logstash-grok - 面临logstash中的错误

Question

当我在 logstash 中定义解析 apache tomcat 和应用程序日志文件的模式时，我们收到以下错误。示例日志文件是：

2014-08-20 12:35:26,037 INFO [routerMessageListener-74] PoolableRuleEngineFactory Executing the rule -->ECE Tagging Rule

配置文件是：

filter{
   grok{
    type => "log4j"
    #pattern => "%{TIMESTAMP_ISO8601:logdate} %{LOGLEVEL:severity} \[\w+\[%              {GREEDYDATA:thread},.*\]\] %{JAVACLASS:class} - %{GREEDYDATA:message}"
    pattern => "%{TIMESTAMP_ISO8601:logdate}"

    #add_tag => [ "level_%{level}" ]
 }



   date {
        match => [ "logdate", "YYYY-MM-dd HH:mm:ss,SSS"]
   }
}

日期 {:level=>:error} 的未知设置“时间戳”

score 0 · Accepted Answer

您的帖子未显示日期过滤器的设置“时间戳”。我怀疑您是从这里的示例开始的，该示例使用了旧版本的日期过滤器中的时间戳设置。您为较新版本的 logstash 正确修复了它以使用匹配设置，但可能没有保存您的更改。将上述过滤器与 logstash-1.5.3 一起使用没有问题。

这是我的完整配置文件。注意我仍在测试它，但它似乎正在使用从现有日志文件导入的 Log4J 日志消息导入 JBoss 日志。

input {
  tcp {
    type => "log4j"
    port => 4560
  }
  stdin {
    type => "log4j"
  }
}

filter {
  grok{
    type => "log4j"
    #pattern => "%{TIMESTAMP_ISO8601:logdate} %{LOGLEVEL:severity} \[\w+\[%{GREEDYDATA:thread},.*\]\] %{JAVACLASS:class} - %GREEDYDATA:message}"
    pattern => "%{TIMESTAMP_ISO8601:logdate}"

    #add_tag => [ "level_%{level}" ]
 }

  date {
    type => "log4j"
    match => [ "logdate", "YYYY-MM-dd HH:mm:ss,SSS"]
    exclude_tags => "_grokparsefailure"
  }

  # Catches normal space indented type things, probably could be removed b/c the other multiline should do everythign we need
  multiline {
    type => "log4j"
    tags => ["_grokparsefailure"] # exclude anything we already handled
    pattern => ".*"
    what => "previous"
    add_tag => "notgrok"
  }
}


output {
  gelf {
     host => "localhost"
     custom_fields => ["environment", "PROD", "service", "BestServiceInTheWorld"]
     }
  # Print each event to stdout.
  stdout {
    codec => json
  }
}

logstash-grok - 面临logstash中的错误

1 回答 1

Related

Reference