I've been sending our application logs via UDP wrapped in a JSON format, so the log looks something like this
{
"key1" : "value1",
"key2" : "value2",
"message" : "2017-03-02 INFO com.company.app Hello world!"
}
and my Logstash input filter looks like tis
input {
udp {
port => 1234
codec => json
}
}
However Logstash gives me _jsonparsefailure when the message contains a long stack dump or an XML file. (See Help with _jsonparsefailure)
So I want to try sending my logs in a non-JSON format, and I have two questions.
Question 1:
Should I send them like this, i.e., single line
key1: value1 key2: value2 message: 2017-03-02 INFO com.company.app Hello world!
...or should I send them like this, that is, multi-lines
key1: value1 key2: value2 message: 2017-03-02 INFO com.company.app Hello world!
Question 2:
In either case, how should my input filter look like so I can separate logs from each other?
This is the main reason I wrapped the logs in JSON in the first place since they were naturally separated.
I hope that makes sense. Thanks!