Multiline from log4net truncating

mgood22 · October 19, 2017, 9:54pm

We are using log4net to ship logs from one of our applications to graylog. When log4net ships a multiline file to graylog it’s getting truncated at the line break. What can I do to fix this?

jochen · October 20, 2017, 6:57am

What’s log4net?
What’s the configuration of your log4net appenders?
Which protocol are you using to ship logs to Graylog?
What type of input have you created in Graylog?
What’s the configuration of the Graylog input receiving these messages?

mgood22 · October 20, 2017, 12:59pm

Log4net is a log shipper 4 dotNet.
RemoteSyslogAppender

<layout type="log4net.Layout.PatternLayout" value="%d | %property{Site} | %-5p | %c | %m |" />

It ships logs to graylog via syslog format over udp port.

allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: true
force_rdns: false
override_source: Elevate Local Testing
port: 51980
recv_buffer_size: 262144
store_full_message: true

The error on the message that fails:

gl2_processing_error
For rule 'Elevate Service Rewrite': In call to function 'to_string' at 16:21 an exception was thrown: null

The pipleline rule:

rule "Elevate Service Rewrite"
when
    contains(to_string($message.source),"Elevate Local Testing",true)
then
    let splt_msg = split("\\Q|\\E",to_string($message.message));
    let splt_src = split(" ",to_string(splt_msg[0]));
    let splt_time = split(",",to_string(splt_src[2]));
    
    let timestmp = concat(to_string(splt_src[1]),"T");
    let timestmp = concat(to_string(timestmp),to_string(splt_time[0]));
    let timestmp = concat(to_string(timestmp),".");
    let timestmp = concat(to_string(timestmp),to_string(splt_time[1]));
    let timestmp = concat(to_string(timestmp),"Z");
    
    set_field("facility",to_string(splt_src[0]));
    set_field("site",to_string(splt_msg[1]));
    set_field("level_str",to_string(splt_msg[2]));
    set_field("process",to_string(splt_msg[3]));
    set_field("message",to_string(splt_msg[4]));
    set_field("msg_timestamp",to_string(timestmp));
end

From what I can tell log4net is shipping the messages with windows style line breaks.

jochen · October 20, 2017, 1:25pm

Syslog is a line-based protocol, so of course the message ends with the line break (no matter if LF or CRLF).

The error message is correct because there is no second match (splt_msg[1]). The message simply ends after the first line break.

If you want to use multi-line messages, consider deploying one of the GELF appenders for Log4Net from the Graylog Marketplace: https://marketplace.graylog.org/addons?tag=log4net

system · November 3, 2017, 1:25pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to whole file towards graylog , its posible? Graylog Central (peer support)	7	431	December 23, 2020
Multiline log messages Graylog Central (peer support)	1	2860	June 16, 2017
Shipping multiline logs to Graylog Graylog Central (peer support)	4	507	September 14, 2022
Graylog stream multiline logs Graylog Central (peer support) sidecar , nxlog , multi-linenx	1	940	November 5, 2020
Multiline logs in Graylog Graylog Central (peer support)	1	634	December 22, 2020

Multiline from log4net truncating

Related topics