ELK: Filebeat and multiline settings

Time: 2018-07-12 11:29:31

Tags: logstash elastic-stack filebeat

I am trying to ship log messages, including Java exceptions, into the ELK stack via Filebeat. Normal messages, for example

25 Jun 2018 13:02:24,430  INFO [.myjavaclass: 540] The sun is shining.

are no problem. Unfortunately, the following stack trace is not recognized:

25 Jun 2018 13:02:09,072 ERROR [ypes.CmsResourceTypeXmlContent: 339] Ungültiges XML Schema "/system/modules/de.wmg.commons.template.blog/schemas/blog.xsd" konfiguriert für den Ressourcentyp "Blog".
org.opencms.xml.CmsXmlException: Ungültige Custom-Widget-Klasse "com.alkacon.opencms.v8.comments.CmsCommentConfigurationSelectWidget" für das Element "ConfigUri" in Content Definition "opencms://system/modules/de.wmg.commons.template.blog/schemas/blog.xsd".
    at org.opencms.xml.content.CmsDefaultXmlContentHandler.addWidget(CmsDefaultXmlContentHandler.java:1907)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.ClassNotFoundException: com.alkacon.opencms.v8.comments.CmsCommentConfigurationSelectWidget
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1720)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Unknown Source)
    at org.opencms.xml.content.CmsDefaultXmlContentHandler.addWidget(CmsDefaultXmlContentHandler.java:1899)
    ... 23 more

This stack trace starts with a date. That is followed by a text line, and then the stack trace itself. The problem is probably the combination of these three parts.

filebeat.yml:

filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /var/log/test/*.log
  fields:
    system: "intranet"

  multiline.pattern: '\d\d \w{1,3} \d\d\d\d \d\d:\d\d:\d\d,\d\d\d^[[:space:]]+(at|\.{3})\b|^Caused by:[:space:]'
  multiline.negate: true
  multiline.match: after

output.logstash:
  hosts: ["elk:5044"]

logstash.conf:

input {
  beats {
    port => 5044
  }
}

filter {
  if [fields][system] == "intranet" {
    grok {
      match => { "message"
        => "(?<datetime>%{MONTHDAY} %{MONTH} %{YEAR} %{HOUR}:%{MINUTE}:%{SECOND},%{NONNEGINT})  *%{LOGLEVEL:loglevel} \[ *(?<class>[A-Za-z0-9$_.]+): *%{NONNEGINT:line}\] *%{GREEDYDATA:message}$"}
      overwrite => [ "message" ]
    }

    mutate {
      add_field => { "insertDate" => "%{@timestamp}" }
      #update => { "message" => "%{msg}" }
    }

    date {
      match => ["datetime", "dd MMM yyyy HH:mm:ss,SSS"]
      target => ["@timestamp"]
      remove_field => ["datetime"]
    }
  }
}

output {
  if [fields][system] == "intranet" {
    elasticsearch {
      hosts => "localhost:9200"
      manage_template => false
      index => "intranet-%{+YYYY.MM.dd}"
    }
  }
}

Any ideas?
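Added example (my own code, not from the question): a small Python model of Filebeat's multiline negate/match semantics, run over a constructed log in the same format as above and anchoring the event start on the timestamp alone rather than describing the trace lines. The `match="before"` run shows why `after` is the right mode when the first line of the trace carries the timestamp; note also that a `^` placed after the milliseconds, as in the posted pattern's first branch, can never match inside a single line, so that branch never marks an event start.

```python
import re

# Constructed sample in the question's layout: a normal INFO line, a stack
# trace whose first line carries the timestamp, and the next event.
SAMPLE_LOG = """\
25 Jun 2018 13:02:24,430  INFO [.myjavaclass: 540] The sun is shining.
25 Jun 2018 13:02:09,072 ERROR [ypes.CmsResourceTypeXmlContent: 339] Invalid XML schema configured.
org.opencms.xml.CmsXmlException: Invalid custom widget class for element "ConfigUri".
    at org.opencms.xml.content.CmsDefaultXmlContentHandler.addWidget(CmsDefaultXmlContentHandler.java:1907)
Caused by: java.lang.ClassNotFoundException: com.example.MissingWidget
    at java.lang.Class.forName0(Native Method)
    ... 23 more
25 Jun 2018 13:02:30,001  WARN [.myjavaclass: 541] Next event.
"""

# Every event begins with "DD Mon YYYY HH:MM:SS,mmm", so the timestamp alone
# identifies an event start; "at ..." and "Caused by:" lines need no pattern.
EVENT_START = re.compile(r"^\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}")


def multiline(lines, pattern, negate=True, match="after"):
    """Model of Filebeat's multiline grouping for one pattern."""
    # negate=False: lines that MATCH the pattern are continuation lines.
    # negate=True:  lines that do NOT match are continuation lines.
    # match="after": append them to the preceding event; "before": prepend to the next.
    events, buf = [], []
    for line in lines:
        hit = pattern.search(line) is not None
        continuation = hit != negate
        if match == "after":
            if continuation and buf:
                buf.append(line)
            else:
                if buf:
                    events.append("\n".join(buf))
                buf = [line]
        else:  # "before": hold continuation lines until the line that ends the event
            buf.append(line)
            if not continuation:
                events.append("\n".join(buf))
                buf = []
    if buf:
        events.append("\n".join(buf))
    return events


def split_sample(match="after"):
    """Group SAMPLE_LOG into events with negate: true and the given match mode."""
    return multiline(SAMPLE_LOG.splitlines(), EVENT_START, negate=True, match=match)
```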

0 answers:

No answers