Trouble sending GELF event

Hi all,

I see a few "Google" entries with this issue, but haven't located a fix.

In short, I have Windows event logs being shipped to Logstash with nxlog in JSON format. I don't currently have a filter, and the output goes to Elasticsearch and Graylog. Input and output config is below:

input {
  tcp {
    codec => json_lines { charset => CP1252 }
    port => 1516
    type => "winlog"
  }
}
output {
  elasticsearch {
    cluster => "hill_log"
    host => "192.168.0.10"
    node_name => "hillstash"
  }
  gelf {
    host => "192.168.0.10"
    port => "12201"
    short_message => "short_message"
  }
}

This ends up with the following error log (sorry it's a bit long, relevant pieces seem to be at the start and the end):

{:timestamp=>"2015-07-04T01:13:08.228000+1200", :message=>"Trouble sending GELF event", :gelf_event=>{"short_message"=>nil, "full_message"=>"%{message}", "host"=>"192.168.0.101", "_EventTime"=>"2015-07-04 01:13:08", "_Hostname"=>"jr02", "_SeverityValue"=>3, "_Severity"=>"WARNING", "_SourceName"=>"nxlog-ce", "_ProcessID"=>4056, "_Message"=>"stopping nxlog service", "_EventReceivedTime"=>1435929188, "_SourceModuleName"=>"internal", "_SourceModuleType"=>"im_internal", "_type"=>"winlog", "level"=>6}, :event=>#<LogStash::Event:0x67bc2bfe @metadata_accessors=#<LogStash::Util::Accessors:0xb1257a6 @store={"retry_count"=>0}, @lut={}>, @cancelled=false, @data={"EventTime"=>"2015-07-04 01:13:08", "Hostname"=>"jr02", "SeverityValue"=>3, "Severity"=>"WARNING", "SourceName"=>"nxlog-ce", "ProcessID"=>4056, "Message"=>"stopping nxlog service", "EventReceivedTime"=>1435929188, "SourceModuleName"=>"internal", "SourceModuleType"=>"im_internal", "@version"=>"1", "@timestamp"=>"2015-07-03T13:13:08.223Z", "host"=>"192.168.0.101", "type"=>"winlog"}, @metadata={"retry_count"=>0}, @accessors=#<LogStash::Util::Accessors:0x21c1975f @store={"EventTime"=>"2015-07-04 01:13:08", "Hostname"=>"jr02", "SeverityValue"=>3, "Severity"=>"WARNING", "SourceName"=>"nxlog-ce", "ProcessID"=>4056, "Message"=>"stopping nxlog service", "EventReceivedTime"=>1435929188, "SourceModuleName"=>"internal", "SourceModuleType"=>"im_internal", "@version"=>"1", "@timestamp"=>"2015-07-03T13:13:08.223Z", "host"=>"192.168.0.101", "type"=>"winlog"}, @lut={"host"=>[{"EventTime"=>"2015-07-04 01:13:08", "Hostname"=>"jr02", "SeverityValue"=>3, "Severity"=>"WARNING", "SourceName"=>"nxlog-ce", "ProcessID"=>4056, "Message"=>"stopping nxlog service", "EventReceivedTime"=>1435929188, "SourceModuleName"=>"internal", "SourceModuleType"=>"im_internal", "@version"=>"1", "@timestamp"=>"2015-07-03T13:13:08.223Z", "host"=>"192.168.0.101", "type"=>"winlog"}, "host"], "type"=>[{"EventTime"=>"2015-07-04 01:13:08", "Hostname"=>"jr02", 
"SeverityValue"=>3, "Severity"=>"WARNING", "SourceName"=>"nxlog-ce", "ProcessID"=>4056, "Message"=>"stopping nxlog service", "EventReceivedTime"=>1435929188, "SourceModuleName"=>"internal", "SourceModuleType"=>"im_internal", "@version"=>"1", "@timestamp"=>"2015-07-03T13:13:08.223Z", "host"=>"192.168.0.101", "type"=>"winlog"}, "type"], "[type]"=>[{"EventTime"=>"2015-07-04 01:13:08", "Hostname"=>"jr02", "SeverityValue"=>3, "Severity"=>"WARNING", "SourceName"=>"nxlog-ce", "ProcessID"=>4056, "Message"=>"stopping nxlog service", "EventReceivedTime"=>1435929188, "SourceModuleName"=>"internal", "SourceModuleType"=>"im_internal", "@version"=>"1", "@timestamp"=>"2015-07-03T13:13:08.223Z", "host"=>"192.168.0.101", "type"=>"winlog"}, "type"], "message"=>[{"EventTime"=>"2015-07-04 01:13:08", "Hostname"=>"jr02", "SeverityValue"=>3, "Severity"=>"WARNING", "SourceName"=>"nxlog-ce", "ProcessID"=>4056, "Message"=>"stopping nxlog service", "EventReceivedTime"=>1435929188, "SourceModuleName"=>"internal", "SourceModuleType"=>"im_internal", "@version"=>"1", "@timestamp"=>"2015-07-03T13:13:08.223Z", "host"=>"192.168.0.101", "type"=>"winlog"}, "message"], "tags"=>[{"EventTime"=>"2015-07-04 01:13:08", "Hostname"=>"jr02", "SeverityValue"=>3, "Severity"=>"WARNING", "SourceName"=>"nxlog-ce", "ProcessID"=>4056, "Message"=>"stopping nxlog service", "EventReceivedTime"=>1435929188, "SourceModuleName"=>"internal", "SourceModuleType"=>"im_internal", "@version"=>"1", "@timestamp"=>"2015-07-03T13:13:08.223Z", "host"=>"192.168.0.101", "type"=>"winlog"}, "tags"], "severity"=>[{"EventTime"=>"2015-07-04 01:13:08", "Hostname"=>"jr02", "SeverityValue"=>3, "Severity"=>"WARNING", "SourceName"=>"nxlog-ce", "ProcessID"=>4056, "Message"=>"stopping nxlog service", "EventReceivedTime"=>1435929188, "SourceModuleName"=>"internal", "SourceModuleType"=>"im_internal", "@version"=>"1", "@timestamp"=>"2015-07-03T13:13:08.223Z", "host"=>"192.168.0.101", "type"=>"winlog"}, "severity"]}>>, :error=>#<ArgumentError: 
short_message is missing. Options version, short_message and host must be set.>, :level=>:warn}

Can anyone offer a solution to this? Thanks again.

...posting for the archives...

I solved this issue by adding the following filter:

filter {
  if [type] == "winlog" {
    mutate {
      add_field => { "message" => "%{Message}" }
    }
  }
}

--
Roland

1 Like
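Why the filter above clears the error, as an added example that is not part of the original thread and is not the gelf plugin's own code: a simplified Ruby model of the event-to-GELF mapping, inferred from the `gelf_event` in the error log (`short_message` nil, `full_message` left as the literal `%{message}`). The helper names and the `version` value are assumptions.

```ruby
# Simplified model (assumption) of how the gelf output maps a Logstash event
# to a GELF message. Not the plugin's source code.

# Logstash-style field reference: an unresolved %{field} stays as literal text.
def event_sprintf(template, event)
  template.gsub(/%\{([^}]+)\}/) { event.key?($1) ? event[$1].to_s : $& }
end

# mutate { add_field => ... }: creates the field, or appends if it exists.
def add_field(event, name, template)
  value = event_sprintf(template, event)
  merged = event.key?(name) ? [event[name], value].flatten : value
  event.merge(name => merged)
end

# short_message comes from the event's "message" field unless the field named
# by the short_message option exists and is non-empty.
def to_gelf(event, short_message_field = "short_message")
  gelf = { "version" => "1.0", # assumed value, set by the GELF client
           "host" => event["host"],
           "short_message" => event["message"],
           "full_message" => event_sprintf("%{message}", event) }
  override = event[short_message_field].to_s
  gelf["short_message"] = override unless override.empty?
  # Remaining fields become underscore-prefixed additional fields.
  event.each { |k, v| gelf["_#{k}"] = v unless %w[host message].include?(k) || k.start_with?("@") }
  gelf
end

# Required-field check matching the error text in the log above.
def missing_required(gelf)
  %w[version short_message host].select { |k| gelf[k].nil? || gelf[k].to_s.empty? }
end

# Constructed sample, trimmed from the nxlog event in the question.
NXLOG_EVENT = { "Hostname" => "jr02", "Severity" => "WARNING",
                "Message" => "stopping nxlog service",
                "host" => "192.168.0.101", "type" => "winlog" }.freeze

def demo
  before = to_gelf(NXLOG_EVENT)
  after  = to_gelf(add_field(NXLOG_EVENT, "message", "%{Message}"))
  { before: missing_required(before), before_full: before["full_message"],
    after: missing_required(after), after_short: after["short_message"] }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The nxlog JSON carries `Message` (capital M) but no `message`, so nothing populates `short_message` until the filter copies the field. In this model, `add_field` on an event that already has a `message` field appends to it instead, which gives an array value.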

I am facing the same issue, and tried to use your solution of adding the filter, but again got the error below:

Trouble sending GELF event {:gelf_event=>{"short_message"=>["", "%{Message}"], "full_message"=>",%{M........"path"=>"/root/Desktop/Graylog/test.txt", "host"=>"localhost.localdomain", "type"=>"grayLog"}, "severity"]}>>, :error=>#SocketError: send: name or service not known>, :level=:warn}

I have omitted the log and only shown the relevant things.
Can you please help me with this?

My config is
input {
  file {
    path => "/root/Desktop/Graylog/test.log"
    start_position => "beginning"
    type => "grayLog"
    sincedb_path => "/dev/null"
  }
}
filter {
  if [type] == "grayLog" {
    mutate {
      add_field => {"message" => "%{Message}"}
    }
  }
}
output {
  gelf {
    host => ["127.0.0.1:9000"]
  }
}

Using Logstash v2.2 with Graylog 1.3.
I am a newbie to the Linux environment and tools. Kindly help me.

@mshar039, please start a new thread for your unrelated problem.

Hello! This method is feasible for me. But why?