Logstash + SpringBoot + Logback

logstash.conf

input {
  file {
    path =>  [ "/etc/myapp/myapp.log" ]
  }
}

filter {
   multiline {
      pattern => "^(%{LOGBACK_TIMESTAMP})"
      patterns_dir => "/etc/logstash/grok/patterns"
      negate => true
      what => "previous"
   }
   grok {
      patterns_dir => "/etc/logstash/grok/patterns"
      # Do multiline matching with (?m) as the above mutliline filter may add newlines to the log messages.
      match => [ "message", "(?m)^%{LOGBACK_TIMESTAMP:logtime}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}%{NUMBER:pid}%{SPACE}---%{SPACE}%{SYSLOG5424SD:thread}%{SPACE}%{JAVACLASS:javaclass}%{SPACE}:%{SPACE}%{GREEDYDATA:logmessage}"]  }
}

output {
  elasticsearch { host => "localhost" cluster => "elasticsearch" }
}

patterns

JAVACLASS (?:[\.]?[a-zA-Z0-9-]+\.)*[A-Za-z0-9$]+
MSEC (\d{3})
LOGBACK_TIMESTAMP %{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}.%{MSEC}

How to use the patterns?

Create the pattern file at /etc/logstash/grok/patterns, and put the content from patterns to it.

patterns_dir in filter.multiline and filter.grok is where the patterns get referenced.