Unexpected end-of-input - size limit?

Hi,

We send our Apache access logs with our own log format in GELF to Graylog, e.g.

LogFormat "{ \"version\": \"1.1\",\
 \"host\": \"%h\",\
 \"_GEOIP_COUNTRY_CODE\": \" %{GEOIP_COUNTRY_CODE}e\",\
 \"short_message\": \"%r\" }" extended_gelf

Sometimes Graylog can’t parse the short_message with an Unexpected end-of-input:

com.fasterxml.jackson.core.JsonParseException: Unexpected end-of-input: was expecting closing quote for a string value

The error always occurs at column 4097. Is there a size limit of 4096 characters for GELF / JSON here?

Thanks
Jürgen

What’s the exact LogFormat configuration of your Apache httpd?
How are you shipping these manually built GELF messages to Graylog?
How did you take care of properly escaping the variable values (e.g. %r)?

Also take a look at

Hi Jochen,

We can’t use mod_log_gelf because it uses mpm_prefork :(

The complete LogFormat directive is

# extended_gelf for Graylog
LogFormat "{ \"version\": \"1.1\",\
 \"host\": \"%h\",\
 \"_GEOIP_COUNTRY_CODE\": \" %{GEOIP_COUNTRY_CODE}e\",\
 \"_User\": \"%u\",\
 \"timestamp\": %{%s}t,\
 \"_Status\": \"%>s\",\
 \"_user_agent\": \"%{User-Agent}i\",\
 \"_X-Forwarded-For\": \"%{X-Forwarded-For}i\",\
 \"_ServerName\": \"%v\",\
 \"_Local_IP-address\":  \"%A\",\
 \"_Port\": \"%p\",\
 \"_Response-Handler\": \"%R\",\
 \"_BALANCER_WORKER_ROUTE\": \"%{BALANCER_WORKER_ROUTE}e\",\
 \"_Connection_status\": \"%X\",\
 \"_Cookie\":\"%{cookie}n\",\
 \"_UNIQUE_ID\": \"%{UNIQUE_ID}e\",\
 \"_SSL_PROTOCOL\": \"%{SSL_PROTOCOL}x\",\
 \"_SSL_CIPHER\": \"%{SSL_CIPHER}x\",\
 \"_Bytes_received\": \"%I\",\
 \"_Bytes_send\": \"%O\",\
 \"_ratio\": \"(%{ratio}n%%)\",\
 \"_Request_time\": \"%D\",\
 \"_ModSecTimeIn\": \"%{ModSecTimeIn}e\",\
 \"_ApplicationTime\": \"%{ApplicationTime}e\",\
 \"_ModSecTimeOut\": \"%{ModSecTimeOut}e\",\
 \"_ModSecAnomalyScoreIn\": \"%{ModSecAnomalyScoreIn}e\",\
 \"_ModSecAnomalyScoreOut\": \"%{ModSecAnomalyScoreOut}e\",\
 \"short_message\": \"%r\" }" extended_gelf

Shipping per Apache:

CustomLog  "|/bin/nc -u XXX.XXXX.de 9333"  extended_gelf

If there was a problem with the escaping, there would be other error messages, too.

You’re using UDP which, depending on the underlying network, might have a restriction in packet size.
Try using TCP.

FWIW, Graylog itself doesn’t have a size restriction for GELF messages and Elasticsearch happily ingests message fields up to 32 KB each.

The problem with unescaped variable values remains.
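
A check that tells the two failure modes in this thread apart, a line cut at 4096 bytes versus a value that is not valid JSON, when run over lines as they are received. This is an added example, not code from the posters or from Graylog; the function names, problem codes and sample lines are constructed, and the `\x01` sample models httpd writing non-printable bytes as `\xhh`, which JSON does not accept as an escape.

```python
import json

LIMIT = 4096  # size at which the thread's messages were cut (error at column 4097)
REQUIRED = ("version", "host", "short_message")  # mandatory GELF 1.1 fields


def check_gelf_line(raw: bytes, limit: int = LIMIT) -> list[str]:
    """Return problem codes for one line as received; an empty list means OK."""
    problems = []
    if len(raw) >= limit:
        problems.append("at-size-limit")
    try:
        doc = json.loads(raw.decode("utf-8"))
    except UnicodeDecodeError:
        # A cut in the middle of a multi-byte character ends up here.
        return problems + ["not-utf8"]
    except json.JSONDecodeError as exc:
        if exc.msg.startswith("Unterminated string"):
            # Same condition Jackson reports as "Unexpected end-of-input".
            code = "truncated-string"
        elif exc.msg.startswith(("Invalid \\escape", "Invalid control character")):
            code = "bad-escape"
        else:
            code = "malformed-json"
        return problems + [code]
    problems += [f"missing-{key}" for key in REQUIRED if key not in doc]
    return problems


def sample_line(short_message: str, user_agent: str = "curl/8.0") -> bytes:
    """Constructed sample using a subset of the thread's extended_gelf fields."""
    return ('{ "version": "1.1", "host": "192.0.2.10", "timestamp": 1700000000, '
            f'"_user_agent": "{user_agent}", "short_message": "{short_message}" }}'
            ).encode("utf-8")


# Constructed inputs: a normal request, a long request line cut at LIMIT bytes,
# and a User-Agent carrying an httpd-style \x01 escape (literal backslash-x).
GOOD = sample_line("GET /index.html HTTP/1.1")
CUT = sample_line("GET /search?q=" + "A" * 5000 + " HTTP/1.1")[:LIMIT]
ESCAPED = sample_line("GET / HTTP/1.1", user_agent="bad\\x01agent")

if __name__ == "__main__":
    for name, line in (("good", GOOD), ("cut", CUT), ("escaped", ESCAPED)):
        print(name, len(line), check_gelf_line(line))
```

A line flagged only `bad-escape` points at the LogFormat escaping; `at-size-limit` together with `truncated-string` points at the transport.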
