
I'm using the OutputType GELF_TCP. My questions are:

1) Why does nxlog send the short_message field and not the message field?
2) Why is nxlog truncating the log content to 65 char?

I can fix it by using the following Exec directive, but why this in the first place?

Exec $ShortMessage = $raw_event;

Output Config
##########

<Output default_out>
    Module      om_tcp
    Host        10.30.0.85
    Port        12203
    OutputType  GELF_TCP
</Output>

Now, with this config, the event record I receive on the receiving end at 10.30.0.85 is the following:

{
    "version": "1.1",
    "_EventReceivedTime": "2018-08-03 16:08:08",
    "_SourceModuleName": "dnsDebug_in",
    "_SourceModuleType": "im_file",
    "host": "srvr2012",
    "short_message": "3/08/2018 4:07:12 PM 04C4 PACKET 00000039F019C100 UDP Rcv 10.30",
    "timestamp": 1533276488,
    "level": 6
}

Asked August 3, 2018 - 9:01am

Answer (1)

1) Why does nxlog send the short_message field and not the message field?

The GELF spec says that short_message MUST be set.

2) Why is nxlog truncating the log content to 65 char?

Because it must be short. :)

If the question is about not getting the whole event in your Graylog then I guess you might want to use either of the following:

Exec $FullMessage = $raw_event;

or

Exec $Message = $raw_event;

Comments (1)

  • nxlog_user4983

    The question isn't about the workaround. I already mentioned I know the Exec directive.

    > The GELF spec says that short_message MUST be set

    The GELF spec also says to include full_message. Why is that missing from the event packet?

    > Because it must be short. :)

    Where is the official reference to 65 char?
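
A receiving-side check for the situation discussed in this thread, as an added example that is not part of the original posts or of nxlog: it splits a GELF TCP stream on its null-byte frame delimiter and flags records that arrive with short_message but no full_message, so shortened events are noticed before the logs are needed. The function names and the second sample record are constructed for illustration; the first sample record is the one posted in the question.

```python
import json

# Fields the GELF 1.1 spec requires in every message.
REQUIRED = ("version", "host", "short_message")

def split_frames(stream: bytes) -> list:
    """GELF over TCP separates messages with a null byte."""
    return [f for f in stream.split(b"\x00") if f.strip()]

def audit_frame(frame: bytes) -> list:
    """Return findings for one GELF frame; an empty list means nothing to report."""
    try:
        msg = json.loads(frame.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return [f"unparseable frame: {exc}"]
    if not isinstance(msg, dict):
        return ["frame is not a JSON object"]
    findings = [f"missing required field {k}" for k in REQUIRED if not msg.get(k)]
    if "full_message" not in msg:
        # short_message alone means only the shortened text was forwarded.
        findings.append("no full_message: only the shortened text was forwarded")
    return findings

# Record from the question (sent without $FullMessage being set).
POSTED = {
    "version": "1.1",
    "_SourceModuleName": "dnsDebug_in",
    "host": "srvr2012",
    "short_message": "3/08/2018 4:07:12 PM 04C4 PACKET 00000039F019C100 UDP Rcv 10.30",
    "timestamp": 1533276488,
    "level": 6,
}
# Constructed record: what a sender that also sets full_message would emit.
CONSTRUCTED = dict(POSTED, full_message="constructed sample: complete raw event text")

SAMPLE_STREAM = b"\x00".join(
    json.dumps(m).encode("utf-8") for m in (POSTED, CONSTRUCTED)
) + b"\x00"

if __name__ == "__main__":
    for i, frame in enumerate(split_frames(SAMPLE_STREAM)):
        print(i, audit_frame(frame) or "ok")
```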