graylog 2.1.2 with bro_ids plugin

[harveys3191]

Good Morning

we have graylog 2.1.2 with bro-ids plugin. when checking the server.log we have the below error

2017-01-30T05:54:54.351-05:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=428c9fbe-e6da-11e6-bf01-525400a97222, journalOffset=97573389, codec=gelf, payloadSize=244, timestamp=2017-01-30T10:52:57.515Z}
com.fasterxml.jackson.core.JsonParseException: Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: <13>Jan 30 06:14:58 vwdcprdlbids01 bro_dns: 1485774896.470227      CBJo0F4vMuYSBlzzXl      192.168.9.71    33919   68.94.156.1     53      udp     32863   0.023036        s.w-x.co        1       C_INTERNET      1       A       0       NOERROR F       F       T       T       0       prod.weather.map.fastly.net,151.101.45.63       55.000000,27.000000     F
; line: 1, column: 2]
        at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1586) ~[graylog.jar:?]
        at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:521) ~[graylog.jar:?]
        at com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:450) ~[graylog.jar:?]
        at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._handleOddValue(ReaderBasedJsonParser.java:1823) ~[graylog.jar:?]
        at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:708) ~[graylog.jar:?]
        at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3847) ~[graylog.jar:?]
        at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3792) ~[graylog.jar:?]
        at com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:2332) ~[graylog.jar:?]
        at org.graylog2.inputs.codecs.GelfCodec.decode(GelfCodec.java:120) ~[graylog.jar:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:146) ~[graylog.jar:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:58) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35) [graylog.jar:?]
        at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]

we see the messages from coming in from our bro box but no messages show when we click on "show messages"

Any help will be much appreciated

• Graylog Version: 2.1.2
• Elasticsearch Version: 2.4.4
• MongoDB Version: 3.2
• Operating System: centos 7
• Browser version: chrome, ie, firefox

[joschi]

@harveys3191 It looks like you're trying to send syslog to a GELF input. Please create a Syslog UDP or TCP input and try again.

Also take a look at the BRO content pack on the Graylog Marketplace: https://marketplace.graylog.org/addons/5e6cf3c6-7bdc-4a2c-bdca-441407e4a016

We are using GitHub issues for tracking bugs in Graylog itself, but this doesn't look like one. Please post this issue to our public mailing list or join the #graylog channel on freenode IRC.

Thank you!

[harveys3191]

thank you for your response, Receiving invalid json file error message when uploading the content pack

Could not import content pack Error importing content pack, please ensure it is a valid JSON file. Check your Graylog logs for more information.

[root@zt01cn7-dist1 mibs]# find / -iname 'TUNNEL-MIB.txt' /usr/share/snmp/mibs/TUNNEL-MIB.txt [root@zt01cn7-dist1 mibs]#

2017-01-30T18:23:16.269-05:00 WARN [SnmpMibsLoader] Error parsing MIB file: /usr/share/snmp/mibs/TUNNEL-MIB.txt

• undefined symbol 'TimeTicks'
• undefined symbol 'TimeTicks'
• undefined symbol 'TimeTicks'
• undefined symbol 'TimeTicks'
• undefined symbol 'TimeTicks'
• undefined symbol 'TimeTicks'
• undefined symbol 'TimeTicks'
• undefined symbol 'TimeTicks'
• undefined symbol 'TimeTicks'

[joschi]

@harveys3191 Please use the mailing list or the IRC channel.