Consuming multiline Docker logs via GELF UDP

replicant0wnz · April 27, 2017, 9:25pm

So I’m currently running multiple Graylog colllectors under Docker, and telling Docker to use it’s GELF logging mechanize to dump it’s logs to our Greylog deployment (itself basically).

Only issue is all the Java stacktraces are mutliline so each line is getting submitted as an individual message. So one stacktrace can equal almost 30 messages. Is there any plugins, log4j2, GROK, etc etc to get each stacktrace into a single message?

Anyone run into this? Doing some basic Googling I’ve seen several people have run into this but no solution. Seems like it would be a common issue?

jan · April 28, 2017, 7:00am

Hej @replicant0wnz

you can not merge messages with Graylog. You will need to submit the multiline message as single message to have that as single message in Graylog.

regards
Jan

davidoff · April 28, 2017, 7:40am

you can use filebeat which supports multiline to read logs from files.

replicant0wnz · April 28, 2017, 3:14pm

Either way it seems I can’t use the native Docker GELF driver. Seems the Docker team doesn’t want to support multi-line:

Topic		Replies	Views
Enable stack trace logging Graylog Central (peer support)	7	7476	January 25, 2018
How to stream docker logs with multiline to graylog Graylog Central (peer support)	3	4418	July 19, 2018
Using Sidecars to have a multiline ouptut from GELF input Graylog Central (peer support)	2	834	February 1, 2022
How to view stacktrace in Graylog Graylog Central (peer support) gelf	5	1289	July 12, 2023
Monitoring Docker Containers with Graylog Monitoring Graylog Central (peer support)	2	6621	July 31, 2018

Consuming multiline Docker logs via GELF UDP

Related topics