Unexpected end-of-input - size limit?

juemue · September 18, 2017, 2:34pm

Hi,

we send our apache accesslogs with our own logformat in GELF to graylog, e.g.

LogFormat “{ “version”: “1.1”,
“host”: “%h”,
”_GEOIP_COUNTRY_CODE": " %{GEOIP_COUNTRY_CODE}e",\

…

“short_message”: “%r” }" extended_gelf

Sometimes graylog can’t parse the shortmessage with an Unexpected end-of-input:

com.fasterxml.jackson.core.JsonParseException: Unexpected end-of-input: was expecting closing quote for a string value

The error always occurs at column 4097. Is there a size limit of 4096 characters for GELF / JSON here ?

Thanks
Jürgen

jochen · September 18, 2017, 3:01pm

What’s the exact LogFormat configuration of your Apache httpd?
How are you shipping these manually built GELF messages to Graylog?
How did you take care of properly escaping the variable values (e. g. %r)?

Also take a look at

juemue · September 18, 2017, 3:42pm

Hi Jochen,

We can’t use the mod_log_gelf because it use mpm_prefork

The complete LogFormat directive is

#extended_gelf für Graylog
LogFormat "{ \"version\": \"1.1\",\
 \"host\": \"%h\",\
 \"_GEOIP_COUNTRY_CODE\": \" %{GEOIP_COUNTRY_CODE}e\",\
 \"_User\": \"%u\",\
 \"timestamp\": %{%s}t,\
 \"_Status\": \"%>s\",\
 \"_user_agent\": \"%{User-Agent}i\",\
 \"_X-Forwarded-For\": \"%{X-Forwarded-For}i\",\
 \"_ServerName\": \"%v\",\
 \"_Local_IP-address\":  \"%A\",\
 \"_Port\": \"%p\",\
 \"_Response-Handler\": \"%R\",\
 \"_BALANCER_WORKER_ROUTE\": \"%{BALANCER_WORKER_ROUTE}e\",\
 \"_Connection_status\": \"%X\",\
 \"_Cookie\":\"%{cookie}n\",\
 \"_UNIQUE_ID\": \"%{UNIQUE_ID}e\",\
 \"_SSL_PROTOCOL\": \"%{SSL_PROTOCOL}x\",\
 \"_SSL_CIPHER\": \"%{SSL_CIPHER}x\",\
 \"_Bytes_received\": \"%I\",\
 \"_Bytes_send\": \"%O\",\
 \"_ratio\": \"(%{ratio}n%%)\",\
 \"_Request_time\": \"%D\",\
 \"_ModSecTimeIn\": \"%{ModSecTimeIn}e\",\
 \"_ApplicationTime\": \"%{ApplicationTime}e\",\
 \"_ModSecTimeOut\": \"%{ModSecTimeOut}e\",\
 \"_ModSecAnomalyScoreIn\": \"%{ModSecAnomalyScoreIn}e\",\
 \"_ModSecAnomalyScoreOut\": \"%{ModSecAnomalyScoreOut}e\",\
 \"short_message\": \"%r\" }" extended_gelf

Shipping per Apache:

CustomLog  "|/bin/nc -u XXX.XXXX.de 9333"  extended_gelf

If there was a problem with the escaping, there would be other error messages, too.

jochen · September 18, 2017, 3:44pm

You’re using UDP which, depending on the underlying network, might have a restriction in packet size.
Try using TCP.

FWIW, Graylog itself doesn’t have a size restriction for GELF messages and Elasticsearch happily ingests message fields up to 32 KB each.

The problem with unescaped variable values remains.

system · October 2, 2017, 3:44pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ERROR: org.graylog2.inputs.codecs.GelfCodec - Could not parse JSON, first 400 characters: {"host":"app","version":"1.1","short_message Graylog Central (peer support)	2	613	March 16, 2023
GELF message ERROR in server.log Graylog Tech Challenges	6	2458	July 27, 2021
GELF input truncate message to 1064 bytes Graylog Central (peer support) gelf	6	558	September 27, 2023
java.lang.IllegalStateException: GELF message is too short Graylog Central (peer support)	42	3632	January 12, 2019
GELF HTTP input issue after upgrading to 3.0 Graylog Central (peer support)	6	3745	March 27, 2019

Unexpected end-of-input - size limit?

Related topics