Graylog doesn't work with CEF input

m1ster1985 · April 13, 2018, 5:14am

Hi all,
I’ve come across with a problem where graylog doesn’t show messages coming in CEF format.
I am using Arcsight connector to gather log from a Domain controller. The Connector, in turn, sends logs to Graylog server in CEF format (UDP). On Graylog server I’ve used CEF plugin in order to create CEF UDP input. The problem is I see the traffic that comes to the CEF input but it can’t be parsed by graylog and therefore messages are not displayed.
Guys, maybe someone has faced such issue. Could you help me to resolve it.
Graylog version is Graylog v2.4.3+2c41897
CEF last updated plugin
The following messages i see in graylog’s logs

2018-04-13T10:51:52.109+06:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=61e485d2-3ed6-11e8-8250-a0086f465651, journalOffset=26083484494, codec=CEF, payloadSize=934, timestamp=2018-04-13T04:51:52.109Z, remoteAddress=/10.1XXXXXX:48662} on input <5ad03657b1af719aa2846c84>.
2018-04-13T10:51:52.109+06:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=61e485d2-3ed6-11e8-8250-a0086f465651, journalOffset=26083484494, codec=CEF, payloadSize=934, timestamp=2018-04-13T04:51:52.109Z, remoteAddress=/10.1XXXXX:48662}
org.graylog.plugins.cef.parser.ParserException: This message was not recognized as CEF and could not be parsed.
at org.graylog.plugins.cef.parser.SyslogCEFParser.parse(SyslogCEFParser.java:51) ~[?:?]
at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:59) ~[?:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:150) ~[graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_151]

jochen · April 13, 2018, 7:29am

First, please format your post for readability:
https://help.github.com/articles/creating-and-highlighting-code-blocks/

Second, which client is generating these messages? Please provide the complete product name and the version you’re using.

And last but not least, please capture some of the messages sent by this client on the wire via Wireshark or tcpdump and create a bug report at https://github.com/Graylog2/graylog2-server/issues.

system · April 27, 2018, 7:34am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem with displaying messages from "CEF UDP" input Graylog Central (peer support)	10	593	December 1, 2022
FortiGate: I can get CEF logs over UDP and Syslog over TLS, but not CEF over TLS. Why? Graylog Central (peer support)	16	3213	May 2, 2023
UDP inputs not working Graylog Central (peer support)	3	7642	January 3, 2019
Graylog not showing messages that match the extractor Graylog Central (peer support)	3	594	December 22, 2019
OSSEC with Graylog Graylog Add-ons	4	3024	November 25, 2017

Graylog doesn't work with CEF input

Related topics