How to grok catalina log file

Here is the context: my Logstash config for Tomcat.

  • filtertomcat

filter {
  if [fileset][module] == "tomcat" {
    if [fileset][name] == "tomcatcatalina" {
      grok {
        match => [ "message", "(?m)%{TOMCAT_DATESTAMP:timestamp} %{LOGLEVEL:severity} %{GREEDYDATA:message}" ]
        overwrite => [ "message" ]
      }

      mutate {
        add_field => { "[@metadata][target_index]" => "tomcatcatalina-%{[host][hostname]}-%{+YYYY.MM.dd}" }
      }

      mutate {
        lowercase => [ "[@metadata][target_index]" ]
      }

      date {
        match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
      }
    }
  }
}

  • Output

output {
  if [service][type] == "system" {
    if [fileset][name] == "syslog" {
      elasticsearch {
        hosts => ["localhost:9200"]
        sniffing => true
        manage_template => false
        index => "%{[@metadata][target_index]}"
        document_type => "%{[@metadata][type]}"
      }
    }
    else if [fileset][name] == "auth" {
      elasticsearch {
        hosts => ["localhost:9200"]
        sniffing => true
        manage_template => false
        index => "%{[@metadata][target_index]}"
        document_type => "%{[@metadata][type]}"
      }
    }
  }

  if [service][module] == "tomcat" {
    if [fileset][name] == "tomcatcatalina" {
      elasticsearch {
        hosts => ["localhost:9200"]
        sniffing => true
        manage_template => false
        index => "%{[@metadata][target_index]}"
        document_type => "%{[@metadata][type]}"
      }
    }
  }
  else {
    file {
      path => "/var/log/logstash/unknown_messages.log"
    }
  }
}

  • tomcat modules:

# Module: tomcat
# Docs: Tomcat module | Filebeat Reference [8.6] | Elastic

- module: tomcat
  access:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
    #var.input: file
    #var.input: log
    var.input: custom

    var.syslog_host: localhost
    var.syslog_port: 9501

    # Set paths for the log files when file input is used.
    #var.paths:
    var.paths:
    '- /home/tomcat/tomcat-telesale/logs/catalina.out'
    var.type: localhost_log

    # Toggle output of non-ECS fields (default true).
    var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+07:00" for GMT+07:00
    var.tz_offset: +07:00

    signatures:enabled: false

    var.tomcat_host: localhost
    var.tomcat_port: 8084

But it seems the context in the configuration file is wrong. Please help me configure it completely and push it to the Kibana index.
