Processing logs from Jersey JAX-RS


(Ricardo Borillo) #1

Hi guys,

First of all, thanks a lot for such amazing work!!

In our webapps, Jersey is generating two entries in the log file, one for the HTTP request and one for the response. The problem is that these entries are non-adjacent:

237381 * Server in-bound request
237381 > GET http://ujiapps.uji.es/upo/rest/contenido/73851657/raw?idioma=CA
237381 > host: ujiapps.uji.es
237381 > accept-encoding: gzip, deflate
237381 > user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13A452
237381 > accept-language: es-es
237381 > accept: /
237381 > x-forwarded-proto: http
237381 > x_forwarded_protocol: http
237381 > via: 1.1 ujiapps.uji.es
237381 > x-forwarded-for: 77.228.45.125
237381 > x-forwarded-host: ujiapps.uji.es
237381 > x-forwarded-server: ujiapps.uji.es
237381 > connection: Keep-Alive
237381 >

...
more stuff here
...

237381 * Server out-bound response
237381 < 200
237381 < Content-Type: image/jpeg
237381 < Content-Disposition: inline; filename="index.jpg"
237381 <

As you can see, all the lines have the same "requestid".
I was messing with the "multiline" options, but I was unable to merge both messages and have a single entry with the request URL and the HTTP response code as attributes :frowning:

Sometimes, I get other messages around:

237381 * Server in-bound request
237381 > GET http://ujiapps.uji.es/upo/rest/contenido/73851657/raw?idioma=CA
237381 > host: ujiapps.uji.es
237381 > accept-encoding: gzip, deflate
237381 > user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13A452
237381 > accept-language: es-es
237381 > accept: /
237381 > x-forwarded-proto: http
237381 > x_forwarded_protocol: http
237381 > via: 1.1 ujiapps.uji.es
237381 > x-forwarded-for: 77.228.45.125
237381 > x-forwarded-host: ujiapps.uji.es
237381 > x-forwarded-server: ujiapps.uji.es
237381 > connection: Keep-Alive
237381 >

237380 * Server out-bound response
237380 < 200
237380 < Content-Type: image/jpeg
237380 < Content-Disposition: inline; filename="index.jpg"
237380 <

237381 * Server out-bound response
237381 < 200
237381 < Content-Type: image/jpeg
237381 < Content-Disposition: inline; filename="index.jpg"
237381 <

Thanks a lot. Your help is very appreciated :slight_smile:

Best regards,
Ricardo


(Mark Walkom) #2

https://www.elastic.co/guide/en/logstash/current/plugins-filters-aggregate.html should help you.


(Ricardo Borillo) #3

Hi Mark,

Thanks a lot for your valuable help.
Finally, using aggregate I have solved my problem and now I have one log
entry with all information about the request and the response.

Have nice holidays :slight_smile:
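
Added example, not part of any post in this thread and not Logstash's own code: a Ruby sketch (the language the aggregate filter's `code` option takes) of the correlation described above, merging interleaved Jersey request and response lines by their shared id into one event. The function name `correlate`, the field names and the sample lines are assumptions constructed for illustration.

```ruby
# Added example: correlate Jersey request/response log lines by their numeric id.
# SAMPLE is constructed in the format shown in the thread (hosts and IP are placeholders).
SAMPLE = <<~LOG
  101 * Server in-bound request
  101 > GET http://app.example/rest/item/1/raw?lang=CA
  101 > host: app.example
  101 > x-forwarded-for: 203.0.113.7
  101 >
  unrelated application log line
  100 * Server out-bound response
  100 < 200
  100 <
  101 * Server out-bound response
  101 < 404
  101 < Content-Type: text/plain
  101 <
  102 * Server in-bound request
  102 > POST http://app.example/rest/item
  102 >
LOG

LINE = /\A(?<id>\d+) (?<dir>[*<>]) ?(?<rest>.*)\z/

# Returns { events: [...], unfinished: [...] }; `pending` plays the role of the
# per-task map that the aggregate filter keeps for each task id.
def correlate(text)
  pending = {}
  events = []
  text.each_line do |raw|
    m = LINE.match(raw.strip)
    next unless m                               # skip lines from other loggers
    id, dir, rest = m[:id], m[:dir], m[:rest]
    ev = (pending[id] ||= { "request_id" => id })
    if dir == ">" && (r = rest.match(/\A([A-Z]+) (\S+)\z/))
      ev["method"], ev["url"] = r[1], r[2]
    elsif dir == ">" && (h = rest.match(/\Ax-forwarded-for: (.+)\z/i))
      ev["client_ip"] = h[1]
    elsif dir == "<" && rest.match?(/\A\d{3}\z/)
      ev["status"] = rest.to_i
    elsif dir == "<" && rest.empty?             # blank "<" line ends the response
      ev["orphan"] = !ev.key?("url")            # response whose request was never seen
      events << pending.delete(id)
    end
  end
  { events: events, unfinished: pending.values }
end
```

Entries left in `unfinished` are requests whose response has not arrived; a long-running pipeline needs a timeout to expire them so the map does not grow without bound.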

