Syslog Timestamp could not be parsed

Graylog Central (peer support)
1

1. Describe your incident:
I installed graylog and configured an input stream for syslog. There are constantly messages coming in (the in/out in the upper right shows incoming logs), but they are not shown up in the dashboard.
I found out that the timestamp of the messages could not be parsed. A example message and the corresponding error log is shown below. I searched a little bit around and found out that a Extractor could help.
Unfortunately, my configured extractor for the timestamp does not work, the error still occurs.
What I am doing wrong?

image
image1321×891 42.1 KB

2. Describe your environment:

  • OS Information: Debian 12

  • Package Version:

ii  graylog-6.1-repository           1-1                            all          Package to install Graylog 6.1 GPG key and repository
ii  graylog-datanode                 6.1.4-2                        amd64        Graylog data node
ii  graylog-server                   6.1.4-2                        amd64        Graylog server
ii  mongodb-database-tools           100.10.0                       amd64        mongodb-database-tools package provides tools for working with the MongoDB server: 
ii  mongodb-mongosh                  2.3.6                          amd64        MongoDB Shell CLI REPL Package
ii  mongodb-org                      7.0.15                         amd64        MongoDB open source document-oriented database system (metapackage)
ii  mongodb-org-database             7.0.15                         amd64        MongoDB open source document-oriented database system (metapackage)
ii  mongodb-org-database-tools-extra 7.0.15                         amd64        Extra MongoDB database tools
ii  mongodb-org-mongos               7.0.15                         amd64        MongoDB sharded cluster query router
ii  mongodb-org-server               7.0.15                         amd64        MongoDB database server
ii  mongodb-org-shell                7.0.15                         amd64        MongoDB shell client
ii  mongodb-org-tools                7.0.15                         amd64        MongoDB tools
  • Service logs, configurations, and environment variables:

Message:

B<7>1 2024-12-16T22:00:35.539770+1:00 zensored - - - 000+01:04:39.652 T 11318: zensored
syslog{"source":{"allow_override_date":true,"charset_name":"UTF-8","expand_structured_data":false,"force_rdns":false,"store_full_message":true,"timezone":"Europe/Berlin"}}2B

Log:

2024-12-16T22:06:07.215+01:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=915df0e0-bbf1-11ef-bdbb-bc2411e87d7a, messageQueueId=238090, codec=syslog, payloadSize=102, timestamp=2024-12-16T22:00:35.540Z, seqenceNr=4343, remoteAddress=/192.168.2.254:49348} on input <675f3dc643368c1923874837>.

2024-12-16T22:06:07.233+01:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=915df0e0-bbf1-11ef-bdbb-bc2411e87d7a, messageQueueId=238090, codec=syslog, payloadSize=102, timestamp=2024-12-16T22:00:35.540Z, seqenceNr=4343, remoteAddress=/192.168.2.254:49348}

java.lang.IllegalArgumentException: Invalid format: "2024-12-16T22:00:35.539770+1:00" is malformed at "+1:00"
at org.joda.time.format.DateTimeFormatter.parseDateTime(DateTimeFormatter.java:953) ~[graylog.jar:?]
at org.joda.time.DateTime.parse(DateTime.java:162) ~[graylog.jar:?]
at org.joda.time.DateTime.parse(DateTime.java:150) ~[graylog.jar:?]
at org.graylog2.syslog4j.server.impl.event.SyslogServerEvent.parse8601Date(SyslogServerEvent.java:156) ~[graylog.jar:?]
at org.graylog2.syslog4j.server.impl.event.SyslogServerEvent.parseDate(SyslogServerEvent.java:125) ~[graylog.jar:?]
at org.graylog2.syslog4j.server.impl.event.structured.StructuredSyslogServerEvent.parseDate(StructuredSyslogServerEvent.java:132) ~[graylog.jar:?]
at org.graylog2.syslog4j.server.impl.event.SyslogServerEvent.parsePriority(SyslogServerEvent.java:178) ~[graylog.jar:?]
at org.graylog2.syslog4j.server.impl.event.SyslogServerEvent.parse(SyslogServerEvent.java:194) ~[graylog.jar:?]
at org.graylog2.syslog4j.server.impl.event.structured.StructuredSyslogServerEvent.<init>(StructuredSyslogServerEvent.java:65) ~[graylog.jar:?]
at org.graylog2.inputs.codecs.SyslogCodec.parse(SyslogCodec.java:136) ~[graylog.jar:?]
at org.graylog2.inputs.codecs.SyslogCodec.decode(SyslogCodec.java:104) ~[graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:156) ~[graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:94) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:104) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:52) [graylog.jar:?]
at org.graylog2.shared.buffers.PartitioningWorkHandler.onEvent(PartitioningWorkHandler.java:52) [graylog.jar:?]
at com.lmax.disruptor.BatchEventProcessor.processEvents(BatchEventProcessor.java:167) [graylog.jar:?]
at com.lmax.disruptor.BatchEventProcessor.run(BatchEventProcessor.java:122) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.base/java.lang.Thread.run(Unknown Source) [?:?]

3. What steps have you already taken to try and solve the problem?
A timestamp extractor like described here: Extract timestamp from message

4. How can the community help?

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

2

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.