Logstash tomcat堆栈跟踪解析失败

Question

我正在尝试使用logstash解析一些Tomcat日志，这是数据示例：

 07-05-19 11:24:32 INFO  [XmlWebApplicationContext] Closing Root WebApplicationContext: startup date [Wed Apr 10 15:58:07 CEST 2019]; root of context hierarchy" >> /var/lib/docker/volumes/test1/_data/tomcat.misc.log
 09-05-19 10:25:00 WARN  [BasicResourcePool] com.mchange.v2.resourcepool.BasicResourcePool@74f26dc -- Acquisition Attempt Failedclear! Clearing pending acquires. While trying to acquire a needed new resource, we failed to succeed more than the maximum number of allowed acquisition attempts (30). Last acquisition attempt exception: 
    org.postgresql.util.PSQLException: Connection to ii refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
            at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:265)
            at com.mchange.v2.async.ThreadPoolAsynchronousRunner .run(ThreadPoolAsynchronousRunner.java:696)
    Caused by: java.net.ConnectException: Network is unreachable (connect failed)
            at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:144)
            ... 13 more

我在其他主题上看到多行插件和模式很有用：

模式文件：

JAVA_TRACE (^.+Exception: .+)|(^\s+at .+)|(^\s+... \d+ more)|(^\s*Caused by:.+)

Logstash配置文件：

input {
        udp{
                port => 12201
        }
        tcp{
                port => 12201
                codec => multiline {
                        patterns_dir => ["/conf/patterns"]
                        pattern => "^%{JAVA_TRACE}"
                        negate => "true"
                        what => "previous"
                }
        }
}

filter{
                grok{
                        patterns_dir => ["/conf/patterns"]
                        match => {message => ["(^%{DATE_EU:date} %{TIME:time} %{LOGLEVEL})"]}
                        tag_on_failure => ["failed"]
                }
}

output{
        elasticsearch{
                hosts => ["elasticsearch:9200"]
                index => "tomcat_misc"
        }
}

仅供参考，这是我的syslog-ng客户端配置：

source s_test{
        wildcard-file(
                base-dir("/tmp")
                filename-pattern("*log")
                flags(no-parse)
                );
};

template no_header{
        template("$MSG\n");
        template_escape(no);
};

destination d_siem{
        tcp(X.X.X.X port(12201) template(no_header));
};

log {
        source(s_test);
        destination(d_siem);
};

问题是，当我使用此配置时，简单行得到了很好的解析，但是堆栈跟踪行返回了“失败”的tafg，就好像它们没有在多行编解码器中解释一样。例如，“ at com。[...]。run”行存储为一个日志行，而不是多行日志的一部分。

我在一个正则表达式网站上检查我的JAVA_TRACE模式是否正确并与我的堆栈跟踪匹配，所以我不明白为什么编解码器无法正常工作...有人有想法吗？

感谢您的帮助