The Grok extractor currently only supports single-line matches, which makes it hard to match log messages containing stack traces or other multiline content.
Logstash's implementation of Grok supports multiline matches by using the (?m) modifier in the pattern, but Graylog's Grok implementation doesn't.
+1
+1
This also affects the pipeline grok function.
I use a different modifier, (?s), in my pipeline functions to handle multi-line messages. It works well on 2.1.2.
That works perfectly, thanks @Nemchin!
(?s) does not seem to work in the extractors.
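An added illustration (not code from Graylog or this thread) of why the modifier matters: Graylog's Grok runs on Java regex, where (?s) makes `.` match newlines while (?m) only changes `^`/`$` anchoring, and Python's `re` has the same semantics, so a minimal Grok-to-regex expander here (constructed, with only three base patterns) shows what a GREEDYDATA capture returns with and without each modifier on a constructed stack-trace message.

```python
import re

# Minimal stand-in for a few Grok base patterns (constructed here,
# not the full Graylog/Logstash pattern library).
GROK_PATTERNS = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)",
    "GREEDYDATA": r".*",  # dot does not cross a newline unless (?s) is set
}

def grok_to_regex(grok_pattern):
    """Expand %{NAME:field} references into a named-group regex."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{GROK_PATTERNS[name]})"
    return re.sub(r"%\{(\w+):(\w+)\}", repl, grok_pattern)

def grok_match(grok_pattern, text, modifier=""):
    """Apply a Grok pattern, optionally prefixed with an inline modifier
    written exactly as it would appear in the pattern string:
    (?s) = dot matches newline, (?m) = ^ and $ match at line breaks."""
    regex = re.compile(modifier + grok_to_regex(grok_pattern))
    m = regex.match(text)
    return m.groupdict() if m else None

# Constructed sample: a Java exception already merged into one
# multi-line message (as a multiline-aware input would deliver it).
STACK_TRACE = (
    "2023-05-01 12:00:00 ERROR Request failed\n"
    "java.lang.NullPointerException: null\n"
    "\tat com.example.Handler.handle(Handler.java:42)\n"
)
PATTERN = "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:msg}"

if __name__ == "__main__":
    for mod in ("", "(?m)", "(?s)"):
        fields = grok_match(PATTERN, STACK_TRACE, mod)
        print(f"modifier {mod or '(none)'}: msg={fields['msg']!r}")
```

Only the (?s) run captures the whole trace in `msg`; the plain and (?m) runs stop at the first line break.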
There does not seem to be a lot of momentum to close this, which I find curious. May I know an estimation of when this will be fixed?
I would have assumed that any enterprise using Java will run into this. Or is it a better practice to use the pipelines?
@EvertMDC There are GELF appenders for virtually every Java logging framework which can be used to send log messages including multiline stack traces directly to Graylog, so there's no need to read these messages line-by-line from a file and merge them again at a later point.
Hello @joschi
True, that makes sense. However, all the output of all my containers goes to stdout, which docker sends to syslog, which is then read by filebeat. It would be weird to adapt my applications just to send the stack traces through GELF when everything else is working.
I like the filebeat way of working because of the buffer it uses and the fact that the application does not have to care about it.
It is also best practice in the Twelve-Factor App:
A twelve-factor app never concerns itself with routing or storage of its output stream. It should not attempt to write to or manage logfiles. Instead, each running process writes its event stream, unbuffered, to stdout.
+1
I agree with @EvertMDC, this should definitely not be the concern of the application.
It'd be nice to have GELF supporting this natively.
Any news on when this will be fixed?
It's pretty annoying to work with filebeat inputs without the ability to use the extractor properly.
Same problem as above. Is there any workaround for the Grok extractor or the only solution right now is to use pipelines for the extraction?
Hi all, I want to extract fields from modsecurity audit log, which is multiline log with sections A,B,..Z. I can merge multiline messages of a single event using multiline feature in Graylog input.
How can I extract fields of all sections of a single event of a modsecurity log?
@afaqbabar your issue looks more like a problem on ingest. You need to ingest the multi-line message as one.
This issue is about the ability to match multiline messages with one GROK pattern not to merge them together!
@afaqbabar please use the community that will help you with your request.
+1
+1
+1
+1
+1
+1
+1
+1
Dear Graylog Team,
I can confirm that this is working in a pipeline rule.
I use a different modifier, (?s), in my pipeline functions to handle multi-line messages. It works well on 2.1.2.
I did not test in extractors.
If we could find a clear way to address this topic.
Thx