We have a logging flow where our java application fills an MDC which is transferred via log4j2 to syslog to a central rsyslog installation. Here we make extensive use of MDC. Our setup is thus:
<Syslog name="syslog" format="RFC5424" host="localhost" port="514" protocol="UDP"
appName="messaging_platform.${application}" mdcId="mdc" includeMDC="true" facility="LOCAL5" connectTimeoutMillis="100" ignoreExceptions="false">
<LoggerFields>
<KeyValuePair key="class" value="%c"/>
<KeyValuePair key="classname" value="%c{1}"/>
<KeyValuePair key="exception" value="%ex{full}"/>
<KeyValuePair key="method" value="%method"/>
<KeyValuePair key="line" value="%line"/>
<KeyValuePair key="application_name" value="${application}"/>
<KeyValuePair key="sequenceNumber" value="%sequenceNumber"/>
<KeyValuePair key="application_version" value="${application.version}"/>
<KeyValuePair key="marker" value="%marker"/>
<KeyValuePair key="thread" value="%thread"/>
<KeyValuePair key="system_nano_time" value="%nano"/>
<KeyValuePair key="app_uptime" value="%relative"/>
</LoggerFields>
</Syslog>
I'm trying to convert this to use graylog and it seems GELF is the recommended transport protocol for that. I've found multiple libraries to do this and started with the build-in GelfLayout of log4j2. But that does not support LoggerFields.
So what's the recommended way to get these fields into Graylog? If I do
<Socket name="Graylog" protocol="udp" host="localhost" port="12201">
<GelfLayout host="localhost" compressionType="GZIP" compressionThreshold="1024">
<KeyValuePair key="class" value="%c"/>
<KeyValuePair key="classname" value="%c{1}"/>
<KeyValuePair key="exception" value="%ex{full}"/>
<KeyValuePair key="method" value="%method"/>
<KeyValuePair key="line" value="%line"/>
<KeyValuePair key="application_name" value="${application}"/>
<KeyValuePair key="sequenceNumber" value="%sequenceNumber"/>
<KeyValuePair key="application_version" value="${application.version}"/>
<KeyValuePair key="marker" value="%marker"/>
<KeyValuePair key="thread" value="%thread"/>
<KeyValuePair key="system_nano_time" value="%nano"/>
<KeyValuePair key="app_uptime" value="%relative"/>
</GelfLayout>
</Socket>
I get a bunch of fields in Graylog but the values are not expanded.
I found a solution with logstash-gelf:
<Gelf name="gelf" host="udp:localhost" port="12201" version="1.1" extractStackTrace="true"
filterStackTrace="true" mdcProfiling="true" includeFullMdc="true" maximumMessageSize="8192"
originHost="%host{fqdn}">
<Field name="class" pattern="%c"/>
<Field name="classname" pattern="%c{1}"/>
<Field name="exception" pattern="%ex{full}"/>
<Field name="method" pattern="%method"/>
<Field name="line" pattern="%line"/>
<Field name="application_name" pattern="${application}"/>
<Field name="sequenceNumber" pattern="%sequenceNumber"/>
<Field name="application_version" pattern="${application.version}"/>
<Field name="marker" pattern="%marker"/>
<Field name="thread" pattern="%thread"/>
<Field name="system_nano_time" pattern="%nano"/>
<Field name="app_uptime" pattern="%relative"/>
<Field name="severity" pattern="%level{WARN=Warning, DEBUG=Debug, ERROR=Error, TRACE=Trace, INFO=Info}"/>
</Gelf>