Hi all.
I’m trying to send nginx logs to a GELF UDP input but nginx is sending the logs with the leading timestamp.
I see errors like this in the graylog server.log.
Could not parse JSON, first 400 characters: <190>Jan 20 08:10:10 nginx nginx: { "timestamp": "2021-01-20T08:10:10+10:30", "remote_addr": "192.168.1.102"…
So you can see the JSON is set up correctly but I’m not sure how (or if it’s even possible) to tell nginx to stop sending the leading syslog style timestamp. Is using a pipeline to remove it the only option?
If anyone else has come across this issue before I’d appreciate hearing how you got around it.
Hello, Nginx sends logs in syslog format, so you can't directly use a GELF Input.
Nginx sends the message as JSON using a custom template over the SYSLOG protocol, and you try to send it to a GELF Input in Graylog. GELF is a completely different protocol from Syslog.
Nginx sends a syslog message, e.g.: <190>Sep 29 15:28:05 graylog nginx: { "timestamp": "2020-09 …
But a GELF formatted message requires a special syntax (also mandatory fields) in JSON format, e.g.: { "version": "1.1", "host": "example.org", "short_message": "A short message", "level": 5, "_custom_field": "foo", "timestamp": 1385053862.3072}
Solution:
Change the port in your nginx configuration and point it to a Syslog Input defined in Graylog. If you then want to parse (extract) the fields in the JSON, use a pipeline rule or an extractor to do so.
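As an added illustration of the point made in this answer (example code, not from the thread or from Graylog/nginx), the script below first shows why the line quoted in the question fails at a GELF input (the whole datagram must be one JSON object, and the `<190>Jan 20 ...` envelope makes it not JSON), then splits the RFC 3164 syslog envelope from the JSON body the way a Syslog Input plus an extractor would, and finally assembles and validates a GELF 1.1 message from the extracted fields. The sample line is constructed here; its `request` and `status` fields are assumed nginx log_format fields, not values from the question.

```python
"""Syslog-wrapped nginx JSON vs. GELF 1.1: an added example, not from the thread."""
import json
import re
from datetime import datetime

# Constructed sample in the shape of the line quoted in the question.
# The "request" and "status" fields are assumed for illustration.
SAMPLE = ('<190>Jan 20 08:10:10 nginx nginx: {"timestamp": "2021-01-20T08:10:10+10:30", '
          '"remote_addr": "192.168.1.102", "request": "GET /index.html HTTP/1.1", "status": 200}')

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG: MSG
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) '
    r'(?P<tag>[^:\s]+): '
    r'(?P<msg>.*)$', re.S)

# Fields defined by the GELF 1.1 payload specification; anything else must start with "_".
GELF_STANDARD = {'version', 'host', 'short_message', 'full_message',
                 'timestamp', 'level', 'facility', 'line', 'file'}


def is_gelf_json(datagram):
    """A GELF input hands the whole datagram to a JSON parser; a syslog
    envelope in front of the JSON makes that fail (the error in the question)."""
    try:
        return isinstance(json.loads(datagram), dict)
    except ValueError:
        return False


def parse_syslog(line):
    """Split the syslog envelope from the message, as a Syslog Input does."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError('not an RFC 3164 syslog line')
    pri = int(m.group('pri'))
    return {
        'facility': pri // 8,   # <190> -> 23 (local7)
        'severity': pri % 8,    # <190> -> 6 (informational)
        'timestamp': m.group('ts'),
        'host': m.group('host'),
        'tag': m.group('tag'),
        'message': m.group('msg'),
    }


def to_gelf(record):
    """Build a GELF 1.1 message from the extracted fields: version, host and
    short_message are mandatory; the nginx JSON fields become "_"-prefixed
    additional fields, and the ISO timestamp becomes a UNIX epoch float."""
    body = json.loads(record['message'])
    gelf = {
        'version': '1.1',
        'host': record['host'],
        'short_message': body.get('request', record['message'])[:250],
        'level': record['severity'],
    }
    if 'timestamp' in body:
        gelf['timestamp'] = datetime.fromisoformat(body['timestamp']).timestamp()
    for key, value in body.items():
        if key != 'timestamp':
            gelf['_' + key] = value
    return gelf


def validate_gelf(gelf):
    """Return a list of spec violations; an empty list means the message is valid."""
    problems = []
    for required in ('version', 'host', 'short_message'):
        if required not in gelf:
            problems.append('missing mandatory field: ' + required)
    if gelf.get('version') != '1.1':
        problems.append('version must be "1.1"')
    for key in gelf:
        if key not in GELF_STANDARD and not key.startswith('_'):
            problems.append('additional field must start with "_": ' + key)
    if '_id' in gelf:
        problems.append('"_id" is reserved and must not be sent')
    return problems


if __name__ == '__main__':
    print('raw nginx line accepted by a GELF input?', is_gelf_json(SAMPLE))
    rec = parse_syslog(SAMPLE)
    print('syslog envelope:', {k: v for k, v in rec.items() if k != 'message'})
    gelf_msg = to_gelf(rec)
    print('GELF payload:', json.dumps(gelf_msg))
    print('GELF problems:', validate_gelf(gelf_msg) or 'none')
```

The same split is what a Syslog Input does for you in Graylog: the envelope becomes `source`, `facility` and `level`, and the JSON body is left in `message` for a JSON extractor or a pipeline `parse_json()` step to turn into fields.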
Ah yes. I had a feeling that was the case and I see my error now. I was looking at this content pack (Graylog Marketplace) which is specifically for nginx+docker although I’m not using docker. I didn’t realise that docker is providing the GELF logging functionality.