Weblogic access log lines being merged into a single event/message

Hello guys, I'm new to ELK Stack and I am having some trouble trying to parse WebLogic access log files. In short, my problem is:

Log sample I need to parse (2 different events):

10.153.236.90	-	2017-07-14	-	16:48:14	-	POST	-	200	-	/EBS/ListarProdutosDisponiveisResgatev1	-	1102	-	3.648
10.153.228.161	-	2017-07-14	-	16:48:16	-	POST	-	200	-	/EBS/ConsultarParticipantev1	-	7354	-	1.024

Filebeat prospector config:

paths:
  - /path/to/log/file.log
document_type: access_logs
clean_removed: true
scan_frequency: 10s
tags: ["wls_access_logs"]
tail_files: true
exclude_lines: ["^#"]

Logstash filter:

if "wls_access_logs" in [tags]
  {
    grok
    {
      patterns_dir => ["/path/to/patterns"]
      match => { "message" => "%{ACCESS_PATTERN}" }
      remove_field => "offset"
    }
  }

ACCESS_PATTERN:
ACCESS_PATTERN %{IPV4:IP}\t-\t%{YEAR:Year}-%{MONTHNUM:Month}-%{MONTHDAY:Day}\t-\t%{HOUR:Hour}:%{MINUTE:Minute}:%{SECOND:Second}\t-\t%{WORD:Method}\t-\t%{BASE16FLOAT:HTTP_Status}\t-\t%{URIPATHPARAM:URI}\t-\t%{BASE16NUM:Bytes}\t-\t%{BASE16FLOAT:Response_Time}

The filter works fine, but in Kibana I eventually see two log lines being merged into a single message, as shown in the screenshots below:

Any hint about what I am doing wrong?
Thanks a lot.

Solved by removing the --> tail_files: true <-- from the prospector config.
Thanks.

Removing the tail_files: true didn't work. Still testing...

You don't have multiline configured. That is, Filebeat will split the lines on \n (newline) and push those to Logstash. Do you have multiline configured (maybe in the beats input)?
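An added example, not part of the original thread: a Python check that counts how many access-log records one event's message really holds, so merged events can be flagged instead of silently losing a request. The regex is a simplified equivalent of the thread's ACCESS_PATTERN; the function names and the newline-joined merged sample are assumptions made for illustration. Because grok matches unanchored, a merged message still parses using its first record, which `grok_like` imitates.

```python
import re

SEP = r"\t-\t"  # fields are separated by tab, dash, tab
# Regex equivalent of the thread's ACCESS_PATTERN (simplified field classes).
RECORD = re.compile(SEP.join([
    r"(?P<IP>\d{1,3}(?:\.\d{1,3}){3})",
    r"(?P<Date>\d{4}-\d{2}-\d{2})",
    r"(?P<Time>\d{2}:\d{2}:\d{2})",
    r"(?P<Method>[A-Z]+)",
    r"(?P<HTTP_Status>\d{3})",
    r"(?P<URI>\S+)",
    r"(?P<Bytes>\d+)",
    r"(?P<Response_Time>\d+(?:\.\d+)?)",
]))

def records_in(message):
    """Every complete access-log record found in one event's message."""
    return [m.groupdict() for m in RECORD.finditer(message)]

def grok_like(message):
    """First match only, which is how an unanchored grok pattern behaves."""
    m = RECORD.search(message)
    return m.groupdict() if m else None

def classify(message):
    """Return 'ok', 'merged', 'partial' or 'unparsed' for one message."""
    found = records_in(message)
    if len(found) > 1:
        return "merged"
    if not found:
        return "unparsed"
    return "ok" if RECORD.fullmatch(message.strip()) else "partial"

# Constructed sample: the two log lines from the post, then the same two
# joined by a newline to imitate a merged event (the join character is assumed).
LINE_A = "\t-\t".join(["10.153.236.90", "2017-07-14", "16:48:14", "POST", "200",
                       "/EBS/ListarProdutosDisponiveisResgatev1", "1102", "3.648"])
LINE_B = "\t-\t".join(["10.153.228.161", "2017-07-14", "16:48:16", "POST", "200",
                       "/EBS/ConsultarParticipantev1", "7354", "1.024"])
MERGED = LINE_A + "\n" + LINE_B

if __name__ == "__main__":
    for name, msg in [("single", LINE_A), ("merged", MERGED)]:
        print(name, classify(msg), len(records_in(msg)), grok_like(msg)["URI"])
```

Anchoring the grok pattern with ^ and $ would make such merged messages fail to parse rather than pass with only the first record's fields.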
