Looking for some guidance on how to pull some specific pieces of data out of a multiline log. Have been using a logstash filter, but it is taking too long, and I am hoping there is a better way.
The logfile:
2017-04-25[08:02:16(UTC+06:00)]:E:pillase: ******* S T A R T of Error message *******
2017-04-25[08:02:16(UTC+06:00)]:E:pillase: Log message called from /view/port9.1a.01.nlbaucc.ccadm.snapshot/vobs/tt/lib/al_1/al_fpath.c: #279 keyword: sopen
2017-04-25[08:02:16(UTC+06:00)]:E:pillase: Pid 32121 Uid 23707 Euid 23707 Gid 125 Egid 125 Pset pillase@10.10.10.1:60090
2017-04-25[08:02:16(UTC+06:00)]:E:pillase: user_type N language 2 user_name pillase locale ISO88591/NULL package_comb b61prod
2017-04-25[08:02:16(UTC+06:00)]:E:pillase: session: "ottstpbdeman ";object: "ottstpbdeman"; function: "tgcomlogging.write" seq.open; company number: 301
2017-04-25[08:02:16(UTC+06:00)]:E:pillase: Errno 13 (Permission denied) bdb_errno 0
2017-04-25[08:02:16(UTC+06:00)]:E:pillase: Log_mesg:
2017-04-25[08:02:16(UTC+06:00)]:E:pillase: Error during sopen(/ln/bse/log/log.ottst, /ln/bse/log/log.ottst)
2017-04-25[08:02:16(UTC+06:00)]:E:pillase: ******* E N D of Error message *******
2017-04-25[08:02:16(UTC+06:00)]:E:pillase:
2017-04-25[08:03:24(UTC+06:00)]:E:pillase: ******* S T A R T of Error message *******
2017-04-25[08:03:24(UTC+06:00)]:E:pillase: Log message called from /view/port9.1a.01.nlbaucc.ccadm.snapshot/vobs/tt/lib/al_1/al_fpath.c: #279 keyword: sopen
2017-04-25[08:03:24(UTC+06:00)]:E:pillase: Pid 32121 Uid 23707 Euid 23707 Gid 125 Egid 125 Pset pillase@10.10.10.1:60090
2017-04-25[08:03:24(UTC+06:00)]:E:pillase: user_type N language 2 user_name pillase locale ISO88591/NULL package_comb b61prod
2017-04-25[08:03:24(UTC+06:00)]:E:pillase: session: "ottstpbdeman ";object: "ottstpbdeman"; function: "tgcomlogging.write" seq.open; company number: 301
2017-04-25[08:03:24(UTC+06:00)]:E:pillase: Errno 13 (Permission denied) bdb_errno 0
2017-04-25[08:03:24(UTC+06:00)]:E:pillase: Log_mesg:
2017-04-25[08:03:24(UTC+06:00)]:E:pillase: Error during sopen(/ln/bse/log/log.ottst, /ln/bse/log/log.ottst)
2017-04-25[08:03:24(UTC+06:00)]:E:pillase: ******* E N D of Error message *******
2017-04-25[08:03:24(UTC+06:00)]:E:pillase:
My logstash multiline codec is working for me:
codec => multiline {
  pattern => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\[%{HOUR}:%{MINUTE}:%{SECOND}\(UTC%{ISO8601_TIMEZONE}\)\]:E:%{USERNAME}:[[:space:]]\*\*\*\*\*\*\* S"
  negate => true
  what => previous
}
My Grok filter is working until I get too deep into the log data, and it starts timing out.
match => { "message" => "(?<date>[0-9]{4}-[0-9]{2}-[0-9]{2})\[(?<time>[0-9]{2}:[0-9]{2}:[0-9]{2})\(UTC%{ISO8601_TIMEZONE:timezone}\)\]:E:%{USERNAME:username}:[[:space:]]\*\*\*\*\*\*\* S T A R T of Error message \*\*\*\*\*\*\*\n%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\[%{HOUR}:%{MINUTE}:%{SECOND}\(UTC%{ISO8601_TIMEZONE}\)\]:E:%{USERNAME}: Log message called from %{PATH:program}: #%{NUMBER} keyword: %{WORD:keyword}\n%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\[%{HOUR}:%{MINUTE}:%{SECOND}\(UTC%{ISO8601_TIMEZONE}\)\]:E:%{USERNAME}: Pid %{NUMBER:pid} Uid %{NUMBER:uid} Euid %{NUMBER:euid} Gid %{NUMBER:gid} Egid %{NUMBER:egid} Pset %{USERNAME}@%{IPORHOST:hostname}:%{NUMBER}\n%{DATA:data}\n%{DATA:skip2} " }
Gets me this output:
{
  "date" => "2017-04-25",
  "gid" => "125",
  "euid" => "23707",
  "data" => "2017-04-25[08:03:24(UTC+06:00)]:E:pillase: user_type N language 2 user_name pillase locale ISO88591/NULL package_comb b61prod",
  "timezone" => "+06:00",
  "pid" => "32121",
  "program" => "/view/port9.1a.01.nlbaucc.ccadm.snapshot/vobs/tt/lib/al_1/al_fpath.c",
  "message" => "2017-04-25[08:03:24(UTC+06:00)]:E:pillase: ******* S T A R T of Error message *******\n2017-04-25[08:03:24(UTC+06:00)]:E:pillase: Log message called from /view/port9.1a.01.nlbaucc.ccadm.snapshot/vobs/tt/lib/al_1/al_fpath.c: #279 keyword: sopen\n2017-04-25[08:03:24(UTC+06:00)]:E:pillase: Pid 32121 Uid 23707 Euid 23707 Gid 125 Egid 125 Pset pillase@10.10.10.1:60090\n2017-04-25[08:03:24(UTC+06:00)]:E:pillase: user_type N language 2 user_name pillase locale ISO88591/NULL package_comb b61prod\n2017-04-25[08:03:24(UTC+06:00)]:E:pillase: session: \"ottstpbdeman \";object: \"ottstpbdeman\"; function: \"tgcomlogging.write\" seq.open; company number: 301\n2017-04-25[08:03:24(UTC+06:00)]:E:pillase: Errno 13 (Permission denied) bdb_errno 0\n2017-04-25[08:03:24(UTC+06:00)]:E:pillase: Log_mesg:\n2017-04-25[08:03:24(UTC+06:00)]:E:pillase: Error during sopen(/ln/bse/log/log.ottst, /ln/bse/log/log.ottst)\n2017-04-25[08:03:24(UTC+06:00)]:E:pillase: ******* E N D of Error message *******\n2017-04-25[08:03:24(UTC+06:00)]:E:pillase:",
  "tags" => [
    [0] "multiline"
  ],
  "path" => "/tmp/baan3.log",
  "uid" => "23707",
  "egid" => "125",
  "hostname" => "10.10.10.1",
  "@timestamp" => 2017-04-26T19:42:41.493Z,
  "skip2" => "2017-04-25[08:03:24(UTC+06:00)]:E:pillase:",
  "@version" => "1",
  "host" => "corp-vb1-rh19",
  "time" => "08:03:24",
  "keyword" => "sopen",
  "username" => "pillase"
}
As I move further down the message trying to get session, object, errno, etc., it is really slow or just times out.
Is there a better way to do this other than creating one big grok filter?
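The alternative to one long grok expression is to match the shared prefix once per line and then apply a small, anchored pattern per line type. The following Python parser is an added example written for this post, not the asker's code and not part of Logstash or grok; the sample log is constructed inline in the same shape as the blocks above, and all field names (`line_no`, `pset_user`, `operation`, `errstr` and so on) are this example's own choices.

```python
import re

# Constructed sample in the same shape as the question's log: two error blocks,
# each a run of lines that share one "date[time(UTC+zone)]:E:user:" prefix.
def _block(time):
    p = f"2017-04-25[{time}(UTC+06:00)]:E:pillase:"
    return "\n".join([
        f"{p} ******* S T A R T of Error message *******",
        f"{p} Log message called from /view/port9.1a.01.nlbaucc.ccadm.snapshot/vobs/tt/lib/al_1/al_fpath.c: #279 keyword: sopen",
        f"{p} Pid 32121 Uid 23707 Euid 23707 Gid 125 Egid 125 Pset pillase@10.10.10.1:60090",
        f"{p} user_type N language 2 user_name pillase locale ISO88591/NULL package_comb b61prod",
        f'{p} session: "ottstpbdeman ";object: "ottstpbdeman"; function: "tgcomlogging.write" seq.open; company number: 301',
        f"{p} Errno 13 (Permission denied) bdb_errno 0",
        f"{p} Log_mesg:",
        f"{p} Error during sopen(/ln/bse/log/log.ottst, /ln/bse/log/log.ottst)",
        f"{p} ******* E N D of Error message *******",
        p,
    ]) + "\n"

SAMPLE_LOG = _block("08:02:16") + _block("08:03:24")

# The common prefix is matched exactly once per line; the remainder is "body".
PREFIX = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\[(?P<time>\d{2}:\d{2}:\d{2})"
    r"\(UTC(?P<timezone>[+-]\d{2}:\d{2})\)\]:(?P<level>\w):(?P<username>[^:]+):"
    r" ?(?P<body>.*)$"
)

START_MARKER = "******* S T A R T of Error message *******"
END_MARKER = "******* E N D of Error message *******"

# One short, anchored pattern per line type. Each begins with a literal word, so a
# body that does not match is rejected after a few characters; there is no
# DATA/GREEDYDATA-style wildcard in the middle that has to be retried by backtracking.
LINE_PATTERNS = [
    re.compile(r"^Log message called from (?P<program>\S+): #(?P<line_no>\d+) keyword: (?P<keyword>\w+)$"),
    re.compile(r"^Pid (?P<pid>\d+) Uid (?P<uid>\d+) Euid (?P<euid>\d+) Gid (?P<gid>\d+) Egid (?P<egid>\d+)"
               r" Pset (?P<pset_user>[^@]+)@(?P<hostname>[^:]+):(?P<port>\d+)$"),
    re.compile(r"^user_type (?P<user_type>\S+) language (?P<language>\S+) user_name (?P<user_name>\S+)"
               r" locale (?P<locale>\S+) package_comb (?P<package_comb>\S+)$"),
    re.compile(r'^session: "(?P<session>[^"]*)";object: "(?P<object>[^"]*)"; function: "(?P<function>[^"]*)"'
               r" (?P<operation>\S+); company number: (?P<company_number>\d+)$"),
    re.compile(r"^Errno (?P<errno>\d+) \((?P<errstr>[^)]*)\) bdb_errno (?P<bdb_errno>\d+)$"),
    re.compile(r"^Error during (?P<error>.+)$"),
]


def parse_log(text):
    """Split the log into error records delimited by the START/END marker lines.

    Returns one dict per record, keyed by the named groups above. Lines outside a
    START..END block (for example the empty trailer line) are ignored, and a line
    inside a block that matches no pattern is simply left out of the record.
    """
    records = []
    current = None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue  # not in the expected shape; a real pipeline would count these
        body = m.group("body")
        if body == START_MARKER:
            current = {k: m.group(k) for k in ("date", "time", "timezone", "level", "username")}
            continue
        if current is None:
            continue
        if body == END_MARKER:
            records.append(current)
            current = None
            continue
        for pat in LINE_PATTERNS:
            lm = pat.match(body)
            if lm:
                current.update(lm.groupdict())
                break
    return records


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec["date"], rec["time"], "errno", rec["errno"], rec["errstr"], "during", rec["error"])
```

The same structure carries over to Logstash: one grok that strips the prefix, then several short patterns anchored with `^` on the remaining lines, instead of a single pattern whose `%{DATA:...}` fields (`.*?` under the hood) are retried against ever-longer stretches of the message whenever a later literal fails to match, which is what drives the grok timeout. From a monitoring point of view the record worth alerting on here is `errno` 13 on the application's own log file: a process that cannot open its log is a gap in audit coverage, so the `error` and `errstr` fields are the ones to keep rather than the raw `data`/`skip2` blobs.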