Updated to v3.2: issue with json extractor

Hello,

Upgraded my test environment from 3.1.X to 3.2.X and zero logs showed in the “Search” page…

I have been using rsyslog as my log collector since 2.X with no issues…

  • I can confirm that rsyslog is receiving logs from devices
  • I can confirm that rsyslog sends the logs to the graylog inputs (using Syslog UDP) ( without any extractors )

  • The moment I add a json extractor, logs stop showing in the search page. ( i dont see Doc count increase either in elasticsearch )

Typical log format:

{"timestamp":"2020-02-03T20:11:45+00:00","source":"H-TXA-1LAB-SW-1","ip_address":"2607:2400:9:2091:21c:2eff:fe57:cd00","application_name":"00422","message":" chassis:  Slot D Ready","level":"6","facility":"local3"}

Interestingly I see graylog-server logs:

2020-02-03T20:15:18.379Z WARN  [ProcessBufferProcessor] Unable to process message <e5a6fca1-46c1-11ea-beba-78e3b509de78>: java.lang.ClassCastException: Cannot cast java.lang.String to org.joda.time.DateTime
2020-02-03T20:15:18.601Z WARN  [ProcessBufferProcessor] Unable to process message <e5c8b570-46c1-11ea-beba-78e3b509de78>: java.lang.ClassCastException: Cannot cast java.lang.String to org.joda.time.DateTime
2020-02-03T20:15:29.302Z WARN  [ProcessBufferProcessor] Unable to process message <ec296630-46c1-11ea-beba-78e3b509de78>: java.lang.ClassCastException: Cannot cast java.lang.String to org.joda.time.DateTime

I also tried using a “Raw/Plaintext UDP” input and without Extractors the log comes up, but when I add an extractor it no longer works.

Any input is much appreciated!!

CentOS Linux release 7.7.1908 (Core) 3.10.0-1062.9.1.el7.x86_64
graylog-server-3.2.0-6.noarch
openjdk version "1.8.0_242"
elasticsearch-6.8.6-1.noarch
rsyslog-8.24.0-41.el7_7.2.x86_64
mongodb-org-server-4.0.16-1.el7.x86_64
mongodb-org-shell-4.0.16-1.el7.x86_64
mongodb-org-4.0.16-1.el7.x86_64
mongodb-org-mongos-4.0.16-1.el7.x86_64

Thanks,
Dave

1 Like

Hi @davama,

sorry for the inconvenience. A bug has made it to the release and an issue was created for that: https://github.com/Graylog2/graylog2-server/issues/7364

The issue includes a possible workaround.

A bug fix release should be coming soon.

Thanks for your input!

Best regards,
Konrad

This is now fixed with the new 3.2.1 release

Thanks!

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.