Trying to configure a GELF TCP input, and for every message received, the following ERROR message appears in server.log:
2020-02-01T09:56:08.671Z ERROR [AbstractTcpTransport] Error in Input [GELF TCP/5e3466e59046521f06170f45] (channel [id: 0x55bb5741, L:/127.0.0.1:12201 ! R:/127.0.0.1:36195]) (cause java.lang.IllegalStateException: GELF message is too short. Not even the type header would fit.)
Logging host sends syslog to the graylog host on UDP/514, where syslog-ng captures it then outputs to 127.0.0.1:12201 to the graylog server GELF TCP Input. I’m using syslog-ng v3.25.1’s built-in “graylog2” driver, using the following config:
source s_514udp {
    network(
        ip(0.0.0.0)
        port(514)
        transport("udp")
    );
};

destination d_graylog {
    graylog2(
        host("127.0.0.1")
        transport(tcp)
    );
};

log {
    source(s_514udp);
    destination(d_graylog);
};
Below is the tcpdump for a given log, from when it arrives on the box via UDP/514 to when it arrives at the GELF TCP input:
Incoming syslog (UDP/514):
20:21:16.637811 IP 10.0.0.1.39608 > 10.0.0.5.514: SYSLOG daemon.info, length: 391
E…@.@.B.
…
…z.<30>2020:02:01-15:21:16 willstechblog ulogd[5320]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="22" initf="eth0" outitf="eth1" srcmac="04:d4:c4:38:26:90" dstmac="00:0c:29:4b:67:fd" srcip="192.168.1.50" dstip="72.52.80.23" proto="6" length="153" tos="0x00" prec="0x00" ttl="126" srcport="51100" dstport="443" tcpflags="ACK PSH"
GELF TCP (localhost TCP/12201):
20:21:30.103858 IP 127.0.0.1.34710 > 127.0.0.1.12201: Flags [S], seq 1341813785, win 43690, options [mss 65495,sackOK,TS val 142863155 ecr 0,nop,wscale 7], length 0
E…<.*@.@…/.O.t…0…
…3…
As you can see, when the log reaches the GELF Input, it has a length of 0. What am I doing wrong?
Thanks in advance,
William
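
The error in server.log complains that a frame was too short to hold a type header, so one check worth running is on the framing of the bytes that actually reach TCP/12201. The following is an added example, not part of the original post and not Graylog or syslog-ng code: it assumes the input splits the stream on a NUL byte (the GELF TCP delimiter) and needs at least 2 bytes per frame, and the function names and the sample stream are constructed for illustration.

```python
import json

# Assumptions (not taken from the post): the GELF TCP input splits the byte
# stream on NUL, and a frame needs at least 2 bytes for payload-type detection.
DELIMITER = b"\x00"
TYPE_HEADER_SIZE = 2
REQUIRED_FIELDS = ("version", "host", "short_message")  # GELF 1.1 mandatory fields


def classify_frame(frame: bytes) -> str:
    """Return a verdict for one delimited frame."""
    if len(frame) < TYPE_HEADER_SIZE:
        return "too-short"
    try:
        doc = json.loads(frame.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return "not-json"
    if not isinstance(doc, dict):
        return "not-json-object"
    missing = [name for name in REQUIRED_FIELDS if name not in doc]
    return "missing:" + ",".join(missing) if missing else "ok"


def check_gelf_tcp_stream(stream: bytes):
    """Split a captured TCP payload into frames; return (index, size, verdict)."""
    frames = stream.split(DELIMITER)
    trailing = frames.pop()  # bytes after the last delimiter, if any
    results = [(i, len(f), classify_frame(f)) for i, f in enumerate(frames)]
    if trailing:
        # Data with no terminating NUL is never handed over as a message.
        results.append((len(frames), len(trailing), "unterminated"))
    return results


# Constructed sample: one valid message, a stray newline sent as its own
# frame, a message missing mandatory fields, and raw syslog with no delimiter.
GOOD = json.dumps({"version": "1.1", "host": "willstechblog",
                   "short_message": "Packet accepted"}).encode()
SAMPLE = GOOD + b"\x00" + b"\n" + b"\x00" + b'{"host":"x"}' + b"\x00" + b"<30>raw syslog"

if __name__ == "__main__":
    for index, size, verdict in check_gelf_tcp_stream(SAMPLE):
        print(f"frame {index}: {size:4d} bytes  {verdict}")
```

Run it over the reassembled payload of the localhost connection to TCP/12201 rather than a single packet; under the assumptions above, a `too-short` frame is the kind that matches the IllegalStateException in server.log.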