Parsing jbpm multiline logs

Abdelrahman_Fahmy · January 21, 2019, 2:52pm

hi

I am trying to ship my jbpm logs to elasticsearch using logstash. but i am new and i dont know how to create the correct logstash config file
here is a sample of the logs

2019-01-14 05:26:27,979 FINE [com.infosys.finacle.FWI] (Thread-19 (ActiveMQ-client-global-threads-444632928)) childKeys len=1
2019-01-14 05:26:27,979 FINE [com.infosys.finacle.FWI] (Thread-19 (ActiveMQ-client-global-threads-444632928)) Request formed for httpBody is
<ExecuteFCRMCustServiceRequest>
<ExecuteFCRMCustServiceRq>
<fiIncidentInfo>
<businessChannelId>CRM</businessChannelId>
<origVersion>11.1</origVersion>
</fiIncidentInfo>
<sourceSystem>JBPM</sourceSystem>
<targetSystem>CRM</targetSystem>
<requestType>CORPCIFAPPROVAL</requestType>
<decision>APPROVE</decision>
<mC_Record_Status>AI</mC_Record_Status>
<corpKey>1000505</corpKey>
</ExecuteFCRMCustServiceRq>:
</ExecuteFCRMCustServiceRequest>
2019-01-14 05:26:27,979 FINE [com.infosys.finacle.FWI] (Thread-19 (ActiveMQ-client-global-threads-444632928)) Request formed for request Message is <?xml version="1.0" encoding="UTF-8"?>

how can I structure the config file to read the logs and parse it including the multiline logs

Badger · January 21, 2019, 3:21pm

I would try something like:

input {
    file {
        path => "/path/name.txt"
        sincedb_path => "/dev/null"
        start_position => "beginning" 
        mode => "tail" 
        codec => multiline {
            pattern => "^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3} "
            negate => true
            what => "previous"
            auto_flush_interval => 1
        }
    }
}

Abdelrahman_Fahmy · January 23, 2019, 9:53am

thanks i used the below and it looks fine

input {
file {
type => "jbpm"
path => "/logs/*"
codec => multiline {
pattern => "^%{TIMESTAMP_ISO8601} "
negate => true
what => "previous"
}
start_position => beginning
sincedb_path => "/dev/null" # for testing; allows reparsing
add_field => {
"server" => "server1"
"app" => "JBPM"
}
}

filter {
if [type] == "jbpm" {

     grok {
       match => [ "message", "(?m)%{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:level}\s+\[%{DATA:className}\]%{SPACE}%{GREEDYDATA:message}" ]
       overwrite => [ "message" ]
          }
                   }
   }

system · February 20, 2019, 9:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.