Logstash error - Failed to decode CEF payload. Generating failure event with payload in message field

I configured the syslog.conf file to get the traffic to elasticsearch (installed on the same server).

Syslog data traffic is coming as CEF format to logstash.
syslog.conf file is as below:

input {
  tcp {
    port  => 5514
    type  => "syslog"
    codec => cef
  }
}

filter {
}

output {
  if [type] == "syslog" {
    stdout { codec => rubydebug }
    elasticsearch {
      hosts            => "localhost:9200"
      user             => "elastic"
      password         => "XXXXXXX"
      http_compression => true
      index            => "syslog-%{+YYYY.MM.dd}"
    }
  }
}
Syslog data traffic is coming to elasticsearch.
But I get the error: Failed to decode CEF payload. Generating failure event with payload in message field
I'm using ELK version 7.10.1.

What does the message field look like?

This is the full error:

[2021-02-24T15:24:52,824][ERROR][logstash.codecs.cef ][main][37ba9816c43c43e8bac33efbd4f123f36e0cdadabc1b11535fbd9cbb41dd16ae] Failed to decode CEF payload. Generating failure event with payload in message field. {:exception=>NoMethodError, :message=>"undefined method `include?' for nil:NilClass", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-codec-cef-6.1.1-java/lib/logstash/codecs/cef.rb:306:in `handle'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-codec-cef-6.1.1-java/lib/logstash/codecs/cef.rb:267:in `decode'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:62:in `block in decode'", "org/logstash/instrument/metrics/AbstractSimpleMetricExt.java:65:in `time'", "org/logstash/instrument/metrics/AbstractNamespacedMetricExt.java:64:in `time'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:61:in `decode'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.6-java/lib/logstash/inputs/tcp.rb:190:in `decode_buffer'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.6-java/lib/logstash/inputs/tcp/decoder_impl.rb:22:in `decode'"], :data=>"<22>Feb 24 20:54:53 KMG postfix/smtpd[14822]: disconnect from unknown\n<20>Feb 24 20:54:53 KMG klms-smtp_proxy: Unexpected end of SMTP input: Bad file descriptor at void lms::filters::smtp_proxy::CopySmtpStream(std::istream&, std::ostream&, bool)\n"}

That error is occurring here. I think it is telling you that there is no CEF version header in the message.

<22>Feb 24 20:54:53 KMG postfix/smtpd[14822]: disconnect from unknown[50.3.251.142]\n<20>Feb 24 20:54:53 KMG klms-smtp_proxy: Unexpected end of SMTP input: Bad file descriptor at void lms::filters::smtp_proxy::CopySmtpStream(std::istream&, std::ostream&, bool)\n

And indeed, that is a syslog message, but not CEF.
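To make the diagnosis above concrete, here is an added Python example (not code from the thread and not the logstash-codec-cef plugin itself). It makes the same first decision the codec has to make: look for a `CEF:<version>|` header, decode the seven pipe-separated header fields and the `key=value` extension if one is present, and otherwise produce a failure record that keeps the raw payload in `message`. The two plain syslog lines are the ones quoted in the thread; the syslog-wrapped CEF line, the `_cefparsefailure` tag and the output field names (`cefVersion`, `deviceVendor`, `syslog`, `syslog_pri`, ...) are this example's own constructed assumptions, not something the plugin is guaranteed to emit.

```python
import re

# Constructed inputs. The first two are the syslog lines quoted in the thread;
# the third is a made-up syslog-wrapped CEF event for contrast.
SYSLOG_LINES = [
    "<22>Feb 24 20:54:53 KMG postfix/smtpd[14822]: disconnect from unknown",
    "<20>Feb 24 20:54:53 KMG klms-smtp_proxy: Unexpected end of SMTP input: "
    "Bad file descriptor at void lms::filters::smtp_proxy::CopySmtpStream(std::istream&, std::ostream&, bool)",
]
CEF_LINE = (
    "<14>Feb 24 20:55:01 KMG CEF:0|Vendor|Product|1.0|100|Blocked \\| mail|5|"
    "src=10.0.0.5 dst=10.0.0.9 msg=quarantined\\=yes act=block"
)

# Field names are this example's choice, not the plugin's documented output.
HEADER_NAMES = ["cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
                "deviceEventClassId", "name", "severity"]
CEF_HEADER_RE = re.compile(r"CEF:\d+\|")
# An extension key is a whitespace-free token followed by an unescaped '='.
EXT_KEY_RE = re.compile(r"(?:^|\s)([^\s=]+)(?<!\\)=")


def find_cef_header(line):
    """Offset of 'CEF:<version>|' in the line, or -1 when there is none.
    A missing header is the condition behind the codec error in the thread."""
    m = CEF_HEADER_RE.search(line)
    return m.start() if m else -1


def split_header(body):
    """Split the seven CEF header fields on unescaped '|' ('\\|' and '\\\\' are escapes).
    Returns (fields, extension_text); raises ValueError on a truncated header."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            buf.append(body[i + 1])   # keep the escaped character literally
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, body[i:]


def parse_extension(ext):
    """Parse 'k=v k2=v with spaces' pairs; '\\=' and '\\\\' inside values are unescaped."""
    pairs = {}
    keys = list(EXT_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        pairs[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return pairs


def parse_syslog_pri(line):
    """Decode the RFC 3164 <PRI> prefix into (facility, severity), or None."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def decode(line):
    """Decide per line what a CEF decoder can do with it.

    With a header present, return the parsed event. Without one, return a
    failure record that keeps the raw payload in 'message' (the behaviour the
    thread's error message describes; the tag name is this example's assumption)
    together with the syslog PRI a plain syslog parser would have recovered.
    """
    off = find_cef_header(line)
    if off < 0:
        return {"tags": ["_cefparsefailure"], "message": line,
                "syslog_pri": parse_syslog_pri(line)}
    try:
        fields, ext = split_header(line[off + len("CEF:"):])
    except ValueError as exc:
        return {"tags": ["_cefparsefailure"], "message": line, "reason": str(exc)}
    event = dict(zip(HEADER_NAMES, fields))
    event["syslog"] = line[:off].strip()  # PRI, timestamp and host before the header
    event.update(parse_extension(ext))
    return event


def decode_payload(payload):
    """Split a raw TCP read on newlines (the :data in the thread's error held two
    messages in one buffer) and decode each line on its own."""
    return [decode(l) for l in payload.split("\n") if l.strip()]


if __name__ == "__main__":
    for ev in decode_payload("\n".join(SYSLOG_LINES + [CEF_LINE])):
        print(ev)
```

Run against the thread's own lines, both end up as failure records with the payload intact in `message`, while the constructed `CEF:0|...` line decodes cleanly even with a syslog prefix in front of it. Two practical points follow from the answer above: the `:data` in the error holds two syslog messages joined by `\n`, so the codec was handed a raw TCP buffer rather than one message, and since this source emits plain syslog, the fix on the Logstash side is to stop applying the CEF codec to it (use a line-oriented input and syslog parsing for this feed) rather than to tune the codec.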
