- ######### application.properties
- # Trace and span ids are taken from the MDC context. Hostname could be redundant if you are using FileBeat on the same host,
- # but maybe you are feeding logs to ES in another way. Including it in the log covers this possibility.
- # Field order in this pattern is what the grok expression in pipeline/logstash.conf parses:
- # timestamp, [traceId-spanId], level, hostname, pid, [thread], [class], [file:line], message.
- # NOTE(review): the grok expression expects a full "yyyy-MM-dd HH:mm:ss,SSS" timestamp; confirm that
- # %d{ABSOLUTE} renders the date part with the logging backend in use, otherwise no line will parse.
- # NOTE(review): %m is written as-is, so a CR/LF inside a logged value starts a new physical line that the
- # line-based pipeline treats as its own event. Neutralise line breaks in untrusted values before they are
- # logged (or in the pattern, if the logging backend offers a replace converter - confirm).
- logging.pattern.file=%d{ABSOLUTE} [%X{traceId}-%X{spanId}] %-5p ${HOSTNAME} ${PID} [%t] [%C{2}] [%F:%L] - %m%n
- ######### pipeline/logstash.conf
- # There is an old saying. You had a problem. You solved it with regex. Now you have 2 problems.
- # Really, you can address this in a simpler way by using || or [] separators between each field,
- # but anyhow, where's the fun in that.
- # Note that if you do not add the date mutation, the timestamp in ES will be the time it was received from the FileBeat
- # as opposed to the timestamp of the log message. And that is bad.
- # Receives events from Beats shippers (FileBeat) on TCP port 5044.
- # NOTE(review): no TLS or client-certificate settings are configured here, so any host that can reach
- # this port can submit events and the log content travels unencrypted. Restrict the port at the network
- # level and/or enable the beats input's TLS options when shippers are not on a trusted network.
- input {
- beats {
- port => 5044
- }
- }
- # Splits each log line written with logging.pattern.file into fields, then sets @timestamp from the
- # time recorded in the line itself.
- filter {
- # Captured fields: timestamp, traceid, spanid, level, hostname, pid, thread, class, file, line, logmessage.
- # Events that do not match are not dropped: grok tags them "_grokparsefailure" by default, and because
- # they have no "timestamp" field the date filter below leaves @timestamp at ingest time.
- # Lines that will not match include continuation lines (e.g. stack traces, which do not start with a
- # timestamp) and lines whose thread name contains characters outside [A-Za-z0-9-]. Monitor that tag so
- # unparsed events are noticed rather than silently mis-dated.
- # "logmessage" is free text produced by the application; treat it as untrusted when it is displayed
- # or used in alert rules.
- grok {
- match => [ "message",
- "(?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}) \[(?<traceid>[a-f0-9]*)-(?<spanid>[a-f0-9]*)\] %{LOGLEVEL:level}\s+(?<hostname>[a-zA-Z0-9.-]*)\s+%{NUMBER:pid}\s*\[(?<thread>[A-Za-z0-9-]+)\]\s*\[[A-Za-z0-9.]*\.(?<class>[A-Za-z0-9#_]+)\] \[(?<file>[A-Za-z0-9.]+)\:(?<line>[0-9]+)\]\s*\-\s*(?<logmessage>.*)" ]
- }
- # Parses the captured "timestamp" and writes it to @timestamp.
- # NOTE(review): timezone => "UTC" assumes the application writes its log times in UTC - confirm, since
- # a wrong zone shifts every event on the timeline.
- # remove_field is applied only when the date parse succeeds. Of the listed fields, only "timestamp" is
- # captured by the grok expression above; the others appear not to be produced by this pipeline.
- date {
- locale => "en"
- timezone => "UTC"
- match => ["timestamp", "yyyy-MM-dd HH:mm:ss,SSS"]
- target => "@timestamp"
- remove_field => ["timestamp", "monthday", "year", "month", "day", "time"]
- }
- }
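- # Ships every parsed event to Elasticsearch (one index per day) and also echoes it to stdout.
- output {
- elasticsearch {
- # NOTE(review): no scheme is given for the host; confirm whether this connection uses TLS, because
- # the credentials below are sent with every request.
- hosts => ["elasticsearch:9200"]
- # Credentials are no longer hard-coded (the original used the well-known default elastic/changeme pair).
- # ES_USER and ES_PASSWORD are constructed placeholder names: define them in the Logstash keystore or
- # in the environment. Logstash refuses to start if a referenced variable is undefined.
- # Prefer a dedicated account limited to writing the logstash-* indices over the elastic superuser.
- user => "${ES_USER}"
- password => "${ES_PASSWORD}"
- index => "logstash-%{+YYYY.MM.dd}"
- }
- # Debug aid: prints every event in full to the Logstash console. Whatever collects that console output
- # then holds a second copy of all log content; remove this output outside of development.
- stdout {
- codec => rubydebug
- }
- }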