logback logstash encoder Syslog header not set

Question

I'm trying to log Java logs to Syslog in JSON format but I've found a strange issue where the Syslog header is not being set as expected.

I'm testing this on a Mac and using wireshark to grab the packets as they get sent to the UDP 514 port (via loopback interface)

My logback.xml is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <conversionRule conversionWord="syslogStart" converterClass="ch.qos.logback.classic.pattern.SyslogStartConverter"/>

  <appender name="stash" class="net.logstash.logback.appender.LogstashSocketAppender">
    <host>localhost</host>
    <port>514</port>
    <prefix class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
      <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%syslogStart{LOCAL5}</pattern>
      </layout>
    </prefix>
  </appender>

  <root level="INFO">
    <appender-ref ref="stash"/>
  </root>
</configuration>

and when I look at the output of wireshark I only see the JSON being logged (no PRI header field given)

 [truncated]Syslog message: (unknown): {"@timestamp":"2016-03-22T12:13:37.270+11:00","@version":1,"message":"Started App in 4.327 seconds (JVM running for 4.92)","logger_name":"au.com.xxx.App","threa

If I switch to the standard logback Syslog appender (non JSON output)

...
  <appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
    <syslogHost>127.0.0.1</syslogHost>
    <Facility>LOCAL5</Facility>
    <SuffixPattern>%-5level MyApp %logger %msg</SuffixPattern>
  </appender>
...

I do see the correct header facility raw value <174> and parsed values LOCAL5.INFO in the wireshark packets

 Syslog message: LOCAL5.INFO: Mar 22 12:31:03 sbmelmac-06390.local INFO  App au.com.App Started App in 11.292 seconds (JVM running for 29.336)

The syslog header is required (in the syslog conf) to route the log messages to the correct files so without this I can't filter out log entries based on facility filters.

I'm using SpringBoot (1.2.7), (which uses logback 1.1.3), apache camel (2.16.1) and logstash-logback-encoder (4.6)

When I run in debug it looks like the SyslogStartConverter.convert method is never invoked.

Cheers Roy

Answer 1

After a lot of head scratching it looks like it's an issue with the wrapping LayoutWrappingEncoder part of the example.

When I use the latest SpringBoot version a logback configuration exception stops the app from starting up (previous versions did not stop the app from starting even though the exception was being raised).

Application startup failed
java.lang.IllegalStateException: Logback configuration error detected: 
ERROR in ch.qos.logback.core.joran.util.PropertySetter@10d307f1 - A "ch.qos.logback.core.encoder.LayoutWrappingEncoder" object is not assignable to a "ch.qos.logback.core.Layout" variable.
ERROR in ch.qos.logback.core.joran.util.PropertySetter@10d307f1 - The class "ch.qos.logback.core.Layout" was loaded by 
ERROR in ch.qos.logback.core.joran.util.PropertySetter@10d307f1 - [sun.misc.Launcher$AppClassLoader@73d16e93] whereas object of type 
ERROR in ch.qos.logback.core.joran.util.PropertySetter@10d307f1 - "ch.qos.logback.core.encoder.LayoutWrappingEncoder" was loaded by [sun.misc.Launcher$AppClassLoader@73d16e93].

so if I remove the wrapping LayoutWrappingEncoder and use a Pattern implementation in the prefix, the code works and I see the correct Facility details in the syslog headers.

 <conversionRule conversionWord="syslogStart" converterClass="ch.qos.logback.classic.pattern.SyslogStartConverter"/>
 <appender name="JSON_SYSLOG" class="net.logstash.logback.appender.LogstashSocketAppender">
    <host>127.0.0.1</host>
    <port>514</port>
    <prefix class="ch.qos.logback.classic.PatternLayout">
       <pattern>%syslogStart{LOCAL5}</pattern>
    </prefix>
  </appender>

and the resulting wireshark packets have the Facility information (LOCAL5.INFO|ERROR)

 [truncated]Syslog message: LOCAL5.INFO: Mar 22 14:12:18 sbmelmac-06390.local {"@timestamp":"2016-03-22T14:12:18.494+11:00","@version":1,"message":"Started App in 4.597 seconds (JVM running for 5.18)","logger":"au.com.myapp.