Wrong indexing if log is set to DEBUG


#1

Hi all, I have a JBoss that produces logs as follows:
[2018-01-10 00:01:03,032 DEBUG] [csmf_37803-8AD3F44ACA4061B5F48ADF6851B4937E] [com.notio.report.web.ReportServlet] GetRemoteHost: 172.16.32.6
[2018-01-10 00:01:04,469 DEBUG] [csmf_37803-8AD3F44ACA4061B5F48ADF6851B4937E] [com.notio.report.web.ReportServlet] Referer: http://172.16.32.20:8080/backoffice/report?action=terminal_cash
[2018-01-10 00:01:04,469 DEBUG] [csmf_37803-8AD3F44ACA4061B5F48ADF6851B4937E] [com.notio.report.web.ReportServlet] GetRemoteHost: 172.16.32.6
[2018-01-10 00:01:04,469 INFO ] [csmf_37803-8AD3F44ACA4061B5F48ADF6851B4937E] [com.notio.report.facade.CsmfForLicenceFacade] Calling getCsmfList(37803) !
[2018-01-10 00:01:04,469 DEBUG] [csmf_37803-8AD3F44ACA4061B5F48ADF6851B4937E] [com.notio.back_office.server.ejb.web.WebLayerEJB] Using ProviderDBPool
[2018-01-10 00:01:04,469 INFO ] [csmf_37803-8AD3F44ACA4061B5F48ADF6851B4937E] [com.notio.back_office.server.ejb.db.DBStargateEJB] query() called

The problem is that lines with INFO severity go into the correct index, index-2018-01-10,
but lines with DEBUG go every day into index-2018-01-01.

Filebeat config:
...
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
  reload.period: 10s
output.logstash:
  hosts: ["172.16.0.4:5043", "172.16.0.5:5043", "172.16.0.6:5043"]
  loadbalance: true
  compression_level: 0
  username: "elastic"
  password: "changeme"

LS config:
filter {
  grok {
    match => ["message", "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} "]
    match => ["message", "%{HTTPDERROR_DATE:timestamp} (%{NUMBER:bytes}) "]
    match => ["message", "%{TIME:timestamp} %{LOGLEVEL:level}"]
    match => ["message", "%{BIND9_TIMESTAMP:timestamp}"]
  }
  date {
    match => [ "timestamp", "YYYY-MM-dd HH:mm:ss,SSS", "HH:mm:ss,SSS", "EEE MMM dd HH:mm:ss YYYY", "dd-MMM-yyyy HH:mm:ss.SSS" ]
    timezone => "Europe/Rome"
    target => "@timestamp"
  }
  mutate {
    remove_field => [ "timestamp","offset","level","@version","input_type","beat","type","tags","sort"]
  }
}
...
if [fields][log_type] == "backoffice-agenzie" {
  elasticsearch {
    hosts => [ "172.16.0.4:9200", "172.16.0.5:9200", "172.16.0.6:9200" ]
    user => elastic
    password => "changeme"
    manage_template => false
    index => "backoffice-agenzie-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"

Can someone help me?
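
Added example (not part of the original post, and not Logstash's own code): a Python model of the posted grok and date filters, run over two of the post's log lines, showing which pattern each line matches and the index date that results. The regexes are simplified stand-ins for the grok patterns, `FIXED` is a hypothetical corrected pattern, and the time-only fallback to 1 January of `default_year` models the behaviour the post reports.

```python
import re
from datetime import datetime

# Two log lines copied from the post above.
DEBUG_LINE = "[2018-01-10 00:01:03,032 DEBUG] [csmf_37803-8AD3F44ACA4061B5F48ADF6851B4937E] [com.notio.report.web.ReportServlet] GetRemoteHost: 172.16.32.6"
INFO_LINE = "[2018-01-10 00:01:04,469 INFO ] [csmf_37803-8AD3F44ACA4061B5F48ADF6851B4937E] [com.notio.back_office.server.ejb.db.DBStargateEJB] query() called"

# Assumption: simplified regex stand-ins for TIMESTAMP_ISO8601, TIME and
# LOGLEVEL, sufficient for the log format shown in the post.
ISO = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}"
TIME = r"\d{2}:\d{2}:\d{2},\d{3}"
LEVEL = r"(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)"

# Patterns 1 and 3 of the posted grok filter, tried in order (first match wins).
# Patterns 2 and 4 (HTTPDERROR_DATE, BIND9_TIMESTAMP) cannot match these lines.
POSTED = [
    re.compile(rf"(?P<timestamp>{ISO}) (?P<level>{LEVEL}) "),  # trailing space
    re.compile(rf"(?P<timestamp>{TIME}) (?P<level>{LEVEL})"),
]
# Hypothetical fix: anchor on "[" and allow optional padding before "]".
FIXED = [re.compile(rf"^\[(?P<timestamp>{ISO}) (?P<level>{LEVEL})\s*\]")]

DATE_FORMATS = ["%Y-%m-%d %H:%M:%S,%f", "%H:%M:%S,%f"]

def index_date(line, patterns, default_year=2018):
    """Return the YYYY.MM.dd index suffix the line would get, or None."""
    for pat in patterns:
        m = pat.search(line)
        if not m:
            continue
        for fmt in DATE_FORMATS:
            try:
                ts = datetime.strptime(m["timestamp"], fmt)
            except ValueError:
                continue
            if "%Y" not in fmt:
                # Time-only capture: no date was parsed, so month and day
                # stay at 01-01 (the index-2018-01-01 symptom in the post).
                ts = ts.replace(year=default_year)
            return ts.strftime("%Y.%m.%d")
    return None

if __name__ == "__main__":
    for name, line in (("DEBUG", DEBUG_LINE), ("INFO", INFO_LINE)):
        print(name, index_date(line, POSTED), index_date(line, FIXED))
```

"DEBUG]" has no space before the bracket while "INFO ]" does, so only the INFO line satisfies the first pattern's trailing space; the DEBUG line falls through to the time-only pattern and loses its date.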


(Bryan Vest) #2

This is a Logstash question. Posting this to the Logstash group will give a better chance of getting an answer.

