Failed to parse field [EventTime] of type [date]

Hi everyone,
I’m new to the Graylog community and to Graylog in general.
I’m using Graylog as a collector for syslog sent from an rsyslog server (CentOS 7). It receives syslog from Linux servers (using rsyslog) and Windows servers (using NXLog). The format of those messages is JSON.

I created a Syslog UDP input to receive logs. It works and all logs appear in my dashboard, but when I create a JSON extractor on my input, my logs no longer arrive and I get the following in “System/Overview → Indexer failures”:

failed to parse field [EventTime] of type [date] in document with id 'e27f7092....'

This is my JSON example:

{"OS":"Windows","EventTime":"2021-12-14 14:09:58","Hostname":"Server1","Keywords":7600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4769,"SourceName":"Microsoft-Windows-Security-Auditing","Version":0,"Task":14337,"OpcodeValue":0,"RecordNumber":481349,"ProcessID":712,"ThreadID":9132,"Channel":"Security","Message":"A Kerberos service ticket was requested."}

When I created the JSON extractor and tested it, the extractor preview was correct.

I’m using Graylog 4.2.3+553fadb on GraylogServer (Red Hat, Inc. 1.8.0_312 on Linux 3.10.0-1160.49.1.el7.x86_64)

How can I fix this problem?
Thanks in advance.

Hello && Welcome

I might be able to help, but I may need some more information.
Why/what do you need a JSON extractor for? Could you explain in greater detail?

Perhaps I can suggest an alternative to what you’re trying to accomplish.
Judging from your JSON example, it looks like you’re trying to create a few fields. If this is correct, then you can configure a GELF UDP input and this would do the trick. Since you’re using NXLog, as I believe you stated, for your Windows devices, this software is very capable of doing that for you.

Example:

<Extension _gelf>
    Module      xm_gelf
</Extension>

<Output out>
    Module      om_udp
    Host        127.0.0.1
    Port        12201
    OutputType  GELF_UDP
</Output>

As for your Linux devices, I think rsyslog can do this also, but I’m not sure about the configuration needed. Maybe create two different inputs: one for Windows devices using GELF UDP and another input for Linux devices using Syslog UDP.

Hope that helps

Hi, firstly thanks for your support.

Why/what do you need a JSON extractor for? I need the JSON extractor to “split” my properties into different fields so I can analyze my logs better (I’m new… so if I’m wrong please correct me).
In Windows I create my JSON using the following code:

<Output syslog-srv>
  Module        om_udp
  Host          Rsyslog IP 
  Port          514
  <Exec>
    # Serialise every event field into one JSON object
    $Message = to_json();
    # Insert an "OS" key right after the opening brace of the JSON object
    $Message =~ s/^{/{"OS":"Windows",/;
    # Wrap the JSON in a BSD syslog line for the rsyslog collector
    to_syslog_bsd();
  </Exec>
</Output>

While in Linux I create my JSON with a template and send the syslog message using my customized template:

template(name="tmp" type="string" string="{\"Hostname\":\"%HOSTNAME:::json%\",\"Message\":\"%msg:::json%\",\"OS\":\"Linux\",\"facility\":\"%syslogfacility-text%\",\"priority\":\"%syslogpriority-text%\",\"EventTime\":\"%timereported:::date-rfc3339%\"}")

About your idea, “create two different inputs”: in my case it isn’t applicable, because my Linux and Windows servers send their logs to a single collector (RsyslogServer), which then forwards all logs to my Graylog server. I’m using this solution because I have different rsyslog collectors…

Anyway, I think my problem is in the Graylog server. Who is in charge of managing the extractors? Why can’t it parse my EventTime? Is my date format incorrect? How can I fix it? Is there a date format configuration in Graylog?

Thanks for support.
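Added example (not the poster’s code or anything from this thread) showing a likely cause consistent with the indexer error and one way to head it off before the messages reach Graylog. Elasticsearch types an unmapped field from the first document it sees: rsyslog’s `date-rfc3339` value (e.g. `2021-12-14T14:09:58.123456+01:00`) is detected as a date, while NXLog’s `to_json()` value `2021-12-14 14:09:58` has no `T` separator and no zone, so it is rejected by the default date parser once the field is mapped as `date`. The sample records, the extra field values and the assumption that the Windows host writes UTC are constructed for the example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample records, modelled on the two producers in this thread:
# NXLog's to_json() on Windows and the rsyslog string template on Linux.
SAMPLE_RECORDS = [
    '{"OS":"Windows","EventTime":"2021-12-14 14:09:58","Hostname":"Server1","EventID":4769}',
    '{"Hostname":"lnx1","Message":"session opened","OS":"Linux",'
    '"EventTime":"2021-12-14T14:09:58.123456+01:00"}',
]

# Layout emitted by NXLog's to_json(): space separator, no zone offset.
NXLOG_LAYOUT = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
# Layout emitted by rsyslog's date-rfc3339 property option.
RFC3339_LAYOUT = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")

def detect_layout(value):
    """Name the timestamp layout so mixed batches can be spotted before indexing."""
    if NXLOG_LAYOUT.match(value):
        return "nxlog"
    if RFC3339_LAYOUT.match(value):
        return "rfc3339"
    return "unknown"

def normalize_event_time(value, assume_tz=timezone.utc):
    """Return value as RFC 3339, the layout a date-mapped field accepts.

    The NXLog layout carries no zone, so the caller states which zone the
    Windows host writes in (assumed UTC here); RFC 3339 input is validated
    and returned unchanged apart from a 'Z' suffix being spelled as +00:00.
    """
    layout = detect_layout(value)
    if layout == "nxlog":
        dt = datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=assume_tz)
        return dt.isoformat()
    if layout == "rfc3339":
        return datetime.fromisoformat(value.replace("Z", "+00:00")).isoformat()
    raise ValueError(f"unrecognised EventTime layout: {value!r}")

def normalize_records(lines, assume_tz=timezone.utc):
    """Parse JSON lines and rewrite EventTime so every record shares one layout."""
    out = []
    for line in lines:
        rec = json.loads(line)
        rec["EventTime"] = normalize_event_time(rec["EventTime"], assume_tz)
        out.append(rec)
    return out

def layouts_in(lines):
    """Set of layouts in a batch; more than one means a mapping-conflict risk."""
    return {detect_layout(json.loads(line)["EventTime"]) for line in lines}
```

Running `layouts_in(SAMPLE_RECORDS)` on the raw batch returns both layouts, which is the condition that produces the indexer failure; after `normalize_records` every record carries a single RFC 3339 form.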

Hello,

It could possibly be the way you configured the Graylog server.

I see you’re using the rsyslog server basically as a proxy. FYI, rsyslog can also be configured to send messages/logs to a different port/format.

I’m going to take a guess that it’s the way you send your logs to Graylog. Or it could be the way you configured your Graylog server.

That would be you, unless you’re paying for the Enterprise version. If that’s correct and you have the Enterprise version, you can get help here.

Perhaps this link below may enlighten you.

Can you explain in greater detail what date format is incorrect or perhaps a screenshot?

Make sure the Graylog server has the correct date/time (NTP), and also that your remote devices are correct.

Yes, there are several areas where you can change this.

  1. In your server.conf file, in the section shown below:
     ### The time zone setting of the root user.  Default is UTC.
     root_timezone = UTC  <-- you may need to change this.
  2. On the Web UI, under each user you can set the timezone.
  3. Check your Graylog server for date/time also.

To sum it up: when you format those logs as JSON and send those messages to Graylog and it doesn’t work, you could either adjust your rsyslog server to send the proper format to the corresponding input(s), or don’t format them and use the extractors on the input.

Extractors Explained

Have you checked your log files (Graylog, Elasticsearch) for anything pertaining to this issue?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.