Replaced invalid timestamp value in message

1. Describe your incident:

After graylog upgrade to v4.2.6 we get these msgs:

gl2_processing_error
Replaced invalid timestamp value in message <2f44c541-98c8-11ec-88cc-1458d05629d8> with current time - Value <2022-02-28T18:56:50+00:00> caused exception: Invalid format: "2022-02-28T18:56:50+00:00" is malformed at "T18:56:50+00:00".

2. Describe your environment:

log ingest setup: (rsyslog and graylog and elastic are on the same host)

device_sends_logs > rsyslog > graylog_input > extractor > stream > elastic_index_X

• OS Information:

centos7 
kernel 3.10.0-1160.11.1.el7.x86_64

• Package Version:

graylog-server-4.2.6-1.noarch and elasticsearch-7.17.0-1.x86_64

• Service logs, configurations, and environment variables:

For rsyslog we use this json template:

template(name="syslog_json" type="list" option.json="on") {
    constant(value="{")
    constant(value="\"timestamp\":\"")			property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"source\":\"")			property(name="hostname")
    constant(value="\",\"ip_address\":\"")		property(name="fromhost-ip")
    constant(value="\",\"application_name\":\"")	property(name="programname")
    constant(value="\",\"message\":\"")			property(name="msg" format="json")
    constant(value="\",\"tag\":\"")			property(name="syslogtag")
    constant(value="\",\"level\":\"")			property(name="syslogseverity")
    constant(value="\",\"facility\":\"")		property(name="syslogfacility-text")
    constant(value="\"}")
}
# HP
if $syslogfacility-text == 'local3' then @[::1]:5143;syslog_json

3. What steps have you already taken to try and solve the problem?

Looked around here:

As a test I removed all the extractors and my msgs came in as so and with no gl2_processing_error

{"timestamp":"2022-02-28T18:56:49+00:00","source":"<redacted>.ip6.arpa","ip_address":"<redacted>","application_name":"<redacted>","message":" 00435 ports:  port B1 is Blocked by AAA","tag":"<redacted>","level":"6","facility":"local3"}

Once I add the extractors back, I get the gl2_processing_error msg.

My extractors:

{
  "extractors": [
    {
      "title": "json_extractor",
      "extractor_type": "json",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "",
      "extractor_config": {
        "flatten": true,
        "list_separator": ", ",
        "kv_separator": "=",
        "key_prefix": "",
        "key_separator": "_",
        "replace_key_whitespace": true,
        "key_whitespace_replacement": "_"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "hostname_from_fqdn; bug with FW: 16_02_0021",
      "extractor_type": "regex_replace",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "source",
      "target_field": "source",
      "extractor_config": {
        "regex": "(.*)\\.ip[4,6].arpa",
        "replacement": "$1",
        "replace_all": true
      },
      "condition_type": "regex",
      "condition_value": "(.*)\\.ip[4,6].arpa"
    },
    {
      "title": "application_name_extractor_1",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "application_name",
      "extractor_config": {
        "regex_value": "^([\\w\\-]+):\\s\\s"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "application_name_extractor_2",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "application_name",
      "extractor_config": {
        "regex_value": "^\\d+\\s([\\w\\-]+):\\s\\s"
      },
      "condition_type": "none",
      "condition_value": ""
    }
  ],
  "version": "4.2.6"
}

On this comment processing error after migrating to 4.2.0-3 · Issue #11495 · Graylog2/graylog2-server · GitHub it says to add some temp_timestamp extractor > json_extractor > then apply the converter…

I attempted this as so:

{
  "extractors": [
    {
      "title": "timestamp_extractor",
      "extractor_type": "regex_replace",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "temp_timestamp",
      "extractor_config": {
        "regex": "^\\{\\\"timestamp\\\":\\\"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\+\\d{2}:\\d{2})\\\",.*",
        "replacement": "$1",
        "replace_all": false
      },
      "condition_type": "regex",
      "condition_value": "^\\{\\\"timestamp\\\":\\\"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\+\\d{2}:\\d{2})\\\",.*"
    },
    {
      "title": "json_extractor",
...
      "title": "hostname_from_fqdn; bug with FW: 16_02_0021",
...
      "title": "application_name_extractor_1",
...
      "title": "application_name_extractor_2",
...
    {
      "title": "timestamp_replace",
      "extractor_type": "regex_replace",
      "converters": [
        {
          "type": "date",
          "config": {
            "time_zone": "Etc/UTC",
            "locale": "und",
            "date_format": "yyyy-MM-dd HH:mm:ss,SSS"
          }
        }
      ],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "temp_timestamp",
      "target_field": "timestamp",
      "extractor_config": {
        "regex": "(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\+\\d{2}:\\d{2})",
        "replacement": "$1",
        "replace_all": true
      },
      "condition_type": "regex",
      "condition_value": "(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\+\\d{2}:\\d{2})"
    }
  ],
  "version": "4.2.6"
}

