GELF message with missing fields is dropped #3970

jalogisch · 2017-07-03T15:22:47Z

Expected Behavior

If a message send via GELF (TCP) is missing some specifications or a field that should not only be visible when switching the log to debug.

https://github.com/Graylog2/graylog2-server/blob/2.2.3/graylog2-server/src/main/java/org/graylog2/shared/buffers/processors/DecodingProcessor.java#L179-L186

Current Behavior

GELF Message missing a field - short_message for example the message silently disappear.

Possible Solution

Change the logging level in case the decoding does not work.

Steps to Reproduce (for bugs)

Create GELF TCP Input
send a message with whitespaced short message

echo -e '{"version": "1.1","host":"example.org","short_message":" ","full_message":"Backtrace here\n\nmore stuff","level":1,"_user_id":9001,"_some_info":"foo","_some_env_var":"bar"}\0' | nc -w 1 GRAYLOG_SERVER 12201

To verify send a working message

echo -e '{"version": "1.1","host":"example.org","short_message":"Short","full_message":"Backtrace here\n\nmore stuff","level":1,"_user_id":9001,"_some_info":"foo","_some_env_var":"bar"}\0' | nc -w 1 GRAYLOG_SERVER 12201

Change log level to debug to see that the message with empty short_message is discarded

Your Environment

Graylog Version: 2.2.3

The text was updated successfully, but these errors were encountered:

Instead of waiting for a later stage and "silently" dropping (logged on DEBUG) invalid messages, `GelfCodec` now actively checks for the existence and validity of mandatory GELF message fields (such as "version", "host", "short_message", and "timestamp", according to the GELF spec). Refs http://docs.graylog.org/en/2.2/pages/gelf.html Fixes #3970

* Fail fast and loud for invalid GELF messages Instead of waiting for a later stage and "silently" dropping (logged on DEBUG) invalid messages, `GelfCodec` now actively checks for the existence and validity of mandatory GELF message fields (such as "version", "host", "short_message", and "timestamp", according to the GELF spec). Refs http://docs.graylog.org/en/2.2/pages/gelf.html Fixes #3970 * Don't check "version" field for backward-compatibility There are still many GELF client libraries out there using either "1.0" or no value at all for the GELF "version" field. * Make GELF validation more lenient * Add test for minimal GELF messages * Fix logic for validating "host" message field

joschi self-assigned this Jul 3, 2017

joschi added the improvement label Jul 3, 2017

joschi added this to the 2.3.0 milestone Jul 3, 2017

joschi mentioned this issue Jul 3, 2017

Fail fast and loud for invalid GELF messages #3972

Merged

ghost added the in progress label Jul 3, 2017

joschi removed their assignment Jul 3, 2017

joschi removed the in progress label Jul 3, 2017

joschi self-assigned this Jul 5, 2017

joschi added the in progress label Jul 5, 2017

bernd closed this in #3972 Jul 5, 2017

ghost removed the in progress label Jul 5, 2017

Graylog2 / graylog2-server

GELF message with missing fields is dropped #3970

GELF message with missing fields is dropped #3970

jalogisch commented Jul 3, 2017 •

edited by joschi

Graylog2 / graylog2-server

GELF message with missing fields is dropped #3970

GELF message with missing fields is dropped #3970

Comments

jalogisch commented Jul 3, 2017 • edited by joschi

Expected Behavior

Current Behavior

Possible Solution

Steps to Reproduce (for bugs)

Your Environment

jalogisch commented Jul 3, 2017 •

edited by joschi