Logstash records from a server being rejected by ElasticSearch due to malformed date
I am in the process of installing ELK including REDIS and have successfully got one server/process delivering its logs through to ElasticSearch(ES). Most happy with this. However, on updating an existing server/process to start using logstash I am seeing the logdate come through in the form yyyy-MM-dd HH:mm:ss,sss. Note the absence of the T between date and time. ES is not happy with this.
Log4j pattern in use by both servers is:
<PatternLayout pattern="~%d{ISO8601} [%p] [%t] [%c{1.}] %m%n"/>
Logstash config is identical with the exception of the path to the source log file
input{
file{
type => "log4j"
path => "/var/log/restapi/*.log"
add_field => {
"process" => "restapi"
"environment" => "DEVELOPMENT"
}
codec => multiline {
pattern => "^~%{TIMESTAMP_ISO8601} "
negate => "true"
what => "previous"
}
}
}
filter{
if [type] == "log4j"{
grok{
match => {
message => "~%{TIMESTAMP_ISO8601:logdate}%{SPACE}\[%{LOGLEVEL:level}\]%{SPACE}\[%{DATA:thread}\]%{SPACE}\[%{DATA:category}\]%{SPACE}%{GREEDYDATA:messagetext}"
}
}
}
}
output{
redis{
host => "sched01"
data_type => "list"
key => "logstash"
codec => json
}
stdout{codec => rubydebug}
}
The stdout line is for current debug purposes, whereby it is evident that on correctly working server that logdate is being correctly formed by the GROK filter.
compared to the incorrectly formed output.
The only difference from a high level is when the servers were built. Looking for ideas on what could be causing or a means to add the T into the field
A bug raised under DatePatternConverter ISO8601_PATTERN does not conform to ISO8601 https://issues.apache.org/jira/browse/LOG4J2-670 led me to check the version of the log4j2 library used in the older application. Found it was Beta. Updated to v2.3 and the dateTime value started to populate correctly. The value now being correctly formed, ElasticSearch is happy to accept it.
- Logstash install error: can't get unique system GID (no more available GIDs)
- how to remove /r from field value in logstash grok
- Logstash plugin installed but not found
- Logstash field is never shown after aggregation
- Observability in Laravel Applications
- Could not connect Logstash to Kafka via compose file
- How to convert a string field to array using Logstash
- How can I check nulls in Logstash pipeline in filter plugin?
- How to input a JSON file (array form) in Logstash?
- Log4J JsonTemplateLayout replacing message content
- logstash error: java.net.SocketException: Connection reset
- logstash keep both raw data and aggregated data
- Logstash Elasticsearch output plugin creates a single document index in Elasticsearch
- Index pattern is not showing up in Kibana management
- Problems with updating :sql_last_value
- Logstash stopped processing because of an error: (SystemExit) exit org.jruby.exceptions.SystemExit
- Logstash main class JvmOptionsParser not found / cannot load
- How to Send Structured Logs to ELK Stack with Custom Fields Using Python Logging?
- Querying keyword field in Logstash
- ELK index name doesn't change on rollover on the next day
- Grok pattern for [Mon Jan 04 08:36:12 2021]
- Ingesting SQL Server ErrorLog using Filebeat with the mssql module
- logstash unable to connect to elasticsearch
- How to discard the Duplicate values in ElasticSearch using DSL Query?
- Logstash Expected one of
- How can I manually trigger timing jdbc input in logstash?
- Error: exec /usr/local/bin/docker-entrypoint: permission denied for Logstash container on Podman
- Elasticsearch - Logstash Grok new field date formate is string and not date
- http.host: 0.0.0.0 - ERROR lookup logstash : no such host
- How to have an input of type MongoDB for Logstash