面对logstash中的错误

时间:2014-09-04 08:31:34

标签: logstash-grok logstash-forwarder

当我在logstash中定义用于解析apache tomcat和应用程序日志文件的模式时,我们收到以下错误。 示例日志文件是:

2014-08-20 12:35:26,037 INFO [routerMessageListener-74] PoolableRuleEngineFactory Executing the rule -->ECE Tagging Rule

配置文件是:

filter{
   grok{
    type => "log4j"
    #pattern => "%{TIMESTAMP_ISO8601:logdate} %{LOGLEVEL:severity} \[\w+\[%              {GREEDYDATA:thread},.*\]\] %{JAVACLASS:class} - %{GREEDYDATA:message}"
    pattern => "%{TIMESTAMP_ISO8601:logdate}"

    #add_tag => [ "level_%{level}" ]
 }



   date {
        match => [ "logdate", "YYYY-MM-dd HH:mm:ss,SSS"]
   }
}

未知设置'时间戳'对于日期{:level =>:error}

1 个答案:

答案 0 :(得分:0)

您的帖子未显示日期过滤器的设置“时间戳”。我怀疑你已经开始使用这里使用时间戳设置的示例,该设置曾经是旧版本的日期过滤器。您正确地将其修复为较新版本的logstash以使用匹配设置,但可能尚未保存您的更改。使用logstash-1.5.3上面的过滤器我没有问题。

这是我的完整配置文件。注意我仍在测试它,但它似乎正在使用从现有日志文件导入的Log4J日志消息导入JBoss日志。

input {
  tcp {
    type => "log4j"
    port => 4560
  }
  stdin {
    type => "log4j"
  }
}

filter {
  grok{
    type => "log4j"
    #pattern => "%{TIMESTAMP_ISO8601:logdate} %{LOGLEVEL:severity} \[\w+\[%{GREEDYDATA:thread},.*\]\] %{JAVACLASS:class} - %GREEDYDATA:message}"
    pattern => "%{TIMESTAMP_ISO8601:logdate}"

    #add_tag => [ "level_%{level}" ]
 }

  date {
    type => "log4j"
    match => [ "logdate", "YYYY-MM-dd HH:mm:ss,SSS"]
    exclude_tags => "_grokparsefailure"
  }

  # Catches normal space indented type things, probably could be removed b/c the other multiline should do everythign we need
  multiline {
    type => "log4j"
    tags => ["_grokparsefailure"] # exclude anything we already handled
    pattern => ".*"
    what => "previous"
    add_tag => "notgrok"
  }
}


output {
  gelf {
     host => "localhost"
     custom_fields => ["environment", "PROD", "service", "BestServiceInTheWorld"]
     }
  # Print each event to stdout.
  stdout {
    codec => json
  }
}