Help with tomcat grok pattern

Elastic Stack Logstash
1

Hi all,
i have the following tomcat logs:

04-Oct-2017 14:27:51.457 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number: 8.5.8.0
04-Oct-2017 14:27:51.457 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 3.10.0-327.36.3.el7.x86_64
......

This is the beat multiline option:
multiline.pattern: '^[0-9]{2}-[[:alpha:]]{3}-[0-9]{4}'
multiline.negate: true
multiline.match: after

and it work.

I'm using the folllwing grok patter to pick the timestamp:
match => ["message", "%{BIND9_TIMESTAMP:timestamp} %{LOGLEVEL:level}"]
....
....
date {
match => [ "timestamp", "dd-MMM-yyyy HH:mm:ss.SSS" ]
timezone => "Europe/Rome"
target => "@timestamp"

But don't work.....can you help me to solve?

2

If I input that line into logstash with

input { stdin {} }
output { stdout { codec => rubydebug } }

filter {
  grok {
    match => ["message", "%{BIND9_TIMESTAMP:timestamp} %{LOGLEVEL:level}"]
  }
  date {
    match => [ "timestamp", "dd-MMM-yyyy HH:mm:ss.SSS" ]
    timezone => "Europe/Rome"
  }
}

then I get "@timestamp" => 2017-10-04T12:27:51.457Z, so the problem is not in the grok or the date. If you provide a reproducible example we might be able to diagnose the problem.

3

On my first post i already provided 2 rows of logs.....

4

Yes, and when I run those 2 lines through the config I included, which seems to me to match the partial config you showed, then the @timestamp on the resulting events is from 4th October, which to me means it worked just fine. How about you show a complete non-working configuration?

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.