I have more or less the same issue as this: #12
My log source is a golang package called logrus and issues single line json that looks like this:
{"context":["STRING","STRING","STRING"],"level":"info","msg":"MESSAGESTRING","stacktrace":["BLAH1", "BLAH2", "BLAH3"],"time":"2018-03-06T12:24:48Z"}
I also can't seem to map the "time" to "@timestamp" using patterns.yml. My patterns file looks like this:
patterns:
  - # Web Logs
    sourceName: !!js/regexp .*gateway.*
    match:
      - regex: !!js/regexp ^\{.*
        type: absgateway_logs
        fields: [context,level,msg,stacktrace,ts]
        dateFormat: YYYY-MM-DDTHH:mm:ssZ
However, in my logsene dashboard, the only json that gets reported is like this:
{
"@timestamp": "2018-03-06T12:24:48.412Z",
"message": "{"context":["STRING"],"level":"info","msg":"MESSAGESTRING","stacktrace":["BLAH1", "BLAH2", "BLAH3"],"time":"2018-03-06T12:24:48Z"}",
"severity": "info",
"host": "ip-1-2-3-4",
"ip": "1.2.3.4",
"logSource": "ab.cde.io/abs/absgateway:staging_r-absStagingStack-absGatewayStaging-1-hash_hash",
"container_id": "hash",
"image_name": "ab.cde.io/abs/absgateway:staging",
"container_name": "r-absStagingStack-absGatewayStaging-1-hash",
"logType": "docker",
"container_hostname": "hash",
"@timestamp_received": "2018-03-06T12:25:25.055Z",
"logsene_original_type": "docker"
}
Maybe it's relevant, I am using rancher.
Note that it works fine in logagent doing an echo "{json: blah blah}" | logagent --yaml. It parses it correctly. However the patterns file still doesn't work. "time" just gets pasted as a string AND a new @timestamp is added where it is just simply the time I typed the logagent command in.
Lastly, there's also this block of example surrounding json which is entirely confusing. Am I supposed to use the json block in tandem with the patterns block? Does the json block apply to ALL patterns regardless of logSource?
Not sure what I am doing wrong. Any help would be appreciated.
UPDATE
I tried to plug this in the docker /etc/logagent/patterns.yml - nope doesn't do anything. Works perfectly on my command line using normal logagent.
json:
  enabled: true
  autohashFields:
    time: true
  removeFields:
    - stacktrace
  transform: !!js/function >
    function (sourceName, parsedObject, config) {
      for (var i=0; i<config.removeFields.length; i++) {
        console.log('delete ' + config.removeFields[i])
        delete parsedObject[config.removeFields[i]]
      }
    }
Then I tried to attack the message field that shows up in the logsene like this
json:
  enabled: true
  autohashFields:
    message: true
UPDATE 2
Vanilla nginx logs work perfectly fine. These are non-json and simply space delimited. In logsene, I can see it fully structured with method, user_agent etc. etc. I just used the default patterns.yml file (i.e. I don't pass any pattern file argument during docker run).
Nope, logsene shows non-hashed message.
UPDATE 3
The following regex application worked finally:
patterns:
  - # Gateway Logrus Logs
    sourceName: !!js/regexp .*gateway.*
    match:
      - regex: !!js/regexp \{"context":(.*),"level":(.*),"msg":(.*),"stacktrace":(.*),"time":(.*)\}
        type: absgateway_logs
        fields: [context,level,msg,stacktrace,ts]
        dateFormat: YYYY-MM-DDTHH:mm:ssZ
So essentially we mis-assumed that json structured logs are automatically parsed but instead they are to be treated like any other single line? It doesn't sound like that in the documents we have read so far.
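Added example, not part of the original post and not Logagent's own code: plain Node.js comparing what the positional regex from UPDATE 3 captures with what decoding the same line as JSON and promoting "time" to "@timestamp" yields. The sample lines, the extra "error" key and the helper names `parseWithRegex` and `parseLogrusLine` are assumptions made for illustration.

```javascript
// Constructed sample lines shaped like the logrus output quoted in the post.
const SAMPLE = '{"context":["STRING","STRING","STRING"],"level":"info","msg":"MESSAGESTRING","stacktrace":["BLAH1", "BLAH2", "BLAH3"],"time":"2018-03-06T12:24:48Z"}';
// Same shape with one extra key ("error"), also constructed.
const EXTRA = '{"context":["STRING"],"error":"boom","level":"info","msg":"M","stacktrace":[],"time":"2018-03-06T12:24:48Z"}';

// Regex and field list copied from UPDATE 3.
const POSITIONAL = /\{"context":(.*),"level":(.*),"msg":(.*),"stacktrace":(.*),"time":(.*)\}/;
const FIELDS = ['context', 'level', 'msg', 'stacktrace', 'ts'];

// Assign capture groups to field names by position.
function parseWithRegex(line) {
  const m = POSITIONAL.exec(line);
  if (!m) return null;
  const out = {};
  FIELDS.forEach((name, i) => { out[name] = m[i + 1]; });
  return out;
}

// Hypothetical helper: decode the line as JSON and promote a valid "time"
// to "@timestamp"; anything that is not a JSON object stays a raw message.
function parseLogrusLine(line) {
  let obj;
  try {
    obj = JSON.parse(line);
  } catch (err) {
    return { message: line };
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return { message: line };
  }
  const ts = typeof obj.time === 'string' ? new Date(obj.time) : null;
  if (ts && !Number.isNaN(ts.getTime())) {
    obj['@timestamp'] = ts.toISOString();
    delete obj.time;
  }
  return obj;
}

console.log(parseWithRegex(SAMPLE).level);   // captured value keeps the JSON quotes
console.log(parseWithRegex(EXTRA).context);  // greedy group swallows the "error" key
console.log(parseLogrusLine(EXTRA));         // typed fields, @timestamp set
```

The regex still matches the line with the extra key, so the mis-captured field is stored without any parse failure to alert on.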