java异常的GROK模式

Question

I have a couple of questions :

1. I tried to use a custom tag like mentioned in https://discuss.elastic.co/t/logstash-configuration-with-custom-patterns/141352 but could not get much help.

2. I want to match for multiple patterns like one for normal log and one for exception log.

    ^%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level}\\s*%{JAVACLASS:class}\\.%{WORD:method}\\s-\\s%{GREEDYDATA:log}$

3. We also have java patterns that are inbuilt but i was unable to find them by search, so are they compiled and stored ? I wanted to add my patterns in the same file so that i don't get any issues.

Is there another way to get this done apart from writing in the patterns folder?

Answer 1

I'm working with Elastic Stack 7.6.2.

Concatenate stack trace lines into one log entry

I'm sending logs to Logstash through Filebeat. I have to configure Filebeat so it treats the whole stack trace as one entry. I'm using multiline as described in Examples of multiline configuration :

#filebeat.yml
filebeat:
  inputs:
    - type: log
      …
      multiline:
        pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:'
        match: after
output:
  logstash:
    hosts: ["logstash:5044"]

Handle two types of log entries

In my logstash.conf file I have a filter matching against:

• a regular Spring Boot log entry (not covered here) eg:

    2020-05-12 08:31:26.530  INFO 10197 --- [SpringContextShutdownHook] o.s.s.c.ThreadPoolTaskExecutor           : Shutting down ExecutorService 'applicationTaskExecutor'

• a Java exception eg:

    java.lang.IllegalArgumentException: Exception message
        at in.keepgrowing.springbootlog4j2scaffolding.SpringBootLog4j2ScaffoldingApplication.main(SpringBootLog4j2ScaffoldingApplication.java:14) [classes/:?]
        at com.example.myproject.Author.getBookIds(Author.java:38)
        at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
    Caused by: java.lang.NullPointerException
        at com.example.myproject.Book.getId(Book.java:22)
        at com.example.myproject.Author.getBookIds(Author.java:35)
        ... 1 more

Because I haven't listed multiple patterns in one match , every entry is being checked against both matches (I think the break_on_match is not working in this case). As a result the _grokparsefailure tag is added to all entries. To remove this tag I have to know that a particular entry was successfuly matched by one pattern - the stacktrace or spring_boot_log tag will be present in such a case. Therefore I can safely delete the _grokparsefailure tag for entries that have my tag:

# logstash.conf
…
filter {
    grok {
        match => { "message" => "%{JAVACLASS:exception}:\s%{GREEDYDATA:stacktrace}" }
        add_tag => [ "stacktrace" ]
        }
    grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp}…" }
        add_tag => [ "spring_boot_log" ]
        }
    if "stacktrace" in [tags] or "spring_boot_log" in [tags] {
            mutate {
                remove_tag => ["_grokparsefailure"]
                }
    }
}
…

Below you can see the screenshot from my ElasticHQ showing how an example stack trace was parsed. There are two parts: exception and stacktrace , and my custom tag in the tags array:

Useful links:

• https://grokdebug.herokuapp.com/patterns
• https://discuss.elastic.co/t/is-there-a-way-to-tag-for-different-grok-matches/52785
• https://stackoverflow.com/a/46589940/7995881
• https://discuss.elastic.co/t/logstash-7-grok-filter-plugin-break-on-match-appears-to-be-broken/176578/6
• https://sematext.com/blog/handling-stack-traces-with-logstash/
• https://dzone.com/articles/using-multiple-grok-statements