Is it possible to parse the "Caused by" of a Java log in a Logstash config?

Tags: logstash, logstash-grok, elastic-stack, logstash-configuration

So now if I want to get values like LOGLEVEL, classname and caused by, I get the values for LOGLEVEL and classname but not the caused by message. How is this possible?

2016-06-02 17:00:32<ERROR><CommonsHTTPTransportSender:361>: 
org.apache.abcd2.abcdFault
    at org.apache.abcd2.abcdFault.makeFault(abcdFault.java:430)
    at org.apache.abcd2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:83)
    at org.apache.abcd2.transport.http.CommonsHTTPTransportSender.sendUsingOutputStream(CommonsHTTPTransportSender.java:358)
    at java.lang.Thread.run(Thread.java:636)
Caused by: com.my.application.IOException: null
    at com.ctc.wstx.sw.BaseStreamWriter.finishDocument(BaseStreamWriter.java:1692)
    at com.ctc.wstx.sw.BaseStreamWriter.close(BaseStreamWriter.java:288)
    at org.apache.axiom.util.stax.wrapper.XMLStreamWriterWrapper.close(XMLStreamWriterWrapper.java:46)
    at org.apache.abcd2.WriteTo(SOAPMessageFormatter.java:79)
    ... 27 more

Below is my config file:

input {
    file {
        path => "D:\Log\application.log"
        start_position => beginning
        codec => multiline {
            pattern => "%{TIMESTAMP_ISO8601}"
            what => "next"
            negate => true
        }
    }
}
filter {
    grok {
        match => ["message", "^%{TIMESTAMP_ISO8601}"]
    }
    mutate {
        gsub => ['message', "\n", ""]
        gsub => ['message', "\t", ""]
    }
}
output {
    stdout {}
    elasticsearch {
        index => "ABCD%{+YYYY.MM.dd}"
    }
}

My main concern is parsing the timestamp, loglevel, classname and causedby values.

Your multiline codec is wrong, which is why your config does not work. (I have tested it.)

This is the stdout on my box when using your config (which you did not post):

input {
    file {
        path => "D:\Log\application.log"
        start_position => beginning
        codec => multiline {
            pattern => "%{TIMESTAMP_ISO8601}"
            what => "next"
            negate => true
        }
    }
}
filter {
    grok {
        match => ["message", "^%{TIMESTAMP_ISO8601}<%{LOGLEVEL}><(?<JavaClass>.*[:].*)>"]
    }
    mutate {
        gsub => ['message', "\n", ""]
        gsub => ['message', "\t", ""]
    }
}
output {
    stdout { }
    elasticsearch {
        index => "ABCD_%{+YYYY.MM.dd}"
    }
}
With this, I can update your grok to pick up the cause:

multiline {
    pattern => "^%{TIMESTAMP_ISO8601}"
    negate => true
    what => "previous"
}
grok {
    match => ["message", "^%{TIMESTAMP_ISO8601:ts}.*Caused by:%{GREEDYDATA:data}"]
}
Putting that on my box and running it, I get:

grok {
    match => ["message", "^%{TIMESTAMP_ISO8601:ts}<%{LOGLEVEL:log}><(?<JavaClass>.*[:].*)>.*Caused by:%{GREEDYDATA:data}"]
}

artur@pandaadb:~/dev/logstash$ ./logstash-2.3.2/bin/logstash -f conf2/
Settings: Default pipeline workers: 8
Defaulting pipeline worker threads to 1 because there are some filters that might not work with multiple worker threads {:count_was=>8, :filters=>["multiline"], :level=>:warn}
Pipeline main started
{
       "message" => "2016-06-02 17:00:32<ERROR><CommonsHTTPTransportSender:361>: \norg.apache.abcd2.abcdFault\n    at org.apache.abcd2.abcdFault.makeFault(abcdFault.java:430)\n    at org.apache.abcd2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:83)\n    at org.apache.abcd2.transport.http.CommonsHTTPTransportSender.sendUsingOutputStream(CommonsHTTPTransportSender.java:358)\n    at java.lang.Thread.run(Thread.java:636)\nCaused by: com.my.application.IOException: null\n    at com.ctc.wstx.sw.BaseStreamWriter.finishDocument(BaseStreamWriter.java:1692)\n    at com.ctc.wstx.sw.BaseStreamWriter.close(BaseStreamWriter.java:288)\n    at org.apache.axiom.util.stax.wrapper.XMLStreamWriterWrapper.close(XMLStreamWriterWrapper.java:46)\n    at org.apache.abcd2.WriteTo(SOAPMessageFormatter.java:79)\n    ... 27 more",
      "@version" => "1",
    "@timestamp" => "2016-06-22T09:22:38.227Z",
          "path" => "/home/artur/tmp/logstash/in2/test.log",
          "host" => "pandaadb",
          "tags" => [
        [0] "multiline"
    ],
            "ts" => "2016-06-02 17:00:32",
           "log" => "ERROR",
     "JavaClass" => "CommonsHTTPTransportSender:361",
          "data" => "com.my.application.IOException: null\n    at com.ctc.wstx.sw.BaseStreamWriter.finishDocument(BaseStreamWriter.java:1692)\n    at com.ctc.wstx.sw.BaseStreamWriter.close(BaseStreamWriter.java:288)\n    at org.apache.axiom.util.stax.wrapper.XMLStreamWriterWrapper.close(XMLStreamWriterWrapper.java:46)\n    at org.apache.abcd2.WriteTo(SOAPMessageFormatter.java:79)\n    ... 27 more"
}
Hope that helps.

For future reference, on Logstash questions it is always helpful to give an example that reads from stdin and prints to stdout, because it can be reproduced quickly.

Also, the output of stdout (rubydebug) tells you exactly what the raw message is, and would have made it easy to see that multiline is not working, which is the cause of the problem.

Cheers,


Artur
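To make the difference between the two multiline settings concrete, here is an added Python model of the codec's buffering logic plus a regex equivalent of the answer's final grok, run over a constructed copy of the question's trace followed by a second event. This is example code written for this page, not Logstash's own implementation or Artur's code; the TIMESTAMP_ISO8601 and LOGLEVEL stand-ins are simplified assumptions (the real grok patterns are broader), and re.DOTALL is assumed so that `.*` crosses line breaks the way the captured data field in the answer's output shows.

```python
import re

# Constructed sample input (not from the original post): the question's trace
# followed by a second event, so the grouping boundary becomes visible.
SAMPLE_LOG = (
    "2016-06-02 17:00:32<ERROR><CommonsHTTPTransportSender:361>: \n"
    "org.apache.abcd2.abcdFault\n"
    "\tat org.apache.abcd2.abcdFault.makeFault(abcdFault.java:430)\n"
    "\tat java.lang.Thread.run(Thread.java:636)\n"
    "Caused by: com.my.application.IOException: null\n"
    "\tat com.ctc.wstx.sw.BaseStreamWriter.finishDocument(BaseStreamWriter.java:1692)\n"
    "\t... 27 more\n"
    "2016-06-02 17:00:40<INFO><Scheduler:12>: job finished\n"
)

# Simplified stand-ins for the grok patterns named in the answer (assumption:
# the real TIMESTAMP_ISO8601 and LOGLEVEL patterns accept more variants).
TIMESTAMP_ISO8601 = r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}"
LOGLEVEL = r"(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)"


def multiline(lines, pattern, negate, what):
    """Model of the Logstash multiline codec. Returns a list of
    (message, tags) events. A line that "matches" (after negate is applied)
    is joined to the previous event (what="previous") or held until the next
    line arrives (what="next"); a non-matching line closes the buffer."""
    regex = re.compile(pattern)
    events, buf = [], []

    def flush():
        if buf:
            tags = ["multiline"] if len(buf) > 1 else []
            events.append(("\n".join(buf), tags))
            buf.clear()

    for line in lines:
        matched = bool(regex.search(line))
        if negate:
            matched = not matched
        if what == "previous":
            if not matched:
                flush()          # a non-matching line starts a new event
            buf.append(line)
        elif what == "next":
            buf.append(line)     # matching lines wait for the line that follows
            if not matched:
                flush()
        else:
            raise ValueError("what must be 'previous' or 'next'")
    flush()                      # emit whatever is left at end of input
    return events


# Regex equivalent of the answer's final grok. re.DOTALL lets the two .* spans
# cross newlines, which is what the multi-line "data" capture in the answer shows.
GROK = re.compile(
    rf"^(?P<ts>{TIMESTAMP_ISO8601})<(?P<log>{LOGLEVEL})>"
    r"<(?P<JavaClass>.*:.*)>.*Caused by:(?P<data>.*)",
    re.DOTALL,
)


def grok(message):
    """Return the captured fields, or None when the pattern does not match
    (Logstash would tag such an event _grokparsefailure instead)."""
    m = GROK.match(message)
    return m.groupdict() if m else None


def parse(text, negate, what, pattern=TIMESTAMP_ISO8601):
    """Run the codec model with the given settings, then grok every event."""
    lines = text.splitlines()
    return [(msg, tags, grok(msg)) for msg, tags in multiline(lines, pattern, negate, what)]


if __name__ == "__main__":
    for what in ("next", "previous"):
        print(f'what => "{what}":')
        for msg, tags, fields in parse(SAMPLE_LOG, negate=True, what=what):
            print("  event starts:", repr(msg[:45]), tags,
                  "-> data:", fields and fields["data"].strip()[:36])
```

With what => "next" the header line is emitted as an event of its own and the stack trace is glued onto the following event's header, so no event both starts with a timestamp and contains Caused by; with what => "previous" the header and its trace form one event tagged multiline and all four fields come out. Checking the raw message field of each event, as the answer suggests with rubydebug, is the quickest way to spot which of the two you are getting.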
