Hi,

New to this community. I use nxlog community edition. My colleague sends from the source side (nxlog) hundreds of msgs in UDP GELF format to graylog syslog utility. Half of them are accepted, the other half get rejected with error "short_message" field is empty.

I tried tcpdump, but nothing visible can be seen. Is there a way that nxlog can be reconfigured, so that it will send msgs in more readable format, so I can decide if it is OK that those msgs are rejected? It can even be sent to TCP.

Most important config details in nxlog:

Module xm_gelf ShortMessageLength -1

Module im_file File "C:\DNSLog\DNSDebug.txt" SavePos TRUE InputType LineBased

Module om_udp Host x.x.x.x Port yyyy OutputType GELF

Path dns => out

Module im_msvistalog

        Exec if not ($Severity == 'ERROR' or $Severity == 'CRITICAL' or $EventID IN (624, 630, 631, 634, 635, 638, 658, 662, 4624, 4625, 4720, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4740, 4741, 4742, 4743, 4754, 4755, 4756, 4757, 4758, 4764, 4767)) drop(); 
        Exec if ($EventID == 4769) drop();

Module om_udp Host x.x.x.x Port yyyz OutputType GELF

Path in => out2

Thanks in advance.

Asked December 18, 2017 - 4:08pm

Answer (1)

  • GELF_UDP is compressed with zlib. GELF_TCP is uncompressed. This makes it easier to check the payload with tcpdump/wireshark.
  • You could try setting $ShortMessage manually.
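
To illustrate the compression point in the answer above: this is an added example, not part of the original answer and not nxlog or Graylog code. It decodes GELF UDP payloads (zlib, gzip or plain, including chunked datagrams) and flags messages whose short_message is empty. It assumes the UDP payload bytes have already been extracted from a capture; the function names and sample datagrams are constructed, and the emptiness rule is an assumption about what the receiver rejects.

```python
import gzip
import json
import zlib

CHUNK_MAGIC = b"\x1e\x0f"  # chunk header: magic(2) + message id(8) + seq(1) + total(1)

def decompress(payload):
    """Undo GELF UDP compression, detected from the leading magic bytes."""
    if payload[:2] == b"\x1f\x8b":
        return gzip.decompress(payload)
    if payload[:1] == b"\x78":
        return zlib.decompress(payload)
    return payload  # already plain JSON

def decode_datagrams(datagrams):
    """Reassemble chunked datagrams; return one dict per complete GELF message."""
    pending, messages = {}, []
    for data in datagrams:
        if data[:2] == CHUNK_MAGIC:
            msg_id, seq, total = data[2:10], data[10], data[11]
            parts = pending.setdefault(msg_id, {})
            parts[seq] = data[12:]
            if len(parts) < total:
                continue  # wait for the remaining chunks
            data = b"".join(parts[i] for i in range(total))
            del pending[msg_id]
        messages.append(json.loads(decompress(data)))
    return messages

def short_message_is_empty(msg):
    """Assumption: missing, non-string or whitespace-only counts as empty."""
    value = msg.get("short_message")
    return not isinstance(value, str) or not value.strip()

def sample_datagrams():
    """Constructed sample traffic (not captured from any real host)."""
    pack = lambda d: zlib.compress(json.dumps(d).encode())
    ok = pack({"host": "dns01", "short_message": "query A example.test"})
    empty = pack({"host": "dns01", "short_message": ""})
    big = pack({"host": "dc01", "short_message": "logon", "_EventID": 4624})
    half, mid = len(big) // 2, b"ABCDEFGH"  # constructed 8-byte message id
    parts = (big[:half], big[half:])
    chunks = [CHUNK_MAGIC + mid + bytes([i, 2]) + p for i, p in enumerate(parts)]
    return [ok, chunks[1], empty, chunks[0]]  # chunks arrive out of order

if __name__ == "__main__":
    for m in decode_datagrams(sample_datagrams()):
        status = "EMPTY short_message" if short_message_is_empty(m) else "ok"
        print(status, json.dumps(m))
```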