@AKSarav
Forked from chanjarster/logstash-tomcat.conf
Created November 20, 2019 22:50
Tomcat Access Log Logstash configuration
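input {
  file {
    path => "/path/to/tomcat/logs/localhost_access_log*.txt"
  }
}
filter {
  # Combined log format plus the extra fields appended by the Valve pattern:
  # %A %p %D %S "X-Forwarded-For" "SECURITY_LOGIN_NAME"
  grok {
    match => {
      "message" => "%{COMBINEDAPACHELOG} %{IPORHOST:serverip} %{NUMBER:serverport} %{NUMBER:elapsed_millis} %{NOTSPACE:sessionid} %{QS:proxiedip} %{QS:loginame}"
    }
    overwrite => [ "message" ]
    remove_field => [ "ident", "auth" ]
  }
  useragent {
    source => "agent"
    target => "ua"
    remove_field => [ "agent" ]
  }
  # Drop the query string from the request and strip the quotes that QS keeps.
  mutate {
    gsub => [
      "request", "\?.+", "",
      "proxiedip", "(^\"|\"$)", "",
      "loginame", "(^\"|\"$)", "",
      "referrer", "(^\"|\"$)", ""
    ]
  }
  # X-Forwarded-For is client-supplied unless a trusted proxy sets it, and it may
  # list several comma-separated hops; the whole value is copied into clientip.
  if [proxiedip] != "-" {
    mutate {
      replace => {
        "clientip" => "%{proxiedip}"
      }
    }
  }
  # %b logs "-" when no body was sent, which leaves bytes unset.
  if ![bytes] {
    mutate {
      add_field => {
        "bytes" => "0"
      }
    }
  }
  mutate {
    remove_field => ["proxiedip"]
  }
  mutate {
    convert => {
      "bytes" => "integer"
      "elapsed_millis" => "integer"
      "serverport" => "integer"
    }
  }
  date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}
output {
  # Lines that did not match the grok pattern are dropped from both outputs.
  if "_grokparsefailure" not in [tags] {
    stdout {
      codec => rubydebug
    }
    # Logstash 1.x options; from Logstash 2.0 on the plugin takes hosts => [...] instead.
    elasticsearch {
      protocol => "http"
      host => "localhost"
    }
  }
}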
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common"
combined + %A + %p + %D + %S + real IP + username
%h - Remote host name (or IP address if enableLookups for the connector is false)
%l - Remote logical username from identd (always returns '-')
%u - Remote user that was authenticated (if any), else '-'
%t - Date and time, in Common Log Format
%r - First line of the request (method and request URI)
%s - HTTP status code of the response
%b - Bytes sent, excluding HTTP headers, or '-' if zero
Referer
User-Agent
%A - Local IP address
%p - Local port on which this request was received. See also %{xxx}p below.
%D - Time taken to process the request, in millis
%S - User session ID
X-Forwarded-For
SECURITY_LOGIN_NAME
-->
<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs"
       prefix="localhost_access_log"
       suffix=".txt"
       encoding="utf8"
       pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; %A %p %D %S &quot;%{X-Forwarded-For}i&quot; &quot;%{SECURITY_LOGIN_NAME}s&quot;" />
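
An added example, not part of the gist: an offline Python stand-in for the grok pattern and filter block above, run on a constructed log line in the Valve format, which also computes a client address that honours X-Forwarded-For only when the connecting peer is a trusted proxy. The TRUSTED_PROXIES range, the clientip_checked field name and the sample line are assumptions made for illustration.

```python
import ipaddress
import re
# Regex stand-in for the grok pattern above (combined log plus the six extra fields).
LINE_RE = re.compile(
    r'(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] "(?P<verb>\S+) (?P<request>\S+)'
    r'(?: HTTP/(?P<httpversion>[\d.]+))?" (?P<response>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)" (?P<serverip>\S+) (?P<serverport>\d+) '
    r'(?P<elapsed_millis>\d+) (?P<sessionid>\S+) "(?P<proxiedip>[^"]*)" "(?P<loginame>[^"]*)"$')
# Assumption: the reverse proxies allowed to set X-Forwarded-For (constructed range).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
def to_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def is_trusted(ip):
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)

def client_from_xff(peer, xff):
    """Honour the header only when the connecting peer (%h) is a trusted proxy."""
    if xff == "-" or not is_trusted(to_ip(peer)):
        return peer
    for hop in reversed(xff.split(",")):  # rightmost hops were appended by our proxies
        ip = to_ip(hop)
        if ip is None:
            return peer                   # malformed entry: keep the socket address
        if not is_trusted(ip):
            return str(ip)
    return str(ip)                        # every hop is internal: leftmost is the origin

def parse_line(line):
    """Mirror the filter block and add a checked client address beside the gist's one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None                       # Logstash would tag this _grokparsefailure
    ev = m.groupdict()
    peer, xff = ev["clientip"], ev.pop("proxiedip")
    ev["request"] = re.sub(r"\?.+", "", ev["request"])   # gsub on "request"
    ev["bytes"] = 0 if ev["bytes"] == "-" else int(ev["bytes"])
    ev["elapsed_millis"], ev["serverport"] = int(ev["elapsed_millis"]), int(ev["serverport"])
    if xff != "-":
        ev["clientip"] = xff              # gist behaviour: header copied verbatim
    ev["clientip_checked"] = client_from_xff(peer, xff)  # hypothetical extra field
    return ev

# Constructed sample line in the Valve format above (proxy 10.0.0.5 in front of Tomcat).
SAMPLE = ('10.0.0.5 - - [20/Nov/2019:22:50:00 +0000] "GET /app/home?tab=1 HTTP/1.1" 200 - "-" '
          '"curl/7.64.0" 10.0.0.9 8080 12 - "198.51.100.23, 203.0.113.7" "alice"')
```

For the sample line, clientip ends up holding the whole header string, while clientip_checked is the hop that the trusted proxy itself recorded.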