tomcat - Logstash multiline issue with Java logs
I am installing Logstash for Tomcat and am having an issue grabbing the Java stack trace. I am using the following config:
input {
  udp {
    type => "tomcat"
    port => "514"
    format => "plain"
  }
}
filter {
  multiline {
    pattern => "(^.+exception.*)|(^\s+at .+)|(^\s+... \d+ more)|(^\s*caused by:.+)"
    what => "previous"
  }
}
Here are sample logs from Tomcat:
2014-03-24 19:08:53,246 [thread-pool8] error org.apache.catalina.core.containerbase.[engine].[localhost] - exception processing errorpage[errorcode=500, location=/error/error500.jsp]
org.apache.jasper.jasperexception: java.lang.nullpointerexception
    at org.apache.jasper.servlet.jspservletwrapper.handlejspexception(jspservletwrapper.java:549)
    at org.apache.jasper.servlet.jspservletwrapper.service(jspservletwrapper.java:470)
    at org.apache.jasper.servlet.jspservlet.servicejspfile(jspservlet.java:390)
    at org.apache.jasper.servlet.jspservlet.service(jspservlet.java:334)
    at javax.servlet.http.httpservlet.service(httpservlet.java:728)
    at org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:305)
    at org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:210)
    at org.apache.catalina.core.applicationdispatcher.invoke(applicationdispatcher.java:749)
    at org.apache.catalina.core.applicationdispatcher.processrequest(applicationdispatcher.java:489)
    at org.apache.catalina.core.applicationdispatcher.doforward(applicationdispatcher.java:412)
    at org.apache.catalina.core.applicationdispatcher.forward(applicationdispatcher.java:339)
    at org.apache.catalina.core.standardhostvalve.custom(standardhostvalve.java:467)
    at org.apache.catalina.core.standardhostvalve.status(standardhostvalve.java:338)
    at org.apache.catalina.core.standardhostvalve.invoke(standardhostvalve.java:203)
    at org.apache.catalina.valves.errorreportvalve.invoke(errorreportvalve.java:99)
    at org.apache.catalina.core.standardenginevalve.invoke(standardenginevalve.java:118)
    at org.apache.catalina.connector.coyoteadapter.service(coyoteadapter.java:408)
    at org.apache.coyote.http11.abstracthttp11processor.process(abstracthttp11processor.java:1023)
    at org.apache.coyote.abstractprotocol$abstractconnectionhandler.process(abstractprotocol.java:589)
    at org.apache.tomcat.util.net.nioendpoint$socketprocessor.run(nioendpoint.java:1686)
    at java.util.concurrent.threadpoolexecutor.runworker(threadpoolexecutor.java:1145)
    at java.util.concurrent.threadpoolexecutor$worker.run(threadpoolexecutor.java:615)
    at java.lang.thread.run(thread.java:744)
caused by: java.lang.nullpointerexception
    at org.apache.jsp.error.error500_jsp._jspservice(error500_jsp.java:266)
    at org.apache.jasper.runtime.httpjspbase.service(httpjspbase.java:70)
    at javax.servlet.http.httpservlet.service(httpservlet.java:728)
    at org.apache.jasper.servlet.jspservletwrapper.service(jspservletwrapper.java:432)
    ... 21 more
I have tried combinations, and none of them work :( I don't know how it works for other folks.
Edit:
I have tried the following, and it didn't work either:
pattern => "^%{TIMESTAMP_ISO8601}"
negate => true
The following is the result:
filter received {:event=>{"message"=>"<139>2014-03-24 21:07:58,908 [] [] [thread-pool4] error org.apache.catalina.core.containerbase.[engine].[localhost] - exception processing errorpage[errorcode=500, location=/error/error500.jsp]\n", "@version"=>"1", "@timestamp"=>"2014-03-25t01:07:59.128z", "type"=>"tomcat", "host"=>"10.3.68.22"}, :level=>:debug, :file=>"(eval)", :line=>"15"}
<139>2014-03-24 21:07:58,908 [] [] [thread-pool4] error org.apache.catalina.core.containerbase.[engine].[localhost] - exception processing errorpage[errorcode=500, location=/error/error500.jsp] {:pattern=>"^%{timestamp_iso8601} ", :match=>false, :negate=>true, :level=>:debug, :file=>"logstash/filters/multiline.rb", :line=>"160"}
filter received {:event=>{"message"=>"<139>org.apache.jasper.jasperexception: java.lang.nullpointerexception", "@version"=>"1", "@timestamp"=>"2014-03-25t01:07:59.131z", "type"=>"tomcat", "host"=>"10.3.68.22"}, :level=>:debug, :file=>"(eval)", :line=>"15"}
<139>org.apache.jasper.jasperexception: java.lang.nullpointerexception {:pattern=>"^%{timestamp_iso8601} ", :match=>false, :negate=>true, :level=>:debug, :file=>"logstash/filters/multiline.rb", :line=>"160"}
filter received {:event=>{"message"=>"<139> at org.apache.jasper.servlet.jspservletwrapper.handlejspexception(jspservletwrapper.java:549)", "@version"=>"1", "@timestamp"=>"2014-03-25t01:07:59.134z", "type"=>"tomcat", "host"=>"10.3.68.22"}, :level=>:debug, :file=>"(eval)", :line=>"15"}
Update:
I ran Logstash in debug mode with the UDP protocol, and a strange number <139> is coming in @messages.
See the following debug output. If I use the nc command to send sample logs it works, but somehow the Tomcat syslog is not working.
{ "message" => "<139>2014-03-28 13:52:25,548 [] [] [thread-pool2] error org.apache.catalina.core.containerbase.[engine].[localhost] - exception processing errorpage[errorcode=500, location=/error/error500.jsp]\n", "@version" => "1", "@timestamp" => "2014-03-28t17:52:26.116z", "host" => "10.3.68.22" }
{ "message" => "<139>org.apache.jasper.jasperexception: java.lang.nullpointerexception", "@version" => "1", "@timestamp" => "2014-03-28t17:52:26.134z", "host" => "10.3.68.22" }
{ "message" => "<139> at org.apache.jasper.servlet.jspservletwrapper.handlejspexception(jspservletwrapper.java:549)", "@version" => "1", "@timestamp" => "2014-03-28t17:52:26.151z", "host" => "10.3.68.22" }
{ "message" => "<139> at org.apache.jasper.servlet.jspservletwrapper.service(jspservletwrapper.java:470)", "@version" => "1", "@timestamp" => "2014-03-28t17:52:26.166z", "host" => "10.3.68.22" }
{ "message" => "<139> at org.apache.jasper.servlet.jspservlet.servicejspfile(jspservlet.java:390)", "@version" => "1", "@timestamp" => "2014-03-28t17:52:26.183z", "host" => "10.3.68.22" }
Do your logs start with a date and time?
You can use this pattern. For example:
input {
  stdin { }
}
filter {
  multiline {
    pattern => "^%{TIMESTAMP_ISO8601} "
    negate => true
    what => "previous"
  }
}
output {
  stdout { debug => true }
}
This filter worked for my logs. Hope it can help :)
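An added example, not part of the original question or answer: the `<139>` in front of every message in the debug output is the syslog PRI header (facility * 8 + severity, so 139 is facility 17, severity 3), and it sits ahead of the timestamp that a `^`-anchored pattern expects. The Python sketch below uses constructed datagrams and hypothetical helper names (`split_pri`, `merge_multiline`) to emulate `negate => true` / `what => "previous"` grouping with and without that header.

```python
import re

# Syslog PRI header: "<N>" where N = facility * 8 + severity (RFC 3164 / RFC 5424).
PRI_RE = re.compile(r"^<(\d{1,3})>")
# Stand-in for grok's TIMESTAMP_ISO8601, narrowed to the format in the question's logs.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")


def split_pri(datagram):
    """Return (facility, severity, message) with the PRI header removed."""
    m = PRI_RE.match(datagram)
    if not m:
        return None, None, datagram
    pri = int(m.group(1))
    return pri >> 3, pri & 7, datagram[m.end():]


def merge_multiline(lines, start_re=TS_RE):
    """Emulate negate => true, what => "previous": a line that does not
    match start_re is appended to the event before it."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if start_re.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


# Constructed sample: datagrams shaped like the debug output in the question.
DATAGRAMS = [
    "<139>2014-03-28 13:52:25,548 [] [] [thread-pool2] error c.containerbase - exception processing errorpage\n",
    "<139>org.apache.jasper.jasperexception: java.lang.nullpointerexception",
    "<139>\tat org.apache.jasper.servlet.jspservletwrapper.handlejspexception(jspservletwrapper.java:549)",
    "<139>2014-03-28 13:52:26,001 [] [] [thread-pool2] error c.containerbase - second event",
    "<139>\tat org.apache.jasper.servlet.jspservlet.service(jspservlet.java:334)",
]


def demo():
    raw = merge_multiline(DATAGRAMS)  # PRI still attached: "^timestamp" never matches
    stripped = merge_multiline(split_pri(d)[2] for d in DATAGRAMS)
    return raw, stripped


if __name__ == "__main__":
    raw, stripped = demo()
    print(len(raw), "event(s) with PRI left in;", len(stripped), "after stripping")
```

In a Logstash pipeline the corresponding step is to remove the header before the multiline filter runs, for example with `mutate { gsub => ["message", "^<\d+>", ""] }`.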