How to implement to store Spring-boot embedded tomcat access logs?

Hi. I am trying to store spring boot tomcat access log to logstash.

So I implement org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer like below. It works fine, I can see the access-* logs in Kibana. However It does not looks different with catalina logs.

As far as I know, if I use LogstashAccessTcpSocketAppender, I would able to get access log.
I would like to know how to set logstash to store embedded tomcat access logs.

Here is the code that I have implemented.

1. At Spring boot project ...

    @Configuration
        public class EmbeddedTomcatConfig implements EmbeddedServletContainerCustomizer {
            private Logger logger = Logger.getLogger(EmbeddedTomcatConfig.class);
            private boolean useLogbackValve = true;

            public void ableLogbackValve(boolean use){
                this.useLogbackValve = use;
            }

            @Override
            public void customize(ConfigurableEmbeddedServletContainer container) {
                try{
                    if (container instanceof TomcatEmbeddedServletContainerFactory) {
                        TomcatEmbeddedServletContainerFactory factory = (TomcatEmbeddedServletContainerFactory) container;
                        if(useLogbackValve) {
                            LogbackValve logbackValve = new LogbackValve();
                            LogstashAccessTcpSocketAppender logstashAccessAppender = new LogstashAccessTcpSocketAppender();
                            logstashAccessAppender.addDestination("ABC.DEF.GH.IJK:5001");
                            LogstashAccessEncoder lae = new LogstashAccessEncoder();
                            lae.setWriteVersionAsString(true);
                            logstashAccessAppender.setEncoder(lae);
                            logbackValve.addAppender(logstashAccessAppender);
                            logbackValve.setAsyncSupported(true);

                            factory.addContextValves(logbackValve);
                        }

                        AccessLogValve accessLogValve = new AccessLogValve();
                        accessLogValve.setDirectory("/resource/ice2/tomcat/access-logs");
                        accessLogValve.setPattern("common");
                        accessLogValve.setSuffix(".log");
                        factory.addContextValves(accessLogValve);


                        // debugging

                        logger.info("============================================================");
                        logger.info("==================== Context Valves ========================");
                        logger.info("============================================================");
                        factory.getContextValves().stream().forEach(v -> {
                            logger.info("context valve :: " + v.getClass().getName());
                        });
                        logger.info("============================================================");
                        logger.info("============================================================");
                        logger.info("============================================================");



                    } else {
                        logger.error("WARNING! this customizer does not support your configured container");
                    }

                } catch (Exception e) {
                    logger.error("Access Log Activation failed :: ", e);
                }
            }
    }

And Here is my logstash io configurations...

input {
  tcp {
    port => 5001
    codec => multiline {
      pattern => "^{"
      negate => "true"
      what => "previous"
    }
  }
}

filter {
  json {
    source => "message"
  }
}

output {
  elasticsearch {
    hosts => ['localhost:9200']
    index => 'access-%{+YYYY.MM.dd}'
  }
  stdout { codec => rubydebug }
}

I can see the index access-2017.06.23 in elastic search, so I guess storing log works fine, but that does not looks different with catalina.(I want access logs like 0:0:0:0:0:0:0:1 - - [23/Jun/2017:11:14:53 +0900] "GET / HTTP/1.1" 200 56135)

Thanks for helping me.

FYI, below is logstash setting for catalina

In Spring, I used xml setting file like ...

    <appender name="STASH" class="net.logstash.logback.appender.LogstashTcpSocketAppender">
         <destination>ABC.DEF.GH.IJK:5000</destination>
         <encoder class="net.logstash.logback.encoder.LogstashEncoder" />
         <reconnectionDelay>1 second</reconnectionDelay>
     </appender>

     <root level="INFO">
         <appender-ref ref="STASH" />
     </root>

AND logstash io like almost same with other one

input {
  tcp {
    port => 5000
    codec => multiline {
      pattern => "^{"
      negate => "true"
      what => "previous"
    }
  }
}

filter {
  json {
    source => "message"
  }
}

output {
  elasticsearch {
    hosts => ['localhost:9200']
    index => 'logstash-%{+YYYY.MM.dd}'
  }
  stdout { codec => rubydebug }
}

So what are you currently getting in your Elasticsearch index?

Here is my index list('_cat/indices?v')

yellow open   stagemonitor-metrics-2017.06.26 I7cFefFMSlmsEcUI2lUr_w   5   1      87500            0      8.9mb          8.9mb
yellow open   catalina-2017.06.27             3PXY0K88Qf2uJg8WGM8v4Q   5   1      10895            0      5.8mb          5.8mb
yellow open   stagemonitor-metrics-2017.06.27 WvJWkW90Rd2igu7NMc78eg   5   1      85059            0      8.3mb          8.3mb
yellow open   .kibana                         j6568zU5RWu9uOb2BfCGhA   1   1         33            0     66.8kb         66.8kb
yellow open   catalina-2017.06.26             grdm0gAmQ_SuL9DZL3qJVg   5   1       4793            0      2.5mb          2.5mb

If I access port 5001 with browser, it generates access-2017.06.27 index. I think java class setting got some problem.

Yes, but I want to see an example of a document that you're unhappy with.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.