I have an application that generates log files containing line delimited GELF logs. I am trying to use NXLOG to send these logs to graylog. While the logs do reach graylog, the custom fields (underscore fields) are missing, and it seems like NXLOG thinks that the entire GELF log is the short_message. How can I get NXLOG to just do it properly?
This is an excerpt from my nxlog.conf file:
Path in => graylog
We can assume that the Graylog INPUT you are using is a GELF TCP input? I see it says so in the config snippet but you didn’t explicitly mention it and there are several GELF input types. Also, it would be nice if you could post the entire NXLOG config and a sample message (using the
</> forum tool to make it pretty and obfuscating anything private) that way @gsmith (who knows nxlog better than I) will be happier helping parse out what is going on.
To help you further \we would need to see the complete Nxlog configuration file.
I found out what the issue was.
From looking at the source code of the GELF module of NXLOG src/modules/extension/gelf/gelf.c · master · nxlog-public / nxlog-ce · GitLab
I found out that it expects the "level’ field to be named SyslogSeverityValue It also has other odd field naming requirements.
I just changed my GELF logs to use the weird names required by NXLOG and it worked.
The GELF module of NXLOG is thus a bit misleading. It doesn’t accept GELF logs. It only OUTPUTS GELF logs to graylog. So if you have GELF logs, you fist need to turn them into “NXLOG GELF” logs.