Collecting Multi-line Messages
LogLogic® Universal Collector can combine multiple consecutive related lines or multi-lines in a source log file into a single line which will be sent to the LogLogic LMI multi-line message groups might require analysis to determine the correct expression to use if the format is complex. LogLogic® Universal Collector supports Java regular expressions.
Before sending, groups of lines that represent a logical message are converted to a single-line format. All of the original messages' data is kept intact – nothing is altered.
LogLogic® Universal Collector can collect multi-line messages from default application sources or custom ones:
| Log Source | Description |
|---|---|
| Tomcat / Servlet Container | Default log location is CATALINA_BASE/logs. Tomcat and application logs unless configured otherwise. The default format is multi-line, with the first line beginning with a timestamp. It might change due to localization. Logs are rotated daily by default |
| WebLogic Application Server | Default log location is under the server root DOMAIN_NAME/servers/ADMIN_SERVER_NAME/logs/. Each server or cluster maintains a server log and selected events are forwarded to a domain log. Most of the entries are single line, but can contain java exceptions. Each message begins with '####'. There might also be a web access log |
| WebSphere Application Server | Default log location is under the WebSphere directory APPSERVER/profiles/PROFILENAME/logs/SERVERNAME/. There is no default log rotation. There are server start and stop logs (SystemErr.log, SystemOut.log), JVM log files (native_stderr.log, native_stdout.log), and process log files (startServer.log, stopServer.log). All of these logs contain entries describing the system environment that do not have a timestamp. The error logs do not contain any timestamps. Continuation lines are indented |
| JBoss Application Server | Default log location is JBOSS_HOME/server/NAME/log. The boot log records startup events prior to the initialization of the logging service. The server.log file records activity while the server is running. The boot.log file entries begin with a time with no date. The server.log file entries start with a timestamp in the form 'YYYY-MM-DD HH:MI:SS,FFF'. Log messages can be multi-line and the continuation lines are sometimes indented, but frequently not. Messages start with a timestamp. |
| Note: The regex format for these default applications are indicated in <InstallationFolder>\runtime\conf\static\line_combiner.xml file. | |
| Custom multi-line |
Custom regex can be defined for custom multiline logs. You must define - the header regex pattern. - whether you keep orphaned lines, that is, LogLogic® Universal Collector sends messages that do not match the Header Regexp - the timeout after which messages are sent even if the regex is not found again. |