The following is from graylog2's debug log when I set up logback-gelf.

2013-04-01 15:34:06,266 INFO : org.graylog2.inputs.syslog.SyslogProcessor - Syslog message is missing date or date could not be parsed. (Possibly set allow_override_syslog_date to true) Not further handling. Message was: ï¿ï¿½ï¿½AK�@��ʲ�l�61���Pï¿x�߼?J��J��4Ee¿½ï¿½ï¿½"�9L��L{�����*��3���z���gp��"����Ð
��MSVMQgRG=�_�Z�6�c�=�=� ���Qw�)����h$&���!F�>D��Q��0��m���%�Z��iÆ$Y6/��7ÔJ��
2013-04-01 15:34:06,266 ERROR: org.graylog2.inputs.syslog.SyslogProcessor - Could not parse syslog message. Not further handling.
java.lang.IllegalStateException

I've captured the message being sent using Wireshark on the machine that is sending the message and it appears to be completely garbled as well there.

I also have been getting error messages on start up if I have shortMessagePattern, staticAdditionalField, or includeFullMDC set up in my appender configuration.

Here's what I have right now:

<appender name="GELF" class="me.moocar.logbackgelf.GelfAppender">
    <facility>logback-gelf-test</facility>
    <graylog2ServerHost>devu01</graylog2ServerHost>
    <graylog2ServerPort>513</graylog2ServerPort>
    <useLoggerName>true</useLoggerName>
    <useThreadName>true</useThreadName>
    <graylog2ServerVersion>0.9.6</graylog2ServerVersion>
    <chunkThreshold>1000</chunkThreshold>
    <messagePattern>%m%rEx</messagePattern>
    <shortMessagePattern>%.-100(%m%rEx)</shortMessagePattern>
    <additionalField>ipAddress:_ip_address</additionalField>
    <additionalField>requestId:_request_id</additionalField>
    <staticAdditionalField>_node_name:www013</staticAdditionalField>
    <includeFullMDC>true</includeFullMDC>
</appender>

Sorry that this doesn't give you much to go on; if I have time I'll download the code and see if stepping through it tells me anything.

This was caused by configuring the appender incorrectly - I was sending GELF messages to the syslog port.