GELF UDP syslog format

moire · August 24, 2017, 8:35pm

I am forwarding from couple of servers (rsyslog forwarding) through FluentD (gelf input plugin) daemon to Graylog2 using the standard setup and noticed that the messages coming through are with the below content:

message
1 2017-08-24T23:25:01.737373+03:00 host-0 CRON 29720 - - pam_env(cron:session): Unable to open env file: /etc/default/locale: No such file or directory

It seems gelf protocol adds additional info. Can I strip that somehow? Is it a valid gelf addition or I have something configured wrongly? Thanks in advance.

jochen · August 24, 2017, 9:45pm

This looks like a normal RFC 5424 syslog message stripped of the priority (PRI) field.

GELF or Graylog isn’t adding anything, it’s one of the programs you’ve configured to forward these messages to Graylog.

Any reason you’re not using a Syslog UDP or TCP input for this?

moire · August 26, 2017, 7:30pm

Thanks jochen

We evaluate fluentd because it has very useful filters. Will try different approaches. Thanks again.

system · September 9, 2017, 7:30pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GELF message ERROR in server.log Graylog Tech Challenges	6	2596	July 27, 2021
Graylog 2.4.3 - Problem with GELF Output Graylog Central (peer support) pipeline-rules	2	905	October 20, 2018
Documentation points to wrong URL Graylog Central (peer support)	2	563	May 10, 2018
Graylog does not show log received via UDP correctly Graylog Central (peer support) gelf	4	38	August 19, 2024
Nginx GELF sending leading timestamp Graylog Central (peer support) pipeline-rules	3	1612	February 3, 2021

GELF UDP syslog format

Related topics