Skip to content

Commit

Permalink
Document the limitation of log message indexing
Browse files Browse the repository at this point in the history
Fixes quarkusio#15370
WIP Update docs/src/main/asciidoc/centralized-log-management.adoc

(cherry picked from commit 3e89e28)
  • Loading branch information
loicmathieu authored and gsmet committed Jun 22, 2021
1 parent 1ff213a commit 42e459c
Showing 1 changed file with 22 additions and 0 deletions.
22 changes: 22 additions & 0 deletions docs/src/main/asciidoc/centralized-log-management.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -404,6 +404,28 @@ quarkus.log.syslog.hostname=quarkus-test

Launch your application, you should see your logs arriving inside EFK: you can use Kibana available at http://localhost:5601/ to access them.

== Elasticsearch indexing consideration

Be careful that, by default, Elasticsearch will automatically map unknown fields (if not disabled in the index settings) by detecting their type.
This can become tricky if you use log parameters (which are included by default), or if you enable MDC inclusion (disabled by default),
as the first log will define the type of the message parameter (or MDC parameter) field inside the index.

Imagine the following case:

[source, java]
----
LOG.info("some {} message {} with {} param", 1, 2, 3);
LOG.info("other {} message {} with {} param", true, true, true);
----

With log message parameters enabled, the first log message sent to Elasticsearch will have a `MessageParam0` parameter with an `int` type;
this will configure the index with a field of type `integer`.
When the second message will arrive to Elasticsearch, it will have a `MessageParam0` parameter with the boolean value `true`, and this will generate an indexing error.

To work around this limitation, you can disable sending log message parameters via `logging-gelf` by configuring `quarkus.log.handler.gelf.include-log-message-parameters=false`,
or you can configure your Elasticsearch index to store those fields as text or keyword, Elasticsearch will then automatically make the translation from int/boolean to a String.

See the following documentation for Graylog (but the same issue exists for the other central logging stacks): link:https://docs.graylog.org/en/3.2/pages/configuration/elasticsearch.html#custom-index-mappings[Custom Index Mappings].

[[configuration-reference]]
== Configuration Reference
Expand Down

0 comments on commit 42e459c

Please sign in to comment.