I need to parse this log message format

Tanya_Sharma · March 4, 2019, 4:58pm

Hello everyone,

The message format of the logs is:
< [2019-03-04T12:29:49,990][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600} />

I have to skip the square brackets and parse this message.
I tried this
< filter {
grok{
match => { "message" => "[%{TIMESTAMP_ISO8601:logdate}[%{LOGLEVEL:LEVEL}][%{GREEDYDATA:errormsg}]" }
}
}
/>
but its not working.
I debugged it and it is parsing only the date. but [info ] is not getting parsed because of the brackets maybe. There's no such familiar patterns in any of the answers.

Please help!

A_B · March 4, 2019, 5:09pm

Do you use Filebeat? Then you could use https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-logstash.html

For the Grok pattern, it looks like there is a space after INFO which I do not see in your pattern...

Tanya_Sharma · March 4, 2019, 5:18pm

No, i use graylog .. I mean i have to filter some logs and the logs are in the pattern mentioned in my post.

A_B · March 4, 2019, 5:19pm

Try something like

filter {
  grok{
    match => { "message" => "\<%{SPACE}\[%{TIMESTAMP_ISO8601:logdate}\]\[%{LOGLEVEL:LEVEL}%{SPACE}\]\[%{GREEDYDATA:foo}%{SPACE}\]%{SPACE}%{GREEDYDATA:errormsg} \/\>$" }
  }
}

A_B · March 5, 2019, 10:02am

did you actually get Logstash to start with that config? Logstash is usually very picky about config file syntax (well, which program isn't). The special character </> need to be within a filer definition. You can see my example above

Ganesh2303 · March 5, 2019, 10:40am

Try this filter you will get the match and output

< [%{TIMESTAMP_ISO8601:date}][%{LOGLEVEL:LEVEL} ]%{GREEDYDATA:errormsg}

Tanya_Sharma · March 5, 2019, 10:41am

I just started working on this so i haven't had any idea about the logs or how to parse them.
Can you please tell me how do filter the logs that's already in JSON format because i used type => json in my input block of logstash.conf.

<{
            "repo" => "feature/3.0.2_DeviceServices",
           "build" => 2,
   "short_message" => "BUILD_FINISHED",
        "duration" => 829193,
        "@version" => "1",
         "message" => [
       [    0] "Branch indexing",
       [    ].................../>

This is the format in which the logs appear.

Ganesh2303 · March 5, 2019, 10:47am

Just provide your full log with what all data you need to parse into ES

Tanya_Sharma · March 5, 2019, 11:05am

I need to send this data to graylog after filtering the errormsg. How to i do that?

A_B · March 5, 2019, 11:20am

I have not done that but sounds like you would have to use https://www.elastic.co/guide/en/logstash/6.6/plugins-outputs-gelf.html

A_B · March 5, 2019, 11:29am

Tanya_Sharma:

I just started working on this so i haven't had any idea about the logs or how to parse them.
Can you please tell me how do filter the logs that's already in JSON format because i used type => json in my input block of logstash.conf.
<{
            "repo" => "feature/3.0.2_DeviceServices",
           "build" => 2,
   "short_message" => "BUILD_FINISHED",
        "duration" => 829193,
        "@version" => "1",
         "message" => [
       [    0] "Branch indexing",
       [    ].................../>
This is the format in which the logs appear.

That does not look like the source is in JSON. Logstash does not convert log formats into JSON by using type => json it is just told to expect JOSN on the input so it knows how to tokenise/parse it correctly. Are you feeding Logstash JSON or the original format you posted (which is)?

< [2019-03-04T12:29:49,990][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600} />

system · April 2, 2019, 11:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.