Cannot parse jboss server log

dlopez · May 9, 2016, 4:03pm

Hi,

I'm newbie on logstash, I've successfully installed and configured ElasticSearch, LogStash and Kibana as well as my first input using the Remote Log4J connector.

But now I'm trying to parse the server.log file with no success. This is my latest config file:

input {
   #log4j {
   #    mode => "server"
   #    host => "localhost"
   #    port => 4712
   #  }

    file {
        path => "/home/dlopez/server.log"
        start_position => "beginning"
        }
   }


   output {
     elasticsearch {
      hosts => "localhost:9200"
      index => "logstash-%{+YYYY.MM.dd}"
    }
  }

Anybody can help me,please? I just only need to send the whole file to Elastic and let Kibana do the rest.
Thank you very much in advanced.

Best regards

dlopez · May 10, 2016, 2:45pm

Finally I got it working,
now I'm trying to use a grok filter. I've tested the filter using the Grok Debugger but when restarting logstash, nothing is parsed.

Here is my logstash.conf file:

input {
  file {
        path => "/home/dlopez/server.log"
        start_position => "beginning"
       }
}

filter {
   grok {
     match =>
        {
          "message" => "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:level}\s+\[%{DATA:className}\]%{SPACE}%{GREEDYDATA:message}"
        }
   }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    index => "logstash-%{+YYYY.MM.dd}"
  }
}

Any help would be appreciated. Thanks

Regards

magnusbaeck · May 12, 2016, 5:47am

Logstash is probably tailing the input file and waiting for more lines to be added to it. Either delete the sincedb file or set sincedb_path to /dev/null. Also, if the file is older than a day you need to adjust the file input's ignore_older option.

dlopez · May 12, 2016, 8:02am

Thank you very much! it works now!