Open rogermartensson opened 6 years ago
If the information can be found in the received message about who actually is sending this unknown beat protocol it would be nice to have it displayed.
Unfortunately TCP/IP doesn't include any information about the origin host and doesn't support adding this information to TCP packets.
What we could do, though, is logging a hexdump of the received Beats packet (at least the first few bytes) on DEBUG level, so that interested parties can investigate further.
If the data could be parsed (you do get the beat procol version) then maybe there is some destination in the parseable data that contains the source of the message. But if that isn't possible then if the hexdump(ascii-dump?) contains any information that could help finding the source of the message then it would be nice to have in the logs. If not then there is no reason for a hex-dump.
But then.. This is only when hiding behind a load balancer but I guess I'm not the only one having such a configuration.
It also would be nice to replace the stack trace with a simple yet informative log entry.
If the data could be parsed (you do get the beat procol version) then maybe there is some destination in the parseable data that contains the source of the message.
The problem is that there are currently only 2 versions of the Beats (formerly Lumberjack) protocol, which means that protocol version "3" is invalid in the first place.
Expected Behavior
I have some beats with "Unknown" protocol version that Graylog 2.4.3 does not understand. I need some more information of the beat sending agent displayed and reduced output in the logs. All this if possible.
Current Behavior
Current behaviour is like this: 2018-04-26T11:14:42.793+02:00 ERROR [NettyTransport] Error in Input [Beats/5ad61f82a3f2bb438c2d992a] (channel [id: 0x6a2af37f, /remote:port :> /graylognode:port]) java.lang.Exception: Unknown beats protocol version: 3