Logstash conditional filter doesn't work on Linux (on Windows it's OK)


(Victor M) #1

I have two input sources in Logstash: one is a log from a Java application, and it is JSON formatted.

Source message (JSON):

  {
    "@timestamp": "2018-12-07T10:15:19.244Z",
    "offset": 312710,
    "line_number": "-1",
    "thread_name": "default task-65",
    "file": "<unknown>",
    "ndc": "",
    "message": "{\"source_host\":\"localhost\",\"method\":\"<unknown>\",\"level\":\"WARN\",\"ndc\":\"\",\"mdc\":{},\"@timestamp\":\"2018-12-07T10:15:16.888Z\",\"file\":\"<unknown>\",\"line_number\":\"-1\",\"thread_name\":\"default task-65\",\"@version\":1,\"log_message\":\"REQUESTED URI \\/inbound-core\\/offer\\/submit\",\"logger_name\":\"com.server.authentication.AuthorizationFilter\",\"class\":\"<unknown>\"}",
    "class": "<unknown>",
    "source": "C:\\wildfly-8.2.0.Final\\standalone\\log\\application_log.log",
    "input": {
      "type": "log"
    },
    "method": "<unknown>",
    "prospector": {
      "type": "log"
    },
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "source_host": "localhost",
    "type": "log4j",
    "@version": 1,
    "fields": {
      "environment": "QA1"
    },
    "mdc": {},
    "level": "WARN",
    "host": {
      "name": "PL-L-R90HDHP7"
    },
    "log_message": "REQUESTED URI /inbound-core/rest/offer/submit",
    "beat": {
      "name": "PL-L-R90HDHP7",
      "hostname": "PL-L-R90HDHP7",
      "version": "6.5.1"
    },
    "logger_name": "com.server.authentication.AuthorizationFilter"
  }

The other is from JBoss, and the input is text:

    2018-12-07 14:21:16,638 INFO  [stdout] (AsyncAppender-Dispatcher-Thread-99) 14:21:16,637 WARN  [org.hibernate.mapping.RootClass] HHH000038: Composite-id class does not override equals(): com.server.entities.jpa.AwardsVEntity

I want to apply grok filter conditionally, only to text log entries.

On a Windows machine it works perfectly, but on Linux it doesn't: the if condition never matches. So grok is applied to the JSON log entry as well, and as a result it is corrupted in the output.

Both have Java 1.8.0091 installed, but on Windows it is HotSpot, while on Linux it's OpenJDK by default. Both environments have Elastic 6.5.1 installed.

This condition doesn't work:

    if [message] !~ "source_host"

Neither does this one:

    if [source] != "application_log.log"

Logstash config:

# The # character at the beginning of a line indicates a comment. Use
# comments to describe your configuration.
input {
  beats {
    port => 5044
    type => "log4j"
  }


}

# parse JBOSS log in text format to JSON fields
filter {
# if message DOES NOT contain source_host -> apply grok filter
  if [message] !~ "source_host" {
     grok {
         match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} +\[%{DATA:logger_name}\] +\(%{DATA:thread_name}\) %{GREEDYDATA:log_message}" }
         # Logstash silently merges repeated add_field settings; a single hash is clearer
         add_field => {
           "received_at"   => "%{@timestamp}"
           # Beats 6.x sends host as an object, so reference its name sub-field
           "received_from" => "%{[host][name]}"
           # nested field reference, so the value lands under the existing "fields" object
           "[fields][environment]" => "JBOSS"
         }
     }
  }
}


output {
  stdout { codec => json_lines }

  elasticsearch {
    # point to your elasticsearch host
    hosts => ["localhost:9200"]
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
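As an added example (not part of the original post, and not Logstash's own code), the script below evaluates the two conditionals from the post against events constructed from its two samples, using a deliberately simplified model of Logstash's `=~`/`!~`/`==`/`!=` semantics. The JBoss event's Linux `source` path and hostname are assumptions; the key point it exposes is that Beats puts the full file path in `[source]`, so `!=` against a bare file name cannot separate the two inputs on any OS.

```python
import json
import re

# Events constructed from the two samples in the post, trimmed to the fields the
# conditionals use. Beats stores the FULL path of the log file in [source].
JSON_EVENT = {
    "message": json.dumps({"source_host": "localhost", "level": "WARN",
                           "log_message": "REQUESTED URI /inbound-core/offer/submit"}),
    "source": "C:\\wildfly-8.2.0.Final\\standalone\\log\\application_log.log",
    "host": {"name": "PL-L-R90HDHP7"},
}
TEXT_EVENT = {
    "message": ("2018-12-07 14:21:16,638 INFO  [stdout] (AsyncAppender-Dispatcher-Thread-99) "
                "14:21:16,637 WARN  [org.hibernate.mapping.RootClass] HHH000038: "
                "Composite-id class does not override equals(): com.server.entities.jpa.AwardsVEntity"),
    "source": "/opt/wildfly/standalone/log/server.log",  # assumed Linux path, not from the post
    "host": {"name": "linux-qa-host"},                   # assumed hostname
}

CONDITION = re.compile(r'\s*(?:if\s+)?(\[[^\s]+\])\s*(=~|!~|==|!=)\s*"([^"]*)"\s*')

def get_field(event, ref):
    """Resolve a Logstash-style field reference such as [source] or [host][name]."""
    value = event
    for part in re.findall(r"\[([^\]]+)\]", ref):
        value = value[part]  # KeyError if the event lacks the field
    return value

def evaluate(condition, event):
    """Evaluate one 'field OP "literal"' conditional. Simplified model of Logstash:
    =~ / !~ treat the literal as a regex searched in the value, == / != compare
    the whole value. Non-string values are compared via their JSON form."""
    m = CONDITION.fullmatch(condition)
    if not m:
        raise ValueError("unsupported condition: " + condition)
    ref, op, literal = m.groups()
    value = get_field(event, ref)
    text = value if isinstance(value, str) else json.dumps(value)
    if op in ("=~", "!~"):
        hit = re.search(literal, text) is not None
        return hit if op == "=~" else not hit
    return (text == literal) if op == "==" else (text != literal)

def selects_only_text(condition):
    """True only if the condition lets the JBoss text line through and keeps the
    JSON event out, i.e. it would gate the grok filter as intended."""
    return evaluate(condition, TEXT_EVENT) and not evaluate(condition, JSON_EVENT)

if __name__ == "__main__":
    for cond in ('[message] !~ "source_host"', '[source] != "application_log.log"',
                 '[source] !~ "application_log\\.log$"'):
        print(f"{cond:42} selects only text: {selects_only_text(cond)}")
```

Running it shows the regex test on `[message]` does separate the two samples, while the `!=` test on `[source]` is true for both, so if the Linux pipeline still applies grok to JSON, the event reaching the filter must differ from the Windows sample rather than the conditional logic itself.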