Menu
I have some log files generated by Log4J2. I am outputting the logs into a .json file using the JSONLayout in the log4j2.xml configuration file. My JSONLayout is defined like this:
<JSONLayout complete="false"></JSONLayout>
As logs get entered into the log file on my machine, they are appended, one-after-another, and look like this in logs.log:
{
"logger":"com.mycompany.myLogger",
"timestamp":"1396792374326",
"level":"ERROR",
"thread":"pool-2-thread-2",
"message":"System: unable to perform action",
"throwable":"java.lang.NullPointerException\\n\tat com.myCompany.MyClass $.java:432)\\n\tat java.lang.Thread.run(Thread.java:744)\\n"
},
I am trying to structure this JSON so that I can query it from ElasticSearch. During that process, I'm trying to add a custom field to ALL records. To do that, I'm using the following:
input {
file {
type => "json"
path => "/var/logs/myApp/logs.log"
}
}
filter {
json {
add_tag => [ "HardcodedTagName"]
source => "message"
}
}
output {
elasticsearch {
protocol => "http"
codec => "json"
host => "[myServerAddress]"
port => "9200"
}
}
Oddly, my custom tag NEVER seems to get added. At the same time, I'd really like to break out my JSON into fields that I can query in ElasticSearch. The things I'd like to query are clearly available. They are:
Yet, I can't seem to get this information out. When I see the JSON records in Kibana, I just see something like this:
{
"_index": "logstash-2014.04.07",
"_type": "json",
"_id": "tG-s6-5pSnq5HZwLhM6Dxg",
"_score": null,
"_source": {
"message": " \"message\":\"System: unable to perform action\"\r",
"@version": "1",
"@timestamp": "2014-04-07T18:01:38.739Z",
"type": "json",
"host": "ip-MyipAddress",
"path": "/var/logs/myApp/logs.log"
},
"sort": [
1396893698739,
1396893698739
]
}
What surprises me most is that the log level isn't even there. Neither is the thread information. I was surprised I couldn't find a blog post of a Log4J example that uses a filter. Any help is sincerely appreciated!
665
Logstash CodecsInput codecs provide a convenient way to decode your data before it enters the input. Output codecs provide a convenient way to encode your data before it leaves the output. Some common codecs: The default “plain” codec is for plain text with no delimitation between events.
You do not need to use the json filter. You can specify the codec format at your input.
input {
file {
type => "json"
path => "/var/logs/myApp/logs.log"
codec => json
}
}
Logstash will automatically parse your log to json format and add the corresponding field.
60
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
