I want to send logmessages from a Java application to Graylog, using slf4j on top of logback with a logback GELF-appender on one side and a Graylog GELF-input on the other. To test it, i'm running Graylog in a Docker container (using Docker for Mac) and run my Java application locally. The gist of my story is that the Graylog GELF-input does not receive anything from the Java application. Somehow the Java application and Graylog don't seem to be able to communicate. The same applies when i switch to a different appender/input combination (one based on syslog records). However, when echoing a message from the commandline to a different Graylog input, namely the RAW input that's listening to port 5555, that message is received fine.
Any idea what the problem is? This is my setup using GELF:
Java app:
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class LogDemo {
public static void main(String[] args) {
Logger logger = LoggerFactory.getLogger(LogDemo.class);
logger.error("Hello World 2");
}
}
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.example</groupId>
<artifactId>logdemo</artifactId>
<version>1.0-SNAPSHOT</version>
<dependencies>
<dependency>
<groupId>de.appelgriepsch.logback</groupId>
<artifactId>logback-gelf-appender</artifactId>
<version>1.5</version>
</dependency>
</dependencies>
</project>
logback.xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<appender name="GELF" class="de.appelgriepsch.logback.GelfAppender">
<server>localhost</server>
<port>12201</port>
<protocol>TCP</protocol>
</appender>
<root level="error">
<appender-ref ref="GELF"/>
</root>
</configuration>
Graylog docker startup:
$ docker run --name mongo -d mongo:3
$ docker run --name elasticsearch \
-e "http.host=0.0.0.0" \
-e "ES_JAVA_OPTS=-Xms512m -Xmx512m" \
-d docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.10
$ docker run --link mongo --link elasticsearch \
-p 9000:9000 -p 12201:12201 -p 1514:1514 -p 5555:5555 \
-e GRAYLOG_HTTP_EXTERNAL_URI="http://127.0.0.1:9000/" \
-d graylog/graylog:3.3
Graylog GELF tcp input (running):
bind_address: 0.0.0.0
decompress_size_limit: 8388608
max_message_size: 2097152
number_worker_threads: 4
override_source: <empty>
port: 12201
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
tls_key_password:********
use_null_delimiter: true
As stated, when i run the java app and Graylog is running as a Docker container in the background, Graylog does not receive the logmessage i sent. However, when i type the following on my commandline (using Terminal on Mac), the message IS received by the Graylog RAW input:
$ echo "Testmessage" | nc localhost 5555
Does somebody got a clue what i'm doing wrong?
I found a solution, though i'm not sure what the exact cause of the problem was. The solution was to use a different Gelf appender. Instead of the one i mentioned above, i'm now using the following one:
That did the trick, but as i said, i'm unsure why the one i used earlier did not work.