Logstash Glassfish server.log config
# Logstash config for Glassfish logs
# Used in combination with slf4j and logback
# Output:
# - application: glassfish
# - type: application or internal
# - categorie: technical or functional
input {
  # Tail the Glassfish server.log.
  # When Logstash runs under a different user than Glassfish, check that it can
  # read server.log: if it cannot, Logstash gives no appropriate message to tell you.
  # The author set the umask of the Glassfish service to 0022 for this.
  # NOTE(review): a 0022 umask leaves newly created files readable by every local
  # account. Server logs often carry stack traces, internal paths and user data;
  # giving the Logstash user read access through a shared group is a narrower way
  # to reach the same result.
  file {
    type => 'glassfish'
    path => '/var/log/glassfish/greyhound/server.log'
    # A line that does not start with '[#|' followed by four digits is appended to
    # the previous event, so a multi-line record (e.g. a stack trace) stays together.
    # NOTE(review): record boundaries are decided from the line start alone. If the
    # application logs user-supplied text with raw newlines, that text can look like
    # a new record; neutralise newlines in logged input on the application side.
    codec => multiline {
      pattern => '^\[\#\|\d{4}'
      negate => true
      what => 'previous'
      patterns_dir => '/opt/logstash/agent/etc/patterns'
    }
  }
}
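filter {
  # Copy the input's 'type' (glassfish) into 'application' before 'type' is
  # overwritten below.
  mutate {
    'add_field' => ['application', '%{type}']
  }
  # Filter for 'type': application log messages are marked with '[GLF_INT]' by logback.
  if [message] =~ /\[GLF_INT\]/ {
    mutate {
      'update' => ['type', 'application']
    }
    # The grok filter uses the deprecated 'pattern' property for matching, because
    # using the 'match' property gives a grokfailure from time to time.
    # NOTE(review): the unnamed %{JAVACLASS} below only accepts Java-style
    # identifiers; a logger name with other characters makes this pattern fail too.
    grok {
      'keep_empty_captures' => true
      'named_captures_only' => true
      'pattern' => '(?m)\[\#\|%{TIMESTAMP_ISO8601:timestamp}\|%{LOGLEVEL}\|%{DATA:server_version}\|%{JAVACLASS}\|%{DATA:thread}\|\[GLF_INT\]%{DATA:categorie}\|%{DATA:loglevel}\|%{DATA:class}\|line:%{DATA:linenumber}\|%{DATA:message_detail}\|\#\]'
      'patterns_dir' => '/opt/logstash/agent/etc/patterns'
    }
  } else {
    mutate {
      'add_field' => ['categorie', 'technical']
      'update' => ['type', 'internal']
    }
    # The logger field is captured with %{DATA:class} rather than %{JAVACLASS:class}.
    # Glassfish logger names are not always Java class names: some contain '/' and
    # ':' (e.g. 'org.eclipse.persistence.session./file:/...'), which JAVACLASS
    # rejects, so the whole event would fail to parse. The field is delimited by
    # '|', so the non-greedy DATA capture stops at the same place for ordinary
    # class names.
    # Events that still fail are tagged '_grokparsefailure' by grok and carry no
    # 'timestamp' or 'loglevel' field; watch for that tag, since such events drop
    # out of level-based searches and alerts.
    grok {
      'keep_empty_captures' => true
      'named_captures_only' => true
      'pattern' => '(?m)\[\#\|%{TIMESTAMP_ISO8601:timestamp}\|%{LOGLEVEL:loglevel}\|%{DATA:server_version}\|%{DATA:class}\|%{DATA:thread}\|%{DATA:message_detail}\|\#\]'
      'patterns_dir' => '/opt/logstash/agent/etc/patterns'
    }
  }
  # An application message with an empty category capture defaults to 'technical'.
  if [type] == 'application' and [categorie] == '' {
    mutate {
      'update' => ['categorie', 'technical']
    }
  }
  # Set the event time from the timestamp written in the log record.
  date {
    'match' => ['timestamp', 'ISO8601']
  }
}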
output {
  # Push every event onto the Redis list 'logstash'.
  # NOTE(review): no 'password' is set and nothing here encrypts the connection,
  # so events cross the network in clear text to an unauthenticated Redis.
  # 172.168.1.250 is also outside the RFC 1918 private block 172.16.0.0/12;
  # confirm the address is the intended one. Set the plugin's 'password' option,
  # restrict access to the Redis port, and protect the link (TLS where the plugin
  # version supports it, otherwise a tunnel or private network).
  redis {
    host => '172.168.1.250'
    key => 'logstash'
    data_type => 'list'
  }
}
Note that %{JAVACLASS:class}
will fail to parse errors like
[#|2019-12-05T15:09:28.010+0100|WARNING|glassfish 5.0|org.eclipse.persistence.session./file:/my/glassfish/install/nodes/my-node/my-app/applications/app/WEB-INF/classes/_datasource|_ThreadID=111;_ThreadName=ajp-listener(5);_TimeMillis=1575400168010;_LevelValue=900;|...
Which version of Logstash did you use when you created this pattern?
It doesn't work for me, but I pipe standard Glassfish logs.