I'm running an API on a Linux VM as a Compute Instance in the Google Cloud. The API is being run with systemd, and it's logging to syslog. I run the StackDriver logging agent to transfer the logs to StackDriver.
From this API I'm logging Json messages to the standard output. If I read /var/log/syslog (or do systemctl status), I see such messages:
May 9 14:10:25 test-rulesapi-core-473n dotnet-example[4021]: {"customfield": "value"}
What I'd like to achieve is to make this Json payload end up in the jsonPayload field of the log entries to be able to run custom queries. What I tried to do is to modify the StackDriver config so that it ignores the prefix prepended to the log messages (with the date and the name of the app, etc), so that only the raw Json is sent to StackDriver. The config looks like this (the default one is commented out):
# format /^(?<message>(?<time>[^ ]*\s*[^ ]* [^ ]*) .*)$/
format /^(?<time>[^ ]*\s*[^ ]* [^ ]*)[^{]*(?<message>.*)$/
This seems to properly extract only the json part of the message, but my problem is that in the log entries it still ends up in the textPayload field.
For example if I retrieve one specific log entry with gcloud, it looks like this:
$ gcloud logging read "logName=projects/my-project/logs/syslog AND insertId=ajooj1g318gl2l"
---
insertId: ajooj1g318gl2l
labels:
compute.googleapis.com/resource_name: myapi-473n
logName: projects/travix-production/logs/syslog
receiveTimestamp: '2018-05-09T14:00:03.877941542Z'
resource:
labels:
instance_id: '3565608832621021979'
project_id: travix-production
zone: europe-west1-c
type: gce_instance
textPayload: '{"customfield": "value"}'
timestamp: '2018-05-09T14:00:03Z'
How can I get StackDriver to put the Json object into jsonPayload as a proper object to be able to use custom queries?
