Hi Jochen,

A previous correspondence said:

    Subject: GELF Output option issue for message stream - We will fix that one in the Graylog2 0.92.x version line. Another bugfix release for Graylog2 0.90.x and 0.91.x is currently not planned.

So all my GELF forwarding testing is from Graylog2 0.92.0. The Graylog2 receiver just happened to be a 0.91.3 (all non-production servers).

So digging deeper, just wondering why I only see it in Elasticsearch and not in the Graylog UI (0.91.3); maybe because of the *'timestamp'* at the receiving GL2, it's 'morphed'.

See below, the sending message (as shown from Elasticsearch) to the receiving Elasticsearch. Also the 'full_message' on output is only the 'message', so detail is removed. Perhaps it's the precision timestamp causing the issue.

These are just Rsyslog messages, using the Graylog2 template (GRAYLOGRFC5424). Hostnames have been removed from examples - HOST.

*Sending Node: GL2 0.92.0 / ES 1.4.1 [GELF TCP/12201]*

    $ curl -XGET 'http://localhost:9200/graylog2_deflector/_search?q=_id:460d9ef0-7b52-11e4-baaa-005056a6608f&pretty'
    {
      "took" : 14,
      "timed_out" : false,
      "_shards" : {
        "total" : 1,
        "successful" : 1,
        "failed" : 0
      },
      "hits" : {
        "total" : 1,
        "max_score" : 1.0,
        "hits" : [ {
          "_index" : "graylog2_0",
          "_type" : "message",
          "_id" : "460d9ef0-7b52-11e4-baaa-005056a6608f",
          "_score" : 1.0,
          "_source":{"application_name":"CROND","gl2_source_node":"7116a2ca-a48c-4319-91d9-d15d8e7e4ba4","full_message":"<78>0 2014-12-04T12:10:02.078627+11:00 HOST CROND 6078 (root) CMD (/usr/lib64/sa/sa1 1 1)",*"timestamp":"2014-12-04 01:10:02.078"*,"message":" (root) CMD (/usr/lib64/sa/sa1 1 1)\n","level":6,"process_id":"6078","_id":"460d9ef0-7b52-11e4-baaa-005056a6608f","facility":"clock","source":"HOST","gl2_source_input":"54742bf0e4b0a45edc5d890c","streams":["544db9f4e4b0ea0d9b00cb1c"]}
        } ]
      }
    }

*Receiving Node: GL2 0.91.1 / ES 1.3.4 [GELF TCP/12201]*

I added a static field on Input "gelf_out_test":"gl2"

    $ curl -XGET 'http://localhost:9200/graylog2_deflector/_search?q=id:460d9ef0-7b52-11e4-baaa-005056a6608f&pretty'
    {
      "took" : 1,
      "timed_out" : false,
      "_shards" : {
        "total" : 1,
        "successful" : 1,
        "failed" : 0
      },
      "hits" : {
        "total" : 1,
        "max_score" : 12.366719,
        "hits" : [ {
          "_index" : "graylog2_5",
          "_type" : "message",
          "_id" : "4612a800-7b52-11e4-9f04-005056a61b64",
          "_score" : 12.366719,
          "_source":{"gelf_out_test":"gl2","application_name":"CROND","gl2_source_node":"36a66731-b525-4973-a713-d6749c07ad13","full_message":"(root) CMD (/usr/lib64/sa/sa1 1 1)","version":"1.1","id":"460d9ef0-7b52-11e4-baaa-005056a6608f",*"timestamp":"46893-09-16 15:14:38.000"*,"message":" (root) CMD (/usr/lib64/sa/sa1 1 1)\n","process_id":"6078","level":6,"facility":"clock","_id":"4612a800-7b52-11e4-9f04-005056a61b64","source":"HOST","gl2_source_input":"547fa41fe4b009c113677ab5","streams":[],"forwarder":"org.graylog2.outputs.GelfOutput"}
        } ]
      }
    }

Cheers,
Marty
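
Added example, not part of the original post and not Graylog2 code: the receiver's timestamp 46893-09-16 15:14:38 is exactly what results when the sender's epoch time in milliseconds (2014-12-04 01:10:02.078 UTC) is read as GELF 1.1 epoch seconds. The function names, the constructed receive time and the 10-year plausibility window are assumptions of this example.

```python
# Added illustration; names, NOW and the plausibility window are assumptions.

def civil_from_epoch(seconds):
    """Epoch seconds -> 'YYYY-MM-DD HH:MM:SS' (UTC).

    Works past year 9999, where datetime.utcfromtimestamp() raises."""
    days, rem = divmod(int(seconds), 86400)
    # Days-to-civil conversion for the proleptic Gregorian calendar
    # (Howard Hinnant's algorithm), using 400-year eras of 146097 days.
    z = days + 719468
    era, doe = divmod(z, 146097)
    yoe = (doe - doe // 1460 + doe // 36524 - doe // 146096) // 365
    doy = doe - (365 * yoe + yoe // 4 - yoe // 100)
    mp = (5 * doy + 2) // 153
    day = doy - (153 * mp + 2) // 5 + 1
    month = mp + 3 if mp < 10 else mp - 9
    year = yoe + era * 400 + (1 if month <= 2 else 0)
    hour, rem = divmod(rem, 3600)
    minute, second = divmod(rem, 60)
    return (f"{year:04d}-{month:02d}-{day:02d} "
            f"{hour:02d}:{minute:02d}:{second:02d}")


def normalize_gelf_timestamp(value, now, window=10 * 365 * 86400):
    """Return (epoch_seconds, unit_guess) for an incoming GELF timestamp.

    GELF 1.1 defines 'timestamp' as epoch seconds with optional decimals.
    A value that is only plausible after dividing by 1000 was most likely
    sent as milliseconds; anything else is rejected rather than indexed."""
    value = float(value)
    if abs(value - now) <= window:
        return value, "seconds"
    if abs(value / 1000.0 - now) <= window:
        return value / 1000.0, "milliseconds"
    raise ValueError(f"implausible GELF timestamp: {value!r}")


# Constructed from the post: sender timestamp 2014-12-04 01:10:02.078 UTC.
SENT_MS = 1417655402078
NOW = 1417655500  # constructed receive time, about 98 seconds later

if __name__ == "__main__":
    print(civil_from_epoch(SENT_MS))           # milliseconds read as seconds
    print(civil_from_epoch(SENT_MS // 1000))   # read with the correct unit
    print(normalize_gelf_timestamp(SENT_MS, NOW))
```
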
