How to parse a few log files


(Alexander) #1

Hi,

I'm trying to parse two log files. Unfortunately, in the Logstash output I've seen that only the first log file (events.log) has been parsed, and the output does not contain any data from the second log file, algotw.log.
Please advise how to correctly parse more than one log file.

My logstash.conf is below:

input {
  file {
    path => ["C:\QUIK\Server\events.log"]
    type => "QUIKServ-log"
    codec => plain { charset => "UTF-8" }
    start_position => "beginning"
    sincedb_path => "C:\Progra~1\logstash\sincedb"
  }
  file {
    path => ["C:\QUIK\AlgoTW\Import\algotw.log"]
    type => "AlgoTW-log"
    codec => plain { charset => "CP1251" }
    start_position => "beginning"
    sincedb_path => "C:\Progra~1\logstash\sincedb"
  }
}

filter {
  if [type] == "QUIKServ-log" and [message] !~ /Error|Exit|disconnect|reset by peer/ {
    drop { }
  }
  mutate {
    add_field => { "[@metadata][zabbix_key_quikserv]" => "quiksrv.lst" }
  }
  if [type] == "AlgoTW-log" and [message] !~ /Error|Critical/ {
    drop { }
  }
  mutate {
    add_field => { "[@metadata][zabbix_key_algotw]" => "algotw.lst" }
  }
}

output {
  if [type] == "QUIKServ-log" {
    zabbix {
      zabbix_host => "host"
      zabbix_key => "[@metadata][zabbix_key_quikserv]"
      zabbix_server_host => "10.1.110.71"
      zabbix_value => "message"
    }
  }
  if [type] == "AlgoTW-log" {
    zabbix {
      zabbix_host => "host"
      zabbix_key => "[@metadata][zabbix_key_algotw]"
      zabbix_server_host => "10.1.110.71"
      zabbix_value => "message"
    }
  }
  stdout { codec => rubydebug }
}

A small part of Logstash output is below:

{
   "message" => "E: 10 Jun 15 (Wed) 07:05:17.837 (7912:6420:DWUSND): Running        C:\\QUIK\\Server\\quik.exe: Error: User 50 already work in the system.\r",
  "@version" => "1",
"@timestamp" => "2015-06-10T07:51:09.382Z",
      "type" => "QUIKServ-log",
      "host" => "S-MSK11-TST01",
      "path" => "C:\\QUIK\\Server\\events.log"
}
{
   "message" => "E: 10 Jun 15 (Wed) 07:05:17.837 (7912:6420:DWUSND): Running C:\\QUIK\\Server\\quik.exe: Error: Error: 'You are already working in the syste m.' while registering new user id 50\r",
  "@version" => "1",
"@timestamp" => "2015-06-10T07:51:09.382Z",
      "type" => "QUIKServ-log",
      "host" => "S-MSK11-TST01",
      "path" => "C:\\QUIK\\Server\\events.log"
}

My Logstash version is 1.5.0


(Magnus Bäck) #2

Are new log entries being added to algotw.log? Keep in mind that Logstash only cares about start_position => beginning for previously unseen files, and while you were testing it's totally possible that Logstash "saw" algotw.log.
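
An added example, not part of the original thread and not Logstash's own code: a simplified Python model of the sincedb behaviour described in the answer above, where start_position only applies to a file with no recorded offset. The function names, the JSON storage format and the device:inode key are assumptions made for illustration.

```python
import json
import os
import tempfile


def read_new_lines(path, sincedb_path, start_position="end"):
    """One polling pass of a toy tailer; returns the lines emitted as events."""
    db = {}
    if os.path.exists(sincedb_path):
        with open(sincedb_path) as fh:
            db = json.load(fh)
    st = os.stat(path)
    key = f"{st.st_dev}:{st.st_ino}"  # assumed file identity for this model
    if key in db:
        offset = db[key]  # file already seen: start_position is ignored
    elif start_position == "beginning":
        offset = 0
    else:
        offset = st.st_size  # unseen file, default: only future lines
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    complete = data[: data.rfind(b"\n") + 1]  # hold back a half-written line
    db[key] = offset + len(complete)
    with open(sincedb_path, "w") as fh:
        json.dump(db, fh)
    return complete.decode("utf-8").splitlines()


def demo():
    """Constructed sample data in a temp dir; mirrors the thread's scenario."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "algotw.log")
        sincedb = os.path.join(d, "sincedb")
        with open(log, "w") as fh:
            fh.write("Error: one\nCritical: two\n")
        first = read_new_lines(log, sincedb, "beginning")   # unseen: full read
        second = read_new_lines(log, sincedb, "beginning")  # seen: nothing new
        with open(log, "a") as fh:
            fh.write("Error: three\n")
        appended = read_new_lines(log, sincedb, "beginning")
        os.remove(sincedb)  # forget the file, as a fresh sincedb would
        reread = read_new_lines(log, sincedb, "beginning")
        return first, second, appended, reread


if __name__ == "__main__":
    print(demo())
```

The second pass returns nothing even though "beginning" is requested, which is the symptom from the first post; only appended lines, or a lost offset record, produce events again.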


(Alexander) #3

Thank you for clarifying! You are right, Logstash already "saw" algotw.log.
In addition, I've added additional log files to my configuration and everything works correctly.

