
Configuring Logstash to Decode Its Own Event Format JSON

I have a Java log file for a web app that was created using SLF4J, Logback and the logstash-logback-encoder for use in Logstash 1.4.2. While various configurations have succeeded in retrieving data from the logs, none has actually resulted in proper JSON being returned. Based on every guide I have read, the following configuration should work, but does not.

Sample of Log

{"@timestamp":"2015-02-04T00:03:43.178+00:00","@version":1,"message":"No token was found, creating new token.","logger_name":"com.company.ws.service.AuthService","thread_name":"ajp-nio-8009-exec-10","level":"INFO","level_value":20000,"HOSTNAME":"development.company.com"}
{"@timestamp":"2015-02-04T00:03:43.199+00:00","@version":1,"message":"5f8aaebd-4274-4f00-a2eb-7b2350231ef2","logger_name":"com.company.jaxrs.provider.ParamTest","thread_name":"ajp-nio-8009-exec-1","level":"INFO","level_value":20000,"HOSTNAME":"development.company.com"}
{"@timestamp":"2015-02-04T00:03:43.199+00:00","@version":1,"message":"36","logger_name":"com.company.jaxrs.provider.ParamTest","thread_name":"ajp-nio-8009-exec-1","level":"INFO","level_value":20000,"HOSTNAME":"development.company.com"}
{"@timestamp":"2015-02-04T00:03:43.218+00:00","@version":1,"message":"5f8aaebd-4274-4f00-a2eb-7b2350231ef2","logger_name":"com.company.jaxrs.provider.ParamTest","thread_name":"ajp-nio-8009-exec-3","level":"INFO","level_value":20000,"HOSTNAME":"development.company.com"}
{"@timestamp":"2015-02-04T00:03:43.218+00:00","@version":1,"message":"36","logger_name":"com.company.jaxrs.provider.ParamTest","thread_name":"ajp-nio-8009-exec-3","level":"INFO","level_value":20000,"HOSTNAME":"development.company.com"}
{"@timestamp":"2015-02-04T00:03:43.218+00:00","@version":1,"message":"135a2411-ac96-492b-94e9-df6b65974f9f","logger_name":"com.company.jaxrs.provider.ParamTest","thread_name":"ajp-nio-8009-exec-3","level":"INFO","level_value":20000,"HOSTNAME":"development.company.com"}
{"@timestamp":"2015-02-04T00:03:43.218+00:00","@version":1,"message":"36","logger_name":"com.company.jaxrs.provider.ParamTest","thread_name":"ajp-nio-8009-exec-3","level":"INFO","level_value":20000,"HOSTNAME":"development.company.com"}
{"@timestamp":"2015-02-04T00:03:43.219+00:00","@version":1,"message":"is string","logger_name":"com.company.jaxrs.parameter.RestParameterFactory","thread_name":"ajp-nio-8009-exec-3","level":"INFO","level_value":20000,"HOSTNAME":"development.company.com"}

/etc/logstash/conf.d/01-lumberjack-input.conf

# Receives events shipped by logstash-forwarder over the lumberjack protocol.
input {

 lumberjack {
    # Listening port; the forwarder config shown on this page connects to
    # utility.company.com:5000.
    port => 5000
    # Applied only to events that arrive without a type. Logstash does not
    # replace a type already set by the shipper, so events the forwarder
    # tags with type "json" keep that type (as the Kibana result shows).
    type => "logs"
    # Certificate presented to the forwarder. The forwarder config on this
    # page lists the same path as its "ssl ca", i.e. the certificate is
    # presumably self-signed and copied to the shipping host - confirm.
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    # Private key for that certificate; keep it readable only by the
    # account Logstash runs as, and never copy it to the shipping hosts.
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }

}

/etc/logstash/conf.d/10-syslog.conf

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST$
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }

  else if [type] == "json" {

        source => "message"

  }

/etc/logstash/conf.d/30-lumberjack-output.conf

# Every event that passes the filters is sent to both outputs below.
output {
  # Indexes events into the Elasticsearch node on the same machine.
  elasticsearch { host => localhost }
  # Prints each complete event in rubydebug form, which helps while
  # debugging the filter. It also copies all log content to wherever
  # Logstash's stdout is captured (the sample log carries token-related
  # messages), so remove it once the pipeline works.
  stdout { codec => rubydebug }
}

/etc/logstash-forwarder (other machine)

{
  "network": {
    "servers": [ "utility.company.com:5000" ],
    "timeout": 15,
    "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt"
  },
  "files": [
    {
      "paths": ["/company/apache-tomcat-8.0.9/logs/vhost1.log"],
      "fields": { "type": "json"  }

    }
   ]
}

The best returns I have been able to get back (if anything returns) in Kibana look something like this:

{
  "_index": "logstash-2015.02.04",
  "_type": "json",
  "_id": "8l1rDYTZSceBCklFxAuvAg",
  "_score": null,
  "_source": {
    "message": "{\"@timestamp\":\"2015-02-04T06:03:18.794+00:00\",\"@version\":1,\"message\":\"Attribute Count 1\",\"logger_name\":\"com.company.ws.service.ReportSearchService\",\"thread_name\":\"ajp-nio-8009-exec-1\",\"level\":\"INFO\",\"level_value\":20000,\"HOSTNAME\":\"development.company.com\"}",
    "@version": "1",
    "@timestamp": "2015-02-04T06:13:10.685Z",
    "type": "json",
    "file": "/company/apache-tomcat-8.0.9/logs/vhost1.log",
    "host": "development.company.com",
    "offset": "4907321"
  },
  "sort": [
    1423030390685,
    1423030390685
  ]
}

Obviously, the json conversion logic is not functioning properly, so what am I missing?

The ELK stack was configured using this guide.

This looks very suspicious:

else if [type] == "json" {

      source => "message"

}

If this really is what's in your config file I don't understand why Logstash doesn't complain about it. This is what it should look like:

else if [type] == "json" {
  # Parses the JSON text held in "message" and adds its keys to the event.
  # With no target option the keys are placed at the top level of the event,
  # so keys in the log line can overwrite same-named event fields; if later
  # conditionals or access rules depend on fields such as type or host,
  # consider setting target to keep application-supplied keys in a sub-field.
  # Lines that are not valid JSON are tagged _jsonparsefailure and left as-is.
  json {
    source => "message"
  }
}

Alternatively, if all messages received via the lumberjack protocol are JSON messages, you can use the json codec on your lumberjack input (`codec => json` inside the `lumberjack { }` block) instead of a filter.
