graylog2 output get messy after a few seconds #4792
Comments
|
Hi,
Can you send me the samples? Eg. The good formatting and the way it changes.
Thanks
…On Thu, Jan 18, 2024, 13:00 Francesco Pasqualini ***@***.***> wrote:
syslog-ng Version of syslog-ng
syslog-ng 4 (4.4.0)
Platform
Linux Ubuntu 22.04.3 LTS x86_64
Debug bundle
I configured a graylog2 destination (graylog on the same host)
destination d_graylog {
graylog2(
host("127.0.0.1")
transport("udp")
);
};
Everything works for a few seconds (10 /20 seconds) then syslogng start
sending data in wrong format: graylog2 starts complaining of the wrong
format and I have verified with tcpdump that after a few seconds the format
change.
If I restart syslogng the output format come back correct but after a few
seconds become wrong again. The format is correct only for a few second
after a syslogng start/restart.
Thanks.
—
Reply to this email directly, view it on GitHub
<#4792>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAFOK5TAQWXGVA4TM4B7GNTYPEFFBAVCNFSM6AAAAABCAEXPYSVHI2DSMVQWIX3LMV43ASLTON2WKOZSGA4DQMJUGAYDQNY>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
Thanks for the support. After a restart I execute this command
and I see: $some_binary_chars{$json_like_properties ... "short_message": "...."} $some_binary_chars{$json_like_properties ... "short_message": "...."} $some_binary_chars{$json_like_properties ... "short_message": "...."} where: $some_binary_chars is a placeholder for some binary chars after a while the format change: It seems it starts sending only the content of the "json" field "short_message". (SyslogNg receives a CEF stream and sends it to Graylog) ...I hope this is enough in order to investigate the problem thanks |
|
From the error logs, I get the feeling that the JSON data is truncated. GELF over UDP supports only 64K sized messages: https://go2docs.graylog.org/5-0/getting_in_log_data/gelf.html#GELFviaUDP
Is it possible to use TCP in your scenario? I think it would fix the problem. If not, we would need to have the GELF UDP chunking implemented in |
|
Thank you, unfortunately I'm using UDP because in TCP there are other problems (maybe in the Graylog side or in the source) that cause many CEF messages to be received as one message. What I don't understand is why in UDP everything works fine but only for a few seconds. How can this work if, as you say, Thank you
|
Maybe log messages are starting small (below 64K), and getting larger after a couple of seconds, but that is just a guess. You can check what exactly gets sent to graylog by switching to a Each line is what goes into one UDP packet. If my theory is right, after a couple of seconds you should see some really long lines after a couple of seconds, and those messages cause the issue when sending to graylog.
A simple GELF over UDP below 64K message size does not need UDP Chunking. If we implemented UDP Chunking, we would solve this 64K issue. |
I tried and this is the result. After a while the format change. |
|
Hmmm, maybe the problem is on the receiving side, then? 64k is a huge message size, so maybe the CEF side is at fault here. For instance the end of message there may not be recognized and a whole bunch of cef messages end up in a single, huge message. Can you post your source driver declaration and maybe a capture of the input? |
|
The messages are very shorts something like 1000 characters, the problem is that after a while they get grouped together How can I capture the input ? |
|
The source is very simple:
|
|
That seems to indicate that it is indeed the source that is at fault. There are two ways to capture this
If the input does not terminate log lines or if syslog-ng is configured differently than the sender, something like this may happen. Effectively concatenating the input into one huge message. The sample is needed to make sure there's some form of record separation on the input and that syslog-ng is using the same expectation. |
I capured the input using syslog-ng in foreground. I see the same behaviour: some Incoming log entry contains many CEF entry so the line is very long. Normal lines, at the beginning of the file (fresh start), contain only one CEF entry, Is this normal ? |
|
Here is the line size of "Incoming log entry" lines 1109 at some point after starting syslog_ng line sizes become huge and stay huge |
|
No. and that's a clear indication of the problem. syslog-ng's default log-msg-size() parameter is 64k and I guess the incoming messages are all coalesced into a huge message and we are splitting them up at 64k So my assumption: he issue is that your source device is not sending a newline character between messages But I can only confirm if you send me at least one of your "Incoming message" lines. Or look into a separator character between the records and see for yourself. syslog-ng's tcp or network driver would expect a newline (or NUL) character there. If there's nothing then the peer needs to be configured properly. But again, I can only help here if you share the message, possibly in private. |
Thank you for the support. I found a work around. If I send the CEF stream to syslog_ng in UDP (instead of TCP) the problem vanish. I'm not shure but I think I can opt for CEF UDP and keeep this workaround Unfortunately I cannot send the log (tcpdump output) outside this network, I could obfuscate the logs, but I don'have a script at hand in order to manage this. |
|
Now in UDP I have another problem. Syslog_ng modify the message and send as: instead of "short_message":"CEF:0| .................. It seems that if syslog_ng receive CEF messages in TCP sends as "short_message":"CEF:0| .................. if it receice CEF messages in UDP sends as "short_message":"0| .................. "_program":"CEF","_facility":"local7"} |
|
You might want to specify flags(no-parse) as you are clearly not receiving
syslog.
What's the sending application? It might be easier to help you that way
…On Thu, Jan 25, 2024, 14:48 Francesco Pasqualini ***@***.***> wrote:
Now in UDP I have another problem.
Syslog_ng modify the message and send as:
"short_message":"0| ..................
"_program":"CEF","_facility":"local7"}
instead of
"short_message":"CEF:0| ..................
—
Reply to this email directly, view it on GitHub
<#4792 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAFOK5RD4TAN5WEKLJF7NXDYQJPCVAVCNFSM6AAAAABCAEXPYSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMJQGI2TKMZYHE>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Thank you, What is the reason why if the source comes in UDP, Syslog-ng parses the messages and if the source is in TCP it doesn't? |
|
In UDP, every datagram is a separate message In TCP, log messages follow each other within the tcp stream. The separation between messages is the NL character, just as with simple text files. Since you didn't share the input I don't know if fortigate indeeds inserts a newline character after every message or not. |
|
I switched to UDP with
As a workaround I switched to UDP with flags(no-parse) . I suppose the problem was in Fortigate side as the following message. https://community.graylog.org/t/fortinet-fortigate-tcp-raw-input-and-delimiter/17184 I suspected it was a syslog-ng problem because after a syslog-ng restart the messages are splitted correctly for the first 20 seconds approx. Thanks for the support |
|
What is the "mode" setting on the fortigate side? https://docs.fortinet.com/document/fortigate/7.0.13/cli-reference/393620/config-log-syslogd-setting I guess now you are using udp. But when you were using tcp, what was the setting? "reliable" ? According to this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-syslog-via-TCP-and-log-parsing/ta-p/198397 fortigate will send octet counted messages over simple TCP. That can be received by syslog-ng, using the syslog() driver. I was using this config to parse that format: |
|
this should resolve the input side issues and let you properly process logs from fortigate, at least with its "mode" setting set to "reliable" |
syslog-ng
Version of syslog-ng
syslog-ng 4 (4.4.0)
Platform
Linux Ubuntu 22.04.3 LTS x86_64
Issue
I configured a graylog2 destination (graylog is on the same host) as follow
Everything works fine for a few seconds (10 / 20 seconds) then syslogng starts sending data in wrong format: graylog2 starts complaining of the wrong format and I verified with tcpdump that after a few seconds the format change.
If I restart syslogng the output format come back correct, but after a few seconds it becomes wrong again. The format is correct only for a few seconds after a syslogng start/restart.
Thanks.
Graylog errors follow:
The text was updated successfully, but these errors were encountered: