Messages discarded when the term status is in @message (GELF output)
Description
Gliffy Diagrams
Activity
Show:
Jason Kendall March 5, 2014 at 3:47 PM
Is this still an issue with 1.3.3?
Details
Details
Assignee
Logstash DevelopersReporter
Jeroen GeusebroekLabels
Affects versions
Created March 11, 2013 at 3:25 PM
Updated March 5, 2014 at 3:47 PM
I've come across a bug while testing syslog-pri. I was missing some events and finally figured out that it had to do with the term "status" being in the event.
logstash itself renders the message perfectly (I can see it in the debug output) however it does not forwarded or parsed by the upstream server (graylog2 in this instance).
I think it might have to do with the GELF output plugin OR graylog2 itself (which I don't think is the issue because direct syslog traffic to graylog2 works).
Temporary workaround was using the gsub filter to rewrite status to stats.
Reproduce:
Fails:
{"@source":"udp://127.0.0.1:49211/","@tags":["got_syslog_pri","got_syslog_timestamp","got_syslog_host"],"@fields":{"syslog_pri":["22"],"syslog_raw_message":["<22>Mar 11 15:04:02 web postfix/smtp[7918]: 059EA120253: to=<bla@diebla.local>, orig_to=<vagrant>, relay=somehost.local[10.10.10.10]:25, delay=0.29, delays=0/0/0.09/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 23C1A10017F)"],"syslog_severity_code":6,"syslog_facility_code":2,"syslog_facility":"mail","syslog_severity":"informational","syslog_timestamp":["Mar 12 15:04:02"],"received_at":["2013-03-13T14:04:02.314Z"],"syslog_hostname":["server"],"logstash_source":["127.0.0.1"]},"@timestamp":"2013-03-12T14:04:02.000Z","@source_host":"server","@source_path":"/","@message":"postfix/smtp[7918]: 059EA120253: to=<bla@diebla.local>, orig_to=<vagrant>, relay=somehost.local[10.10.10.10:25, delay=0.29, delays=0/0/0.09/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 23C1A10017F)","@type":"bla"}
Works:
{"@source":"udp://127.0.0.1:49211/","@tags":["got_syslog_pri","got_syslog_timestamp","got_syslog_host"],"@fields":{"syslog_pri":["22"],"syslog_raw_message":["<22>Mar 11 15:04:02 web postfix/smtp[7918]: 059EA120253: to=<bla@diebla.local>, orig_to=<vagrant>, relay=somehost.local[10.10.10.10]:25, delay=0.29, delays=0/0/0.09/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 23C1A10017F)"],"syslog_severity_code":6,"syslog_facility_code":2,"syslog_facility":"mail","syslog_severity":"informational","syslog_timestamp":["Mar 12 15:04:02"],"received_at":["2013-03-13T14:04:02.314Z"],"syslog_hostname":["server"],"logstash_source":["127.0.0.1"]},"@timestamp":"2013-03-12T14:04:02.000Z","@source_host":"server","@source_path":"/","@message":"postfix/smtp[7918]: 059EA120253: to=<bla@diebla.local>, orig_to=<vagrant>, relay=somehost.local[10.10.10.10:25, delay=0.29, delays=0/0/0.09/0.19, dsn=2.0.0, statxus=sent (250 2.0.0 Ok: queued as 23C1A10017F)","@type":"bla"}