Describe the bug
Graylog cannot process input from the GELF-output with the windows log plugins appending error logs in the server.log.
The invalid JSON is not imported into graylog.
My impression is that the GELF Output plugin creates invalid JSON with winevtlog, and it seems to be related to the "StringInserts".
It does not escape the JSON correctly when file paths are included in the "StringInserts". It looks like it is not escaping \ (backslash) and " (citation) correctly. At least that is what I can see in my logs.
The "Message" seems to be escaped correctly.
To Reproduce
Set up fluent-bit to use Input winevtlog and GELF as output. Point output to a graylog-server.
Expected behavior
Message should be read and parsed correctly by Graylog.
Screenshots
An example log from the Graylog server.log with an unrecognized escape character.
The JSON-message in the server log is truncated before the offending "escape character" so it's not a good example to paste.
Your Environment
Version used: 3.2
Configuration:
Environment name and version (e.g. Kubernetes? What version?): Windows Server
Operating System and version: Windows Server 2019
Filters and plugins: winevtlog as input, GELF as output.
Additional context
I give GELF as an output but that is not what I have tested with.
In my environment the flow of the message is "Windows Event Log" -> fluentbit Input winevtlog -> fluentbit output Forward -> (logaggregator) Input Forward -> output GELF -> Graylog GELF Input
I do not think these extra steps could be a problem and have not tested this.
What I have done to try to fix this is to add this Lua code in the fluentbit configuration on the Windows server.
This seems to at least stop the error in the graylog server log.
An example log from the Graylog server.log with an unrecognized escape character.
2025-02-20T13:35:02.422+01:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=1afd5c50-ef87-11ef-8aa5-0050568f43ab, messageQueueId=2773148970, codec=gelf, payloadSize=1733, timestamp=2025-02-20T12:35:02.421Z, seqenceNr=113762021, remoteAddress=/1.2.3.4:39435}
com.fasterxml.jackson.core.JsonParseException: Unrecognized character escape 'w' (code 119)
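The failure mode described in this report, as an added example that is not part of the original issue and is not Fluent Bit or Graylog code: a Windows path copied into a GELF field without escaping produces the same class of error as the `Unrecognized character escape 'w' (code 119)` line above, and a small scanner can flag such payloads before they are silently dropped. The record, host name and path are constructed sample values, and `broken_payload` is a hypothetical stand-in for an encoder that does not escape field values.

```python
import json

# Characters JSON (RFC 8259) allows directly after a backslash inside a string.
VALID_ESCAPES = set('"\\/bfnrtu')

# Constructed record: the field name follows the issue, the values are made up.
RECORD = {
    "version": "1.1",
    "host": "winsrv01",
    "short_message": "process start",
    "_StringInserts": "C:\\windows\\system32\\cmd.exe",
}

def broken_payload(record):
    """Hypothetical encoder that copies values into the JSON text unescaped."""
    return "{" + ", ".join('"%s": "%s"' % (k, v) for k, v in record.items()) + "}"

def encode(record):
    """Correct encoding: the JSON library escapes backslashes and quotes."""
    return json.dumps(record)

def parses(raw):
    """True if a strict JSON parser accepts the payload."""
    try:
        json.loads(raw)
        return True
    except json.JSONDecodeError:
        return False

def find_invalid_escapes(raw):
    """Return (offset, char) for each backslash escape a strict parser rejects.

    Limitations: the hex digits after \\u are not checked, and an unescaped
    quote inside a value desynchronises the string tracking.
    """
    bad, in_string, i = [], False, 0
    while i < len(raw):
        c = raw[i]
        if in_string and c == "\\":
            nxt = raw[i + 1] if i + 1 < len(raw) else ""
            if nxt not in VALID_ESCAPES:
                bad.append((i, nxt))
            i += 2  # skip the escaped character so \\ and \" are not re-read
            continue
        if c == '"':
            in_string = not in_string
        i += 1
    return bad
```

Running `find_invalid_escapes` over payloads captured between the aggregator and the Graylog input shows which field carries the bad escape, which the truncated server.log entry does not.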