I want to send logs from a Java app using Log4j to my Logstash server over TCP. Communication between the two servers works great, but when I receive logs from my Java app, I get an error in Logstash's log file:
[2017-04-19T09:15:18,549][WARN ][logstash.outputs.elasticsearch] Failed action. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"hadoopws_log-2017.04.19", :_type=>"[\"log4j\", \"001\"]", :_routing=>nil}, 2017-04-19T07:15:18.486Z 10.10.2.100:60283 "ROUM" 8962 001 2 3136 109 3245], :response=>{"index"=>{"_index"=>"hadoopws_log-2017.04.19", "_type"=>"[\"log4j\", \"001\"]", "_id"=>"AVuFEL1uRiFXDsNz9hxO", "status"=>400, "error"=>{"type"=>"invalid_type_name_exception", "reason"=>"mapping type name [[\"log4j\", \"001\"]] should not include ',' in it"}}}}
My Logstash config file:
input {
  log4j {
    mode => "server"
    host => "hadoopmasterdev"
    port => 3456
    type => "log4j"
  }
}
filter {
  grok {
    match => { "message" => "%{DATA:request} %{WORD:idgroup} %{WORD:type} %{NUMBER:nb} %{NUMBER:process_time} %{NUMBER:render_time} %{NUMBER:total_time}" }
  }
}
output {
  elasticsearch {
    hosts => ["hadoopmasterdev:9200"]
    index => "hadoopws_log-%{+YYYY.MM.dd}"
  }
}
Then, I send those logs:
"test 1" 28 001 26 33 116 149
When I try to validate my Grok pattern using GrokDebug, it works well...
Thank you so much :)
You need to change the third field name from `type` to something else, because that interferes with the `type: log4j` field defined in your `log4j` input. As a result, the `type` field becomes an array that contains two values, namely `log4j` and `001`, and that cannot be used to define the mapping type in the elasticsearch output.
Simply change your `grok` pattern to this and it will work.
grok {
  match => { "message" => "%{DATA:request} %{WORD:idgroup} %{WORD:datatype} %{NUMBER:nb} %{NUMBER:process_time} %{NUMBER:render_time} %{NUMBER:total_time}" }
}
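The collision described in the answer above can be reproduced offline with a small model. This is an added example, not part of the original answer and not Logstash code: `toy_grok`, `collisions` and the simplified `DATA`/`WORD`/`NUMBER` definitions are hypothetical stand-ins, and the event is constructed from the log line in the question.

```python
import re

# Simplified stand-ins for the three grok patterns used on this page
# (assumption: close enough to the real definitions for the sample line).
GROK_DEFS = {"DATA": r".*?", "WORD": r"\w+", "NUMBER": r"[+-]?\d+(?:\.\d+)?"}
CAPTURE = re.compile(r"%\{(\w+):(\w+)\}")

def collisions(pattern, event):
    """Capture names in the grok pattern that the event already carries."""
    return [m.group(2) for m in CAPTURE.finditer(pattern) if m.group(2) in event]

def toy_grok(event, pattern):
    """Hypothetical model of the grok filter: a capture whose name already
    exists on the event is appended, so that field turns into an array."""
    regex = CAPTURE.sub(
        lambda m: "(?P<%s>%s)" % (m.group(2), GROK_DEFS[m.group(1)]), pattern)
    out = dict(event)
    match = re.search(regex, event["message"])
    if match is None:
        # No match: tag the event instead of adding fields.
        out["tags"] = list(out.get("tags", [])) + ["_grokparsefailure"]
        return out
    for name, value in match.groupdict().items():
        if name in out:
            old = out[name] if isinstance(out[name], list) else [out[name]]
            out[name] = old + [value]
        else:
            out[name] = value
    return out

# Constructed event: the log line from the question plus the type set by the input.
EVENT = {"type": "log4j", "message": '"test 1" 28 001 26 33 116 149'}
TAIL = " %{NUMBER:nb} %{NUMBER:process_time} %{NUMBER:render_time} %{NUMBER:total_time}"
BROKEN = "%{DATA:request} %{WORD:idgroup} %{WORD:type}" + TAIL
FIXED = "%{DATA:request} %{WORD:idgroup} %{WORD:datatype}" + TAIL

if __name__ == "__main__":
    for label, pattern in (("broken", BROKEN), ("fixed", FIXED)):
        result = toy_grok(EVENT, pattern)
        print(label, "collisions:", collisions(pattern, EVENT), "type:", result["type"])
```

Running `collisions` over a pattern before deploying it flags any capture name that would land on a field the input already sets, which is the condition that caused the events here to be rejected with status 400.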