Cannot see log file messages in Graylog using logstash-output-gelf

logstash-plugins / logstash-output-gelf

Apache License 2.0

15 stars 18 forks source link

Cannot see log file messages in Graylog using logstash-output-gelf #14

Open mshar039 opened 8 years ago

mshar039 commented 8 years ago

Hi all, I am facing an issue with GELF output plugin in Logstash. Recently started using Logstash. Wanted to visualize logs in Graylog2 using Logstash. So, gave a basic trail with this.

My config is:

input {
  file {
  path => "/root/Desktop/Graylog/test.log"
  start_position => "beginning"
  type => "logs"
  sincedb_path => "/dev/null"
 }
}
filter {
  if [type] == "logs" {
    mutate {
    add_field => {"message" => "%{Message}"}
  }
}
}
output {
   gelf {
      host => ["127.0.0.1"]
   }
}

I created a GELF UDP input in the Graylog and tried to see all the logs in it, I m not able to see any logs in Graylog. On clicking 'Show Received Messages', it shows 'Nothing found'.

Please help me.

pachecolp commented 7 years ago

I have the same problem. Did you manage to solve yours? I'm using the Graylog Vagrantfile to start a Graylog instance.

pachecolp commented 7 years ago

I think I solved my problem. Graylog starts an appliance-gelf-udp on port 12201 by default. My custom UDP input wasn't starting because of that. I changed my port to 12202 and created another UDP mapping in the Vagrantfile. That seems to have solved it. Now, I can't get any data in the GELF message.

wattazoum commented 7 years ago

I have the same issue, The workarround that I am using now is the following:

...
 output {
     udp {
         host => "127.0.0.1"
         port => 12201
     }
 }

With this I can see my logs in graylog2

trousse commented 7 years ago

https://dzone.com/articles/combining-logstash-and-graylog-for-log-management

perhaps because of that logstach and graylog dont finish data with the same character

eyudkin commented 5 years ago

Had the same issue. As for me, graylog silently declined messages which does not contain "short_message" property.

Following filter worked for me:

filter {
  if ![message] or [message] == "" {
    mutate {
      add_field => { "message" => "Hello, world!" }
    }
  }
  if ![short_message] or [short_message] == "" {
    mutate {
      add_field => { "short_message" => "%{message}"}
    }
  }
}

Weird thing is that

output {
     gelf {
         host => "127.0.0.1"
         port => 12201
         short_message => "Hello, short world!"
     }
 }

doesnt work as expected

Samirarahiqi commented 2 years ago

Hello, I have the same issue. I have 3 servers : first: Nginx server Second: Logstash Third: Graylog

I had installed filebeat on nginx server and the logstash gets the log in input. I defined input in logstash as below: input { beats { port => 5055 } } And the output of pipeline on logstash is as below: output { gelf { host => "graylog-ip" port => 1515 protocol => "UDP" } } Actually, I created an input in Graylog's panel (GELF UDP), and the stream is already attached to an index. also, there is a stream rule that set to use this input. But I don't see the logs on Graylog. What should I do?