Grouping log entries and Escaping Characters
Hello Team,
We've noticed that since moving from Log4j to Logback, Sumo Logic is no longer correctly parsing our JSON-formatted logs; it is grouping multiple log entries and escaping quotations. We have tried numerous Logback configurations (logstash encoder, changing line delimiters, decreasing the number of properties) without luck, even when upgrading collectors to 2.6.0. (Note: Auto Parse enabled, default JSON Auto Parsing in FER used.)
Raw server log:
{"@timestamp":1646777293645,"@version":1,"timestamp":"2022-03-08T22:08:13.645Z","level":"INFO"
Sumo (as JSON):
"{\"@timestamp\":1646777293645,\"@version\":1,\"timestamp\":\"2022-03-08T22:08:13.645Z\",\"level\":\"INFO\"
Sumo (as raw):
{\"@timestamp\":1646777293645,\"@version\":1,\"timestamp\":\"2022-03-08T22:08:13.645Z\",\"level\":\"INFO\"
As per: https://help.sumologic.com/03Send-Data/Sources/04Reference-Information-for-Sources/Collecting-Multiline-Logs#Infer_Boundaries, we have enabled Multiline Processing with automatic detection, and have tried multiline boundary regexes without luck.
Please advise if this is something you are aware of that manifested without other customers not using log4j anymore?
Thank You,
Shamshir
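
One way to check at which hop the escaping and grouping appear, as an added example that is not part of the original post: the Python sketch below reports how many string-escaping layers wrap a message and how many JSON objects it holds, so the same check can be run on a line from the server's log file and on the message as stored by the collector. The sample lines are constructed (the lines quoted in the post are truncated) and the function names are hypothetical.

```python
import json

_DECODER = json.JSONDecoder()

def unescape(message, max_layers=3):
    """Peel string-escaping layers off a message; return (text, layers)."""
    text, layers = message.strip(), 0
    while layers < max_layers:
        try:
            value = json.loads(text)           # clean object, or a quoted JSON string
        except ValueError:
            if '\\"' not in text:
                break                          # not escaped, or several objects in a row
            try:                               # bare \" form without outer quotes
                value = json.loads('"' + text + '"', strict=False)
            except ValueError:
                break
        if not isinstance(value, str):
            break                              # reached the real JSON value
        text, layers = value, layers + 1
    return text, layers

def split_entries(text):
    """Return every top-level JSON value packed into one message."""
    entries, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        obj, pos = _DECODER.raw_decode(text, pos)
        entries.append(obj)
    return entries

def diagnose(message):
    """Summarise a message: escaping layers and number of grouped entries."""
    text, layers = unescape(message)
    try:
        entries = split_entries(text)
    except ValueError:
        entries = []                           # still not valid JSON after unescaping
    return {"escape_layers": layers, "entries": len(entries)}

# Constructed samples mirroring the three forms shown in the post.
RAW = '{"@timestamp":1646777293645,"@version":1,"level":"INFO","message":"constructed"}'
AS_JSON = json.dumps(RAW)                      # "{\"@timestamp\":...}"
AS_RAW = RAW.replace('"', '\\"')               # {\"@timestamp\":...}
GROUPED = AS_RAW + "\n" + AS_RAW               # two entries merged into one message

if __name__ == "__main__":
    for name, sample in [("raw", RAW), ("as_json", AS_JSON),
                         ("as_raw", AS_RAW), ("grouped", GROUPED)]:
        print(name, diagnose(sample))
```

A result of zero layers and one entry on the server's file, but one layer or several entries on the stored message, places the change after the appender rather than in the Logback encoder.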