Question

Multi line parser for Java applications.

  • 6 August 2021
  • 3 replies
  • 278 views

Hi.

We are trying to push multi-line logs to Logpoint, for example a stack trace.

They are created by Java applications like Jboss, Tomcat and few more. Where we have some debug information in logs such as content of XML messages processes by the system etc.

When such logs are displayed in Logpoint, we need to preserve the line breaks along with indentation to make them readable by a human.

Can you please show a complete recipe on how to achieve that?

I saw this topic
https://community.logpoint.com/normalization-parsing-43/multi-line-parser-147
and understood that there are some pre-compiled normalizers which can be used, can you please explain how they gonna work and how exactly we need to:
 1.  send logs to Logpoint
 2. process logs in logpoint

In order to be able to present properly formatted (line breaks and indentation)  logs for users who will look for the logs ?

 

Thanks


3 replies

Userlevel 4
Badge +7

LogPoint Normalisers are largely provided for specific devices and applications. Depending on the device’s log format, the normalisers are either standard or compiled normalisers - compiled normalisers offer better performance than standard normalisers for high-volume log sources and can support more complex formats.

In addition, there are some normalisers for generic data formats - namely JSON, XML, CEF and LEEF. That usually means that we can ingest key/value pairs, but as the key names are provided by the log format itself, they wouldn’t follow the LogPoint taxonomy. Therefore, for specific devices we might have specific XML, CEF etc. normalisers too.

I’m not sure where a stack trace would fit with LogPoint however. LogPoint is tailored towards structured data analysis, i.e. aggregations and correlations of data. Not sure what the use case would be for a stack trace.

For any log ingestion there are two steps:

  1. Receive/Retrieve the log somehow
  2. Normalise the log

For step a), there are fetchers and collectors. The most common way of getting logs into LogPoint are either receiving Syslog message, or collecting files - the latter through the LogPoint agent, SCP, FTP, CIFS etc.

For step b), you would apply a normalisation policy, selecting the correct normaliser.

Hi,


Thanks,


well, we are planning to use logpoint as a log management system and ship logs from our servers and applications there so they are stored in a secure manner and can be searched and analysed (automatically via reports or manually by support personnel).
The typical Jboss log would look like this:
-------
2021-06-18 13:01:39,064 INFO  [Owasp.CsrfGuard] CsrfGuard analyzing request /xxxx/CSI.ajax
2021-06-18 13:01:39,081 INFO  [se.marakanda.mutil.persistence.hibernate.SessionUtil] HibernateSessionFactory closed a hibernate session. ThreadID: 184
2021-06-18 13:01:39,081 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/].[AjaxServlet]] Servlet.service() for servlet AjaxServlet threw exception
java.lang.RuntimeException: Unknown exception caught in com.ebuilder.xxxx.business.admin.AdminDelegate
        at se.marakanda.mutil.business.BaseDelegate.handleError(BaseDelegate.java:177)
        xxxxxxxxxxx
        at java.lang.Thread.run(Thread.java:662)
Caused by: java.lang.NullPointerException
        at se.marakanda.mutil.access.ValidationHelper.handleError(ValidationHelper.java:156)
        xxxxxxxxxxxxx        at com.ebuilder.xxxx.business.admin.AdminDelegate.getSubscriptions(AdminDelegate.java:1035)
        ... 39 more
2021-06-18 13:01:41,902 INFO  [se.marakanda.jboss.LoginContextValve] Charactor encoding does not set
2021-06-18 13:01:41,902 INFO  [Owasp.CsrfGuard] CsrfGuard analyzing request /logout.do
2021-06-18 13:01:41,903 INFO  [STDOUT] logout: xxx - 641592
2021-06-18 13:01:41,963 INFO  [se.marakanda.jboss.LoginContextValve] Charactor encoding does not set
----------------
Logs from Tomcat are similar 
----------------
25-May-2021 02:01:14.057 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
25-May-2021 02:01:14.061 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 8073 ms
26-May-2021 00:00:12.315 INFO [http-nio-8080-exec-10] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
 java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
        at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:463)
        xxxxxxxxxxxxx
        at java.lang.Thread.run(Thread.java:748)
26-May-2021 00:00:16.299 INFO [http-nio-8080-exec-3] org.apache.tomcat.util.http.parser.Cookie.logInvalidHeader A cookie header was received [key="key" type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[xxxxxxxxxxxxx] that contained an invalid cookie. That cookie will be ignored.Note: further occurrences of this error will be logged at DEBUG level.
26-May-2021 00:00:40.340 INFO [http-nio-8080-exec-9] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
--------------
I can send these logs to Logpoint via NXLog and preserve all the line breaks and indentations.
But logpoint either will strip out all the line breaks or will split the multiline mesage into multiple individual log records (one line will be an individual log records).

I would want to be able to see the ERROR mesage from Jboss and  the Exception message from Tomcat as one message in Logpoint with preserved line breaks and indentations,

I want to see them "as is", in the same format as I sent them. The logs need to be readable.
Is it doable?

How?
Are the plans to support multiline logs "out of the box" in logpoint ?

Hi @24Solutions Support,

having the exact same requirement (using lp for log management) and java exceptions in the logs, I wonder if you eventually found a way of resolving this. As syslog runs line-based, one idea would be to change the tomcat/jboss logging to support this. 

I had asked ChatGPT for its input and it came up with following suggestion (I did not validate so far), which takes me to the next question, ie. if the normalizer package “LP_Apache Tomcat” would still work or if we would need to define custom normalization packages.

 

Yes, it is possible to configure the logging of a Tomcat server to output logs in a single line, including stack traces for exceptions, so that they can be shipped to a central log management server via syslog.

To do this, you would need to configure the logging properties of Tomcat. Specifically, you would need to set the org.apache.catalina.util.LifecycleBase logger to output logs in a single line, and then configure syslog to capture these logs and send them to your central log management server.

Here's an example of how you might configure Tomcat's logging properties:

  1. Open the logging.properties file in the conf directory of your Tomcat installation.

  2. Add the following line to the file:

    code

    org.apache.catalina.util.LifecycleBase.level = INFO org.apache.catalina.util.LifecycleBase.handlers = org.apache.juli.SyslogHandler org.apache.catalina.util.LifecycleBase.useParentHandlers = false org.apache.juli.SyslogHandler.level = ALL org.apache.juli.SyslogHandler.facility = LOCAL0 org.apache.juli.SyslogHandler.ident = tomcat org.apache.juli.SyslogHandler.useFormat = true org.apache.juli.SyslogHandler.useLogMsgFormat = true org.apache.juli.SyslogHandler.logMsgFormat = %msg% %n% %throwable{short} org.apache.juli.SyslogHandler.encoding = UTF-8

    This configures the org.apache.catalina.util.LifecycleBase logger to output logs in a single line, including stack traces for exceptions. It also configures the logger to use the SyslogHandler for output, and sets the handler's format and encoding.

  3. Save the logging.properties file and restart Tomcat.

Once Tomcat is running with this configuration, its logs should be output in a single line with stack traces for exceptions, and syslog should be capturing these logs and sending them to your central log management server.

 

Kind regards,

Peter

Reply