Weblogic access log lines being merged into a single event/message

flasantos19 · July 14, 2017, 8:26pm

Hello guys, i'm new to ELK Stack and i am having some troubles trying to parse weblogic access log files. In short, my problem is:

log sample i need to parse (2 different events):

10.153.236.90	-	2017-07-14	-	16:48:14	-	POST	-	200	-	/EBS/ListarProdutosDisponiveisResgatev1	-	1102	-	3.648
10.153.228.161	-	2017-07-14	-	16:48:16	-	POST	-	200	-	/EBS/ConsultarParticipantev1	-	7354	-	1.024

Filebeat prospector config:

paths:
  - /path/to/log/file.log
  document_type: access_logs
  clean_removed: true
  scan_frequency: 10s
  tags: ["wls_access_logs"]
  tail_files: true
  exclude_lines: ["^#"]

Logstash filter:

if "wls_access_logs" in [tags]
  {
    grok
    {
      patterns_dir => ["/path/to/patterns"]
      match => { "message" => "%{ACCESS_PATTERN}" }
      remove_field => "offset"
    }
  }

ACCESS_PATTERN:
ACCESS_PATTERN %{IPV4:IP}\t-\t%{YEAR:Year}-%{MONTHNUM:Month}-%{MONTHDAY:Day}\t-\t%{HOUR:Hour}:%{MINUTE:Minute}:%{SECOND:Second}\t-\t%{WORD:Method}\t-\t%{BASE16FLOAT:HTTP_Status}\t-\t%{URIPATHPARAM:URI}\t-\t%{BASE16NUM:Bytes}\t-\t%{BASE16FLOAT:Response_Time}

The filter works fine, but in Kibana i eventually see two log lines being merged into a single message, as follows in the screenshots below:

Any hint about what am i doing wrong?
Thanks a lot.

flasantos19 · July 15, 2017, 4:03am

Solved by removing the --> tail_files: true <-- from the prospector config.
Thanks.

flasantos19 · July 17, 2017, 8:39pm

Removing the tail_files: true didn't work. Still testing...

steffens · July 17, 2017, 11:18pm

you don't have multiline configured. That is, filebeat will split the lines on \n (newline) and push those to logstash. do you have multiline configured (maybe in the beats input?)?

system · August 4, 2017, 8:26pm

This topic was automatically closed after 21 days. New replies are no longer allowed.