n"}]' 'http://192.168.0.233:5555/gelf'

And I look at “Show received messages” I see that there is nothing

image
image791×171 14.7 KB

If I send a raw json structure of array {...}, {...}, {..}

curl -H "Connection: Keep-Alive" -sH 'Accept-encoding: gzip' -X POST -H 'Content-Type: application/json' -d '{"app_version":"1.0.2","level":7,"short_message":"DEBUG","full_message":"Test message 1 \n"},{"app_version":"1.0.2","level":7,"short_message":"DEBUG","full_message":"Test message 3 \n"}' 'http://192.168.0.233:5555/gelf'

And I look at “Show received messages” I see the message

image
image1377×179 7.74 KB

If I look at “journal/messagejournal” I see that both were received by Graylog server.

image
image1922×128 6.22 KB

How could I config one input to receive json with structure [{..}, {…}] ?

4

Hello,
This might be from the type of input your using. I noticed your running a old version of graylog so I’m not sure if you have this input shown below.

image
image603×912 31.5 KB

Maybe try that see is that works.

5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.