[英]How to disable JSON format and send only the log message to Cloudwatch with Fluentbit?
[英]How to disable JSON format and send only the log message to Sumologic with Fluentbit?
我们在运行 do.net 应用程序的 ECS fargate 集群中使用 Fluentbit 作为 Sidecar 容器,最初我们遇到了 fluentbit 以多行方式发送日志的问题,我们使用 Fluentbit Multilne 功能解决了它。 现在日志以 Multiple 的形式发送到 Sumologic,但是它以 Json 格式发送,而我们只希望 fluentbit 只发送原始日志
日志目前
{
date:1675120653.269619,
container_id:"xvgbertytyuuyuyu",
container_name:"XXXXXXXXXX",
source:"stdout",
log:"2023-01-30 23:17:33.269Z DEBUG [.NET ThreadPool Worker] Connection.ManagedDbConnection - ComponentInstanceEntityAsync - Executing stored proc: dbo.prcGetComponentInstance"
}
我们只想要这条线
2023-01-30 23:17:33.269Z DEBUG [.NET ThreadPool Worker] Connection.ManagedDbConnection - ComponentInstanceEntityAsync - Executing stored proc: dbo.prcGetComponentInstance
您需要修改 Fluent Bit 配置以具有以下过滤器和 output 配置:
fluent.conf
:
## prepare headers for Sumo Logic
[FILTER]
Name record_modifier
Match *
Record headers.content-type text/plain
## Set headers as headers attribute
[FILTER]
Name nest
Match *
Operation nest
Wildcard headers.*
Nest_under headers
Remove_prefix headers.
[OUTPUT]
Name http
...
# use log key as body
body_key $log
# use headers key as headers
headers_key $headers
这样,您将手动制作 HTTP 请求。 这将按日志发送请求,这不是一个好主意。 为了减轻您可以添加以下解析器并使用它(flush_timeout 可能需要调整):
parsers.conf
# merge everything as one big log
[MULTILINE_PARSER]
name multiline-all
type regex
flush_timeout 500
#
# Regex rules for multiline parsing
# ---------------------------------
#
# configuration hints:
#
# - first state always has the name: start_state
# - every field in the rule must be inside double quotes
#
# rules | state name | regex pattern | next state
# ------|---------------|--------------------------------------------
rule "start_state" ".*" "cont"
rule "cont" ".*" "cont"
fluent.conf
:
[INPUT]
name tail
...
multiline.parser multiline-all
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.