REST API present in syslog comes in distorted format

PRADEEP13039356 · January 30, 2020, 5:07pm

Hi all,

I am using Graylog 2.4.3.

My flow is as follows:

Logs(mobile,computer etc)—>Filebeat------------->Graylog–>Log Analysis server

When the logs reaches from the filebeat to the graylog it comes in a right format to /var/log/syslog folder in graylog server.

But the graylog output is coming in distorted format in multiline and sent to Log analysis server.

Content-Type: application/json;charset=UTF-8;ver=0.9
Response-Code: 200
Content-Type: application/json;charset=UTF-8;ver=0.9
ID: 11122610
Headers: {Content-Length=[0], Date=[Tue, 12 Dec 2018 08:49:15 GMT]}
ID: 11122611
ID: 11122603
Content-Type: application/json
Headers: {Date=[Tue, 12 Dec 2018 08:49:18 GMT], Content-Type=[application/json;charset=UTF-8;ver=0.9]}

Looking at the above output it looks like there is some problems while the graylog output format which fails to parse certain REST APIs. You can see there are 3 message IDs(11122610,11122611,11122603) comes in different lines. It only happens for certain REST APIs.

Is it something to do with maximum message length or message type of output as mentioned in below:

Referring to the GitHub link :

If I need to send any message length >16384 bytes in Maximum message length field can I pass as 0 or anything else? Similarly can i send message type as “full”
Can anyone provide some clues what could be the wrong which results ?

Any help is really appreciated.

Regards
Pradeep

jan · January 31, 2020, 11:30am

When the logs reaches from the filebeat to the graylog it comes in a right format to /var/log/syslog folder in graylog server.

But if logs are in /var/log/syslog you are not using Graylog at all.

PRADEEP13039356 · February 1, 2020, 5:04am

I mean whatever logs I receive from the filebeat to graylog and it is passed from graylog to the log analyzer. When the log reaches the log analyzer the logs are in multiple lines which is difficult to parse. I am suspecting that there is some problem either the format that we are sending from graylog server to the log analyzer server. As from the filebeat(/var/log/*) to the graylog it comes properly in a single line.

Currently message format it is using as per the below Output plugin is “plain”. May be I need to use “structured” or “full” and the maximum message length is exceeding the default length that is set.

Can anyone suggest what could be the issue?

jan · February 2, 2020, 1:08pm

he @PRADEEP13039356

did you checked if the events are proper formatted in Graylog? Means a multiline event is a single event in Graylog?

If that is the case - the output plugin might have a problem with that. More important syslog messages can’t be multiline, what could be the root.

system · February 16, 2020, 1:08pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
problem with api New to Graylog Community? READ-ME FIRST Guides	4	174	January 3, 2024
Receiving syslog notifications but the actual message text is not displayed Graylog Central (peer support)	2	325	January 30, 2020
Sending logs from filebeat to kafka and kafka to graylog Graylog Central (peer support)	8	2783	October 30, 2019
Error when using syslog-ng graylog2() with Graylog Central Graylog Central (peer support)	6	363	November 8, 2022
Unable to see the syslog in graylog 5.1 version Graylog Central (peer support)	8	204	November 7, 2023

REST API present in syslog comes in distorted format

Related Topics