IBM Cloud Docs
Customizing the 1.6.x Logging agent to support custom multiline parsing for Node.js applications using Winston in non-orchestrated environments

This tutorial demonstrates how to configure multiline log handling in the IBM® Cloud Logs Logging agent for a Node.js application that uses the Winston logging library with a custom format. The configuration applies to non-orchestrated environments, for example, Linux and Windows, and is made by modifying the agent's configuration files. It ensures that stack traces and other multiline logs are grouped correctly in IBM Cloud Logs.

This tutorial requires the IBM Cloud Logs Logging agent 1.6.2 or later.

Before you begin

Before you begin using this tutorial, review the following information to understand Logging agent and multiline concepts.

This tutorial also assumes you have:

  • An IBM Cloud Logs instance provisioned and configured.

  • The Logging agent deployed in a non-orchestrated environment.

The configuration files in this tutorial can be found where the package files were downloaded when you installed the Logging agent.

Sample Winston configuration

Let's assume your Node.js application uses Winston and logs to the console in the following format:

const winston = require('winston');

const logger = winston.createLogger({
  level: 'info',
  format: winston.format.combine(
    winston.format.timestamp({
      format: 'ddd MMM DD YYYY HH:mm:ss.SSS'
    }),
    winston.format.errors({ stack: true }),
    winston.format.printf(({ timestamp, level, message, stack }) => {
      const levelUpper = level.toUpperCase();
      const baseLog = `[${timestamp}] ${levelUpper} [Main] - ${message}`;
      if (stack) {
        return `${baseLog}\n${stack}`;
      }
      return baseLog;
    })
  ),
  transports: [
    new winston.transports.Console()
  ]
});

This format produces log entries that start with a timestamp and level, and multiline logs, such as error stack traces, follow on subsequent lines without timestamps.

Winston typically logs all output, including error stack traces, as a single string so a multiline parser is often not required. However, this example demonstrates what to do if your formatter prints multiline logs, and it helps illustrate how to approach multiline parsing for any custom format.

This configuration is provided as an example to show how to handle multiline logs when using custom log formatting. If your application uses a different structure or logging library, use this as a reference to create your own multiline parser accordingly.

Configuring multiline parsing manually by using a configuration file

To properly group logs, define a multiline parser that recognizes the timestamp at the beginning of new log entries and treats subsequent lines as continuations of the previous entries.

Define the multiline parser

Add the following to the parsers.conf file:

[MULTILINE_PARSER]
    Name            multiline-nodejs-winston
    Type            regex
    Flush_timeout   500
    Rule            "start_state"     "/^\\[[A-Z][a-z]{2} [A-Z][a-z]{2} \\d{2} \\d{4} \\d{2}:\\d{2}:\\d{2}\\.\\d{3}\\] .*$/"
    Rule            "cont"            "/^(?!\\[[A-Z][a-z]{2} [A-Z][a-z]{2} \\d{2} \\d{4} \\d{2}:\\d{2}:\\d{2}\\.\\d{3}\\] ).*$/"

This parser assumes logs begin with a timestamp such as [Wed Jul 24 2025 14:52:31.456] .... Stack traces are indented on the following lines and do not match the timestamp regex, so they are grouped with the previous log line.
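The grouping described above can be checked offline before the agent is restarted. The following is an added example, not code from IBM or from Fluent Bit: it transcribes the two rule regexes into JavaScript and runs a simplified model of the start_state/cont behavior over constructed sample lines. The `groupLines` helper and the sample log lines are assumptions made for illustration. The last sample line shows the failure mode to watch for: an entry whose timestamp does not match the expected format is silently merged into the previous record.

```javascript
// Regexes transcribed from the tutorial's two Rule lines (single backslashes,
// because these are JavaScript regex literals rather than config strings).
const START = /^\[[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}\] .*$/;
const CONT = /^(?!\[[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}\] ).*$/;

// Simplified model of the start_state/cont grouping (hypothetical helper,
// not Fluent Bit code): a START match opens a record, CONT matches extend it.
function groupLines(lines) {
  const records = [];
  let current = null;
  for (const line of lines) {
    if (START.test(line)) {
      if (current !== null) records.push(current.join('\n'));
      current = [line];
    } else if (current !== null && CONT.test(line)) {
      current.push(line);
    } else {
      // No open record (output began mid-trace): emit the line on its own.
      records.push(line);
    }
  }
  if (current !== null) records.push(current.join('\n'));
  return records;
}

// Constructed sample output in the tutorial's Winston format.
const SAMPLE = [
  '    at orphaned (/app/old.js:1:1)',
  '[Wed Jul 24 2025 14:52:31.456] INFO [Main] - Server started',
  '[Wed Jul 24 2025 14:52:32.001] ERROR [Main] - Database connection failed',
  'Error: Database connection failed',
  '    at connect (/app/db.js:12:11)',
  '    at main (/app/index.js:5:3)',
  '[Wed Jul 24 2025 14:52:33.120] WARN [Main] - Retrying in 5s',
  // ISO timestamp: not the format the parser expects, so it is not a new record.
  '[2025-07-24T14:52:34.000Z] INFO [Main] - Different timestamp format',
];

const grouped = groupLines(SAMPLE);
grouped.forEach((r, i) => console.log(`--- record ${i + 1} ---\n${r}`));
```

Replace the sample lines with real output from your application to confirm that every entry you expect to stand alone begins a new record.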

Apply the parser with a multiline filter

Add a filter block to the filters.conf file to use the parser:

[FILTER]
    Name                  multiline
    Match                 kube.*
    Multiline.key_content log
    Multiline.parser      multiline-nodejs-winston

Restart the agent

After updating the configuration files, restart the agent.

  • For Linux environments, run:

    systemctl daemon-reload && systemctl restart fluent-bit
    
  • For Windows environments, run:

    sc.exe stop fluent-bit && sc.exe start fluent-bit
    

Verify your multiline logs

Access your IBM Cloud Logs instance and confirm your multiline entries (for example, stack traces) are grouped correctly.

  1. Access your IBM Cloud Logs instance.

  2. Using the Logs view (Explore logs icon), verify that your multiline entries are grouped correctly.

    The grouped log data is included in the log field.