Hi,
I have been running into an issue when I attempt to get my PostgreSQL logs from my AWS CloudWatch into my Google SecOps SIEM. I am able to successfully set up the ingestion feed; however, the logs appear to be getting broken up by the SQL query if it happens to contain a new line or tab in the log.
Has anyone else run into this issue, and what was your workaround for this? Thanks for the help in advance.
Hi @NotMarcus ,
Yes — this is a common issue when ingesting multiline logs like SQL into SIEM tools.
A typical workaround:
- In AWS CloudWatch, enable embedded metric formatting or set up a CloudWatch subscription filter that flattens multiline logs into single-line events.
- Alternatively, preprocess logs (for example, using a Lambda or Logstash) to replace newlines or tabs with spaces or markers before forwarding to SecOps SIEM.
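One way to implement the Lambda preprocessing step from the second bullet, as an added example that is not code from this thread, from AWS or from Google: it decodes the gzip+base64 payload that a CloudWatch Logs subscription filter delivers to a Lambda target and collapses the newlines and tabs inside each Postgres log event into single spaces, so each statement reaches the SIEM as one line. The log group, log stream and SQL statement in the sample are constructed, and the forwarding of the flattened records to SecOps is assumed to happen downstream of `lambda_handler`.

```python
import base64
import gzip
import json
import re

# Newlines and tabs that split one Postgres statement across several log lines.
LINE_BREAKS = re.compile(r"[\r\n\t]+")

def flatten_message(message: str, marker: str = " ") -> str:
    """Collapse line breaks and tabs inside one log event into a single line."""
    return LINE_BREAKS.sub(marker, message).strip()

def decode_subscription_event(event: dict) -> dict:
    """Decode the gzip+base64 payload CloudWatch Logs sends to a subscription target."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw))

def flatten_log_events(event: dict, marker: str = " ") -> list:
    """Return one single-line record per CloudWatch log event, keeping its metadata."""
    payload = decode_subscription_event(event)
    return [{
        "id": log_event["id"],
        "timestamp": log_event["timestamp"],
        "logGroup": payload["logGroup"],
        "logStream": payload["logStream"],
        "message": flatten_message(log_event["message"], marker),
    } for log_event in payload.get("logEvents", [])]

def lambda_handler(event, context):
    """Lambda entry point; forwarding the records to SecOps is assumed to happen downstream."""
    flat = flatten_log_events(event)
    return {"flattened": len(flat), "events": flat}

# Constructed sample: a multi-line Postgres statement as it arrives in the awslogs payload.
SAMPLE_PAYLOAD = {
    "messageType": "DATA_MESSAGE",
    "logGroup": "/aws/rds/instance/example-db/postgresql",
    "logStream": "example-db.0",
    "logEvents": [{
        "id": "1",
        "timestamp": 1700000000000,
        "message": "2024-01-01 00:00:00 UTC:10.0.0.5(5432):app@appdb:[123]:LOG:  statement: SELECT id,\n\tname\nFROM users\nWHERE id = 1;",
    }],
}

def build_sample_event() -> dict:
    """Wrap SAMPLE_PAYLOAD exactly as CloudWatch Logs would deliver it to the Lambda."""
    data = base64.b64encode(gzip.compress(json.dumps(SAMPLE_PAYLOAD).encode())).decode()
    return {"awslogs": {"data": data}}
```

Point the subscription filter at this Lambda and have it forward the returned records over whichever path your SecOps feed expects; the flattening itself is independent of that transport.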
Do you have any example template on how this is set up on AWS?