Graylog 2.2 MapperParsingException on Exchange Logs

Graylog Central (peer support)
1

Up until 14 days ago I was not getting these errors, my guess is the last update broke this feature because it had been working before I last updated it.

I am working on correcting the indexing errors I have been getting on my Graylog2 installation and it appears that they are coming from my Exchange extractor which takes incoming data in the form of a .csv document and splits it up into the proper fields.

I am constantly getting this error in my logs.

MapperParsingException[failed to parse [message_info]]; nested: IllegalArgumentException[Invalid format: "04I:" is malformed at "I:"];

I am not 100% sure what I need to do to fix this, any ideas?

2

I would read the docs about this and solve the issue.

3

Jan,

You will have to excuse me for being a bit new to using modifying Graylog, but what can you give me some direction on this. This isn’t parsing like a time field like many other reports I read and tried to follow and it didn’t crop up until 2.2.

What changed?

4

Let’s restrict this discussion to one platform (preferably here).

https://www.reddit.com/r/sysadmin/comments/61z8hy/graylog2_mapperparsingexception_on_exchange_logs/

5

Jochen, I am consolidating here then, I apologize.

Jan, I created the following custom mapping. Can you verify I did this correctly?

{
  "template": "graylog_*",
  "mappings" : {
    "message" : {
      "properties" : {
        "message_info" : {
          "type" : "string",
          "index" : "analyzed"
        }
	}
}
}
}

After I created this I ran the following

curl -X PUT -d @'graylog-custom-mapping.json' 'http://server:9200/_template/graylog-custom-mapping?pretty'

6

What was the response to this HTTP request?

7 
{
  "acknowledged" : true
}

The output of http://server.company.com:9200/_template/graylog-custom-mapping?pretty

Is as follows.

{
  "graylog-custom-mapping" : {
    "order" : 0,
    "template" : "graylog_1",
    "settings" : { },
    "mappings" : {
      "message" : {
        "properties" : {
          "message_info" : {
            "index" : "analyzed",
            "type" : "string"
          }
        }
      }
    },
    "aliases" : { }
  }
}
8

Your template attribute is incorrect. It has to be graylog_* to match all indices starting with graylog_.

9

Here is the new mapping.

{
  "graylog-custom-mapping" : {
    "order" : 0,
    "template" : "graylog_*",
    "settings" : { },
    "mappings" : {
      "message" : {
        "properties" : {
          "message_info" : {
            "index" : "analyzed",
            "type" : "string"
          }
        }
      }
    },
    "aliases" : { }
  }
}

Still seeing the errors coming through after making this change.

MapperParsingException[failed to parse [message_info]]; nested: IllegalArgumentException[Invalid format: "10I:" is malformed at "I:"];
MapperParsingException[failed to parse [message_info]]; nested: IllegalArgumentException[Invalid format: "10I:" is malformed at "I:"];
MapperParsingException[failed to parse [message_info]]; nested: IllegalArgumentException[Invalid format: "04I:" is malformed at "I:"];
MapperParsingException[failed to parse [message_info]]; nested: IllegalArgumentException[Invalid format: "03I:" is malformed at "I:"];

a few seconds ago graylog_385 92c2ba51-13d0-11e7-8bd6-005056a8274b MapperParsingException[failed to parse [message_info]]; nested: IllegalArgumentException[Invalid format: "10I:" is malformed at "I:"];

10

Did you create a new index after adding the index template? These settings are only applied to new indices.

11

Hurp derp. I missed that step Jochen. Thank you for that.

I love your product and hope you know I recommend it every chance I get.