Org.apache.cxf.services filtering in logstash

Primeval · March 4, 2019, 8:48am

I have logs looking like this:

Primeval:

I have logs looking like this:

2019-02-06 03:17:28,156 INFO [org.apache.cxf.services.xyz] (default task-30) Inbound Message

ID: 509
Address: http://xyz
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml; charset=UTF-8
Headers: {Accept=[text/xml], Cache-Control=[no-cache], connection=[keep-alive], Content-Length=[1410], content-type=[text/xml; charset=UTF-8], Host=[xyz], Pragma=[no-cache], SFDC_STACK_DEPTH=[1], SOAPAction=[""], User-Agent=[xyz], X-Forwarded-For=[xyz], X-Forwarded-Port=[443], X-Forwarded-Proto=[https]}
Payload: <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><env:Header />env:Body</env:Body></env:Envelope>

2019-02-06 03:17:30,718 INFO [org.apache.cxf.services.xyz] (default task-30) Outbound Message

ID: 509
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml
Headers: {}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">soap:Bodyxyz</soap:Body></soap:Envelope>

I created very long multiline grok, and while it is working for few test messages, it is failing on bigger load.
Is there build in logstash filter or grok pattern defined for this type of logs? so I can filter this fields better than one by one, like this (for one of the event type):
match => { "message" => "(?m)%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:loglevel}\s+[%{DATA:class}]\s+(%{DATA:task})\s+%{GREEDYDATA:message1}((.|\r|\n))ID:%{SPACE}%{NUMBER:id}((.|\r|\n))Address:%{SPACE}%{GREEDYDATA:address}\nEncoding:%{SPACE}%{GREEDYDATA:encoding}\nHttp-Method:%{SPACE}%{DATA:http-method}((.|\r|\n))Content-Type:%{SPACE}%{DATA:content_type}((.|\r|\n))Headers: {Accept=[%{DATA:headers.accept}], Cache-Control=[%{DATA:headers.cache-control}], connection=[%{DATA:headers.connection}], Content-Length=[%{DATA:headers.content-length}], content-type=[%{DATA:headers.content-type}], Host=[%{DATA:headers.host}], Pragma=[%{DATA:headers.pragma}], SFDC_STACK_DEPTH=[%{DATA:headers.sfdc_stack_depth}], SOAPAction=[?%{DATA:headers.soap_action}], User-Agent=[%{DATA:headers.user-agent}], X-Forwarded-For=[%{DATA:headers.x-forwarded-for}], X-Forwarded-Port=[%{DATA:headers.x-forwarded-port}], X-Forwarded-Proto=[%{DATA:headers.x_forwarded-proto}]}\nPayload:%{SPACE}%{GREEDYDATA:payload}\n" }
I know it so not very efficient, but I had problem with resolve this better.

Badger · March 4, 2019, 1:26pm

You might be better off extracting one line in each grok pattern. Use a pattern that matches zero-or-more characters that are not newline followed by a newline.

    grok { match => { message => "^Headers: (?<Headers>[^
]*)
" } }

Then you can give the grok filter an array of patterns to match.

system · April 1, 2019, 1:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.