AWS cloudwatch logs not extracting timestamp from compact json format

2
votes

I am using AWS cloudwatch logs and configured my application to write the logs in compact json format with sink being rolling file. Below is the sample log from application.

{"@t":"2017-12-21T10:00:51.5955080Z","@mt":"Error {@args}","@l":"Error","args":["args","31"]}

Now the issue i am facing here with cloud watch logs is that its not picking up the timestamp from this compact json formatted logs because AWS cloudwatch logs expect first parameter to be timestamp followed by space and then followed by message.So above log needs to be in below format to be picked up by AWS cloud watch logs

2017-12-21T10:00:51.5955080Z {"@mt":"Error {@args}","@l":"Error","args":["args","31"]}

So to make my compact json logs to be processed by AWS cloudwatch logs, i need to extract the timestamp explicitly and put it before each logs ? Or does AWS doesn't provide the compact json formatted logs ? or any other workaround on this please

I have searched around this but could not get any useful info. Thanks a lot in advance.

1
amazon-cloudwatchamazon-cloudwatchlogs
Hi, we're facing the same issue, did you get some answer? Thanks!Nacho Coll
@NachoColl, unfortunately not. I am sorry but still I dont have answer for this.Parashuram
Hi, any updates on this one? I am facing the same issue :-(Bashir
@Bashir Unfortunately not :(Parashuram
Hi @Parashuram, did you sort out this issue at all?His

1 Answers

0
votes

If we can change JSON we can make it working. This is not solution for original question. I post it in the hope that it might help.

Here is the log line. Most important thing here is space after time and before "request”.

{"time":"11/Jan/2021:17:26:03 +0100", "request_addr":"78.82.196.176","request_length":"920","request_method":"POST","request_host":"aaa.elb.amazonaws.com","request_url":"http://aaa.elb.amazonaws.com/admin/netCallback.php","geoip_country_code":"SE","response_status": "200","response_sent":"257","response_time":"0.651","upstream_response_time":"0.652","upstream_connect_time":"0.000","http_referrer":"http://aaa.elb.amazonaws.com/admin/index.php","http_user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"}

In this case date time format would be the following.

datetime_format = {"time":"%d/%b/%Y:%H:%M:%S %z",