How to grok catalina log file

Elastic Stack Logstash
1

I have context my config logstash for tomcat

  • filtertomcat

filter {
if [fileset][module] == "tomcat" {
if [fileset][name] == "tomcatcatalina" {
grok {
match => [ "message", "(?m)%{TOMCAT_DATESTAMP:timestamp} %{LOGLEVEL:severity} %{GREEDYDATA:message}" ]
overwrite => [ "message" ]
}

mutate {
add_field => { "[@metadata][target_index]" => "tomcatcatalina-%{[host][hostname]}-%{+YYYY.MM.dd}" }

    }

mutate {
lowercase => [ "[@metadata][target_index]" ]
}

date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
}
}
}
}

  • Output

output {
if [service][type] == "system" {
if [fileset][name] == "syslog" {
elasticsearch {
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][target_index]}"
document_type => "%{[@metadata][type]}"
}
}
else if [fileset][name] == "auth" {
elasticsearch {
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][target_index]}"
document_type => "%{[@metadata][type]}"
}
}
}

if [service][module] == "tomcat" {
if [fileset][name] == "tomcatcatalina" {
elasticsearch {
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][target_index]}"
document_type => "%{[@metadata][type]}"
}
}
}

else
{
file {
path => "/var/log/logstash/unknown_messages.log"
}
}
}

  • tomcat modules:

Module: tomcat

Docs: Tomcat module | Filebeat Reference [8.6] | Elastic

  • module: tomcat
    access:
    enabled: true

    Set which input to use between udp (default), tcp or file.

    #var.input: file
    #var.input: log
    var.input: custom

    var.syslog_host: localhost

    var.syslog_port: 9501

    Set paths for the log files when file input is used.

    #var.paths:
    var.paths:
    '- /home/tomcat/tomcat-telesale/logs/catalina.out'
    var.type: localhost_log

    Toggle output of non-ECS fields (default true).

    var.rsa_fields: true

    Set custom timezone offset.

    "local" (default) for system timezone.

    "+07:00" for GMT+07:00

    var.tz_offset: +07:00

    signatures:enabled: false

    var.tomcat_host: localhost
    var.tomcat_port: 8084

But is is seem is wrong context in the file configure. Please help me configure it completely and push it to the kibana index

2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.