But got this error msg

gl2_processing_error
Could not apply converter [DATE] of extractor <timestamp_replace (5a618c30-98ce-11ec-88cc-1458d05629d8)> - Invalid format: "2022-02-28T19:53:59+00:00" is malformed at "T19:53:59+00:00"., Replaced invalid timestamp value in message <2bb9d023-98d0-11ec-88cc-1458d05629d8> with current time - Value <2022-02-28T19:53:59+00:00> caused exception: Invalid format: "2022-02-28T19:53:59+00:00" is malformed at "T19:53:59+00:00"

my fields looks like so when they are stored in elastic:

temp_timestamp
2022-02-28 19:53:59.000 +00:00
timestamp
2022-02-28 19:53:59.587 +00:00

4. How can the community help?

I would have thought that the 1/5 patch would have fixed this Perform message timestamp conversion after processing (#11884) (#11915) · Graylog2/graylog2-server@80a07bd · GitHub

What am I doing wrong?
Was the patch supposed to address this?
Any input is much appreciated!

Thank you,
Dave

Hello @davama

Can I ask what type of input and extractor are you using? I’m assuming your using either Raw plaintext or JSON INPUT with a JSON extractor?

Thank you for the reply @gsmith

Sorry i forgot to mention that.

We are using syslog udp input with json extractor.

By chance have you tested RawPlaintext Input? if so, did you get the same results?

@gsmith
thank you for the input!

using Raw/Plaintext UDP input

without extractors i get below:

message
{"timestamp":"2022-03-02T00:25:00+00:00","source":"<redacted>","ip_address":"<redacted>","application_name":"00435","message":" ports:  port C21 is Blocked by AAA","tag":"00435","level":"6","facility":"local3"}
source
::1
timestamp
2022-03-02 00:25:01.435 +00:00

with my original extractors (been using for a few years now):

application_name
ports
facility
local3
gl2_processing_error
Replaced invalid timestamp value in message <331489b1-99bf-11ec-88cc-1458d05629d8> with current time - Value <2022-03-02T00:25:04+00:00> caused exception: Invalid format: "2022-03-02T00:25:04+00:00" is malformed at "T00:25:04+00:00".
ip_address
<redacted>
level
6
message
ports:  port D2 is now on-line
source
<redacted>
tag
00076
timestamp
2022-03-02 00:25:01.648 +00:00

I did not try to do the extra extractors mentioned before.
I can if you think i should.

Thank you again for the help!

Hello @davama

I believe since you sending this type of Date/time format.

You need to convert the timestamp field to a proper timestamp using Pipeline or Extractor with a DATE converter.

EXAMPLE:

image1182×747 42.2 KB

Elasticsearch mapping expects a certain format or its will complain. Make sure your at lest getting the message. If so, then the answer to your question would be yes to extractor/pipeline, I did notice the JSON extractor does not have a DATE converter, perhaps use a regex. To be honest, a pipeline works great in situation like this. Which there are a lot of example here for pipeline , specially for converting Timestamps /w issues.

Just an FYI, I could test this in my lab to find out the issue on if you want? Only thing is I’m not sure about Rsyslog configuration you have made, meaning I haven’t worked with rsyslog in a while. If you could make a mockup I could implement this in my lab for testing. Just need some spec’s.

EDIT: Some added info

• GELF via UDP

• Understanding about RFC 3339 for Datetime and Timezone Formatting in Software Engineering | by Iman Tumorang | Easyread

@gsmith
thank you for the input. it was very helpful

I have never used pipelines before. Looks like they need to be linked to a stream, which I assume get processed before they are shipped to elastic. Is that right?

Would not mind trying it but we have several streams and I think it will be easier to go the input/extractor route.

Will be testing this tomorrow.

Thank you

@gsmith

gave the extractor a shot but still no change… I’m sure I’m doing it wrong.

