
Ingesting AWS PostgreSQL logs into Google SecOps SIEM

  • May 5, 2025
  • 2 replies
  • 29 views

NotMarcus

Hi,

I have been running into an issue when I attempt to get my PostgreSQL logs from my AWS CloudWatch into my Google SecOps SIEM. I am able to successfully set up the ingestion feed; however, the logs appear to be getting broken up by the SQL query if it happens to contain a new line or tab in the log.

Has anyone else run into this issue, and what was your workaround for it? Thanks for the help in advance.

2 replies

a_aleinikov
  • Bronze 1
  • May 6, 2025

Hi @NotMarcus ,

Yes — this is a common issue when ingesting multiline logs like SQL into SIEM tools.

A typical workaround:
- In AWS CloudWatch, enable embedded metric formatting or set up a CloudWatch subscription filter that flattens multiline logs into single-line events.
- Alternatively, preprocess logs (for example, using a Lambda or Logstash) to replace newlines or tabs with spaces or markers before forwarding to SecOps SIEM.
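As an added example (not part of a_aleinikov's reply or anything from the SecOps or AWS projects), here is the shape of the second workaround as a Python Lambda handler: it decodes the base64+gzip event a CloudWatch Logs subscription filter delivers, rewrites every message so embedded newlines and tabs become a single space (or a visible marker), and serialises the result as one line per event. The handler name, log group, account id and sample PostgreSQL log lines are constructed, and delivery of the batch to the SecOps feed (for example writing it to the S3 bucket the feed reads) is an assumption left out of the code.

```python
import base64
import gzip
import json
import re

# Any run of newlines, carriage returns or tabs inside one CloudWatch message.
_LINE_BREAKS = re.compile(r"[\r\n\t]+")


def flatten_message(message: str, marker: str = " ") -> str:
    """Collapse the line breaks inside one PostgreSQL log record so the SIEM
    sees a single-line event. marker=" " keeps the SQL readable; a visible
    marker such as "\\n" preserves the original layout for later analysis.
    A lambda is used as the replacement so the marker is inserted literally
    (re.sub would otherwise interpret backslash escapes in it)."""
    return _LINE_BREAKS.sub(lambda _: marker, message).strip()


def decode_subscription_event(event: dict) -> dict:
    """Unpack the base64 + gzip payload CloudWatch Logs hands to a subscription target."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw).decode("utf-8"))


def flatten_log_events(event: dict, marker: str = " ") -> list:
    """Return one flat record per log event; control messages yield nothing."""
    payload = decode_subscription_event(event)
    if payload.get("messageType") != "DATA_MESSAGE":
        return []  # CONTROL_MESSAGE is only a subscription heartbeat
    return [
        {
            "logGroup": payload["logGroup"],
            "logStream": payload["logStream"],
            "timestamp": rec["timestamp"],
            "message": flatten_message(rec["message"], marker),
        }
        for rec in payload["logEvents"]
    ]


def build_batch(records: list) -> str:
    """Serialise records as newline-delimited JSON: exactly one line per event,
    which is what keeps the SecOps parser from splitting a statement."""
    return "".join(json.dumps(r, separators=(",", ":")) + "\n" for r in records)


def handler(event, context=None):
    """Lambda entry point (hypothetical name). Shipping `body` to the SecOps
    feed is an assumption and is not implemented here."""
    batch = build_batch(flatten_log_events(event))
    return {"events": batch.count("\n"), "body": batch}


def make_sample_event(messages, message_type="DATA_MESSAGE"):
    """Build a constructed CloudWatch subscription event for offline testing."""
    payload = {
        "messageType": message_type,
        "owner": "123456789012",  # constructed account id
        "logGroup": "/aws/rds/instance/example-pg/postgresql",  # constructed
        "logStream": "example-pg.0",  # constructed
        "subscriptionFilters": ["pg-to-secops"],  # constructed filter name
        "logEvents": [
            {"id": str(i), "timestamp": 1746446400000 + i, "message": m}
            for i, m in enumerate(messages)
        ],
    }
    gz = gzip.compress(json.dumps(payload).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(gz).decode("ascii")}}


# Constructed sample records in the RDS PostgreSQL log format; the first one
# carries the multi-line, tab-indented statement that breaks the feed.
SAMPLE_MESSAGES = [
    "2025-05-05 12:00:00 UTC:10.0.0.5(51234):app@appdb:[12345]:LOG:  statement: "
    "SELECT id,\n\temail\nFROM users\nWHERE id = 42;",
    "2025-05-05 12:00:01 UTC:10.0.0.5(51234):app@appdb:[12345]:LOG:  duration: 1.234 ms",
]

if __name__ == "__main__":
    for rec in flatten_log_events(make_sample_event(SAMPLE_MESSAGES)):
        print(rec["message"])
```

Run stand-alone, it prints the two sample records with the statement collapsed onto one line. Choosing a visible marker instead of a space keeps the original line structure recoverable in the SIEM, which matters when the statement text itself is what an analyst later needs to read.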


NotMarcus
  • Author
  • New Member
  • May 6, 2025

Do you have any example template on how this is set up on AWS?