Skip to main content

Sending Jboss Server Logs to Logstash Using Filebeat with Multiline Support

In addition to sending system logs to logstash, it is possible to add a prospector section to the filebeat.yml for jboss server logs. Sometimes jboss server.log has single events made up from several lines of messages. In such cases Filebeat should be configured for a multiline prospector.

Filebeat takes lines do not start with a date pattern (look at pattern in the multiline section "^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}" and negate section is set to true) and combines them with the previous line that starts with a date pattern.

server.log file excerpt where DatePattern: '.'yyyy-MM-dd-HH and ConversionPattern: %d %-5p [%c] %m%n

2014-06-10 00:30:22,452 ERROR [MainDeployer] Could not initialise deployment: file:/Development/jboss-4.2.3.GA/server/default/deploy/jbossws.sar/
java.lang.NoClassDefFoundError: javax/ejb/Stateless
at org.jboss.ejb3.EJB3Util.isStateless(EJB3Util.java:42)
at org.jboss.ejb3.EJB3Deployer.hasEjbAnnotation(EJB3Deployer.java:219)
at org.jboss.ejb3.EJB3Deployer.accepts(EJB3Deployer.java:271)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

Logstash filter:



Comments

  1. Hello,
    I use your tutorial, i need to use some index pattern differente from filebeat-* ?

    Thanks

    ReplyDelete
  2. Hi, what do you mean by index pattern? is it elasticsearch index? If so, you can configure logstash's elasticsearch output section to change index pattern.

    ReplyDelete

Post a Comment

Popular posts from this blog