GELF UDP message error after upgrade from 2.2 to 2.3 OVA

Graylog Central (peer support)
1

Hi all,

I get the following error after upgrading to 2.3 OVA with GELF UDP inputs. I think the issue is with windows logs. I’m not sure how to fix (has empty mandatory “short_message” field) error. I’m using nxlog to send the logs to graylog. It was working fine before the upgrade.

Thank you

2017-08-02_18:29:13.05206 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=8ed78700-77a8-11e7-8a43-005056a7396f, journalOffset=24785754395, codec=gelf, payloadSize=154, timestamp=2017-08-02T17:32:29.279Z, remoteAddress=/172.10.199.12:44245} on input <57152eefe765a0319615b39f>.%ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=8ed7ae05-77a8-11e7-8a43-005056a7396f, journalOffset=24785754402, codec=gelf, payloadSize=154, timestamp=2017-08-02T17:32:29.280Z, remoteAddress=/172.10.199.12:45571} on input <57152eefe765a0319615b39f>.%ERROR [DecodingProcessor] Error processing message RawMessage{id=8ed7ae02-77a8-11e7-8a43-005056a7396f, journalOffset=24785754399, codec=gelf, payloadSize=154, timestamp=2017-08-02T17:32:29.280Z, remoteAddress=/10.10.60.12:48745}% java.lang.IllegalArgumentException: GELF message <8ed7ae02-77a8-11e7-8a43-005056a7396f> (received from <10.10.60.12:48745>) has empty mandatory "short_message" field.
2017-08-02_18:29:13.05302       at org.graylog2.inputs.codecs.GelfCodec.validateGELFMessage(GelfCodec.java:252) ~[graylog.jar:?]
2017-08-02_18:29:13.05355       at org.graylog2.inputs.codecs.GelfCodec.decode(GelfCodec.java:134) ~[graylog.jar:?]
2017-08-02_18:29:13.05442       at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:146) ~[graylog.jar:?]
2017-08-02_18:29:13.05490       at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87) [graylog.jar:?]
2017-08-02_18:29:13.05609       at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
2017-08-02_18:29:13.05660       at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
2017-08-02_18:29:13.05745       at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
2017-08-02_18:29:13.05856       at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
2

Try adding the following directive to the GELF output in NXLOG:

Exec $short_message = $raw_event;

Example:

<Output graylog>
    Module om_udp
    Host 127.0.0.1
    Port 12201
    OutputType  GELF
    Exec $short_message = $raw_event;
    Exec $Hostname = hostname_fqdn();
</Output>
3

Hi Jochen,

thank you for the quick reply. Adding that directive was causing the nexlog not to send any logs from that file. I ended reverting back to the older version, as i was having other issues also.

Thank you for your help.

4

Hi Guys,
I’m having the same problem, and the suggested fix didn’t work unfortunately.
I have my OutPut configured like this:

<Output dedup>
   Module      om_tcp
   Host        127.0.0.1
   Port        12214
   OutputType  GELF_TCP
   Exec $short_message = $raw_event;
   Exec if $HostName !~ /ESP1DDPVPR.*/ drop();
5

I fixed it by setting the $short_message variable to a shorter value, like $HostName or to the exact hostname.

6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.