面向logstash中的錯誤

Question

當我在logstash中定義解析apache tomcat和應用程序日誌文件的模式時，我們得到以下錯誤。 樣品日誌文件是：

2014-08-20 12:35:26,037 INFO [routerMessageListener-74] PoolableRuleEngineFactory Executing the rule -->ECE Tagging Rule 

配置文件是：

filter{ 
    grok{ 
    type => "log4j" 
    #pattern => "%{TIMESTAMP_ISO8601:logdate} %{LOGLEVEL:severity} \[\w+\[%    {GREEDYDATA:thread},.*\]\] %{JAVACLASS:class} - %{GREEDYDATA:message}" 
    pattern => "%{TIMESTAMP_ISO8601:logdate}" 

    #add_tag => [ "level_%{level}" ] 
} 



    date { 
     match => [ "logdate", "YYYY-MM-dd HH:mm:ss,SSS"] 
    } 
} 

未知設置 '時間戳' 日期{：水平=>：錯誤}

Answer 1

您的文章沒有顯示設置'日期過濾器的'時間戳'。我懷疑你已經開始使用時間戳設置的例子，這個設置曾經是舊版日期過濾器。你正確地修復了它的更新版本的logstash使用匹配設置，但可能沒有保存你的更改。使用上面的logstash-1.5.3過濾器我沒有問題。

這是我完整的配置文件。注意我仍在測試它，但它似乎正在導入一個帶有從現有日誌文件導入的Log4J日誌消息的JBoss日誌。

input { 
    tcp { 
    type => "log4j" 
    port => 4560 
    } 
    stdin { 
    type => "log4j" 
    } 
} 

filter { 
    grok{ 
    type => "log4j" 
    #pattern => "%{TIMESTAMP_ISO8601:logdate} %{LOGLEVEL:severity} \[\w+\[%{GREEDYDATA:thread},.*\]\] %{JAVACLASS:class} - %GREEDYDATA:message}" 
    pattern => "%{TIMESTAMP_ISO8601:logdate}" 

    #add_tag => [ "level_%{level}" ] 
} 

    date { 
    type => "log4j" 
    match => [ "logdate", "YYYY-MM-dd HH:mm:ss,SSS"] 
    exclude_tags => "_grokparsefailure" 
    } 

    # Catches normal space indented type things, probably could be removed b/c the other multiline should do everythign we need 
    multiline { 
    type => "log4j" 
    tags => ["_grokparsefailure"] # exclude anything we already handled 
    pattern => ".*" 
    what => "previous" 
    add_tag => "notgrok" 
    } 
} 


output { 
    gelf { 
    host => "localhost" 
    custom_fields => ["environment", "PROD", "service", "BestServiceInTheWorld"] 
    } 
    # Print each event to stdout. 
    stdout { 
    codec => json 
    } 
}