ppkarwasz commented on issue #3435: URL: https://github.com/apache/logging-log4j2/issues/3435#issuecomment-2646142032
> The term "_structured layout_" here, means to "**key=value**" format. > > When the log message is in **key=value** format, Both Splunk and ELK can recognize the **keys** automatically as a searchable filed. So we can do **filter**, **reporting**, **dashboard** based on the key. We use the term "_structured layout_" for formats that can be **deterministically** deserialized. The simple `key=value` used by `MdcPatternConverter` is not one of them and the way you parse your log files will expose you to log injections: - If a user puts `user login=root` as login, you'll end up with `login=user login=root` in your logs. - If a user puts `u a=a b=b c=c...`, you'll end up with `login=u a=a b=b c=c...` which will cause Splunk/ELK to index all those keys and increase the size of their indexes. If you are looking for a structured layout that resembles the Pattern layout, try the [RFC5424 layout](https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout). The `STRUCTURED-DATA` part of the message is similar to what you are looking for, except keys and values are properly escaped: ``` [mdc@32473 dbschema="abcschema" traceid="1234567" contextid="qwertyu" user="Complex\"entry \\"] ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
