LogStash (1.2.2) WebLogic Server shipper
# Shipper inputs: two file tails on the WebLogic managed server, one for the
# server log and one for the HTTP access log. Each input sets its own `type`
# and a tag; the filter section uses the tag to pick the matching grok pattern.
# The account running Logstash only needs read access to these two paths.
input {
  ## WebLogic Server Log
  file {
    type => "weblogic"
    tags => ["wlsserverlog"]
    path => [ "/var/log/weblogic/domain/managedserver.log" ]
    # A server-log record starts with "####". Any line that does NOT start
    # with it (negate => true) is appended to the previous event, so a
    # multi-line record such as a stack trace stays in one event.
    codec => multiline {
      pattern => "^####"
      negate => true
      what => "previous"
    }
  }
  ## WebLogic Server Http Access Log
  file {
    type => "weblogic-access"
    tags => ["wlsaccesslog"]
    path => [ "/var/log/weblogic/domain/managedserver.access" ]
    # Static field added to every access-log event from this input.
    add_field => {
      "application" => "MPO"
    }
  }
}
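# Parsing stage: events are routed by the tag set on their input and split
# into named fields with grok. An event that does not match its pattern keeps
# only the raw message and is tagged by grok as a parse failure (default tag
# `_grokparsefailure`), so a rise in that tag means records are going unparsed.
filter {
  ## WebLogic Server Log
  if "wlsserverlog" in [tags] {
    grok {
      # One `<...>` group per header field of the "####" record.
      # The seventh group was an unnamed capture limited to letters, spaces
      # and angle brackets: its value was discarded, and a record whose value
      # contained a digit, dot, underscore or "@" failed the whole match.
      # It is now captured as `wls_user` with the same DATA pattern as the
      # neighbouring fields.
      # NOTE(review): the field is presumably the WebLogic user ID; confirm
      # against the server's log format before alerting on it.
      # NOTE(review): the last capture writes into the existing `message`
      # field; grok's `overwrite` option decides whether that replaces the
      # raw line. Confirm the behaviour on the Logstash version in use.
      # NOTE(review): no date filter is applied here, so @timestamp is not
      # derived from `timestamp` or `wls_rawtime`.
      match => [ "message", "####<%{DATA:timestamp}>%{SPACE}<%{LOGLEVEL:level}>%{SPACE}<%{DATA:wls_subsystem}>%{SPACE}<%{DATA:wls_host}>%{SPACE}<%{DATA:wls_server}>%{SPACE}<%{DATA:wls_thread}>%{SPACE}<%{DATA:wls_user}>%{SPACE}<%{DATA:wls_transactionid}>%{SPACE}<%{DATA:wls_diagcontid}>%{SPACE}<%{DATA:wls_rawtime}>%{SPACE}<%{DATA:wls_beacode}>%{SPACE}<%{GREEDYDATA:message}" ]
    }
  }
  ## WebLogic Server Http Access Log
  if "wlsaccesslog" in [tags] {
    grok {
      # Expects: date, time, HTTP method, request URI, status, time taken.
      # The URI is client-supplied, so treat `uri` as untrusted wherever it
      # is displayed or queried downstream.
      # No client address or user field is extracted by this pattern.
      match => [ "message", "(?<timestamp>%{DATE}%{SPACE}%{TIME})%{SPACE}%{WORD:verb}%{SPACE}%{URIPATHPARAM:uri}%{SPACE}%{NUMBER:response}%{SPACE}%{NUMBER:time_taken}" ]
    }
  }
}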
Thanks for posting this, I was importing some old logs into ELK, and this format didn't set the @timestamp properly, or match the log format used. I've posted my filter at: https://gist.github.com/a-h/602dc9c744583f60884f in case it's helpful for anyone.