How to parse logs in same order as in log files

yoga-sara · May 31, 2018, 6:57am

I configured my ELK setup with 1 index.It collects logs from 25 machines. The average log event count is 2.5 lacs/3 hrs. Every 5 min 5000 event parsing sometimes it increase.

My configuration like Filebeat => Logstash => Elasticsearch(single cluster with 1 node) => Kibana

I have event order mismatch problem.How to resolve it.
Thanks in advance.

This is my actual order of logs:

       [[0m^[[0m04:07:34,117 INFO  [com.  .knowledgebase.ejb.KnowledgeBaseSingleton] (ServerService Thread Pool -- 62) 1 of 3 KnowledgeBase::26_  _UI_WF Created in serverGroup::26_  _RRFW
    
      [[0m^[[0m04:07:36,101 INFO  [com.  .knowledgebase.ejb.KnowledgeBaseSingleton] (ServerService Thread Pool -- 62) 2 of 3 KnowledgeBase::26_  _FORMS Created in serverGroup::26_  _RRFW
   
       [[0m^[[0m04:07:39,238 INFO  [com.  .knowledgebase.ejb.KnowledgeBaseSingleton] (ServerService Thread Pool -- 62) 3 of 3 KnowledgeBase::26_  _RATE_RRF Created in serverGroup::26_  _RRFW

I have attached screenshot of my misaligned logs.

warkolm · May 31, 2018, 8:23am

You need to use the date filter in Logstash to make sure that the event timestamp is the main one in Elasticsearch.

yoga-sara · June 7, 2018, 10:23am

Hi warkolm,
can you please give me an example?
my logs time zone is different from my access location.

My event log separated by grok filter including time.

FYR,

  grok {
    match          => [
                      "message", "%{TIME:time} %{LOGLEVEL:level}\s+\[%{JAVACLASS:class}\] \((?<thread>[^)]+)\) %{GREEDYDATA:message}",
                      "message", "%{NUMBER:procsec:float} %{IP:clientip} %{DATA:logname} %{DATA:user} \[%{HTTPDATE:time}\] %{DATA:method} %{DATA:requestpath} %{DATA:httpversion} %{DATA:respstatus} %{DATA:bytesent} ((- %{GREEDYDATA:cookie})|(%{GREEDYDATA:cookie}))"
                      ]
    overwrite      => ["message"]
    tag_on_failure => ["JBOSSLG_grok"]
    add_tag => ["JBOSSLG"]
    }

warkolm · June 7, 2018, 6:06pm

Check out https://www.elastic.co/guide/en/logstash/6.2/plugins-filters-date.html, just make sure you set the target field to the time one you have groked out.

yoga-sara · June 8, 2018, 6:25am

Hi Warkolm,
My actual problem is I am not getting events with logs time order. It shows events with kibana UI's Timestamp.
After I groked out, I used date filter with target time.

date {
   match => ["time", "HH:mm:ss.SSS" ]
   target => "time"
      }

I have attached my logs. I marked my jboss logs timestamp with red which is in mismatched order.Suggest me to resolve this or give me an example for this.

system · July 6, 2018, 6:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.