[Log Integration] JBOSS parsing
2013. 5. 20. 18:23
http://viriya.ca/2012/08/centralized-logging-for-oracle-fusion/
I am using the file input to tail the log that already exists. An entry in the log file is in this format:
2012-05-18 10:26:01,434 INFO [com.xxxx.xxxx.server.singleton.ConnectionHASingleton] Summary (PSW Bucket: 1) 1 current(22ms), 0 shared(0ms), 0 static(0ms), 0 health(0ms) Total elapsed 26ms
I'm finding that the Severity in graylog2 is always 'Alert'. I'm using the following config file with the multiline, grok and mutate filters:
    input {
      # Tail the JBoss server.log file
      file {
        type => "log4j"
        path => "/JBoss/server/all/log/server.log"
      }
    }
    filter {
      multiline {
        type => "log4j"
        pattern => "^\\s"
        what => "previous"
      }
      grok {
        type => "log4j"
        pattern => "%{DATESTAMP:timestamp} %{WORD:severity} %{GREEDYDATA:message}"
      }
      mutate {
        type => "log4j"
        replace => [ "@message", "%{message}" ]
      }
    }
    output {
      # Emit events to stdout for easy debugging of what is going through logstash
      stdout {
        debug => true
      }
      # Send Jboss log to graylog2
      gelf {
        facility => "jboss"
        host => "log01"
      }
    }
Here's the logstash debug output for this log entry:
    {
      "@source" => "file://stg-app01//JBoss/server/all/log/server.log",
      "@type" => "log4j",
      "@tags" => [],
      "@fields" => {
        "timestamp" => [
          [0] "2012-05-18 10:26:01,434"
        ],
        "severity" => [
          [0] "INFO"
        ],
        "message" => [
          [0] " [com.xxxx.xxxx.server.singleton.ConnectionHASingleton] Summary (PSW Bucket: 1) 1 current(22ms), 0 shared(0ms), 0 static(0ms), 0 health(0ms) Total elapsed 26ms"
        ]
      },
      "@timestamp" => "2012-05-18T10:26:01.601000Z",
      "@source_host" => "stg-app01",
      "@source_path" => "//JBoss/server/all/log/server.log",
      "@message" => " [com.xxxx.xxxx.server.singleton.ConnectionHASingleton] Summary (PSW Bucket: 1) 1 current(22ms), 0 shared(0ms), 0 static(0ms), 0 health(0ms) Total elapsed 26ms"
    }
Finally, here's how graylog2 sees this entry:
From: stg-app01
Date: 2012-05-18 10:26:31 +0000
Severity: Alert
Facility: jboss
File: //JBoss/server/all/log/server.log:151
timestamp: 2012-05-18 10:26:01,434
severity: INFO
message: [com.xxxx.xxxx.server.singleton.ConnectionHASingleton] Summary (PSW Bucket: 1) 1 current(22ms), 0 shared(0ms), 0 static(0ms), 0 health(0ms) Total elapsed 26ms
Full message:
[com.xxxx.xxxx.server.singleton.ConnectionHASingleton] Summary (PSW Bucket: 1) 1 current(22ms), 0 shared(0ms), 0 static(0ms), 0 health(0ms) Total elapsed 26ms
It has two severity entries. Am I doing something wrong?
Have a look at the "level" flag in your output configuration. In your
case you'll want to change the naming in grok to something like
"jboss_severity" and then use this in your output:
    gelf {
      # Field references must be quoted strings in the logstash config
      level => ["%{severity}", "%{jboss_severity}"]
      # rest of config
    }
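An added example, not part of the original question or reply and not Logstash code: a small Python harness that mirrors the pipeline discussed above (the `^\s` multiline fold, a regex equivalent of the grok pattern with the level captured as `jboss_severity`) and sets a numeric level, since GELF carries severity as a syslog number (0 to 7, where 1 is Alert). The log4j-to-syslog table, the default level, the `_parse_failure` and `_log_timestamp` field names and the sample lines are assumptions made for this illustration.

```python
import re

# Regex equivalent of the question's grok pattern. \s+ after the level absorbs
# extra padding, which is what leaves the leading space in "message" above.
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<jboss_severity>[A-Z]+)\s+(?P<message>.*)$",
    re.DOTALL,
)
CONTINUATION_RE = re.compile(r"^\s")  # same test as the multiline filter

# Assumed log4j -> syslog mapping; GELF "level" is a syslog number (0-7).
SYSLOG_LEVEL = {"FATAL": 2, "ERROR": 3, "WARN": 4, "INFO": 6, "DEBUG": 7, "TRACE": 7}
DEFAULT_LEVEL = 6  # assumption: unknown or unparsed levels go out as Informational

def join_multiline(lines):
    """Fold lines that start with whitespace into the previous event."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if events and CONTINUATION_RE.match(line):
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events

def to_gelf(event, host="stg-app01", facility="jboss"):
    """Build a GELF-style dict; unparsed events are kept and tagged, not dropped."""
    m = LINE_RE.match(event)
    if not m:
        return {"host": host, "facility": facility, "level": DEFAULT_LEVEL,
                "short_message": event.split("\n", 1)[0],
                "full_message": event, "_parse_failure": True}
    name = m.group("jboss_severity")
    return {"host": host, "facility": facility,
            "level": SYSLOG_LEVEL.get(name, DEFAULT_LEVEL),
            "short_message": m.group("message").split("\n", 1)[0],
            "full_message": m.group("message"),
            "_jboss_severity": name, "_log_timestamp": m.group("timestamp")}

# Constructed sample: a shortened copy of the entry from the question, a
# made-up stack trace, and a line that does not match the format.
SAMPLE = [
    "2012-05-18 10:26:01,434 INFO  [com.xxxx.xxxx.server.singleton.ConnectionHASingleton] Summary (PSW Bucket: 1) Total elapsed 26ms",
    "2012-05-18 10:26:02,001 ERROR [com.example.Demo] request failed",
    "\tat com.example.Demo.run(Demo.java:42)",
    "garbage line without a timestamp",
]
EVENTS = [to_gelf(e) for e in join_multiline(SAMPLE)]
```

Tagging unparsed lines instead of discarding them keeps malformed or unexpected entries visible in the log store, where a silent drop would hide them from review.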