当我在logstash中定义用于解析apache tomcat和应用程序日志文件的模式时,我们收到以下错误。 示例日志文件是:
2014-08-20 12:35:26,037 INFO [routerMessageListener-74] PoolableRuleEngineFactory Executing the rule -->ECE Tagging Rule
配置文件是:
filter{
grok{
type => "log4j"
#pattern => "%{TIMESTAMP_ISO8601:logdate} %{LOGLEVEL:severity} \[\w+\[% {GREEDYDATA:thread},.*\]\] %{JAVACLASS:class} - %{GREEDYDATA:message}"
pattern => "%{TIMESTAMP_ISO8601:logdate}"
#add_tag => [ "level_%{level}" ]
}
date {
match => [ "logdate", "YYYY-MM-dd HH:mm:ss,SSS"]
}
}
未知设置'时间戳'对于日期{:level =>:error}
答案 0 :(得分:0)
您的帖子未显示日期过滤器的设置“时间戳”。我怀疑你已经开始使用这里使用时间戳设置的示例,该设置曾经是旧版本的日期过滤器。您正确地将其修复为较新版本的logstash以使用匹配设置,但可能尚未保存您的更改。使用logstash-1.5.3上面的过滤器我没有问题。
这是我的完整配置文件。注意我仍在测试它,但它似乎正在使用从现有日志文件导入的Log4J日志消息导入JBoss日志。
input {
tcp {
type => "log4j"
port => 4560
}
stdin {
type => "log4j"
}
}
filter {
grok{
type => "log4j"
#pattern => "%{TIMESTAMP_ISO8601:logdate} %{LOGLEVEL:severity} \[\w+\[%{GREEDYDATA:thread},.*\]\] %{JAVACLASS:class} - %GREEDYDATA:message}"
pattern => "%{TIMESTAMP_ISO8601:logdate}"
#add_tag => [ "level_%{level}" ]
}
date {
type => "log4j"
match => [ "logdate", "YYYY-MM-dd HH:mm:ss,SSS"]
exclude_tags => "_grokparsefailure"
}
# Catches normal space indented type things, probably could be removed b/c the other multiline should do everythign we need
multiline {
type => "log4j"
tags => ["_grokparsefailure"] # exclude anything we already handled
pattern => ".*"
what => "previous"
add_tag => "notgrok"
}
}
output {
gelf {
host => "localhost"
custom_fields => ["environment", "PROD", "service", "BestServiceInTheWorld"]
}
# Print each event to stdout.
stdout {
codec => json
}
}