My adjusted extractors with the Date format:

{
  "extractors": [
    {
      "title": "json_extractor",
      "extractor_type": "json",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "",
      "extractor_config": {
        "flatten": true,
        "list_separator": ", ",
        "kv_separator": "=",
        "key_prefix": "",
        "key_separator": "_",
        "replace_key_whitespace": true,
        "key_whitespace_replacement": "_"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "application_name_extractor_1",
      "extractor_type": "regex",
      "converters": [],
      "order": 2,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "application_name",
      "extractor_config": {
        "regex_value": "^([\\w\\-]+):\\s\\s"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "hostname_from_fqdn; bug with FW: 16_02_0021",
      "extractor_type": "regex_replace",
      "converters": [],
      "order": 1,
      "cursor_strategy": "copy",
      "source_field": "source",
      "target_field": "source",
      "extractor_config": {
        "regex": "(.*)\\.ip[4,6].arpa",
        "replacement": "$1",
        "replace_all": true
      },
      "condition_type": "regex",
      "condition_value": "(.*)\\.ip[4,6].arpa"
    },
    {
      "title": "application_name_extractor_2",
      "extractor_type": "regex",
      "converters": [],
      "order": 3,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "application_name",
      "extractor_config": {
        "regex_value": "^\\d+\\s([\\w\\-]+):\\s\\s"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "timestamp_extrator_converter",
      "extractor_type": "regex_replace",
      "converters": [
        {
          "type": "date",
          "config": {
            "date_format": "yyyy-MM-dd HH:mm:ss:SSS",
            "time_zone": "Etc/UTC",
            "locale": "und"
          }
        }
      ],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "timestamp",
      "target_field": "timestamp",
      "extractor_config": {
        "regex": "^(\\d{4}-\\d{2}-\\d{2})T(\\d{2}:\\d{2}:\\d{2}.\\d{3})Z$",
        "replacement": "$1 $2",
        "replace_all": true
      },
      "condition_type": "none",
      "condition_value": ""
    }
  ],
  "version": "4.2.6"
}

The msg arrives as so:

gl2_processing_error
Replaced invalid timestamp value in message <198b8bf3-9bbe-11ec-88cc-1458d05629d8> with current time - Value <2022-03-04T13:22:12+00:00> caused exception: Invalid format: "2022-03-04T13:22:12+00:00" is malformed at "T13:22:12+00:00".
timestamp
2022-03-04 13:22:11.632 +00:00

I also tried this. Change my timestamp field to timestamp_temp in rsyslog

then changed my rsyslog json template

    constant(value="\"timestamp_temp\":\"")		property(name="timereported" dateFormat="rfc3339")

And without the timestamp extractor the date fields get populated as so:

timestamp
2022-03-04 15:57:12.685 +00:00
timestamp_temp
2022-03-04 15:57:13.000 +00:00

which is nice because I don’t get the gl2_processing_error any more but now I have an extra field…

I do find it odd that _temp is in the future when I would have thought is in the past… and also that I don’t see the yyyy-MM-ddThh:MM:ss:SSSZ format for it…

i guess I shouldn’t create the temp field…

what am I doing wrong with the date extractor?

Thank you

Hello,

Ah I see, So here is the scoop on that. Elasticsearch index template has a field called “timestamp”, the problem is trying to manipulate the “timestamp” field, as you can see you will get a gl2_processing error. So if you need to correct the timestamp field there will be two fields for the timestamp ( as shown above).
Only other work around I have seen in the forum is

• Create a new Index mapping template,
• Use a different extractor that is capable of using a DATE converter
• Send raw message to Graylog and convert the fields needed
• Leave the two timestamp fields.

Since the field timestamp_temp origin is from rsyslog.
This could be from a couple different issues.

• Daylight-saving time
• Synchronize computer time
• Elasticsearch uses UTC for timestamp
• User settings for time zone
• GL Server Date/time configuration, etc…

I would make sure all device have correct date/time even the user logged into the Web UI.

My apologies I haven’t used JSON log formatting, but I am familiar with the errors/troubleshooting. As I stated earlier JSON extractor cannot add DATE converters to JSON extractors. So I assume is this what you tried to do? I’m not sure what time zone is correct (UTC, GMT =+1, -6)?

What I was suggesting was something simpler, send the logs to Graylog then use pipeline. If I’m correct, it seams that Elasticsearch created a timestamp field already.

Note: this is for Central America (the region stretching between Mexico and Colombia),

rule "replace timestamp"
when
    true
then
    let result = regex("([0-9-T.:]+)", to_string($message.message));
    let new_date = parse_date(to_string(result["0"]), "yyyy-MM-dd'T'HH:mm:ss.SSS","CDT");
    set_field("timestamp", timestamp_temp);
end

Replaced invalid timestamp value in message

You maybe able to find your answer here.

• Search results for 'replace_timestamp' - Graylog Community

Thank you @gsmith
Ill give this a retry and report back.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.