I am using logstash to process Tomcat logs and i am using below pattern Java Logs
JAVATHREAD (?:[A-Z]{2}-Processor[\d]+)
JAVACLASS (?:[a-zA-Z0-9-]+.)+[A-Za-z0-9$]+
JAVAFILE (?:[A-Za-z0-9_.-]+)
JAVASTACKTRACEPART at %{JAVACLASS:class}.%{WORD:method}(%{JAVAFILE:file}:%{NUMBER:line})
JAVALOGMESSAGE (.*)
2014-01-09 17:32:25,527 -0800 | ERROR | com.example.controller.ApiController - Request exception
javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://api.example.com/DataServices/Data?WSDL. It failed with:
Connection reset.
at com.example.webservices.Data.(Data.java:50)
at com.example.service.soap.DataService.submitRequest(DataService.groovy:28)
at com.example.service.request.RequestService.addRequest(RequestService.groovy:26)
at com.example.controller.ApiController.request(ApiController.groovy:692)
at grails.plugin.cache.web.filter.PageFragmentCachingFilter.doFilter(PageFragmentCachingFilter.java:200)
at grails.plugin.cache.web.filter.AbstractFilter.doFilter(AbstractFilter.java:63)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:311)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:776)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:705)
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:898)
Caused by: java.net.SocketException: Connection reset
... 17 more
Are you feeding Logstash more than one message? If not, Logstash is waiting for a line that starts with a timestamp so that it can flush the current message. Try feeding it another message and see if you get the first message back in parsed form.
(Hint: If you have code-like text that shouldn't be formatted with Markdown, like configuration files and logs snippets, select the text and press Ctrl+K.)
Failed parsing date from field {:field=>"timestamp", :value=>"Tue Jun 02 11:30:46 2015", :exception=>java.lang.IllegalArgumentException: Invalid format: "Tue Jun 02 11:30:46 2015", :level=>:warn}
[2015-03-23 13:57:16,866 ] INFO AprLifecycleListener -- OpenSSL successfully initialized (OpenSSL0.9.8e-fips-rhel5 01 Jul 2008)
[2015-03-23 13:57:17,719 ] INFO AbstractProtocol -- Initializing ProtocolHandler ["http-bio--8443"]
[2015-03-23 13:57:18,276 ] ERROR AbstractProtocol -- Failed to initialize end point associated with ProtocolHandler ["http-bio--8443"]
java.net.BindException: Address already in use /:8443
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:406)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:610)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:429)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
You're not taking the square brackets around the timestamp into consideration and you only have a single hyphen between the logger name and the log message. This should work better. If it doesn't work you'll have to dig into it yourself or hope that someone else can help.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.