## Graylog send message: Error processing message RawMessage and has empty mandatory “short_message” field.##

Good afternoon,
My Graylog has been presenting the message:

“2018-10-05T15:29:35.266-03:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=9c19cc06-c8cc-11e8-a292-005056872dfd, journalOffset=925857011, codec=gelf, payloadSize=149, timestamp=2018-10-05T18:29:35.262Z, remoteAddress=/172.31.15.98:46454} on input <5b911f738e6d340e5725bef1>.

2018-10-05T15:29:35.266-03:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=9c19cc06-c8cc-11e8-a292-005056872dfd, journalOffset=925857011, codec=gelf, payloadSize=149, timestamp=2018-10-05T18:29:35.262Z, remoteAddress=/172.31.15.98:46454}
java.lang.IllegalArgumentException: GELF message <9c19cc06-c8cc-11e8-a292-005056872dfd> (received from <172.31.15.98:46454>) has empty mandatory “short_message” field.
at org.graylog2.inputs.codecs.GelfCodec.validateGELFMessage(GelfCodec.java:252) ~[graylog.jar:?]
at org.graylog2.inputs.codecs.GelfCodec.decode(GelfCodec.java:134) ~[graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:150) ~[graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]”

I use the version “Graylog 2.4.6+ceaa7e4 on xxxxx (Oracle Corporation 1.8.0_181 on Linux 3.10.0-862.11.6.el7.x86_64)”

Follows configuration of nxlog.conf:

Module xm_gelf
Module xm_exec Module im_file File "/app/AAS/logs/AAS.log" Module om_udp Host 172.31.9.21 Port 20200 OutputType GELF_UDP Exec if ($short_message == "") drop(); Exec $raw_event = substr($raw_event, 0, 1000000); "

(Exec if ($short_message == “”) drop();
Exec $raw_event = substr($raw_event, 0, 1000000);

I tried some solutions presented in the forums, but without success:
I will be grateful with the help of you

what solution did you try? What was the result?

Are you bond to use nxlog? Can you switch the shipper?

Good afternoon,
I tried the following solutions:

Exec if ($ short_message == “”) drop ();

Exec $ raw_event = substr ($ raw_event, 0, 1000000);

These settings were made in nxlog.conf.
On the server side, I’m using the gelf_udp input, with no extra filtering.
I have only one graylog server, and since my environment is ratification, then I can still make any changes I need.
thank you.

if you want to ingest windows event log I would advise that you go with the winlogbeat from elastic. It is more stable you will not have such problems as the beat framework is more flexible in this.

Good afternoon,
In fact these logs come from a Linux (Centos 6_64bits).
In it I installed nxlog-ce-2.10.2102-1_rhel6.x86_64.
But I will use your tip on winlogbeat from elastic in my Windows environment, in it I had also urged the NXLOG.
If you have any other ideas, I’ll be grateful.
Hugs.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.