Gelf TCP Input errors

Hello

I am using GELF TCP Input to upload events into Graylog via a TCP Input.

When, due to errors (e.g. JSON syntax errors - a missing comma), certain events are not uploaded, how can I find in Graylog what went wrong?
Is there some kind of error log, or error events?

PS: GELF TCP Input errors did appear as System Events in Graylog 2.5. No more in 3.3.

best regards
Altin

Hey @altink

I assume you're using GL 3.3; if so, I don't have that version in my lab to test this out. Using GELF TCP, correct me if I'm wrong, but is that the enterprise version?

I think this would be GELF TCP OUTPUT? To be honest, the first thing I would look at is the timestamp/time zone on the devices to ensure they're correct. Depending on the device receiving the logs, perhaps tcpdump or Wireshark. As for Graylog 3.3, I'm not sure if it will.

Yes - I am using Graylog 3.3. It is the .ova version, I guess it is the Open and not the Enterprise.

The idea is not to find the error of a specific issue, but to know in general:
If TCP Input fails - for whatever reason - how can I know what is wrong?

regards
Altin

Hey,

The only couple of places I know to look are:

Graylog log file, Elasticsearch/MongoDB log file; the rest would be some other software.

I did find some older (3.3.x) documentation that may help.

Sorry I can't be more help.

@altink , have you looked at the Indexer and Processing errors section of the System\Overview page? If you’re dealing with a GELF input error, you may find something there.

https://go2docs.graylog.org/5-0/getting_in_log_data/indexer_failures.html

Other than that, the graylog server log is the best place to look for information.


Hey @altink

Just thought of something.
In GL 3.3 you can set your logging to debug, trace, etc. Navigate to System/Logging.

Next to each one there is a drop-down. Perhaps get some logs that will show what's going on, just an idea.


Good point @gsmith. Thanks for bringing that up.

Sorry - my Graylog is 3.3.2.

I do see this

What do I do next - set the Graylog subsystem to Debug instead of Info?

best regards
Altin

Got this in /var/log/graylog-server/server.log:

2023-03-03T23:50:27.684+01:00 ERROR [Messages] Failed to index [1] messages. Please check the index error log in your web interface for the reason. Error: One or more of the items in the Bulk request failed, check BulkResult.getItems() for more information.

Where can I find the
“index error log in your web interface for the reason”?

regards
Altin

Hey @altink

Depending on the version of Graylog, they created an index called Graylog Message Failures which “contains messages that failed to be processed or indexed.” This is connected to a stream called "Processing and Indexing Failures".

EDIT: I believe for your version 3.3.x, not sure if that version has that, but I did find this for ya:

https://archivedocs.graylog.org/en/3.3/pages/indexer_failures.html


Great about this @gsmith

I was just about to post it myself (Graylog 3.3.2)

Graylog Main Menu, System Overview, paragraph “Indexer failures”, click button “Show Errors”

But this will show only some kinds of errors, like a field being > 32766 bytes.

But not everything - like JSON syntax errors, e.g. a missing comma.

Regards
Altin

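An added example, not part of the thread and not Graylog code: since the last post notes that JSON syntax errors do not show up under "Indexer failures", a sender can check each payload before writing it to the GELF TCP input. The checks follow the GELF 1.1 payload spec plus the 32766-byte limit quoted above; `check_gelf` and the sample payloads are constructed for illustration.

```python
import json
import re

MAX_FIELD_BYTES = 32766          # indexer limit quoted in the thread
REQUIRED = ("version", "host", "short_message")
STANDARD = set(REQUIRED) | {"full_message", "timestamp", "level",
                            "facility", "line", "file"}
FIELD_NAME = re.compile(r"_[\w.\-]+")   # GELF 1.1 additional-field names


def check_gelf(raw: bytes) -> list[str]:
    """Return a list of problems found in one GELF payload (empty = OK)."""
    if b"\x00" in raw:
        return ["null byte inside payload: GELF TCP uses it as frame delimiter"]
    try:
        msg = json.loads(raw.decode("utf-8"))
    except UnicodeDecodeError as exc:
        return [f"not valid UTF-8: {exc}"]
    except json.JSONDecodeError as exc:
        return [f"JSON syntax error at line {exc.lineno} col {exc.colno}: {exc.msg}"]
    if not isinstance(msg, dict):
        return ["top-level JSON value must be an object"]

    problems = []
    for key in REQUIRED:
        if key not in msg or msg[key] in ("", None):
            problems.append(f"missing required field '{key}'")
    for key, value in msg.items():
        if key not in STANDARD and not FIELD_NAME.fullmatch(key):
            problems.append(f"additional field '{key}' must match _[\\w.-]+")
        if key == "_id":
            problems.append("'_id' is reserved and must not be sent")
        if isinstance(value, str) and len(value.encode("utf-8")) > MAX_FIELD_BYTES:
            problems.append(f"field '{key}' exceeds {MAX_FIELD_BYTES} bytes")
    return problems


# Constructed sample payloads (not taken from the thread).
GOOD = b'{"version":"1.1","host":"web01","short_message":"login ok","_user":"bob"}'
MISSING_COMMA = b'{"version":"1.1" "host":"web01","short_message":"x"}'
TOO_BIG = json.dumps({"version": "1.1", "host": "web01",
                      "short_message": "x", "_blob": "A" * 40000}).encode()

if __name__ == "__main__":
    for name, payload in [("good", GOOD), ("missing comma", MISSING_COMMA),
                          ("oversized field", TOO_BIG)]:
        print(name, "->", check_gelf(payload) or "OK")
```

Logging the returned list on the sending side gives a record of rejected events that does not depend on what the Graylog version in use reports.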
