We're trying to migrate our Java applications from from the current Elastic Beanstalk JDK 8 platforms to the new ones running Corretto 11 on Amazon Linux 2. The app works well, but the way logs are handled changed. The output from the web process is now stored in /var/log/web.stdout.log and every line is prefixed with the timestamp and process name, ie:
May 20 17:00:00 ip-10-48-41-129 web: {"timestamp":"2020-05-20T17:00:00.035Z","message":"...","logger":"...","thread":"MessageBroker-2","level":"INFO"}
How can we get rid of the prefix? These logs are streamed into CloudWatch and we're outputting them to stdout in JSON so that we can later query them with Logs Insights. But with the prefix, Insights doesn't "see" the JSON and just treats the whole line as a text blob.
I cannot find any documentation for that on AWS. Almost all of Elastic Beanstalk's documentation refers to the first version of Amazon Linux.
Best Answer
I found a solution that works well enough, so I'll post it here for posterity. If someone can suggest a better one, please do.
Elastic Beanstalk on Amazon Linux 2 relies on
rsyslogfor log processing and output. There's a file at/opt/elasticbeanstalk/config/private/rsyslog.confthat during deployment gets copied over to/etc/rsyslog.d/web.confand it's the one that's directing all output from thewebapplication to/var/log/web.stdout.log.The file doesn't include any custom template. It relies on
rsyslog's default template, which prefixes any%msg%with a timestamp and$programname(which iswebin this case).I tried replacing this file via an
.ebextensionsconfig, but that didn't work, because Elastic Beanstalk seems to be overwriting this file after.ebextensionsrun. So I added an additional platform hook that deletes the file, keeping the custom one I added.Here's the
.ebextensions/logs.configfile:and
.platform/hooks/predeploy/remove-default-rsyslog-conf.sh(make sure youchmod +xthis one):