Question

我正在尝试使用Logstash解析错误日志以捕获少数字段，尤其是errormessage。但无法捕获Logstash中的错误消息。下面是我写的实际错误消息和解析器

     12345 http://google.com 2017-04-17 09:02:43.065 ERROR 10479 --- [http-nio-8052-exec-2] com.utilities.TokenUtils     : Error

org.xml.SAXParseException: An invalid XML character (Unicode: 0xe) was found in the value of attribute "ID" and element is "saml".
    at org.apache.parsers.DOMParser.parse(Unknown Source)
    at org.apache.jaxp.DocumentBuilderImpl.parse(Unknown Source)
    at javax.parsers.DocumentBuilder.parse(DocumentBuilder.java:121)
    at com.utilities.TokenUtils.validateSignature(TokenUtils.java:99)

解析器：

`%{NOTSPACE:stnum}\s*%{NOTSPACE:requestURL}\s*%{TIMESTAMP_ISO8601:log_timestamp}\s*%{LOGLEVEL:loglevel}\s*%{NUMBER:pid}\s*---\s*\[(?<thread>[A-Za-z0-9-]+)\]\s*%{DATA:class}\s*:\s%{NOTSPACE:level}\s*(?<errormessage>.[^\n]*).[^\n]*`

我正在尝试从日志中捕获此消息：

org.xml.SAXParseException: An invalid XML character (Unicode: 0xe) was found in the value of attribute "ID" and element is "saml".

Answer 1

您使用的是哪个logstash解析器？请提供conf文件，它可以提供更多信息。这是从日志中解析异常类型的示例（使用grok过滤器）。

filter {
grok {
match => ["message", "%{DATA:errormessage} %{GREEDYDATA:EXTRA}"]
}
}

Logstash Grok Parser不适用于错误日志

1 个答案: