Hi There,
I am a newbie to logstash and working on a grok pattern as below. I am only able to partially achieve my goal. Please help with my issue as described below;
My logs look like;
[2018-06-28 11:49:41.257] INFO authentication [[appname].HTTP_Experience_Listener_Configuration.worker.01]: Basic Authentication Success For Partner.............
[2018-06-28 11:49:41.332] INFO Audit IN [[appname].HTTP_Experience_Listener_Configuration.worker.01]: {"transactionId": "e4f9d0oe99af7da2b639f5a8af001cbf","correlationId":"563c2ec1-76c9-11ej-af44-02cfdf6cebce","request": "POST /api/experience/member/product-status/cancel","timeStamp": "2018-06-28 17:19:41.303" ,"applicationName": "appname", "applicationVersion":"v1.0","environment":"dev", "sourceIP": "/137.226.212.183:20500", "partnerID": "partner"}
[2018-06-28 11:49:39.516] INFO com.mulesoft.agent.configuration.postconfigure.DefaultPostConfigureRunner [[appname].HTTP_Experience_Listener_Configuration.worker.01]: mule.agent.tracking.handler.cloudhub.source initialized successfully.
[2018-06-28 11:49:41.257] INFO authentication [[appname].HTTP_Experience_Listener_Configuration.worker.01]: Basic Authentication Success For Partner.............
[2018-06-28 11:49:41.332] INFO Audit IN [[appname].HTTP_Experience_Listener_Configuration.worker.01]: {"transactionId": "e4f9d0oe99af7da2b639f5a8af001cbf","correlationId":"563c2ec1-76c9-11ej-af44-02cfdf6cebce","request": "POST /api/experience/member/product-status/cancel","timeStamp": "2018-06-28 17:19:41.303" ,"applicationName": "appname", "applicationVersion":"v1.0","environment":"dev", "sourceIP": "/137.226.212.183:20500", "partnerID": "partner"}
[2018-06-28 11:49:39.516] INFO com.mulesoft.agent.configuration.postconfigure.DefaultPostConfigureRunner [[appname].HTTP_Experience_Listener_Configuration.worker.01]: mule.agent.tracking.handler.cloudhub.source initialized successfully.
[2018-06-28 11:49:43.220] INFO Audit OUT [[appname].HTTP_Experience_Listener_Configuration.worker.01]: {"transactionId": "e4f9d0be9ba64djebp19p2a8af001cbf", "responseCode": "200" ,"timeStamp": "2018-06-28 17:19:43.220", "partnerID": "partner"}[2018-06-28 11:49:43.220] INFO Audit OUT [[appname].HTTP_Experience_Listener_Configuration.worker.01]: {"transactionId": "e4f9d0be9ba64djebp19p2a8af001cbf", "responseCode": "200" ,"timeStamp": "2018-06-28 17:19:43.220", "partnerID": "partner"}
Now my logstash conf looks like below;
input
{
file
{
path => "C:\Users\M1045583\Downloads\mule-conf.log"
start_position => "beginning"
}
}
filter
{
if "Audit IN" in [message] or "Audit OUT" in [message]
{
grok
{
match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] %{LOGLEVEL:loglevel}" %{WORD:text}: %{(?<JSON>\{.*\}):json-data}" }
}
date
{
match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss.SSS Z" , "ISO8601", "yyyy-MM-dd HH:mm:ss.SSS" , "yyyy-MM-dd HH:mm:ss.S" ]
target => "@timestamp"
remove_field => "timestamp"
}
}
else { drop { } }
}
output
{
elasticsearch
{
hosts => ["localhost:9200"]
index => "mule-log"
}
}
Firstly I only need to get the events that have the string Audit IN and Audit OUT which i have successfully achieved through the if else condition.
Now, the issue i am facing is how to break the line in GROK, to get the timestamp, Loglevel, and the JSON fields into my Elastic index and Discover them accordingly in Kibana.
Please help. I have given above the lines of conf file i am using, but the Elastic is unable to read the log as required.
Also, when i delete the data of Elastic from console of Kibana i am again not able to push the logs with same index name. Please help!
Regards
Kaushik