# Pipeline: tail the Tomcat catalina.out log, keep only ERROR-level events,
# index them in Elasticsearch and mail every one of them.

input {
  file {
    type => "java-err"
    path => "/fsmeeting/tomcat-service/logs/catalina.out"
    tags => "java-err"
    # Lines that do NOT start with an ISO8601 timestamp (stack-trace lines)
    # are folded into the preceding event.
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601}"
      negate  => true
      what    => "previous"
    }
  }
}

filter {
  if [type] == "java-err" {
    # Split "<timestamp> [thread]-[LEVEL] text" into named fields.
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:date} \[(?<thread_name>.+?)\]-\[(?<log_level>\w+)\]\s*(?<content>.*)"}
    }

    # Anything that is not an ERROR is discarded; this includes events the
    # grok above failed to parse, since they carry no log_level field.
    if [log_level] != "ERROR" {
      drop {}
    }

    # "content" duplicates text already held in "message", so it is not kept.
    mutate {
      remove_field => "content"
    }
  }
}

output {
  # NOTE(review): plain HTTP and no credentials are configured here, so event
  # bodies cross the network unencrypted; confirm the Elasticsearch node is
  # only reachable from trusted hosts.
  elasticsearch {
    host     => "192.168.5.231"
    protocol => "http"
    index    => "java-err-%{+YYYY.MM.dd}"
  }

  # No conditional and no rate limit: every ERROR event produces one mail.
  # NOTE(review): the body is the raw log message (stack trace included), so
  # whatever the application logs is forwarded to the recipient's mailbox.
  email {
    body        => "%{message}"
    from        => "xxxxxxx"
    contenttype => "text/plain; charset=UTF-8"
    # NOTE(review): the SMTP password is stored inline. Keep this file out of
    # version control and readable only by the Logstash service account. No
    # TLS option is set in this list; confirm how the login is protected in
    # transit.
    options => [
      "smtpIporHost",       "smtp.sina.com",
      "userName",           "xxxxxxx",
      "password",           "*********",
      "authenticationType", "login"
    ]
    subject => "服务器%{host} %{type}日志异常"
    to      => "xxxxxxxx"
  }
}
去重发日志:
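# Pipeline: tail the Tomcat catalina.out log, keep only ERROR-level events,
# index them in Elasticsearch, and mail them with repeated errors suppressed.
#
# Fixes relative to the original listing:
#   * "content" was removed by mutate BEFORE throttle used it as its key, so
#     the key never resolved to the error text and all ERROR events shared one
#     counter. The mutate now runs after throttle.
#   * The output conditional had no opening "{" (and the braces were therefore
#     unbalanced), which is a configuration syntax error.

input {
  file {
    type => "java-err"
    path => "/fsmeeting/tomcat-service/logs/catalina.out"
    tags => "java-err"
    # Lines that do NOT start with an ISO8601 timestamp (stack-trace lines)
    # are folded into the preceding event.
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601}"
      negate  => true
      what    => "previous"
    }
  }
}

filter {
  if [type] == "java-err" {
    # Split "<timestamp> [thread]-[LEVEL] text" into named fields.
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:date} \[(?<thread_name>.+?)\]-\[(?<log_level>\w+)\]\s*(?<content>.*)"}
    }

    if [log_level] == "ERROR" {
      # Count events per distinct error text. The first two events for a key
      # pass untouched; later ones within the throttle window are tagged
      # "throttled". No "period" is set, so the filter's default window
      # applies.
      throttle {
        after_count => 2
        key         => "%{content}"
        add_tag     => "throttled"
      }
    }

    # Anything that is not an ERROR is discarded; this includes events the
    # grok above failed to parse, since they carry no log_level field.
    if [log_level] != "ERROR" {
      drop {}
    }

    # Must come after throttle: the throttle key is built from this field.
    mutate {
      remove_field => "content"
    }
  }
}

output {
  # Throttled events are still indexed; only the mail below is suppressed.
  # NOTE(review): plain HTTP and no credentials are configured here, so event
  # bodies cross the network unencrypted; confirm the Elasticsearch node is
  # only reachable from trusted hosts.
  elasticsearch {
    host     => "192.168.5.231"
    protocol => "http"
    index    => "java-err-%{+YYYY.MM.dd}"
  }

  if "throttled" not in [tags] and [type] == "java-err" and [log_level] == "ERROR" {
    # NOTE(review): the body is the raw log message (stack trace included), so
    # whatever the application logs is forwarded to the recipient's mailbox.
    email {
      body        => "%{message}"
      from        => "xxxxxxx"
      contenttype => "text/plain; charset=UTF-8"
      # NOTE(review): the SMTP password is stored inline. Keep this file out
      # of version control and readable only by the Logstash service account.
      # No TLS option is set in this list; confirm how the login is protected
      # in transit.
      options => [
        "smtpIporHost",       "smtp.sina.com",
        "userName",           "xxxxxxx",
        "password",           "*********",
        "authenticationType", "login"
      ]
      subject => "服务器%{host} %{type}日志异常"
      to      => "xxxxxxxx"
    }
  }
}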