NXLog configuration help: handling abnormal fields when sending GELF-format JSON logs over UDP
Let's fix your NXLog configuration to properly send your pre-formatted GELF logs over UDP, whether you want to forward the full JSON as a single field or map all individual fields correctly.
Option 1: Forward the Entire JSON Log as a Single GELF Field
If your primary goal is to get the complete log content into Graylog (and handle parsing there with extractors), this is a straightforward approach. We'll set the full raw JSON line as the short_message in the GELF payload, and map the host field from your logs to the GELF host attribute.
Update your configuration like this:
    <Extension json>
        Module xm_json
    </Extension>

    # xm_gelf provides the GELF_UDP output type used below
    <Extension gelf>
        Module xm_gelf
    </Extension>

    <Input jsonLogs>
        Module im_file
        File '<File Location>'
        PollInterval 5
        SavePos True
        ReadFromLast True
        Recursive False
        RenameCheck False
        CloseWhenIdle True
        # Parse the JSON to extract the host field, then set the raw log as the message
        Exec parse_json(); $Message = $raw_event; $Hostname = $host;
    </Input>

    <Output udp>
        Module om_udp
        Host <IP>
        Port <Port>
        OutputType GELF_UDP
    </Output>
This will send the entire JSON string in the short_message field, and use the host value from your log for the GELF host field. You can then create a JSON extractor in Graylog to pull out all individual fields from short_message.
Option 2: Map All GELF Fields Directly
If you want NXLog to properly forward all your existing GELF fields (including the _extraField* attributes) without losing them, we need to explicitly map the core GELF fields to NXLog's internal fields, and ensure the extra fields are preserved.
NXLog's GELF_UDP output automatically includes any fields starting with _ as GELF extra fields, so we just need to make sure those fields are present after parsing the JSON.
Use this configuration:
    <Extension json>
        Module xm_json
    </Extension>

    # xm_gelf provides the GELF_UDP output type used below
    <Extension gelf>
        Module xm_gelf
    </Extension>

    <Input jsonLogs>
        Module im_file
        File '<File Location>'
        PollInterval 5
        SavePos True
        ReadFromLast True
        Recursive False
        RenameCheck False
        CloseWhenIdle True
        <Exec>
            parse_json();
            # Map core GELF fields to NXLog's internal fields
            $Message = $short_message;    # Maps to GELF short_message
            $FullMessage = $full_message; # Maps to GELF full_message
            $Hostname = $host;            # Maps to GELF host
            # If your extra fields lost their underscores after parsing, re-add them:
            # $_extraField1 = $extraField1;
            # $_extraField2 = $extraField2;
            # $_extraField3 = $extraField3;
        </Exec>
    </Input>

    <Output udp>
        Module om_udp
        Host <IP>
        Port <Port>
        OutputType GELF_UDP
    </Output>
If after parsing the JSON, your _extraField* fields appear without the leading underscore in NXLog (e.g., $extraField1 instead of $_extraField1), uncomment the lines that reassign them with the underscore prefix—this ensures the GELF_UDP output recognizes them as extra fields.
Why Your Original Configuration Failed
When you used parse_json() without field mapping, NXLog's GELF_UDP output only uses its default internal fields ($Message, $Hostname, $FullMessage) unless explicitly told to include others. By mapping the fields correctly, we ensure all your GELF attributes are included in the UDP payload.
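To check what NXLog actually puts on the wire before involving Graylog, the following added example (not part of the original answer, and not NXLog or Graylog code) decodes a GELF UDP datagram and reports fields that break the GELF 1.1 naming rules. The function names, the constructed sample message and the listener's 127.0.0.1:12201 address are assumptions made for illustration.

```python
import gzip
import json
import socket
import zlib

REQUIRED = ("version", "host", "short_message")
CORE = set(REQUIRED) | {"full_message", "timestamp", "level"}

# Constructed sample shaped like the log discussed above; extraField2 lacks its underscore
SAMPLE = {"version": "1.1", "host": "app01", "short_message": "login failed",
          "_extraField1": "a", "extraField2": "b"}

def decode_gelf(datagram: bytes) -> dict:
    """Decode one unchunked GELF UDP datagram (gzip, zlib or plain JSON)."""
    if datagram[:2] == b"\x1e\x0f":            # GELF chunk magic bytes
        raise ValueError("chunked GELF message; reassemble chunks first")
    if datagram[:2] == b"\x1f\x8b":            # gzip magic bytes
        datagram = gzip.decompress(datagram)
    elif datagram[:1] == b"\x78":              # zlib header ('{' is 0x7b, so no clash)
        datagram = zlib.decompress(datagram)
    return json.loads(datagram.decode("utf-8"))

def check_gelf(msg: dict) -> list:
    """Return a list of deviations from the GELF 1.1 field rules."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in msg]
    for key in msg:
        if key == "_id":
            problems.append("_id is reserved and not allowed")
        elif key not in CORE and not key.startswith("_"):
            problems.append(f"extra field without underscore prefix: {key}")
    return problems

def listen(bind="127.0.0.1", port=12201):
    """Print each datagram's sender, field names and problems (assumed address)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, peer = sock.recvfrom(65535)
            try:
                msg = decode_gelf(data)
            except (ValueError, OSError, zlib.error) as exc:
                print(peer[0], "undecodable datagram:", exc)
                continue
            print(peer[0], sorted(msg), check_gelf(msg))

if __name__ == "__main__":
    listen()
```

Run it on a test receiver and temporarily point the om_udp Host and Port at it; an empty problem list for each datagram means the required fields are present and every extra field arrived with its underscore prefix.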
The question in this content comes from Stack Exchange; asked by NT93.




