Graylog unable to receive message from logstash

wlt · July 16, 2018, 2:59am

Hi Graylog,

Currently i am setting up a logstash-gelf plugin to call a JDBC query and push the logs to Graylog.

Below is my logstash.conf.

input {
  jdbc {
    jdbc_driver_library => "/logstash-6.3.0/lib/sqljdbc42.jar"
    jdbc_driver_class => "com.microsoft.sqlserver.jdbc.SQLServerDriver"
    jdbc_connection_string => "jdbc:sqlserver://XXX:XXX;databaseName=XXX"
    jdbc_user => "XXX"
    jdbc_password => "XXX"
    schedule => "* * * * *"
    statement => "select xxx from XXX"
  }
}

output {
  gelf {
  host => "graylog_ip_address"
  port => 12201
  short_message => "Testing gelf output"
  }
  stdout { codec => rubydebug }
}

Below is my GELF HTTP configurations.

GELF HTTP : Running

bind_address: graylog_ip_address
decompress_size_limit: 8388608
enable_cors: true
idle_writer_timeout: 60
max_chunk_size: 65536
override_source: <empty>
port: 12201
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
tls_key_password: ********

Once i started the logstash, i received this message.

[2018-07-16T10:50:01,468][WARN ][logstash.outputs.gelf    ] Trouble sending GELF event {:gelf_event=>{"short_message"=>nil, "full_message"=>"%{message}", "host"=>"%{host}", "_project_loc"=>#<BigDecimal:2332822,'0.2241E4',4(28)>, "level"=>6}, :event=>#<LogStash::Event:0x603e8073>, :error=>#<ArgumentError: short_message is missing. Options version, short_message and host must be set.>}
[2018-07-16T10:50:01,469][WARN ][logstash.outputs.gelf    ] Trouble sending GELF event {:gelf_event=>{"short_message"=>nil, "full_message"=>"%{message}", "host"=>"%{host}", "_project_loc"=>#<BigDecimal:15a1bebe,'0.62322E5',5(28)>, "level"=>6}, :event=>#<LogStash::Event:0xce2e8c3>, :error=>#<ArgumentError: short_message is missing. Options version, short_message and host must be set.>}
[2018-07-16T10:50:01,471][WARN ][logstash.outputs.gelf    ] Trouble sending GELF event {:gelf_event=>{"short_message"=>nil, "full_message"=>"%{message}", "host"=>"%{host}", "_project_loc"=>#<BigDecimal:5ee37d2a,'0.176975E6',6(28)>, "level"=>6}, :event=>#<LogStash::Event:0x50122e7e>, :error=>#<ArgumentError: short_message is missing. Options version, short_message and host must be set.>}
[2018-07-16T10:50:01,472][WARN ][logstash.outputs.gelf    ] Trouble sending GELF event {:gelf_event=>{"short_message"=>nil, "full_message"=>"%{message}", "host"=>"%{host}", "_project_loc"=>#<BigDecimal:2c43723a,'0.243315E6',6(28)>, "level"=>6}, :event=>#<LogStash::Event:0x6c4750fd>, :error=>#<ArgumentError: short_message is missing. Options version, short_message and host must be set.>}
[2018-07-16T10:50:01,473][WARN ][logstash.outputs.gelf    ] Trouble sending GELF event {:gelf_event=>{"short_message"=>nil, "full_message"=>"%{message}", "host"=>"%{host}", "_project_loc"=>#<BigDecimal:31d7ba12,'0.428476E6',6(28)>, "level"=>6}, :event=>#<LogStash::Event:0x3b7c3791>, :error=>#<ArgumentError: short_message is missing. Options version, short_message and host must be set.>}
[2018-07-16T10:50:01,474][WARN ][logstash.outputs.gelf    ] Trouble sending GELF event {:gelf_event=>{"short_message"=>nil, "full_message"=>"%{message}", "host"=>"%{host}", "_project_loc"=>#<BigDecimal:71c0c1be,'0.554283E6',6(28)>, "level"=>6}, :event=>#<LogStash::Event:0x5ba99de6>, :error=>#<ArgumentError: short_message is missing. Options version, short_message and host must be set.>}

Graylog did not receive any message from the UI side. Is my configurations wrong?

Graylog version : 2.4.5
Logstash : 6.3.0
Logstash GELF output plugin : logstash-output-gelf (3.1.7)

jan · July 16, 2018, 6:32am

the logstash output gelf is not gelf http - https://www.elastic.co/guide/en/logstash/current/plugins-outputs-gelf.html

You should create a UDP Input on Graylog to receive the events.

jochen · July 16, 2018, 6:57am

Additionally to what @jan already wrote, you have to set the short_message field in Logstash.

wlt · July 16, 2018, 7:19am

Thank you Jan and jochen for replying. Yes, the correct input is GELF UDP.

Below is my logstash configurations that make it worked.

input {
  jdbc {
    jdbc_driver_library => "/logstash-6.3.0/lib/sqljdbc42.jar"
    jdbc_driver_class => "com.microsoft.sqlserver.jdbc.SQLServerDriver"
    jdbc_connection_string => "jdbc:sqlserver://XXX:XXX;databaseName=XXX"
    jdbc_user => "XXX"
    jdbc_password => "XXX"
    schedule => "* * * * *"
    statement => "select xxx from XXX"
  }
}

filter {
 mutate {
   add_field => { "message" => "Test server" }
   add_field => { "host" => "graylog_server" }
 }
}


output {
  gelf {
  host => "graylog_ip_address"
  port => 12201
  short_message => "Testing gelf output"
  }
  stdout { codec => rubydebug }
}

Below is my GELF UDP INPUT setting.

GELF UDP : running
bind_address: graylog_server
decompress_size_limit: 8388608
override_source: <empty>
port: 12201
recv_buffer_size: 262144

Thank you.

system · July 30, 2018, 7:19am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Sending messages from Logstash to Graylog, both running on Docker Graylog Central (peer support)	6	4996	April 2, 2019
Using logstash to call jdbc Graylog Central (peer support)	2	849	July 24, 2018
Graylog output to logstash Graylog Central (peer support)	4	2140	August 24, 2020
Logstash Output to Graylog 3.0 (Can't search message) Graylog Central (peer support)	3	2525	May 24, 2019
How to configure graylogs from logstash output Graylog Central (peer support)	3	9125	March 12, 2019

Graylog unable to receive message from logstash

Related topics