Hello there!
Long story short - GELF TCP input generates internal errors out of multiline messages sent via nxlog:
java.lang.IllegalArgumentException: GELF message <7255f746-f76a-11e7-ab4c-00505696fbe8> (received from IP:PORT) has empty mandatory “short_message” field.
According to this post I have to get rid of blank lines, which I did by using:
Exec if $raw_event =~ s/^\s//mg;
As an example (modsecurity auditlog):
became
Unfortunately it didn't help and the internal log keeps filling with these:
Unable to decode raw message …
Error processing message …
Any advice would be appreciated.
Graylog 2.4.0+2115a42 (Oracle Corporation 1.8.0_121 on Linux 3.16.0-4-amd64)
Logs travel via TCP to GELF TCP
Many thanks in advance!