Send echo message to graylog2 via GELF TCP 12201 port

Question

I need to send a message to graylog2 server via echo to test if the %{@type} for facility is corrent, but once I do the echo thats in GELF support does not arrive in to my graylog2 server. If it restart graylog2 then the messages about it starting arrive to the graylog2 server.

Example of the echo message:

echo '{"version": "1.1","host":"example.org","short_message":"A short message that helps you identify what is going on","full_message":"Backtrace here\n\nmore stuff","level":1,"_user_id":9001,"_some_info":"foo","_some_env_var":"bar"}' | nc -w 1 my.graylog.server 12201

What am I doing wrong? The graylog --debug mode does not show anything. It does not even see the message come in.

Edit:

Graylog2 input is setup for GELF TCP and shows active connections and it raises when I try to echo, but nothing reaches the server as for the message goes.

Answer 1

It seems that GELF TCP input needs a null character at the end of each Gelf message.

So you should send:

echo -e '{"version": "1.1","host":"example.org","short_message":"Short message","full_message":"Backtrace here\n\nmore stuff","level":1,"_user_id":9001,"_some_info":"foo","_some_env_var":"bar"}\0' | nc -w 1 my.graylog.server 12201

This answer was found in a discussion on Graylog's issues.

Answer 2

As I was trying to verify that a Logstash instance was correctly listening for GELF inputs, I've found this thread.

Here is a command that will work for Logstash + Gelf over UDP :

echo '{"version": "1.1","host":"example.org","short_message":"A short message that helps you identify what is going on","full_message":"Backtrace here\n\nmore stuff","level":1,"_user_id":9001,"_some_info":"foo","_some_env_var":"bar"}' | gzip | nc -u -w 1 127.0.0.1 12201

Notice that :

• a simple echo is enough, no need for -e
• the message is gziped, otherwise you'll get this error : Could not find parser for header: [123, 34] in Logstash logs
• netcat is sending over UDP