AWS streaming multi-line log files from CloudWatch to ELK
We are streaming app logs from CloudWatch to AWS ELK. Our microservices are written in Java and so I am only concentrating on those. A typical Java exception stack trace when logged looks like this:

```
Exception in thread "main" java.lang.NullPointerException
    at com.example.myproject.Book.getTitle(Book.java:16)
    at com.example.myproject.Author.getBookTitles(Author.java:25)
    at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
```

Normally, this will be ingested line by line in the ELK stack, which breaks the entire message.

Usually, for the entire stack trace to be ingested as a single message, one can configure the multiline plugin either in Logstash or Filebeat.

Any idea how to enable multiline while streaming log files from CloudWatch to ELK by AWS Lambda?
amazon-web-services elastic-stack amazon-cloudwatch amazon-elasticsearch
What is your logging framework, and do you have any options to reconfigure it?
– kdgregory
Nov 10 at 12:13
And how are you writing the logs to CloudWatch? Are you running in Lambda and writing to its logger, or are you running in a container (or on EC2) and using the CloudWatch log agent? If the latter, then your problem is probably that agent, because it breaks the message into multiple lines in the log.
– kdgregory
Nov 10 at 12:14
@kdgregory slf4j with the default config is used. Any suggestions on how to configure it? We run the app in a container and use the CloudWatch log agent. Is it possible to tell the CloudWatch agent not to break the log per line and to combine the lines in case of a stack trace?
– Fedor
Nov 10 at 12:31
asked Nov 9 at 22:13
Fedor
1 Answer
accepted
It turned out to be a known issue with the AWS CloudWatch logger, see RichardBronosky's comment at https://github.com/visionmedia/debug/issues/296

> I did some testing and found that CloudWatch log entries can be made multiline
> by using `\r` as the line delimiter. Using either `\n` (Unix) or `\r\n` (DOS) line
> endings will result in separate entries

So I fixed it by adding the following ExceptionHandler to the Spring Boot RestController:

```java
@ExceptionHandler(Throwable.class)
void handleUnhandledExceptions(Throwable e, HttpServletResponse response) throws IOException {
    // Render the full stack trace into a string
    StringWriter buffer = new StringWriter();
    e.printStackTrace(new PrintWriter(buffer));
    // Use "\r" as the line delimiter so CloudWatch keeps the trace as a single log entry
    log.error(buffer.toString().replace("\n", "\r"));
    response.sendError(HttpStatus.INTERNAL_SERVER_ERROR.value(), e.getMessage());
}
```
edited Nov 10 at 22:55
answered Nov 10 at 21:40
Fedor
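
For the Lambda side of the question, an added example (not code from the post, the linked issue or AWS): Node.js code that decodes the CloudWatch Logs subscription payload and folds stack-trace continuation lines into the event before them, also turning the answer's `\r` delimiter back into `\n` before indexing. The function names, the continuation regex and the sample payload are assumptions constructed for illustration.

```javascript
// Added example; function names and the sample payload are constructed.
const zlib = require('zlib');

// Lines that continue a Java stack trace instead of starting a new record.
const CONTINUATION =
  /^(\s+at\s|\s+\.\.\. \d+ (more|common frames omitted)|Caused by:|\s*Suppressed:)/;

// CloudWatch Logs passes a subscribed Lambda base64-encoded, gzipped JSON.
function decodeAwsLogs(event) {
  const raw = zlib.gunzipSync(Buffer.from(event.awslogs.data, 'base64'));
  return JSON.parse(raw.toString('utf8'));
}

// Fold continuation events into the preceding event and convert "\r"
// delimiters (the answer's workaround) to "\n" for the indexed document.
function mergeStackTraces(logEvents) {
  const merged = [];
  for (const ev of logEvents) {
    const message = ev.message.replace(/\r\n?/g, '\n').replace(/\n+$/, '');
    const last = merged[merged.length - 1];
    if (last && CONTINUATION.test(message)) {
      last.message += '\n' + message; // keep the first line's id and timestamp
    } else {
      merged.push({ id: ev.id, timestamp: ev.timestamp, message });
    }
  }
  return merged;
}

// Constructed payload: one trace split per line, one plain line, one "\r" trace.
function samplePayload() {
  const lines = [
    'Exception in thread "main" java.lang.NullPointerException',
    '\tat com.example.myproject.Book.getTitle(Book.java:16)',
    '\tat com.example.myproject.Author.getBookTitles(Author.java:25)',
    'INFO request handled',
    'java.lang.IllegalStateException: boom\r\tat com.example.myproject.Bootstrap.main(Bootstrap.java:14)\r',
  ];
  const logEvents = lines.map((message, i) => ({ id: String(i), timestamp: 1541800000000 + i, message }));
  const body = { messageType: 'DATA_MESSAGE', logGroup: '/example/app', logStream: 'example', logEvents };
  return { awslogs: { data: zlib.gzipSync(JSON.stringify(body)).toString('base64') } };
}

console.log(mergeStackTraces(decodeAwsLogs(samplePayload()).logEvents));
```

A trace that is split across two subscription batches is not rejoined by this merge; fixing the delimiter at the source, as in the answer, avoids that case.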