Internal logs filling after update to 2.3.1

JulioQc · September 27, 2017, 7:48pm

Basically I have my logs filled by this issue: Has empty mandatory "short_message" field for OVA 2.3.1

What’s the solution? It’s cute to know the GELF is strict and so on but what is the solution so I stop seeing 50msg/s about this all the time… also it seems to just drop the messages and fill the process buffer so this is a problem.

jochen · September 27, 2017, 8:46pm

Just as my comment in the referenced topic says:

Messages like these were silently dropped before Graylog 2.3.0 and now at least trigger a log entry.

In short, you have to fix (or update) the GELF client sending these invalid messages.

JulioQc · September 27, 2017, 8:53pm

Yes, I understand you initial comment but didn’t understand the implications, which you just clarified
Unfortunately I believe I have to go thru ALL my clients to fix this… sigh

As an example of a typical nxlog.conf output settings:

<Output 578f97f40ae2f10b1139b093>
Module om_udp
Host 192.168.20.210
Port 5441
OutputType  GELF
Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
Exec $gl2_source_collector = '2e87ac7d-eeba-45a6-9ac4-5e56e8b9cd5b';
Exec $Hostname = hostname_fqdn();
</Output>

What should I do with the ‘$short_message’ line? remove it altogether?

jochen · September 28, 2017, 9:07am

It looks like $raw_event (and then ultimately $short_message) is blank.

Make sure that the short_message (or the message) field always contains some non-blank string.

You can see the validation logic for GELF messages in Graylog 2.3.1 here:

github.com

Graylog2/graylog2-server/blob/2.3.1/graylog2-server/src/main/java/org/graylog2/inputs/codecs/GelfCodec.java#L230-L269


private void validateGELFMessage(JsonNode jsonNode, UUID id, ResolvableInetSocketAddress remoteAddress) {
    final String prefix = "GELF message <" + id + "> " + (remoteAddress == null ? "" : "(received from <" + remoteAddress + ">) ");


    final JsonNode hostNode = jsonNode.path("host");
    if (hostNode.isMissingNode()) {
        log.warn(prefix + "is missing mandatory \"host\" field.");
    } else {
        if (!hostNode.isTextual()) {
            throw new IllegalArgumentException(prefix + "has invalid \"host\": " + hostNode.asText());
        }
        if (StringUtils.isBlank(hostNode.asText())) {
            throw new IllegalArgumentException(prefix + "has empty mandatory \"host\" field.");
        }
    }


    final JsonNode shortMessageNode = jsonNode.path("short_message");
    final JsonNode messageNode = jsonNode.path("message");
    if (!shortMessageNode.isMissingNode()) {
        if (!shortMessageNode.isTextual()) {
            throw new IllegalArgumentException(prefix + "has invalid \"short_message\": " + shortMessageNode.asText());

This file has been truncated. show original

JulioQc · September 28, 2017, 12:56pm

Thanks for the detailed information. However I don’t understand the design choice of throwing an exception rather than simply letting the field be an empty string.

Nonetheless, I now have to go thru my 200+ clients, for each output, and see which has an empty ‘$short_message’ and replace/remove it. At least if the exception included the Output ID it would help me narrow down which clients/output I have to investigate.

With this issue, the new ES 5.5 custom mappings to adjust and the etcd update issue, our team decided to skip version 2.3 altogether and stick to 2.2.3 which works just fine.

system · October 12, 2017, 12:56pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Yet another "has empty mandatory "short_message" field" issue Graylog Central (peer support)	2	1763	March 28, 2018
How to trouble shoot GELF message XXXX has empty mandatory "short_message" field Graylog Central (peer support)	3	2257	September 14, 2018
GELF UDP message error after upgrade from 2.2 to 2.3 OVA Graylog Central (peer support)	5	1700	August 30, 2017
GELF Message validation - error has empty mandatory "short_message" field Graylog Central (peer support) nxlog , gelf	2	330	December 5, 2023
Has empty mandatory "short_message" field for OVA 2.3.1 Graylog Central (peer support)	2	1613	September 12, 2017

Internal logs filling after update to 2.3.1

Related topics