Thank you for responding. We are using the Syslog UDP input, not the GELF UDP input, for Suricata alerts.



On Tuesday, January 31, 2017 at 5:07:08 AM UTC-5, Jochen Schalanda wrote:
>
> Hi Sean,
>
> it looks like you're sending plaintext to a GELF input. Please check that 
> you're using the correct input type in Graylog.
>
> Cheers,
> Jochen
>
> On Tuesday, 31 January 2017 11:03:55 UTC+1, sean harvey wrote:
>>
>> Good Day,
>>
>> We have a pfSense Suricata pointing to a Graylog Syslog UDP input, not a GELF UDP 
>> input. When we check server.log we have the error message below. Can 
>> Graylog parse eve.json? 
>>
>> 2017-01-29T11:32:13.351-05:00 ERROR [GelfCodec] Could not parse JSON, first 400 characters: | [SNORTIDS[ALERT]: [zt01zn2pf02.cymaticssecurity.com] ] || 2017-01-29 11:14:10.370+-05 2 [1:2013054:2] ET USER_AGENTS PyCurl Suspicious User Agent Outbound || attempted-recon || 6 38.70.1.76 52.49.94.197 || 37953 8080 ||
>>  |^@
>> com.fasterxml.jackson.core.JsonParseException: Unexpected character ('|' (code 124)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
>>  at [Source: | [SNORTIDS[ALERT]: [zt01zn2pf02.cymaticssecurity.com] ] || 2017-01-29 11:14:10.370+-05 2 [1:2013054:2] ET USER_AGENTS PyCurl Suspicious User Agent Outbound || attempted-recon || 6 38.70.1.76 52.49.94.197 || 37953 8080 ||
>>  |^@; line: 1, column: 2]
>>         at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1586) ~[graylog.jar:?]
>>         at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:521) ~[graylog.jar:?]
>>         at com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:450) ~[graylog.jar:?]
>>         at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._handleOddValue(ReaderBasedJsonParser.java:1823) ~[graylog.jar:?]
>>         at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:708) ~[graylog.jar:?]
>>         at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:3847) ~[graylog.jar:?]
>>         at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3792) ~[graylog.jar:?]
>>         at com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:2332) ~[graylog.jar:?]
>>         at org.graylog2.inputs.codecs.GelfCodec.decode(GelfCodec.java:120) [graylog.jar:?]
>>         at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:146) [graylog.jar:?]
>>         at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87) [graylog.jar:?]
>>         at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:58) [graylog.jar:?]
>>         at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35) [graylog.jar:?]
>>         at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
>>         at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
>>         at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/f8f2e98b-dda3-4a9d-a803-6b3b81374fa2%40googlegroups.com.
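Added here as an illustration, not code from the thread, from Graylog or from pfSense: a small Python script that does the two checks this exchange turns on. `classify_payload` decides whether a UDP payload is something a GELF codec can decode (a JSON object carrying the mandatory GELF 1.1 keys `version`, `host` and `short_message`), a JSON document of some other shape such as a Suricata eve.json record, or plaintext like the pipe-delimited pfSense alert in the error above, which is exactly why GelfCodec stops at the first `|`. `parse_pipe_alert` then extracts the fields from that pipe format, with the field meanings inferred from the single sample in the thread (the lone `2` after the timestamp is matched but not interpreted, since the thread does not say what it is), and `parse_eve_alert` maps an eve.json alert onto the same structure so the two feeds can be compared. Apart from the sensor hostname and the alert taken from the quoted log line, the sample payloads are constructed for the example.

```python
import json
import re
from dataclasses import dataclass

# Constructed from the error message in the thread; "\x00" is the trailing
# NUL byte that server.log renders as "^@".
PIPE_SAMPLE = (
    "| [SNORTIDS[ALERT]: [zt01zn2pf02.cymaticssecurity.com] ] || "
    "2017-01-29 11:14:10.370+-05 2 [1:2013054:2] ET USER_AGENTS PyCurl Suspicious "
    "User Agent Outbound || attempted-recon || 6 38.70.1.76 52.49.94.197 || "
    "37953 8080 || |\x00"
)

# Constructed Suricata eve.json record for the same event (standard EVE field names).
EVE_SAMPLE = json.dumps({
    "timestamp": "2017-01-29T11:14:10.370000-0500", "event_type": "alert",
    "src_ip": "38.70.1.76", "src_port": 37953,
    "dest_ip": "52.49.94.197", "dest_port": 8080, "proto": "TCP",
    "alert": {"gid": 1, "signature_id": 2013054, "rev": 2,
              "signature": "ET USER_AGENTS PyCurl Suspicious User Agent Outbound",
              "category": "Attempted Information Leak", "severity": 2},
})

# Constructed minimal GELF 1.1 message; version, host and short_message are mandatory.
GELF_SAMPLE = json.dumps({"version": "1.1", "host": "zt01zn2pf02",
                          "short_message": "ET USER_AGENTS PyCurl Suspicious User Agent Outbound"})

GELF_REQUIRED = {"version", "host", "short_message"}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers


def _as_text(raw):
    # Accept bytes or str; drop the NUL terminator and surrounding whitespace.
    text = raw.decode("utf-8", "replace") if isinstance(raw, bytes) else raw
    return text.strip("\x00 \t\r\n")


def classify_payload(raw):
    """Return 'gelf', 'json' or 'plaintext'. Only 'gelf' is decodable by a GELF
    input: an eve.json record is JSON without the GELF keys ('json'), and the
    pipe-delimited pfSense line is not JSON at all ('plaintext')."""
    text = _as_text(raw)
    if not text.startswith("{"):
        return "plaintext"
    try:
        doc = json.loads(text)
    except ValueError:
        return "plaintext"
    return "gelf" if GELF_REQUIRED.issubset(doc) else "json"


@dataclass
class SuricataAlert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    signature: str
    category: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    sensor: str = ""


_HEADER = re.compile(r"\[SNORTIDS\[\w+\]:\s*\[(?P<sensor>[^\]]+)\]")
# "<date> <time> <n> [gid:sid:rev] <signature>"; <n> (2 in the sample) is not
# explained in the thread, so it is matched but not interpreted.
_EVENT = re.compile(r"^(?P<ts>\S+\s+\S+)\s+\d+\s+"
                    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<sig>.+)$")


def parse_pipe_alert(raw):
    """Parse the '||'-delimited alert line that pfSense forwards over syslog."""
    fields = [f.strip(" |") for f in _as_text(raw).split("||")]
    if len(fields) < 5:
        raise ValueError("expected at least 5 '||'-separated fields")
    header, event = _HEADER.search(fields[0]), _EVENT.match(fields[1])
    if not header or not event:
        raise ValueError("unrecognised pfSense/Suricata alert header")
    proto_num, src_ip, dst_ip = fields[3].split()
    src_port, dst_port = fields[4].split()
    return SuricataAlert(
        timestamp=event["ts"], gid=int(event["gid"]), sid=int(event["sid"]),
        rev=int(event["rev"]), signature=event["sig"].strip(), category=fields[2],
        proto=PROTO_NAMES.get(int(proto_num), proto_num), src_ip=src_ip,
        src_port=int(src_port), dst_ip=dst_ip, dst_port=int(dst_port),
        sensor=header["sensor"])


def parse_eve_alert(raw):
    """Map a Suricata eve.json alert record onto the same structure."""
    doc = json.loads(_as_text(raw))
    if doc.get("event_type") != "alert":
        raise ValueError("not an EVE alert record")
    a = doc["alert"]
    return SuricataAlert(
        timestamp=doc["timestamp"], gid=a["gid"], sid=a["signature_id"], rev=a["rev"],
        signature=a["signature"], category=a["category"], proto=doc["proto"],
        src_ip=doc["src_ip"], src_port=doc["src_port"],
        dst_ip=doc["dest_ip"], dst_port=doc["dest_port"])
```

Running `classify_payload` over the three samples gives `plaintext`, `json` and `gelf` respectively; the first result is the GelfCodec error above, and the second is why pointing eve.json at a GELF input would fail just as surely. Both parsers return the same `sid`, addresses and ports for the quoted alert, which is the quickest way to confirm that a pipe-format feed and an eve.json feed are describing the same event.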