I have 2 issues with GELF HTTP

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

1. Describe your incident:
I’m wanting to use GELF HTTP to submit JSON messages to Graylog. I am running 6.1. I have added the GELF HTTP input and configured it with TLS and Authorization Header Name with Authorization Header Value.

If I use CURL to send a message, with the wrong Authorization Header Value, the HTTP response is 401 as expected but it still logs that message in Graylog.

Example curl command returns 202 ACCEPTED, but if I add a extra letter to the Authorization it’ll say 401 Unauthorized but still commit the message

curl -X POST https://hostname:12201/gelf \
-H "Content-Type: application/json" \
-H "Authorization: MySecretToken12345" \
-d '{
  "version": "1.1",
  "host": "myhost",
  "message": "did a thing a",
  "timestamp": '"$(date +%s)"',
  "level": 1
}' -v

Also if I tick Enable Bulk Receiving no messages get logged.

Example CURL, neither of these work but both return 202 ACCEPTED

curl -X POST https://localhost:12201/gelf \
-H "Content-Type: application/json" \
-H "Authorization: MySecretToken12345" \
-d '{
  "version": "1.1",
  "host": "myhost",
  "message": "did a thing c",
  "timestamp": '"$(date +%s)"',
  "level": 1
}\n{
  "version": "1.1",
  "host": "myhost",
  "message": "did a thing d",
  "timestamp": '"$(date +%s)"',
  "level": 1
}' -v


curl -X POST https://localhost:12201/gelf \
-H "Content-Type: application/json" \
-H "Authorization: MySecretToken12345" \
-d '{
  "version": "1.1",
  "host": "myhost",
  "message": "did a thing e",
  "timestamp": '"$(date +%s)"',
  "level": 1
}' -v

2. Describe your environment:

  • OS Information: Debian 12

  • Package Version: Docker setup so running
    graylog/graylog:6.1 (Graylog 6.1.5+e3ae3ce on graylog-server (Eclipse Adoptium 17.0.13 on Linux 6.1.0-28-amd64))
    graylog-datanode:6.1 (6.1.5+e3ae3ce)
    mongo:5.0

  • Service logs, configurations, and environment variables:
    Only just installed as a default installation, only added the GELF INPUT, no extractors or custom streams etc. Wanted to get INPUT working before I continue to customise.

3. What steps have you already taken to try and solve the problem?
Tried different values, with no success. Also double checked the TLS certificate I set is working as expected, encase that was the issue.
Stopped and Started the INPUT.

4. How can the community help?
I would like to know why auth is not working, so where I’m going wrong and why when bulk is enabled, I can’t send single messages as well.

If GELF not supporting bulk messages with CURL, that’s not a problem. I’m only using it for testing currently, then looking to use GitHub - kkamkou/node-gelf-pro: Graylog2 client library for Node.js

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]