We have been slowly working through debugging the various error messages seen in our Graylog server.log file so we can see when there are real issues.
This particular message is a current concern:
2017-02-19T12:10:51.869-05:00 WARN [ProcessBufferProcessor] Unable to process message <5dc778dc-f6c6-11e6-9b33-0025b5ff0071>: org.graylog.plugins.pipelineprocessor.ast.exceptions.FunctionEvaluationException: java.lang.IllegalArgumentException: This IPv6 address cannot be used in IPv4 context
It occurs around 2500 times each day.
What is the BEST way to troubleshoot error messages related to “unable to process message”? Has anyone written up a basic procedure that one could follow?
In older versions of Graylog I vaguely remember an interface where I could see the message that could not be processed, making it simple to find and fix the problem. If that’s here now I might be missing it.
@jochen This looks like the message is being discarded. Can you confirm? If so, we should change the behavior of cidr_match() and make the function throw a warning but handle it gracefully, i.e. not lose the whole message.
Here is a reduced bit of pipeline we currently have deployed.
rule "from datacenter subnet"
when
    cidr_match("192.168.1.0/24", to_ip($message.gl2_remote_ip)) OR
    cidr_match("192.168.2.0/24", to_ip($message.gl2_remote_ip))
then
    set_field(field: "LocationTag", value: "datacenter");
end
I am trying to confirm with log data, but I am assuming that an IPv6 address isn’t safely handled by “to_ip”. Will post back once I know for sure.
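
An added example, not part of any post in this thread and not Graylog's code: a Python model of the rule above, assuming (as the posts do, without confirmation) that an IPv6 address reaching an IPv4 cidr_match raises and the whole message is lost. It contrasts that with the warn-and-continue handling proposed above; the function names and sample messages are constructed for illustration.

```python
import ipaddress
import logging

log = logging.getLogger("pipeline-model")

# Subnets from the rule posted above.
DATACENTER_NETS = ("192.168.1.0/24", "192.168.2.0/24")


def cidr_match_strict(cidr, ip):
    """Models the reported behaviour: an address-family mismatch raises."""
    net = ipaddress.ip_network(cidr)
    addr = ipaddress.ip_address(ip)
    if net.version != addr.version:
        raise ValueError(f"IPv{addr.version} address cannot be used in IPv{net.version} context")
    return addr in net


def cidr_match_tolerant(cidr, ip):
    """Models the proposed behaviour: warn, report no match, keep going."""
    try:
        return cidr_match_strict(cidr, ip)
    except ValueError as exc:
        log.warning("cidr_match(%s, %s): %s", cidr, ip, exc)
        return False


def run_rule(messages, cidr_match):
    """Apply the 'from datacenter subnet' rule; return (kept, dropped)."""
    kept, dropped = [], []
    for msg in messages:
        try:
            if any(cidr_match(net, msg["gl2_remote_ip"]) for net in DATACENTER_NETS):
                msg = {**msg, "LocationTag": "datacenter"}
            kept.append(msg)
        except ValueError:
            dropped.append(msg)  # whole message lost, as in the WARN line
    return kept, dropped


# Constructed sample messages (not taken from the thread).
SAMPLE = [
    {"id": "a", "gl2_remote_ip": "192.168.1.10"},
    {"id": "b", "gl2_remote_ip": "10.0.0.5"},
    {"id": "c", "gl2_remote_ip": "2001:db8::1"},
]

if __name__ == "__main__":
    for name, fn in (("strict", cidr_match_strict), ("tolerant", cidr_match_tolerant)):
        kept, dropped = run_rule(SAMPLE, fn)
        print(name, "kept:", [m["id"] for m in kept], "dropped:", [m["id"] for m in dropped])
```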