Hi,
I have been running into an issue when I attempt to get my Postgres SQL logs from my AWS CloudWatch into my Google SecOps SIEM. I am able to successfully set up the ingestion feed, however, the logs appears to be getting broken up by the SQL query if it happens to contain a new line or tab in the log.
Has anyone else run into this issue and what was your workaround for this? That for the help in advance.
Hi @NotMarcus ,
Yes — this is a common issue when ingesting multiline logs like SQL into SIEM tools.
A typical workaround:
- In AWS CloudWatch, enable embedded metric formatting or set up a CloudWatch subscription filter that flattens multiline logs into single-line events.
- Alternatively, preprocess logs (for example, using a Lambda or Logstash) to replace newlines or tabs with spaces or markers before forwarding to SecOps SIEM.
Do you have any example template on how this is set up on AWS?
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.