Problems

This section covers some problems that I encountered.

Common Issues

During the setup and configuration of this architecture, I encountered a few problems that you should be aware of to avoid falling into the same traps.

1. Graylog JSON Field Extraction Issue

When extracting fields from a JSON message in Graylog (using extractors or pipelines), do not use the dot . as a separator in your field names.

Why?
Graylog automatically replaces . with _ as the key separator in field names. This behavior may also lead to strange errors where Graylog claims the field name uses neither . nor _.

Solution:
Use underscore _ in all your JSON keys if you plan to extract them in Graylog.

Bad:

{
  "user.name": "admin"
}

Good:

{
  "user_name": "admin"
}

This will save you from compatibility issues and avoid silent bugs during pipeline processing.
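
If you cannot change the keys at the source, they can be rewritten before the message is shipped. The sketch below is an added example, not part of the original setup: sanitize_keys and prepare_message are hypothetical helper names, and flattening nested objects with _ is an assumption. It also refuses to continue when two keys would end up with the same name, since that would otherwise overwrite a value silently.

```python
import json

SEPARATOR = "_"  # assumption: underscore is the only key separator we emit


def sanitize_keys(obj, prefix=""):
    """Flatten a decoded JSON object and replace '.' in keys with '_'.

    Nested objects become prefixed keys; lists and scalars are kept as values.
    Raises ValueError when two source keys collapse to the same field name.
    """
    flat = {}
    for key, value in obj.items():
        name = prefix + str(key).replace(".", SEPARATOR)
        if isinstance(value, dict):
            children = sanitize_keys(value, name + SEPARATOR)
        else:
            children = {name: value}
        for child_name, child_value in children.items():
            if child_name in flat:
                raise ValueError(f"key collision on {child_name!r}")
            flat[child_name] = child_value
    return flat


def prepare_message(raw_json):
    """Return the JSON string to ship, with dot-free key names."""
    return json.dumps(sanitize_keys(json.loads(raw_json)), sort_keys=True)


# Constructed sample event (not from the original page).
SAMPLE = '{"user.name": "admin", "src": {"ip": "192.0.2.10", "geo.country": "FR"}}'

if __name__ == "__main__":
    print(prepare_message(SAMPLE))
```
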