Graylog & PaloAlto - Limit of total fields has been exceeded?

I’m fairly new to Graylog and I’m very happy to work with this tool. So maybe my question is quite easy to solve.

I’m trying to import PAN-OS 9.1 Logs into my Graylog 3.3 Installation. Therefore, I installed the Integrations Plugin and started working with the “Palo Alto Networks Input”.
When configuring my Firewall to send Logs to Graylog, I start receiving the following error messages:

WARN [Messages] Failed to index message: index= id= error=<{"type":"illegal_argument_exception","reason":"Limit of total fields [1000] in index [graylog_499] has been exceeded"}>

Those messages definitely do not contain more than around 120 fields. In PaloAlto I configured the Logs to be sent alternately as IETF or BSD. There was no change.

Has anybody here faced a similar issue so far?

Kind Regards
Christian

See the below:

Thanks for your feedback. Your feedback helped me to understand the error message. I mistakenly interpreted the error message to mean that one incoming log message contains more than 1000 fields, which is not the case. I’m going to split up the indexes as you suggested.
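The conclusion reached in the reply above, that the 1000-field limit applies to the whole mapping of the index and not to a single message, can be checked against the output of GET graylog_499/_mapping. The script below is an added example, not part of the original thread or of Graylog's code; the sample mapping, field names and helper names are constructed, and it assumes every new field adds exactly one mapping entry.

```python
DEFAULT_LIMIT = 1000  # Elasticsearch default for index.mapping.total_fields.limit


def count_mapped_fields(properties):
    """Count every entry under a mapping's "properties" tree."""
    total = 0
    for spec in properties.values():
        total += 1                                                # the field or object itself
        total += count_mapped_fields(spec.get("properties", {}))  # children of an object field
        total += count_mapped_fields(spec.get("fields", {}))      # multi-fields such as .keyword
    return total


def index_properties(mapping_response, index):
    """Return the properties dict from a GET <index>/_mapping response (ES 6.x or 7.x layout)."""
    mappings = mapping_response[index]["mappings"]
    if "properties" in mappings:          # 7.x: properties sit directly under "mappings"
        return mappings["properties"]
    merged = {}
    for type_mapping in mappings.values():  # 6.x: properties are nested under a type name
        merged.update(type_mapping.get("properties", {}))
    return merged


def message_fits(message, properties, limit=DEFAULT_LIMIT):
    """True if indexing the flat dict `message` keeps the index within the limit."""
    # Assumption: each field not yet in the mapping adds one mapping entry.
    new_fields = [name for name in message if name not in properties]
    return count_mapped_fields(properties) + len(new_fields) <= limit


def build_sample_mapping():
    # Constructed: 880 fields already created by other inputs writing to the same index.
    props = {f"other_input_field_{i}": {"type": "keyword"} for i in range(880)}
    props["message"] = {"type": "text", "fields": {"keyword": {"type": "keyword"}}}  # 2 entries
    return {"graylog_499": {"mappings": {"message": {"properties": props}}}}


if __name__ == "__main__":
    props = index_properties(build_sample_mapping(), "graylog_499")
    pan_message = {f"pan_field_{i}": "value" for i in range(120)}  # constructed 120-field message
    print("fields already mapped:", count_mapped_fields(props))
    print("120-field message fits:", message_fits(pan_message, props))
```

With a real cluster, load the JSON returned by the mapping request and pass it to index_properties instead of the constructed sample.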
