axiomhq / axiom-syslog-proxy

A syslog push interface to Axiom.
https://axiom.co
MIT License

JSON type null is unsupported #22

Closed artis3n closed 1 year ago

artis3n commented 1 year ago

I am using Axiom Cloud, and I am attempting to stream logs from HashiCorp Vault with this syslog proxy and a socket audit log on Vault's end. I've configured the Vault resource with the following Terraform:

resource "vault_audit" "axiom" {
  options = {
    format      = "json"
    address     = "127.0.0.1:601"
    socket_type = "tcp"
  }
  type        = "socket"
  path        = "axiom"
  description = "Ingestion to Axiom"
  local       = false
}

When I perform actions in Vault, I get the following errors from this service:

[03:23:57.18] warn  axiom-syslog-proxy@api.parser parse.go:237 JSON type null is unsupported
[03:23:57.18] warn  axiom-syslog-proxy@api.parser parse.go:237 JSON type null is unsupported
[03:23:57.18] warn  axiom-syslog-proxy@api.parser parse.go:237 JSON type null is unsupported
[03:23:57.18] warn  axiom-syslog-proxy@api.parser parse.go:237 JSON type null is unsupported
[03:23:57.18] warn  axiom-syslog-proxy@api.parser parse.go:237 JSON type null is unsupported
[03:23:57.18] warn  axiom-syslog-proxy@api.parser parse.go:237 JSON type null is unsupported
[03:23:57.18] warn  axiom-syslog-proxy@api.parser parse.go:237 JSON type null is unsupported
[03:23:57.18] warn  axiom-syslog-proxy@api.parser parse.go:237 JSON type null is unsupported
[03:23:57.18] warn  axiom-syslog-proxy@api.parser parse.go:237 JSON type null is unsupported
[03:23:57.18] warn  axiom-syslog-proxy@api.parser parse.go:237 JSON type null is unsupported
[03:23:57.18] warn  axiom-syslog-proxy@api.parser parse.go:237 JSON type null is unsupported
[03:23:57.18] warn  axiom-syslog-proxy@api.parser parse.go:237 JSON type null is unsupported
[03:23:57.19] warn  axiom-syslog-proxy@api.parser parse.go:237 JSON type null is unsupported

Nothing appears on Axiom's end; however, when I enable a prefix such as vault, I continue getting the JSON error but I see the entries appear in Axiom (malformed due to the prefix).

How can I best troubleshoot why this service is unable to parse the JSON that Vault is sending? Why do the logs successfully send when a prefix string is prepended to the JSON blob, breaking the ability to index on fields?

lukasmalkmus commented 1 year ago

This is indeed interesting. Clearly, the warning indicates that the null type is not supported when parsing JSON. So I presume Vault sends some JSON in the message property that contains some named null object, e.g. "auth": null. This omits sending the event.

I guess, when a prefix is present, the message is never parsed because it is not valid JSON; instead, it is transmitted as a string value for the message property.

I'll have to sync with the appropriate teams and take a closer look at the code. In the meantime, could a quick fix be utilising our Endpoints product? https://www.axiom.co/docs/endpoints/introduction#endpoints.
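
The behaviour guessed at in the comment above, modelled as an added example; it is not part of the thread and not the proxy's own parse.go. The names `flatten`, `parseMessage`, the `strict` switch and the sample record are all hypothetical: strict mode drops the whole audit record on a null, a prefixed message falls through as one unindexed string, and tolerant mode keeps the null as a field.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// flatten copies a decoded JSON object into dotted-key fields (hypothetical helper).
func flatten(prefix string, in, out map[string]any, strict bool) error {
	for k, v := range in {
		key := prefix + k
		switch t := v.(type) {
		case nil:
			if strict { // mirrors the warning: one null rejects the whole event
				return fmt.Errorf("%s: JSON type null is unsupported", key)
			}
			out[key] = nil // tolerant: keep the key so the record still ships
		case map[string]any:
			if err := flatten(key+".", t, out, strict); err != nil {
				return err
			}
		default:
			out[key] = t
		}
	}
	return nil
}

// parseMessage returns the fields to ingest, or nil when the event is dropped.
func parseMessage(msg string, strict bool) map[string]any {
	var obj map[string]any
	if err := json.Unmarshal([]byte(msg), &obj); err != nil {
		return map[string]any{"message": msg} // not JSON (e.g. prefixed): raw string
	}
	out := map[string]any{}
	if err := flatten("", obj, out, strict); err != nil {
		return nil // audit record lost
	}
	return out
}

// Constructed sample shaped like a Vault audit entry with a null field.
const sample = `{"type":"request","auth":null,"request":{"path":"sys/mounts","operation":"read"}}`

func main() {
	fmt.Println(parseMessage(sample, true))          // dropped
	fmt.Println(parseMessage("vault "+sample, true)) // single "message" string
	fmt.Println(parseMessage(sample, false))         // indexed fields, auth kept as nil
}
```

For an audit pipeline the strict path is the one to watch for: the sender sees a successful write while the record never reaches the store.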

lukasmalkmus commented 1 year ago

I have taken a look at the documentation link you posted. It looks like the format is not actually syslog, but rather json or "jsonx", as they call it. So technically you should be able to point Vault directly at Axiom's ingest endpoint.

artis3n commented 1 year ago

I realized my mistake there afterward :D Posted to the Discord group as well, ended up getting this working pretty easily with vector.dev and its Axiom sink. https://discord.com/channels/1065957163161370664/1073388883997364334/1073388883997364334

Notably, not mentioned in this original issue, I was getting authentication errors using an API token with this proxy, whereas a personal token worked fine. The same API token that was failing works fine through vector - so I feel like there's some underlying auth issue in this module. https://discord.com/channels/1065957163161370664/1073077109536333874/1074037512474984570

lukasmalkmus commented 1 year ago

Interesting, thanks for the follow-up!