Om_tcp detected a connection error; Connection reset by peer


(Brian Jackey) #1

Hello folks, I’m new to Graylog, and I’m trying to get a stable setup going. I currently have a few Linux and Windows systems sending logs via the NXlog client to an NXlog server, which then takes the input and directs it to Graylog. Unfortunately, NXlog keeps reporting " ERROR om_tcp detected a connection error;Connection reset by peer" in the nxlog.log file, while Graylog reports the following:

2017-02-16T13:31:20.102-05:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=1c63f551-f476-11e6-8446-000c29c26a0a, journalOffset=805288, codec=gelf, payloadSize=301, timestamp=2017-02-16T18:31:20.101Z, remoteAddress=/<server IP>}
com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'q': was expecting ('true', 'false' or 'null')
 at [Source: q�>^B$v^Q^G�^LF^\�^D(Q�C�[��;RҦI�]^Q����^L�?�^A�<U+05F6>K^V        Oyr���{���FW�R)G��-D��T�)^W^S�a�.\c�z@u�[$H0^̘��^\x���B�^Q}�ueU4��^S��P����c?y��y��6^_e��^Nǯ�D�^E{�P�r�Z^ΟC[�ɞC�7^Fe�-��^W�OS�%��#�^B�~���l}P�^^�ko^^^F�^O5?0�J��`^]�a,�FO�?X^Wv��^KS�t��^Z^X��6^W^Y^S�^E��ۍӍ�$��������m����N^Gݦ_����h�^?��ʎ�!;���`%M^]�^L���Tp�n^C^�@�ʪ�^DP; line: 1, column: 2]
        at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1586) ~[graylog.jar:?]
        at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:521) ~[graylog.jar:?]
        at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._reportInvalidToken(ReaderBasedJsonParser.java:2754) ~[graylog.jar:?]
        at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._handleOddValue(ReaderBasedJsonParser.java:1820) ~[graylog.jar:?]
        at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:708) ~[graylog.jar:?]
        at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3847) ~[graylog.jar:?]
        at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3792) ~[graylog.jar:?]
        at com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:2332) ~[graylog.jar:?]
        at org.graylog2.inputs.codecs.GelfCodec.decode(GelfCodec.java:120) ~[graylog.jar:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:146) ~[graylog.jar:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:58) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35) [graylog.jar:?]
        at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]

Here’s the config for the GELF Input in Graylog:

bind_address: <server IP>
decompress_size_limit: 8388608
max_message_size: <empty>
override_source: <empty>
port: 12201
recv_buffer_size: <empty>
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
tls_key_password: ********
use_null_delimiter: true

And here’s the nxlog config:

########################################
# Global directives                    #
########################################
User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules                              #
########################################
<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension gelf>
    Module       xm_gelf
</Extension>

<Extension json>
    Module      xm_json
</Extension>

<Input intcp>
    Module      im_tcp
    Host        <host IP>
    Port        514
    Exec        parse_syslog_bsd();
    Exec        if ($SyslogSeverity == 'DEBUG') drop();
</Input>

<Input WinEvent>
    Module      im_tcp
    Host        <host IP>
    Port        5141
#    InputType  Binary
#    Exec         parse_json();
</Input>

<Output remotelog_out>
Module om_file
File "/var/log/nxlog/" + $Hostname + $Filetype + ".log"
</Output>

<Output graylog_out>
    Module om_tcp
    Host  <host ip>
    Port 12201
    OutputType GELF
</Output>

########################################
# Routes                               #
########################################
<Route tcproute>
    Path        intcp => remotelog_out,graylog_out
</Route>

<Route Winroute>
    Path        Winevent => remotelog_out,graylog_out
</Route>

Please let me know if you notice anything misconfigured, or can point me in the right direction to fix this.
Thanks!


#2

You have to use

OutputType GELF_TCP

in nxlog.


(Brian Jackey) #3

Thanks for the quick response!
It’s a little frustrating that I can’t find “GELF_TCP” referenced in any of nxlog’s documentation, but this certainly worked.
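
What the fix in reply #2 changes on the wire, as an added example that is not part of the original thread: a small model of a null-delimited GELF TCP receiver (matching `use_null_delimiter: true` above) fed both framings. The function names and the sample event are constructed, and the assumption that the plain `GELF` output type emits a compressed, undelimited payload is inferred from the binary data in the Graylog error, not stated by the posters.

```python
import json
import zlib

# Constructed sample event (not taken from the thread).
EVENT = {"version": "1.1", "host": "web01.example",
         "short_message": "sshd: accepted publickey for deploy", "level": 6}


def frame_compressed(event: dict) -> bytes:
    """Datagram-style payload (assumed): zlib-compressed JSON, no delimiter."""
    return zlib.compress(json.dumps(event).encode("utf-8"))


def frame_gelf_tcp(event: dict) -> bytes:
    """Stream framing: plain JSON terminated by a single null byte."""
    return json.dumps(event).encode("utf-8") + b"\x00"


def decode_null_delimited(stream: bytes):
    """Model of a null-delimited TCP input.

    Splits the byte stream on 0x00 and parses each frame as a JSON object.
    Returns (decoded_events, rejected_frame_count).
    """
    decoded, rejected = [], 0
    for frame in stream.split(b"\x00"):
        if not frame:
            continue  # empty tail after the final delimiter
        try:
            obj = json.loads(frame.decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            rejected += 1  # what surfaces as a JsonParseException in the input
            continue
        if isinstance(obj, dict):
            decoded.append(obj)
        else:
            rejected += 1  # a GELF message must be a JSON object
    return decoded, rejected


if __name__ == "__main__":
    print("compressed:", decode_null_delimited(frame_compressed(EVENT)))
    print("gelf tcp  :", decode_null_delimited(frame_gelf_tcp(EVENT) * 2))
```

Every rejected frame is an event that never reaches the index, so a steady stream of decode errors on an input is worth alerting on as a log-collection gap.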