I am trying to import JSON formatted log files into NLS. I am getting ""_jsonparsefailure" error. Could someone please tell me what I am doing wrong with in input and/or filter.
Sample log file:
{"Var1":"Foo","Var2":Bar,"Var3":"Alpha","Var4":"Beta"}
{"Var1":"Foo","Var2":Bar,"Var3":"Alpha","Var4":"Beta"}
Input:
tcp {
type => 'jason_test'
tags => 'jason_test'
port => 2100
}
Filter:
if [type] == 'jason_test' {
json {
source => "message"
}
}
JSON files
Re: JSON files
You shouldn't actually need a filter. Setting the codec on your input to JSON should be sufficient. Here's the default JSON input that comes with NLS:
This doesn't always work well with multi-line "pretty" JSON though, for the record.
Code: Select all
tcp {
type => 'import_json'
tags => 'import_json'
port => 2057
codec => json
}Former Nagios employee
https://www.mcapra.com/
https://www.mcapra.com/
Re: JSON files
I've tried "import_json" but no luck. I am seeing "_jsonparsefailure,import_json" tags in the dashboard. I've also tried changing codec like the following.
codec => json_lines
codec => json_lines
Re: JSON files
Are you sure you're sending properly formatted JSON? I notice the JSON in your original post that you provided as an example is malformed. If you could provide a few actual events from the log file, I could more accurately figure out what's going on.
If I send a generic udp packet to the JSON input like so:
I get the following event on a fresh install of NLS:
If I send a generic udp packet to the JSON input like so:
Code: Select all
nc -w 1 -u 192.168.67.4 2057 <<< '{"Var1":"Foo","Var2":"Bar","Var3":"Alpha","Var4":"Beta"}'You do not have the required permissions to view the files attached to this post.
Former Nagios employee
https://www.mcapra.com/
https://www.mcapra.com/
Re: JSON files
If I use netcat command, it works.
If I use "setup-linux.sh" command, I am getting "_jsonparsefailure" error.
Code: Select all
nc -w 1 <nls_server> 2057 <<< `cat /var/tmp/logs/test.log`Code: Select all
bash setup-linux.sh -s <nls_server> -p 2057 -f "/var/tmp/logs/test.log" -t import_json
Re: JSON files
Could you show us the data contained in test.log so we can attempt to replicate this in house?
Former Nagios Employee
Re: JSON files
This is what I have in test.log file. I am using NLS 1.4.2
Code: Select all
{"Var1":"Foo","Var2":"Bar","Var3":"Alpha","Var4":"Beta"}Re: JSON files
There may be some rsyslog configurations to consider. From the CLI of the machine that is sending the JSON file, can you share the outputs of:
Code: Select all
ls -al /etc/rsyslog.d/
cat /etc/rsyslog.d/*.confFormer Nagios employee
https://www.mcapra.com/
https://www.mcapra.com/
-
avandemore
- Posts: 1597
- Joined: Tue Sep 27, 2016 4:57 pm
Re: JSON files
This works for me when importing from a file: /var/www/html/nagioslogserver/www/scripts/setup-linux.sh -s localhost -p 2057 -f /tmp/log.log -t import_json
You do not have the required permissions to view the files attached to this post.
Previous Nagios employee
Re: JSON files
Problem is not with importing the file into Nagios Log Server. After importing the file, Nagios Log Server is not applying the filters properly. If you take a closer look at your output, you would see "_jasonparsefailure" in tags.
Following is the "nc" command and screenshot from Nagios Log Server. You can see that NLS properly assigned fields Var1, Var2 etc..
Following is the "nc" command and screenshot from Nagios Log Server. You can see that NLS properly assigned fields Var1, Var2 etc..
Code: Select all
nc -w 1 localhost 2057 <<< '{"Var1":"Foo","Var2":"Bar","Var3":"Alpha","Var4":"Beta"}'You do not have the required permissions to view the files attached to this post.