Message Size Filter Plugin for Graylog

This plugin installs a new filter that prints out all messages that have an estimated size crossing a configured threshold during processing. Huge messages can lead to issues in Graylog or Elasticsearch and this plugin aims to help with identifying the source of these large messages.

It will log any message that crosses the threshold like this:

2017-06-06 13:55:17,031 INFO : org.graylog.plugins.messagesizefilter.MessageSizeFilter - SIZE: [1520680 byte], SOURCE: [foo.example.org], INPUT: [5936f6fe277f695f099ff512], REMOTE ADDR: [/127.0.0.1]

Required Graylog version: 2.0 and later

Installation

Download the plugin and place the .jar file in your Graylog plugin directory. The plugin directory is the plugins/ folder relative from your graylog-server directory by default and can be configured in your graylog.conf file.

Restart graylog-server and you are done.

Usage

The default size threshold is 1MB. You can change the threshold in your graylog-server.conf configuration file like this:

# Set large message thresshold to 2MB
message_size_filter_threshold_bytes = 2000000

Plugin Release

We are using the maven release plugin:

$ mvn release:prepare
[...]
$ mvn release:perform

This sets the version numbers, creates a tag and pushes to GitHub. Travis CI will build the release artifacts and upload to GitHub automatically.