quarkiverse / quarkus-logging-json

Quarkus logging extension outputting the logging in json.
Apache License 2.0

Produced ECS log events are invalid #211

Closed MarkusKramer closed 1 year ago

MarkusKramer commented 1 year ago

I'm using quarkus-logging-json version 2.0.0 with the following config in my project:

quarkus.log.json.log-format=ecs

This produces output like:

{"@timestamp":"2022-11-18T11:44:56.862+01:00","log.logger":"io.quarkus","log.level":"INFO","process.thread.name":"Quarkus Main Thread","process.thread.id":89,"host.name":"xxx","message":"Profile dev activated. Live Coding activated.","ecs.version":"1.12.1"}

However, "log.logger" is incorrect. The ECS spec states: The document structure should be nested JSON objects. If you use Beats or Logstash, the nesting of JSON objects is done for you automatically. If you’re ingesting to Elasticsearch using the API, your fields must be nested objects, not strings containing dots.

"logger" should be nested inside a "log" object e.g.:

{"@timestamp":"2022-11-18T11:44:56.862+01:00","log":{"logger":"io.quarkus","level":"INFO"}, ...}

The current notation makes it hard / not possible to process in tools like CloudWatch.

SlyngDK commented 1 year ago

I think you have to read the header in the guide you are referring to, without a link to it. Also look at the bullet after it, talking about why to use dot notation.

MarkusKramer commented 1 year ago

You're right, I've misread the spec. Both ways are allowed. But considering that CloudWatch can't deal with the flattened "log.level" key (CloudWatch docs, escaping doesn't work either) we would really like to use nesting of individual objects.

Does the extension support this? I guess this is a feature request then - and not a bug.

SlyngDK commented 1 year ago

The formatter for ECS will follow the guideline of ECS, which is with dots. But you can just create your own "formatter" by implementing JsonProvider as shown in README.md and disabling default fields using config.

MarkusKramer commented 1 year ago

Okay, implementing a custom logger seems like the way to go. Thanks for the advice.
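
The two representations discussed in this thread, as an added example that is not part of the issue or of the extension's code: a Python post-processing step that expands the dotted ECS keys from the sample output into nested objects, and rejects events where a field would have to be both a scalar and an object instead of silently dropping one. The names `nest_dotted_keys` and `_insert`, and the idea of running such a step between the application and the log sink, are assumptions.

```python
import json

# Flattened ECS event as quoted in the issue (host.name redacted there as "xxx").
SAMPLE = (
    '{"@timestamp":"2022-11-18T11:44:56.862+01:00","log.logger":"io.quarkus",'
    '"log.level":"INFO","process.thread.name":"Quarkus Main Thread",'
    '"process.thread.id":89,"host.name":"xxx",'
    '"message":"Profile dev activated. Live Coding activated.",'
    '"ecs.version":"1.12.1"}'
)


def _insert(node: dict, path: list, value, key: str) -> None:
    """Place value at path inside node, creating intermediate objects."""
    if "" in path:
        raise ValueError(f"empty path segment in key {key!r}")
    if isinstance(value, dict) and value:
        # Already-nested value: walk it so mixed dotted/nested events merge.
        for sub_key, sub_value in value.items():
            _insert(node, path + str(sub_key).split("."), sub_value, f"{key}.{sub_key}")
        return
    for part in path[:-1]:
        child = node.setdefault(part, {})
        if not isinstance(child, dict):
            raise ValueError(f"{key!r} needs {part!r} to be an object, but it is a scalar")
        node = child
    if path[-1] in node:
        # Overwriting here would silently lose a logged field.
        raise ValueError(f"{key!r} collides with an existing field")
    # Copy empty objects so later merges never mutate the caller's event.
    node[path[-1]] = value.copy() if isinstance(value, dict) else value


def nest_dotted_keys(event: dict) -> dict:
    """Return a new dict with dotted keys expanded into nested objects."""
    nested: dict = {}
    for key, value in event.items():
        _insert(nested, key.split("."), value, key)
    return nested


if __name__ == "__main__":
    print(json.dumps(nest_dotted_keys(json.loads(SAMPLE))))
```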