Sending GELF via HTTP - error "is missing mandatory . . . field"

hkelley · 2019-01-13 22:39:16 UTC

I’ve discovered that the messages “stuck” in the journal are the ones where I set a timestamp attribute, e.g.:

{"timestamp": 1545401448067, "host": "xyz.com", "version": "1.1", "_cs_data": "XX", "short_message": "csdatareplicator"}

The same (minus the timestamp) is indexed:

{"host": "xyz.com", "version": "1.1", "_cs_data": "XX", "short_message": "csdatareplicator"}

The Example Payload in the GELF 2.5 docs shows a timestamp field in the document.

konrad · 2019-01-14 10:14:49 UTC

Thank you very much!

I can reproduce that, I am a new developer and I am not sure if what is the expected behavior. But it is a bug anyway:

Either it’s supposed to work with timestamp
or it is not and the manual is wrong at the point

Could you please open an issue for that and I will see that the issue gets fixed?

hkelley · 2019-01-14 12:35:03 UTC

Thank you. Issue 5501 has been created.

konrad · 2019-01-14 12:36:24 UTC

Thanks a lot!

Konrad

konrad · 2019-01-14 16:00:30 UTC

As @dennis pointed out in the github issue the format of the timestamp was wrong.
A timestamp with milliseconds should be in float notation like: "timestamp":1545401488.441 or without
milliseconds like: "timestamp":1545401488. This solves the issue.

hkelley · 2019-01-15 01:00:08 UTC

Thank you. Apologies for missing that. As it turns out, I had two issues:

wrong precision on my timestamp (as you pointed out)
a field in the “inner” JSON document - also called timestamp - that seemed to be conflicting with the GELF timestamp.

Once I fixed (removed) the duplicate timestamp element, all of my logs started to flow.

Totally_Not_A_Robot · 2019-01-17 19:21:39 UTC

I’m very happy that you got it all sorted out!

Sorry for dropping out of the conversation all of a sudden; I’m at a SANS training all week, which is taking ALL of my time