Need help with Parsing Multiline StackTrace

Hello everyone, I am trying to parse a multiline stack trace log file through Logstash and am trying to figure out how to get this log file to load properly in Elasticsearch.

My logstash.conf file:

input {
  file {
    path => "/home/Desktop/LogFiles/test_logs.log"
    sincedb_path => "/dev/null"
    start_position => "beginning"
    codec => multiline {
      pattern => "^\s"
      negate => true
      what => "previous"
    }
  }
}

filter {
  # Logstash keeps tags in the [tags] array; [tag] is never populated, so the
  # original condition could not match. The tag itself has to be added by the
  # input (for example tags => ["server_crash"] on the file input).
  if "server_crash" in [tags] {
    grok {
      break_on_match => false
      # Server_crash log parsing
      match => { "message" => "(?m)(?<ErrorMessage>[a-zA-Z$_0-9 \S]*)\s*(?<StackTrace>(.|\r|\n)*)" }
      # Names in (?<name>...) capture groups cannot contain spaces, so the
      # original "Caused By" group would not compile.
      match => { "message" => "(?m)(?<ErrorMessage>[a-zA-Z$_0-9 \S]*)\s*(?<StackTrace>(.|\r|\n)*)\n(?<CausedBy>.*?Exception: .*+\n(\sat.*+\n)*+)" }
    }
    date {
      # Neither pattern above extracts a Timestamp field; this filter only has
      # an effect if an earlier filter populates it.
      match => ["Timestamp", "UNIX_MS"]
      target => "@time"
    }
  }
}

Here is what my log file looks like:

util$failure: Exception thrown during the process{f6d4402 4777/u0a125}
	at util.Log(Log.java:295)
	at util.Slow(java:116)
	at com.attachApplicationLocked(java:6729)
	at com.Application(java:6821)
	at onTransact(java:539)
	at com.Transact(java:2844)
	at execTrans(565)
Caused by: DeadObjectException
	at transactNative(Native Method)
	at java:615
	at caution(Application.java)
	at com.Locked(ice.java)
	... 1 more

With this, I restarted the Logstash service, but the data got ingested into Elasticsearch not as multiline events but with every line independently. How can I make it multiline? Am I missing something in the config file? Please advise.

Change negate => true to negate => false. If you add auto_flush_interval then you will get 2 events:

   "message" => "util$failure: Exception thrown during the process{f6d4402 4777/u0a125}\n    at util.Log(Log.java:295)\n    at util.Slow(java:116)\n    at com.attachApplicationLocked(java:6729)\n    at com.Application(java:6821)\n    at onTransact(java:539)\n    at com.Transact(java:2844)\n    at execTrans(565)",
   "message" => "Caused by: DeadObjectException\n    at transactNative(Native Method)\n    at java:615\n    at caution(Application.java)\n    at com.Locked(ice.java)\n    ... 1 more",

If you do not have auto_flush_interval you will never see the second event, because flushing an event to the pipeline is triggered by a line that does not start with whitespace.

Thanks Badger... Exactly what I was looking for.

One quick question:
I want to parse not only multiline stack trace log files but also regular log files with single-line parsing. I have changed the path in the input file to *.log.

So now one of my log files looks like:

util$failure: Exception thrown during the process{f6d4402 4777/u0a125}
	at util.Log(Log.java:295)
	at util.Slow(java:116)
	at com.attachApplicationLocked(java:6729)
	at com.Application(java:6821)
	at onTransact(java:539)
	at com.Transact(java:2844)
	at execTrans(565)
Caused by: DeadObjectException
	at transactNative(Native Method)
	at java:615
	at caution(Application.java)
	at com.Locked(ice.java)
	... 1 more

and the other log file looks like:

08-31 11:11:23 I/setupconnection( 352233): connecting...
08-31 11:11:12.129 I/setupconnection( 393221): disconnecting...
08-31 11:11:33.345 I/serveside(29203): system server!
08-31 11:11:33.472 D/callback(29203): callbutInstance: null
08-31 11:11:33.489 I/manager(29203): Starting Installer
08-31 11:11:33.494 I/caretaker(29203): Waiting for server to be ready

If I use the input below, then only some of the multiline log files are parsed, but now it's ignoring the regular log file. What am I doing wrong?

input {
  file {
    path => "/home/Desktop/LogFiles/*.log"
    sincedb_path => "/dev/null"
    start_position => "beginning"
    codec => multiline {
      pattern => "^\s"
      negate => false
      what => "previous"
      auto_flush_interval => 1
    }
  }
}

I would expect that to work just fine with the log file that does not have leading whitespace.

Can you enable '--log.level trace' on the command line and see what filewatch says about that file?
