Hi, I have the following Logstash configuration file to read Catalina log files:
```
input {
  file {
    type => "tomcat"
    path => [ "D:/krushnat/catalina.2016-03-16.log" ]
    # Lines that do NOT start with a Catalina timestamp are appended to the previous event
    codec => multiline {
      negate => true
      pattern => "(^%{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM))"
      what => "previous"
    }
  }
}
filter {
  if [type] == "tomcat" {
    grok {
      # No space is allowed inside %{SYNTAX:field}, so LOGLEVEL:logLevel is written without one
      match => [ "message", "%{CATALINA_DATESTAMP:timestamp} %{NOTSPACE:className} %{WORD:methodName}\r\n%{LOGLEVEL:logLevel}: %{GREEDYDATA:message}" ]
      overwrite => [ "message" ]
    }
    date {
      # hh (12-hour clock) goes with the AM/PM marker "a"; HH would ignore PM
      match => [ "timestamp", "MMM dd, yyyy hh:mm:ss a" ]
    }
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => "localhost"
    index => "catalina_logs_20160316"
  }
}
```
- Every time I check Kibana, all the records are read except the last record in each and every Catalina file.
- So I added one more record at the end of the Catalina file.
- In Kibana, the previously unread record is now read, and the new record which I added is not read.

What is this behaviour of Logstash which I am failing to understand?
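
The behaviour described in the post, reproduced as an added example that is not part of the original post and is not Logstash source code: a small Ruby model of a multiline buffer with `negate => true` and `what => "previous"`, which can only close an event when the next timestamped line arrives. The class and method names, the simplified `START` pattern and the sample log lines are all assumptions constructed for illustration.

```ruby
# Added illustration (not Logstash source): models a multiline codec configured
# with negate => true, what => "previous".
# START is a simplified stand-in (assumption) for the post's timestamp pattern.
START = /\A[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} (?:AM|PM)/

class MultilineBuffer
  def initialize
    @pending = [] # lines of the event still being assembled
  end

  # Feed one line; returns a completed event (String) or nil.
  def accept(line)
    if line =~ START && !@pending.empty?
      done = @pending.join("\n") # a new timestamp closes the previous event
      @pending = [line]
      done
    else
      @pending << line           # first line, or a continuation line
      nil
    end
  end

  # What an idle-timeout flush does: emit whatever is still buffered.
  def flush
    return nil if @pending.empty?
    done = @pending.join("\n")
    @pending = []
    done
  end

  def pending?
    !@pending.empty?
  end
end

# Constructed sample lines in Catalina's two-line record format.
SAMPLE = [
  "Mar 16, 2016 10:15:01 AM org.apache.catalina.startup.Catalina start",
  "INFO: Server startup in 5321 ms",
  "Mar 16, 2016 10:15:09 AM org.apache.catalina.core.StandardContext reload",
  "SEVERE: Reloading failed",
  "java.lang.IllegalStateException: constructed example",
].freeze

# Feeds lines through a buffer; returns [completed events, buffer].
def run(lines, buffer = MultilineBuffer.new)
  events = lines.map { |l| buffer.accept(l) }.compact
  [events, buffer]
end
```

In the real multiline codec, the `auto_flush_interval` option (in seconds) triggers this kind of flush when no new line has been appended for that long, so the final record of a file is not left waiting in the buffer.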