
我正在解析服务器的日志文件,并且只把信息、警告和错误级别的日志发送到我的 API,但问题是每条日志我都收到了两次。在输出部分,我把解析后的日志值映射到 JSON 字段,并将该 JSON 发送到我的 API,但同一个 JSON 映射我收到了两次。

我正在分析我的 logstash 日志文件,但日志条目仅在日志文件中出现一次。

{
      "log_EventMessage" => "Unable to sendViaPost to url[http://ubuntu:8280/services/TestProxy.TestProxyHttpSoap12Endpoint] Read timed ",
               "message" => "TID: [-1234] [] [2017-08-11 12:03:11,545]  INFO {org.apache.axis2.transport.http.HTTPSender} -  Unable to sendViaPost to url[http://ubuntu:8280/services/TestProxy.TestProxyHttpSoap12Endpoint]  Read time",
                  "type" => "carbon",
             "TimeStamp" => "2017-08-11T12:03:11.545",
                  "tags" => [
        [0] "grokked",
        [1] "loglevelinfo",
        [2] "_grokparsefailure"
    ],
        "log_EventTitle" => "org.apache.axis2.transport.http.HTTPSender",
                  "path" => "/home/waqas/Documents/repository/logs/carbon.log",
            "@timestamp" => 2017-08-11T07:03:13.668Z,
              "@version" => "1",
                  "host" => "ubuntu",
    "log_SourceSystemId" => "-1234",
               "EventId" => "b81a054e-babb-426c-b0a0-268494d14a0e",
         "log_EventType" => "INFO"
}

以下是我的配置。

需要帮助。我无法弄清楚为什么会发生这种情况。

input {
    # Read the Carbon log file; every event is labelled type "carbon" so the
    # filter and output sections can select it.
    file {
        type => "carbon"
        path => "LOG_FILE_PATH"
        # "end": a file not seen before is read from its current end, so only
        # lines appended afterwards become events.
        start_position => "end"
        # Fold continuation lines into the preceding event: a line that matches
        # the pattern (a Java stack frame "   at ...", or any line that does not
        # start with "TID") is appended to the previous line.
        codec => multiline {
            pattern => "(^\s*at .+)|^(?!TID).*$"
            what => "previous"
            negate => false
            # A buffered event is emitted after 1 second without further lines.
            # NOTE(review): if the writer pauses longer than that in the middle
            # of a stack trace, the trace may be split across events; confirm
            # the interval against how the application flushes its log.
            auto_flush_interval => 1
        }
    }
}
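filter {

    #***********************************************************
    #     Grok Pattern to parse Single Line Log Entries
    #***********************************************************
    # Parses Carbon lines of the form
    #   TID: [<tenant>] [<process>] [<timestamp>] <LEVEL> {<class>} - <message>
    # into log_SourceSystemId, log_ProcessName, TimeStamp, log_EventType,
    # log_EventTitle and log_EventMessage, and tags the event "grokked".
    # log_EventMessage is whatever the application wrote to its log, so the
    # receiving API should treat it as untrusted text.
    if [type] == "carbon" {
        grok {
            match => [ "message", "TID:%{SPACE}\[%{INT:log_SourceSystemId}\]%{SPACE}\[%{DATA:log_ProcessName}\]%{SPACE}\[%{TIMESTAMP_ISO8601:TimeStamp}\]%{SPACE}%{LOGLEVEL:log_EventType}%{SPACE}{%{JAVACLASS:log_EventTitle}}%{SPACE}-%{SPACE}%{GREEDYDATA:log_EventMessage}" ]
            add_tag => [ "grokked" ]
        }

        # Rewrite "2017-08-11 12:03:11,545" as "2017-08-11T12:03:11.545".
        # NOTE(review): the resulting string carries no zone offset, and
        # @timestamp stays at ingest time, so correlating these events with
        # other sources needs the host's time zone — confirm with the consumer.
        mutate {
            gsub => [
                "TimeStamp", "\s", "T",
                "TimeStamp", ",", "."
            ]
        }

        # Tag the severity with conditionals instead of one grok per level.
        # With three groks, the two that do not match each add
        # "_grokparsefailure" to an event that parsed correctly. The regex
        # tests keep the substring semantics of the original grok matches.
        if "grokked" in [tags] {
            if [log_EventType] =~ /INFO/ {
                mutate { add_tag => [ "loglevelinfo" ] }
            }
            if [log_EventType] =~ /ERROR/ {
                mutate { add_tag => [ "loglevelerror" ] }
            }
            if [log_EventType] =~ /WARN/ {
                mutate { add_tag => [ "loglevelwarn" ] }
            }
        }

        #*****************************************************
        #     Grok Pattern in Case of Failure
        #*****************************************************
        # Fallback for lines the pattern above could not parse: keep the raw
        # text in log_StackTrace. The test was previously negated, so the
        # fallback was skipped for exactly the events it was written for.
        if "_grokparsefailure" in [tags] {

            grok {
                match => [ "message", "%{GREEDYDATA:log_StackTrace}" ]
                add_tag => [ "grokked" ]
            }

            # NOTE(review): no filter visible here creates a field named
            # "timestamp" (the grok above captures "TimeStamp"), so this date
            # filter appears to have nothing to parse — confirm the intended
            # source field and format.
            date {
                match => [ "timestamp", "yyyy MMM dd HH:mm:ss:SSS" ]
                target => "TimeStamp"
                timezone => "UTC"
            }
        }
    }

    #*******************************************************************
    #     Grok Pattern to handle MultiLines Exceptions and StackTraces
    #*******************************************************************
    # Applies to events carrying the "multiline" tag (presumably set by the
    # multiline codec on the input — confirm).
    if ( "multiline" in [tags] ) {

        # NOTE(review): GREEDYDATA is ".*", which stops at the first newline
        # unless the pattern begins with (?m) — confirm that log_StackTrace
        # holds the whole trace and not only its first line.
        grok {
            match => [ "message", "%{GREEDYDATA:log_StackTrace}" ]
            add_tag => [ "multiline" ]
            tag_on_failure => [ "multiline" ]
        }

        # NOTE(review): same "timestamp" source-field question as above.
        date {
            match => [ "timestamp", "yyyy MMM dd HH:mm:ss:SSS" ]
            target => "TimeStamp"
        }
    }
}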

    filter {
        # Stamp each event with a generated UUID in "EventId"; the output
        # section forwards it to the API as the event's identifier.
        # NOTE(review): the id is generated per pipeline event, so the API can
        # use it to tell a repeated request (same EventId) from a log line
        # that was ingested twice (different EventId) — confirm on the
        # receiving side.
        uuid {
            target => "EventId"
        }
    }
output {
    # Forward "carbon" events to the log API, one branch per severity tag set
    # in the filter section. Each branch prints the event to stdout and POSTs
    # the same field mapping as JSON; only the EventSeverity value differs.
    #
    # NOTE(review): the requests carry only an "Accept" header — no credential
    # is visible in this file. If the API is reachable from anywhere other
    # than this host, confirm how it authenticates log producers.
    # NOTE(review): when an event has no log_StackTrace field, the mapping
    # presumably sends the literal text "%{log_StackTrace}" — confirm the API
    # tolerates that.
    # NOTE(review): nothing in this section sends a single event more than
    # once. If the API sees duplicates, compare their EventId values and check
    # that only one copy of this pipeline configuration is loaded.
    if [type] == "carbon" {

        #*******************************************************************
        #        Sending Error Messages to API
        #*******************************************************************
        if "loglevelerror" in [tags] {
            stdout { codec => rubydebug }

            http {
                url => "https://localhost:8000/logs"
                http_method => "post"
                format => "json"
                headers => {
                    "Accept" => "application/json"
                }
                connect_timeout => 60
                socket_timeout => 60
                mapping => ["EventId","%{EventId}","EventSeverity","High","TimeStamp","%{TimeStamp}","EventType","%{log_EventType}","EventTitle","%{log_EventTitle}","EventMessage","%{log_EventMessage}","SourceSystemId","%{log_SourceSystemId}","StackTrace","%{log_StackTrace}"]
            }
        }

        #*******************************************************************
        #        Sending Info Messages to API
        #*******************************************************************
        if "loglevelinfo" in [tags] {
            stdout { codec => rubydebug }

            http {
                url => "https://localhost:8000/logs"
                http_method => "post"
                format => "json"
                headers => {
                    "Accept" => "application/json"
                }
                connect_timeout => 60
                socket_timeout => 60
                mapping => ["EventId","%{EventId}","EventSeverity","Low","TimeStamp","%{TimeStamp}","EventType","%{log_EventType}","EventTitle","%{log_EventTitle}","EventMessage","%{log_EventMessage}","SourceSystemId","%{log_SourceSystemId}","StackTrace","%{log_StackTrace}"]
            }
        }

        #*******************************************************************
        #        Sending Warn Messages to API
        #*******************************************************************
        if "loglevelwarn" in [tags] {
            stdout { codec => rubydebug }

            http {
                url => "https://localhost:8000/logs"
                http_method => "post"
                format => "json"
                headers => {
                    "Accept" => "application/json"
                }
                connect_timeout => 60
                socket_timeout => 60
                mapping => ["EventId","%{EventId}","EventSeverity","Medium","TimeStamp","%{TimeStamp}","EventType","%{log_EventType}","EventTitle","%{log_EventTitle}","EventMessage","%{log_EventMessage}","SourceSystemId","%{log_SourceSystemId}","StackTrace","%{log_StackTrace}"]
            }
        }
    }
}