-
-
Notifications
You must be signed in to change notification settings - Fork 217
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Parsing issue: log_format=json to local file, only multiline json, but single line is the way to go. #357
Comments
The file-based json log was intended to be both human and machine readable, but perhaps that isn't the most useful default. I'll look into adding an option to log in single-line form, one record per line with no enclosing object which I believe is what you are after. BTW, if you log via syslog, the json records will be single-line. |
With syslog I know, but a single line JSON with no syslog at all involved is IMHO the modern way. Regarding the human friendly output: |
Defaulting to a single line per entry is simple enough. However, the json-format log file currently consists of a single object that contains all the log entries. What would be most useful for passing to a SIEM? A separate object per line or the existing practice of a single object where each line represents an entry? I'm guessing that one object per line would be easier to deal with but would like confirmation of that. |
A SIEM needs the whole JSON object ... everything, all the nested goodies etc. even if it means to 1000+ nested items. But it has to be a single line, not multiline. I don't know any SIEM that can parse Multiline JSON. |
@SirStephanikus I'm just trying to understand how you want to use this. Do you want the entire file to be a single line or multiple lines, each with independent JSON objects? I'm hoping you mean the latter. |
A single logfile that can contain 1000+ single line JSONs. I.E. LINE 1: Ultra-Mega complex JSON Object with tons of nested stuff -- related to a single event and one Ulta-Mega complex single line entry. |
Perhaps you send an example and I test if a SIEM parser can parse it? |
The "json_compact" log type logs one event per line in compact/minified JSON format. GitHub issue #357.
Rather than change the behavior of the default json logging, which would harm existing users, I added a "json_compact" format which logs one event per line. Each line is a standalone JSON objection, whereas the "json" logging format uses a single object for the entire file. I may deprecate the multi-line JSON format in the future but I'd like to avoid breaking people's existing configs. |
In a future version, "json" will be an alias for "json_compact" instead. GitHub issue #357.
Configuring sudo with
log_format=json
and storing it to a local file, results in a multiline JSON which can not be directly parsed by a SIEM. Various workarounds must be made.However, it would be way easier if sudo would store its JSON content in single line instead of multiline.
The text was updated successfully, but these errors were encountered: