
Multiline logging failed to take effect

Open jkqjkq opened this issue 5 years ago • 3 comments

Judging from the left side of the picture, these log messages are not sent together; they are sent line by line.

Configuration information:

docker run -d --name="logspout" --volume=/var/run/docker.sock:/var/run/docker.sock \
--volume=/etc/hostname:/etc/host_hostname:ro -p 8000:80 \
-e MULTILINE_PATTERN='^\[\d{4}-\d{2}-\d{2}' \
-e LOGSPOUT=ignore  \
-e MULTILINE_MATCH=first \
gliderlabs/logspout \
multiline+syslog+tcp://172.17.0.1:5000

Aug 27 '20 11:08 jkqjkq

With "tcp", there is a problem; after removing it and using the default "udp", there is no problem.

Aug 28 '20 00:08 jkqjkq

Same problem with TLS.

Mar 18 '21 14:03 lukasa1993

Resuscitating this issue for whoever comes here searching for a solution to this very problem: thoroughly search for non-printable characters in your logs. In my case, the docker containers emitting the logs were prepending an ANSI color at the beginning of each line, followed by a date. So after a lot of trial and error I came up with this for my specific case:

      - MULTILINE_MATCH=first
      - MULTILINE_PATTERN=^(.\[2m)(\d{4}-\d{2}-\d{2})

.\[2m is the "color" in my case; it could be different for you. Try to capture the raw log from the original docker container to catch these hidden chars.

A more general regex to detect ANSI color is:

\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mK]

(It is also useful to remove them with a mutate => gsub in Logstash.)
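Added example, not part of the thread and not logspout's own code: a simplified Go model of "first" matching that shows how a hidden ANSI prefix keeps a date-anchored start pattern from ever matching, and how quoting the raw line exposes it. The sample lines and the names `Reveal` and `Group` are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Constructed sample: a stack trace whose timestamped lines carry a dim-color prefix.
var sample = []string{
	"\x1b[2m2020-08-27 11:08:01\x1b[0m ERROR boom",
	"java.lang.IllegalStateException: boom",
	"\tat com.example.Main.run(Main.java:10)",
	"\x1b[2m2020-08-27 11:08:02\x1b[0m INFO recovered",
}

// ansi matches ANSI color/erase sequences: ESC [ optional params, then m or K.
var ansi = regexp.MustCompile(`\x1b\[([0-9]{1,2}(;[0-9]{1,2})?)?[mK]`)

// Reveal quotes a line so that escape bytes become visible as \x1b.
func Reveal(line string) string { return strconv.Quote(line) }

// Group models "first" matching: a line matching start opens a new event,
// any other line is appended to the current one. strip removes ANSI first.
func Group(lines []string, start *regexp.Regexp, strip bool) []string {
	var events []string
	for _, l := range lines {
		if strip {
			l = ansi.ReplaceAllString(l, "")
		}
		if len(events) == 0 || start.MatchString(l) {
			events = append(events, l)
		} else {
			events[len(events)-1] += "\n" + l
		}
	}
	return events
}

func main() {
	date := regexp.MustCompile(`^\d{4}-\d{2}-\d{2}`)
	prefixed := regexp.MustCompile(`^(.\[2m)(\d{4}-\d{2}-\d{2})`)
	fmt.Println(Reveal(sample[0]))                   // escape bytes shown as \x1b
	fmt.Println(len(Group(sample, date, false)))     // hidden prefix: pattern never matches
	fmt.Println(len(Group(sample, prefixed, false))) // pattern accounts for the prefix
	fmt.Println(len(Group(sample, date, true)))      // ANSI stripped before matching
}
```
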