I have the following Logstash config for Tomcat:
- filtertomcat
filter {
  if [fileset][module] == "tomcat" {
    if [fileset][name] == "tomcatcatalina" {
      grok {
        match => [ "message", "(?m)%{TOMCAT_DATESTAMP:timestamp} %{LOGLEVEL:severity} %{GREEDYDATA:message}" ]
        overwrite => [ "message" ]
      }
      mutate {
        add_field => { "[@metadata][target_index]" => "tomcatcatalina-%{[host][hostname]}-%{+YYYY.MM.dd}" }
      }
      mutate {
        lowercase => [ "[@metadata][target_index]" ]
      }
      date {
        match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
      }
    }
  }
}
- Output
output {
  if [service][type] == "system" {
    if [fileset][name] == "syslog" {
      elasticsearch {
        hosts => ["localhost:9200"]
        sniffing => true
        manage_template => false
        index => "%{[@metadata][target_index]}"
        document_type => "%{[@metadata][type]}"
      }
    } else if [fileset][name] == "auth" {
      elasticsearch {
        hosts => ["localhost:9200"]
        sniffing => true
        manage_template => false
        index => "%{[@metadata][target_index]}"
        document_type => "%{[@metadata][type]}"
      }
    }
  }
  if [service][module] == "tomcat" {
    if [fileset][name] == "tomcatcatalina" {
      elasticsearch {
        hosts => ["localhost:9200"]
        sniffing => true
        manage_template => false
        index => "%{[@metadata][target_index]}"
        document_type => "%{[@metadata][type]}"
      }
    }
  } else {
    file {
      path => "/var/log/logstash/unknown_messages.log"
    }
  }
}
- tomcat modules:
# Module: tomcat
# Docs: Tomcat module | Filebeat Reference [8.6] | Elastic
module: tomcat
access:
  enabled: true
  # Set which input to use between udp (default), tcp or file.
  #var.input: file
  #var.input: log
  var.input: custom
  var.syslog_host: localhost
  var.syslog_port: 9501
  # Set paths for the log files when file input is used.
  #var.paths:
  var.paths:
  '- /home/tomcat/tomcat-telesale/logs/catalina.out'
  var.type: localhost_log
  # Toggle output of non-ECS fields (default true).
  var.rsa_fields: true
  # Set custom timezone offset.
  # "local" (default) for system timezone.
  # "+07:00" for GMT+07:00
  var.tz_offset: +07:00
signatures:
  enabled: false
  var.tomcat_host: localhost
  var.tomcat_port: 8084
But it seems there is wrong content in the configuration file. Please help me configure it completely and push it to the Kibana index.