Hello everyone,
I'm running a 3-node Elasticsearch cluster with ES version 8.3.3.
Elastic Agent is running with the same version on Ubuntu 18.04.6 and is trying to collect logs from Apache Tomcat 8.5.24 by reading the catalina.out file.
When I look at the ingested data I have the standard metadata (with host OS information, AWS AMI information, etc.) and the log.flags field contains dissect_parsing_error for each and every line of the log.
When I try to filter on dissect_parsing_error I get 0 results.
The log file looks something like this:
2022-09-25 06:45:41.259 DEBUG 14556 --- [o-8443-exec-113] c.a.d.p.security.UserDetailsServiceImpl : Method-[UserDetails com.foo.barpoi.security.UserDetailsServiceImpl.loadUserByUsername(String)] Input-[baz]
2022-09-25 06:51:39.949 DEBUG 14556 --- [o-8443-exec-120] c.a.d.p.w.resources.PoiReleaseResources : Method-[PoiReleaseDTO com.foo.bar.poi.web.resources.PoiReleaseResources.getLocalizationRelease(String,String,Principal)] Input-[baz, null, org.springframework.security.authentication.UsernamePasswordAuthenticationToken@9439fff1: Principal: taz Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@7798: RemoteIpAddress: laz; SessionId: null; Granted Authorities: ROLE_API_USER]
Could it be due to some formatting that differs from what the grok pattern would expect?
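To see why a line ends up flagged, it helps to replay the tokenizing step locally. The block below is an added example, not code from the post, from Elastic, or from the Tomcat integration: it is a simplified re-implementation of dissect-style parsing (literal delimiters between `%{field}` tokens, first-occurrence matching, and the `->` right-padding modifier only). The pattern `SPRING_STYLE_PATTERN` is an assumption written for the line shape shown in the post, not the integration's actual pattern, which the post does not include. The first two sample lines are the ones from the post; the third is a constructed Java stack-trace continuation line of the kind catalina.out also contains. On failure the parser reports which delimiter it could not find and tags the event with `dissect_parsing_error`, mirroring the log.flags value mentioned above.

```python
import re

# Constructed sample input: the two catalina.out lines from the post plus one
# constructed stack-trace continuation line (a shape that has no delimiters).
SAMPLE_LINES = [
    "2022-09-25 06:45:41.259 DEBUG 14556 --- [o-8443-exec-113] c.a.d.p.security.UserDetailsServiceImpl : Method-[UserDetails com.foo.barpoi.security.UserDetailsServiceImpl.loadUserByUsername(String)] Input-[baz]",
    "2022-09-25 06:51:39.949 DEBUG 14556 --- [o-8443-exec-120] c.a.d.p.w.resources.PoiReleaseResources : Method-[PoiReleaseDTO com.foo.bar.poi.web.resources.PoiReleaseResources.getLocalizationRelease(String,String,Principal)] Input-[baz, null, org.springframework.security.authentication.UsernamePasswordAuthenticationToken@9439fff1: Principal: taz Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@7798: RemoteIpAddress: laz; SessionId: null; Granted Authorities: ROLE_API_USER]",
    "\tat com.foo.bar.poi.web.resources.PoiReleaseResources.getLocalizationRelease(PoiReleaseResources.java:42)",
]

# Assumed pattern for the line shape in the post ("date time LEVEL pid --- [thread] logger : message").
# This is a hypothetical pattern, not the Tomcat integration's own.
SPRING_STYLE_PATTERN = "%{date} %{time} %{level->} %{pid} --- [%{thread}] %{logger} : %{message}"

FIELD = re.compile(r"%\{([^}]*)\}")


class DissectError(ValueError):
    """Raised with a description of the delimiter that could not be matched."""


def compile_pattern(pattern):
    """Split a pattern into (preceding literal, field key) pairs plus the trailing literal."""
    parts, pos = [], 0
    for m in FIELD.finditer(pattern):
        parts.append((pattern[pos:m.start()], m.group(1)))
        pos = m.end()
    return parts, pattern[pos:]


def dissect(pattern, line):
    """Simplified dissect: each field runs up to the first occurrence of the next literal."""
    parts, trailing = compile_pattern(pattern)
    fields, pos = {}, 0
    for i, (lit, key) in enumerate(parts):
        if not line.startswith(lit, pos):
            raise DissectError(f"expected literal {lit!r} at offset {pos}")
        pos += len(lit)
        delim = parts[i + 1][0] if i + 1 < len(parts) else trailing
        if delim == "":
            value, pos = line[pos:], len(line)          # last field takes the rest
        else:
            end = line.find(delim, pos)
            if end < 0:
                raise DissectError(f"delimiter {delim!r} not found after offset {pos}")
            value, pos = line[pos:end], end
            if key.endswith("->"):                      # '->' swallows repeated delimiters (padded levels)
                while line.startswith(delim * 2, pos):
                    pos += len(delim)
        name = key[:-2] if key.endswith("->") else key
        if name:
            fields[name] = value
    if line[pos:] != trailing:
        raise DissectError(f"unconsumed text {line[pos:]!r}")
    return fields


def parse_line(line, pattern=SPRING_STYLE_PATTERN):
    """Mimic the ingest outcome: extracted fields on success, a flagged event on failure."""
    try:
        return dissect(pattern, line)
    except DissectError as err:
        return {"message": line, "log.flags": ["dissect_parsing_error"], "error": str(err)}


def parse_all(lines, pattern=SPRING_STYLE_PATTERN):
    """Parse every line and return (results, number of lines flagged)."""
    results = [parse_line(line, pattern) for line in lines]
    failed = sum(1 for r in results if "dissect_parsing_error" in r.get("log.flags", []))
    return results, failed


if __name__ == "__main__":
    results, failed = parse_all(SAMPLE_LINES)
    for r in results:
        print(r.get("error") or f"{r['level']} [{r['thread']}] {r['logger']}")
    print(f"{failed} of {len(results)} lines flagged dissect_parsing_error")
```

Running this against a longer slice of the real catalina.out, with the pattern replaced by whatever the integration actually uses, shows directly which delimiter is missing on the flagged lines; the error text names it. Lines that have no delimiters at all, such as stack-trace continuations, fail regardless of pattern, whereas a pattern that expects a different date or thread layout than the Spring-style lines above fails on every line, which matches the symptom described in the post.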