-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Nginx access log was manipulated incorrectly by multi-line concatenation behavior #32111
Comments
@gh123man as the recent implemented by your PR, I would love to hear your thought here :) |
Hi @toan-hf Thanks for the ping!
From looking at the screenshot - I can take a guess: It looks like you may be hitting a case of "mixed format logs" ex: your log file contains both JSON and non JSON logs. The code you linked to is actually designed to fix this problem among others. (however it is disabled at the moment while we test it). Let me know if my assessment is accurate. If you can confirm the agent configuration settings you are using, I can make some suggestions on how to resolve it. |
@gh123man Thanks for your swift response, I can confirm quickly
However, I am fully aware that Nginx logs are allowed to be customized for the This can be an example snippet for the access log
So because of this, I think the error log is under syslog format under JSON (non-JSON) as you said,
In the Datadog WebUI, the default pipeline (standard one) leans to the source we emitted above. I am looking forward to hearing your suggestion here. Thank you very much |
Thanks for confirming the configuration!
No worries! If you do not expect multiline logs from the nginx source, I would suggest disabling auto multiline detection just on this source. You can do this by setting
This sounds reasonable to me. Let me know if my above suggestion works. |
@gh123man thanks for your hint. The key thing that I am trying to understand a bit further here is what exactly the difference between that As far as I can understand, the auto_multi_line_detection on version 7.52.0 was enabled, we set this globally on the Datadog Agent configuration side. In short, auto_multi_line_detection has been applied widely for Nginx Ingress as well as other log sources.
Now when it comes to the new version 7.59.1 if we want to disable that specifically for Ingress Nginx only ,it is fine but still a bit ambiguous about how this feature actually works Appreciate for your insight. |
There should be no difference. The changes for NOTE that this particular behavior is fixed in V2 (which we are working on rolling out). Our goal is to remove this ambiguity around how the feature works. |
Thank you for your explanation @gh123man, we have had a chance to revise the code, and what we figured out is quite similar to what you have explained, As that change introduces a few new patterns that it could match the nginx log format (including JSON access log and ERROR in Syslog format), hence the auto_multi_line_detection was trigged to concatenate many Nginx log lines. My last question here would be awesome if you can clarify is: whether we have any option to disable the log_combination feature individually without disabling the auto_multi_line_detection feature entirely? Thank you very much for your guidance. |
I hope I am understanding correctly: Yes. logs_config:
auto_multi_line_detection: true you may disable it per source with: logs:
- type: file
path: /my/file.log
service: testApp
source: java
auto_multi_line_detection: false (or if in K8s the same way via the pod annotation). This will ensure all sources will still use
I don't have a firm date, but the feature is complete, and we are just waiting to enable it in the config as we do some extra testing on our end. I'd expect it to be fully released in a few agent versions from now (sometime Early 2025). Just a heads up, Ill be away until the new year starting tomorrow so my responses may be delayed. |
Hmm i understand we can disable multiline detection per service/source, but what i am asking is I want to disable the feature log_combination individually as it was apart of multiline_detection feature I guess we don't have that for now Thank you, we can close this case |
Ah - yes sorry I misunderstood. I'll evaluate this and see if it fits into our design as a future feature 👍 |
Agent Environment
agent version 7.59.1
helm version 3.81.0
Describe what happened:
Since we upgraded the Datadog-Agent from 7.52.0 to the latest one 7.59.1, the Nginx access log was manipulated incorrectly by multi-line concatenation behavior
Using agent status, we can quickly identify the log combined is actively working.
I think this issue comes from the recent refactoring that was introduced here
Describe what you expected:
The logline should not be combined like the one above, each line should be separated
Steps to reproduce the issue:
Additional environment details (Operating System, Cloud provider, etc):
AWS EKS 1.29.0
The text was updated successfully, but these errors were encountered: