Develop Reference

Logstash mixed logs - multiline and normal

I use input file to get logs like this:
input {
file {
path => "/home/ec2-user/*.log"
}
}
In one of the log files some events are loging with 1 line:
2018-12-10 10:01:30.1097|0|Services.Services|INFO| Message: test
Another are multilines like this one :
2018-12-10 10:01:30.1097|0|Services.Services|INFO| Message: {
"account_id": "ec812648-3857-4625-9d9a-fc8ce1835493",
"name": "Player_539017",
"creation_time": "10/12/2018 10:52:52",
"hq_level": 2,
"force": 2570
} successfully dequeued |url: |action:
How can I capture both of the messages with logstash filter:

Below is an example from this page which uses the multiline codec to capture log lines starting with a date timestamp as single event. This will work for both of the log events mentioned above.
file {
path => "/home/ec2-user/*.log"
codec => multiline {
# Grok pattern names are valid
pattern => "^%{TIMESTAMP_ISO8601} "
negate => true
what => "previous"
}
}

Logstash not printing anything

I am using logstash for the first time and trying to setup a simple pipeline for just printing the nginx logs. Below is my config file
input {
file {
path => "/var/log/nginx/*access*"
}
}
output {
stdout { codec => rubydebug }
}
I have saved the file as /opt/logstash/nginx_simple.conf
And trying to execute the following command
sudo /opt/logstash/bin/logstash -f /opt/logstash/nginx_simple.conf
However the only output I can see is:
Logstash startup completed
Logstash shutdown completed
The file is not empty for sure. As per my understanding I should be seeing the output on my console. What am I doing wrong ?

Make sure that the character encoding of your logfile is UTF-8. If it is not, try to change it and restart the Logstash.

Please try this code as your Logstash configuration, in order to setup a simple pipeline for just printing the nginx logs.
input {
file {
path => "/var/log/nginx/*.log"
type => "nginx"
start_position => "beginning"
sincedb_path=> "/dev/null"
}
}
filter {
if [type] == "nginx" {
grok {
patterns_dir => "/home/krishna/Downloads/logstash-2.1.0/pattern"
match => {
"message" => "%{NGINX_LOGPATTERN:data}"
}
}
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
output {
elasticsearch {
hosts => [ "127.0.0.1:9200" ]
}
stdout { codec => rubydebug }
}

logstash grok multiline - how to merge to previous line any line that doesn't start with timestamp

sometimes I print to log indented pretty jsons which printed in multiple lines. so I need to be able to tell logstash to append these prints to the original line of the original event.
example:
xxx p:INFO d:2015-07-21 11:11:58,906 sourceThread:3iMind-Atlas-akka.actor.default-dispatcher-2 queryUserId: queryId: hrvJobId:6c1a4d60-e5e6-40d8-80aa-a4dc00e9f0c4 etlStreamId:70 etlOmdId: etlDocId: logger:tim.atlas.module.etl.mq.MQConnectorEtl msg:(st:Consuming) received NotifyMQ. sending to [openmind_exchange/job_ack] message:
{
"JobId" : "6c1a4d60-e5e6-40d8-80aa-a4dc00e9f0c4",
"Time" : "2015-07-21T11:11:58.904Z",
"Errors" : [ ],
"FeedItemSchemaCounts" : {
"Document" : 1,
"DocumentMetadata" : 1
},
"OtherSchemaCounts" : { }
}
Since I've set a special log4j appender to function solely as logstash input, this task should be quiet easy. I control the layout of the log, so I can add as many prefix/suffix indicators as I please.
here's how my appender look like:
log4j.appender.logstash-input.layout.ConversionPattern=xxx p:%p d:%d{yyyy-MM-dd HH:mm:ss,SSS}{UTC} sourceThread:%X{sourceThread} queryUserId:%X{userId} queryId:%X{queryId} hrvJobId:%X{hrvJobId} etlStreamId:%X{etlStreamId} etlOmdId:%X{etlOmdId} etlDocId:%X{etlDocId} logger:%c msg:%m%n
as you can see I've prefixed every message with 'xxx' so I could tell logstash to append any line which doesn't start with 'xxx' to the previous line
here's my logstash configuration:
if [type] == "om-svc-atlas" {
grok {
match => [ "message" , "(?m)p:%{LOGLEVEL:loglevel} d:%{TIMESTAMP_ISO8601:logdate} sourceThread:%{GREEDYDATA:sourceThread} queryUserId:%{GREEDYDATA:userId} queryId:%{GREEDYDATA:queryId} hrvJobId:%{GREEDYDATA:hrvJobId} etlStreamId:%{GREEDYDATA:etlStreamId} etlOmdId:%{GREEDYDATA:etlOmdId} etlDocId:%{GREEDYDATA:etlDocId} logger:%{GREEDYDATA:logger} msg:%{GREEDYDATA:msg}" ]
add_tag => "om-svc-atlas"
}
date {
match => [ "logdate" , "YYYY-MM-dd HH:mm:ss,SSS" ]
timezone => "UTC"
}
multiline {
pattern => "<please tell me what to put here to tell logstash to append any line which doesnt start with xxx to the previous line>"
what => "previous"
}
}

yes it was easy indeed :
if [type] == "om-svc-atlas" {
grok {
match => [ "message" , "(?m)p:%{LOGLEVEL:loglevel} d:%{TIMESTAMP_ISO8601:logdate} sourceThread:%{GREEDYDATA:sourceThread} queryUserId:%{GREEDYDATA:userId} queryId:%{GREEDYDATA:queryId} hrvJobId:%{GREEDYDATA:hrvJobId} etlStreamId:%{GREEDYDATA:etlStreamId} etlOmdId:%{GREEDYDATA:etlOmdId} etlDocId:%{GREEDYDATA:etlDocId} logger:%{GREEDYDATA:logger} msg:%{GREEDYDATA:msg}" ]
add_tag => "om-svc-atlas"
}
date {
match => [ "logdate" , "YYYY-MM-dd HH:mm:ss,SSS" ]
timezone => "UTC"
}
multiline {
pattern => "^(?!xxx).+"
what => "previous"
}
}

Collect Data from log files with logstash

I'm trying with logstash to collect data from a log file for a version of NETASQ Firewall which contains a lot of lines , but i can not collect correctly my data , I don't know if there is a standard to follow, but I started like this:
input {
stdin { }
file {
type => "FireWall"
path => "/var/log/file.log"
start_position => 'beginning'
}
}
filter {
grok {
match => [ "message", "%{SYSLOGTIMESTAMP:date} %{WORD:id}"]
}
}
output {
stdout { }
elasticsearch {
cluster => "logstash"
}
}
The first line of my file.log looks like this :
Feb 27 04:02:23 id=firewall time="2015-02-27 04:02:23" fw="GVGM-NEWYORK"
tz=+0200 startime="2015-02-27 04:02:22" pri=5 confid=01 slotlevel=2 ruleid=57
srcif="Vlan2" srcifname="SSSSS" ipproto=udp dstif="Ethernet0"
dstifname="out" proto=teredo src=192.168.21.12 srcport=52469
srcportname=ephemeral_fw_udp dst=94.245.121.253 dstport=3544
dstportname=teredo dstname=teredo.ipv6.microsoft.com.nsatc.net
action=block logtype="filter"#015
And finally How can I collect data from the others lines. Please give me a topic just to start. Thanks All.

Logstash - grok multiline

I tried using multiline in grok filters but its not working properly.
My Logs are
H3|15:55:04:760|exception|not working properly
message:space exception
at line number 25
My conf file is
input { file {
path => "logs/test.log"
start_position => beginning
sincedb_path => "/dev/null"
}}
filter{
multiline {
pattern => "^(\s|[A-Z][a-z]).*"
what => "previous"
}
if [message] =~ /H\d+/{
grok {
match => ["message", "(?m)%{USERNAME:level}\|%{TIME:timestamp}\|%{WORD:method}\|%{GREEDYDATA:error_Message}" ]
}
}
else {
grok {
match => ["message", "(?m)%{GREEDYDATA:error_Message}" ]
}
}
}
output {elasticsearch { host => "localhost" protocol => "http" port => "9200" }}
I am able to process the first line of log file, but second line of log file is not working where I would like to use multiline
Output i would like to have
{
"#timestamp" => "2014-06-19 00:00:00,000"
"path" => "logs/test.log"
"level"=>"H3"
"timestamp"=>15:55:04:760
"method"=>exception
"error_message"=>not working properly
},
{
"#timestamp" => "2014-06-19 00:00:00,000"
"path" => "logs/test.log"
"error_message" => "space exception at line 25"
}
Kindly help me to get required output.

Your multiline config says, "if I find this pattern, keep it with the previous line".
Your pattern "^(\s|[A-Z][a-z]).*" says "either a space, or a capital letter followed by a lowercase letter, then followed by other stuff".
So, " foo" or "California" would match, but "H3" wouldn't.
I would suggest a pattern that matches the start of your multiline expression, and use the 'negate' feature to have all lines that don't match that pattern join to the original line:
filter {
multiline {
pattern => "^[A-Z][0-9]\|"
negate => 'true'
what => 'previous'
}
}
}
This would take the "H3|" line as the beginning, and join all other lines to it. Depending on the range of values at the beginning of the line, you may need to edit the regexp.