How to parse a few log files

MrAV · June 10, 2015, 8:49am

Hi,

I'm trying to parse a two log files. Unfortunately, at Logstash output I've seen that only first log file (events.log) has been parsed and output do not contain any data from the second log-file algotw.log.
Please advise how to correctly parse more than one log file.

My logstash.conf is below:

input {
file {
   path => ["C:\QUIK\Server\events.log"]
   type => "QUIKServ-log"
   codec => plain { charset => "UTF-8" }
   start_position => "beginning"
   sincedb_path => "C:\Progra~1\logstash\sincedb"
}
file {
  path => ["C:\QUIK\AlgoTW\Import\algotw.log"]
  type => "AlgoTW-log"
  codec => plain { charset => "CP1251" }
  start_position => "beginning"
  sincedb_path => "C:\Progra~1\logstash\sincedb"
}
}

filter {

if [type] == "QUIKServ-log"  and [message] !~ /Error|Exit|disconnect|reset by peer/ {
	drop { }
	}
	mutate {
		add_field => { "[@metadata][zabbix_key_quikserv]" => "quiksrv.lst" }
}
if [type] == "AlgoTW-log"  and [message] !~ /Error|Critical/ {
	
drop { }
	}
	mutate {
		add_field => { "[@metadata][zabbix_key_algotw]" => "algotw.lst" }
	}
}
output {
if [type] == "QUIKServ-log" {
zabbix {
	zabbix_host => "host"
	zabbix_key => "[@metadata][zabbix_key_quikserv]"
	zabbix_server_host => "10.1.110.71"
	zabbix_value => "message"
}
}
if [type] == "AlgoTW-log" {
zabbix {
	zabbix_host => "host"
	zabbix_key => "[@metadata][zabbix_key_algotw]"
	zabbix_server_host => "10.1.110.71"
	zabbix_value => "message"
}
}
stdout { codec => rubydebug }
}

A small part of Logstash output is below:

{
   "message" => "E: 10 Jun 15 (Wed) 07:05:17.837 (7912:6420:DWUSND): Running        C:\\QUIK\\Server\\quik.exe: Error: User 50 already work in the system.\r",
  "@version" => "1",
"@timestamp" => "2015-06-10T07:51:09.382Z",
      "type" => "QUIKServ-log",
      "host" => "S-MSK11-TST01",
      "path" => "C:\\QUIK\\Server\\events.log"
}
{
   "message" => "E: 10 Jun 15 (Wed) 07:05:17.837 (7912:6420:DWUSND): Running C:\\QUIK\\Server\\quik.exe: Error: Error: 'You are already working in the syste m.' while registering new user id 50\r",
  "@version" => "1",
"@timestamp" => "2015-06-10T07:51:09.382Z",
      "type" => "QUIKServ-log",
      "host" => "S-MSK11-TST01",
      "path" => "C:\\QUIK\\Server\\events.log"
}

My Logstash version is 1.5.0

magnusbaeck · June 10, 2015, 8:53am

Are new log entries being added to algotw.log? Keep in mind that Logstash only cares about start_position => beginning for previously unseen files, and while you were testing it's totally possible that Logstash "saw" algotw.log.

MrAV · June 11, 2015, 11:12am

Thank you for clarifying! You are right, Logstash already "saw" algotw.log.
In addition, I've added additional log files to my configuration and everything works correctly.

Topic		Replies	Views
Read multiple log Logstash	3	411	July 27, 2017
How to parse two different kind of format of log files at same time? Logstash	5	13600	July 6, 2017
Logstash input multiple files output one index elasticsearch failure Logstash	3	2741	February 24, 2017
Want to Process Multiple Files that exist in One Folder Logstash	10	40072	July 6, 2017
Unable to parse multiple format logs Logstash	4	325	June 25, 2018

How to parse a few log files

Related topics