日志存储多行问题与java日志

时间:2022-06-01 01:42:57

I am installing logstash with tomcat and having issue to grab java stack trace call, following is my config

我正在用tomcat安装日志存储,并且在获取java堆栈跟踪调用时遇到了问题,以下是我的配置

input   {
 udp {
   type => "tomcat"
   port => "514"
   format => "plain"

 }

}

filter{
multiline {
            pattern => "(^.+Exception.*)|(^\s+at .+)|(^\s+... \d+ more)|(^\s*Caused by:.+)"
            what => "previous"
}
}

Here is sample logs of tomcat

这是tomcat的示例日志

2014-03-24 19:08:53,246 [thread-pool8] ERROR org.apache.catalina.core.ContainerBase.[engine].[localhost] - Exception Processing ErrorPage[errorCode=500, location=/error/error500.jsp]
org.apache.jasper.JasperException: java.lang.NullPointerException
        at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:549)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:470)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
        at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:489)
        at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:412)
        at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:339)
        at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:467)
        at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:338)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:203)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1686)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.NullPointerException
        at org.apache.jsp.error.error500_jsp._jspService(error500_jsp.java:266)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
        ... 21 more

I have tired all combination and none of work :( i don't know how it works for other folks..

我已经厌倦了所有的组合和工作(我不知道这对其他人来说是怎样的)。

EDIT:

I have tried following and it didn't work too

我试过跟随,但也没用

pattern => "^%{TIMESTAMP_ISO8601}"
       negate => true

following is result

下面是结果

filter received {:event=>{"message"=>"<139>2014-03-24 21:07:58,908 [] [] [thread-pool4] ERROR org.apache.catalina.core.ContainerBase.[engine].[localhost] - Exception Processing ErrorPage[errorCode=500, location=/error/error500.jsp]\n", "@version"=>"1", "@timestamp"=>"2014-03-25T01:07:59.128Z", "type"=>"tomcat", "host"=>"10.3.68.22"}, :level=>:debug, :file=>"(eval)", :line=>"15"}
<139>2014-03-24 21:07:58,908 [] [] [thread-pool4] ERROR org.apache.catalina.core.ContainerBase.[engine].[localhost] - Exception Processing ErrorPage[errorCode=500, location=/error/error500.jsp]
 {:pattern=>"^%{TIMESTAMP_ISO8601} ", :match=>false, :negate=>true, :level=>:debug, :file=>"logstash/filters/multiline.rb", :line=>"160"}
filter received {:event=>{"message"=>"<139>org.apache.jasper.JasperException: java.lang.NullPointerException", "@version"=>"1", "@timestamp"=>"2014-03-25T01:07:59.131Z", "type"=>"tomcat", "host"=>"10.3.68.22"}, :level=>:debug, :file=>"(eval)", :line=>"15"}
<139>org.apache.jasper.JasperException: java.lang.NullPointerException {:pattern=>"^%{TIMESTAMP_ISO8601} ", :match=>false, :negate=>true, :level=>:debug, :file=>"logstash/filters/multiline.rb", :line=>"160"}
filter received {:event=>{"message"=>"<139>    at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:549)", "@version"=>"1", "@timestamp"=>"2014-03-25T01:07:59.134Z", "type"=>"tomcat", "host"=>"10.3.68.22"}, :level=>:debug, :file=>"(eval)", :line=>"15"}

UPDATE:

I ran logstash in debug mode with udp protocol and some strange number <139> coming in @messages see following output of debug, if i use nc command to send sample logs it works but somehow with tomcat syslog its not working

我使用udp协议在调试模式下运行了loghide, @messages中出现了一个奇怪的数字<139>,请参见下面的调试输出,如果我使用nc命令发送样例日志,它可以工作,但是tomcat syslog不能工作

{
       "message" => "<139>2014-03-28 13:52:25,548 [] [] [thread-pool2] ERROR org.apache.catalina.core.ContainerBase.[engine].[localhost] - Exception Processing ErrorPage[errorCode=500, location=/error/error500.jsp]\n",
      "@version" => "1",
    "@timestamp" => "2014-03-28T17:52:26.116Z",
          "host" => "10.3.68.22"
}
{
       "message" => "<139>org.apache.jasper.JasperException: java.lang.NullPointerException",
      "@version" => "1",
    "@timestamp" => "2014-03-28T17:52:26.134Z",
          "host" => "10.3.68.22"
}
{
       "message" => "<139>    at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:549)",
      "@version" => "1",
    "@timestamp" => "2014-03-28T17:52:26.151Z",
          "host" => "10.3.68.22"
}
{
       "message" => "<139>    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:470)",
      "@version" => "1",
    "@timestamp" => "2014-03-28T17:52:26.166Z",
          "host" => "10.3.68.22"
}
{
       "message" => "<139>    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)",
      "@version" => "1",
    "@timestamp" => "2014-03-28T17:52:26.183Z",
          "host" => "10.3.68.22"
}

1 个解决方案

#1

1  

Whether all the logs start with a date time?

是否所有日志都以日期时间开始?

You can use it as the pattern. For example,

你可以用它作为图案。例如,

input {
    stdin {
    }
}

filter {
    multiline {
       pattern => "^%{TIMESTAMP_ISO8601} "
       negate => true
       what => previous
    }
}

output {
    stdout {debug => true}
}

This filter is worked at me with your logs. Hope it can help you :)

这个过滤器是用你的圆木做的。希望它能对你有所帮助。

#1

1  

Whether all the logs start with a date time?

是否所有日志都以日期时间开始?

You can use it as the pattern. For example,

你可以用它作为图案。例如,

input {
    stdin {
    }
}

filter {
    multiline {
       pattern => "^%{TIMESTAMP_ISO8601} "
       negate => true
       what => previous
    }
}

output {
    stdout {debug => true}
}

This filter is worked at me with your logs. Hope it can help you :)

这个过滤器是用你的圆木做的。希望它能对你有所帮助。

标签:

相关文章