How to send structured logs to GELF?

WoJ · March 19, 2018, 8:04pm

Hello

I have JSON-formatted payload I would like to send to GELF. Is this a built-in feature?.

I tried to add a _payload field with JSON data but even when I hinted graylog that this is JSON, it failed parsing a table (list).

WoJ · March 19, 2018, 8:28pm

I just found the solution: http://docs.graylog.org/en/2.3/pages/extractors.html#using-the-json-extractor

jochen · March 19, 2018, 8:29pm

GELF itself is already a structured log format, so the ideal way would be to use GELF itself for sending your structured logs instead of putting JSON into a single text field and extract that with a JSON extractor in Graylog.

WoJ · March 20, 2018, 10:00am

I am not sure I understand: the documentation states that

_[additional field] string (UTF-8) or number

So as far as I understand, the only way to add structured information is to stringify the JSON payload, send it as an additional field and have it decoded by graylog on the server.

jochen · March 20, 2018, 10:02am

http://docs.graylog.org/en/2.4/pages/gelf.html#example-payload

{
  "version": "1.1",
  "host": "example.org",
  "short_message": "A short message that helps you identify what is going on",
  "full_message": "Backtrace here\n\nmore stuff",
  "timestamp": 1385053862.3072,
  "level": 1,
  "_user_id": 9001,
  "_some_info": "foo",
  "_some_env_var": "bar"
}

Looks pretty structure to me.

WoJ · March 20, 2018, 10:06am

Yes it is nicely structured

But then how to send this extra payload?

{
  "name": "john",
  "children": ["mary", "joe"],
  "pets": {
    "dogs": [1, 2, 3],
    "elephants": true
  }
}

jochen · March 20, 2018, 10:57am

{
  "version": "1.1",
  "host": "example.org",
  "short_message": "A short message that helps you identify what is going on",
  "full_message": "Backtrace here\n\nmore stuff",
  "timestamp": 1385053862.3072,
  "level": 1,
  "_name": "john",
  "_children_1": "mary",
  "_children_2": "joe",
  "_pets_dogs_1": 1,
  "_pets_dogs_3": 2,
  "_pets_dogs_2": 3,
  "_pets_elephants": "true"
}

WoJ · March 20, 2018, 12:07pm

I see, thanks.

I found the same kind of expansion when i sent my data to graylog and had it deserialize them. Underscores were added in the same way you did it.

Retrospectively, the root of my question was rather about the capacities to keep a structured, multilevel data format. I am used to Elasticsearch and was expecting to find in graylog its way of handling structures (= having the capacity to address elements such as pets.elephants.
I now understand that the data must be flattened in any case.

jochen · March 20, 2018, 1:22pm

Unfortunately Graylog doesn’t support nested documents yet.

system · April 3, 2018, 1:22pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to Log Python List Objects Using Graylog Development	4	625	May 13, 2019
Json configuration for GELF using test VM Graylog Central (peer support)	3	669	April 15, 2019
Graylog Integretion with External System Graylog Central (peer support)	6	158	September 13, 2023
Documentation points to wrong URL Graylog Central (peer support)	2	531	May 10, 2018
Delay while getting log via gelf http Graylog Central (peer support) gelf	3	70	March 15, 2024

How to send structured logs to GELF?

Related Topics