Windows Log4日志发送到ElasticSearch

处理多行日志数据并发送到 Elasticsearch

   

Nxlog 配置

   

<Input in>
    Module      im_file
    File        "E:\log\webapi\err.log"
    # Keep the read offset across restarts so lines are neither
    # re-sent nor skipped after nxlog comes back up.
    SavePos     TRUE
</Input>

<Output out>
    # om_tcp is plaintext and unauthenticated. That is acceptable for
    # this loopback hop to a Logstash listener on the same machine; for
    # a Logstash on another host switch to om_ssl so log contents are
    # not readable in transit.
    Module      om_tcp
    Host        127.0.0.1
    Port        5544
</Output>

<Route 1>
    Path        in => out
</Route>

   

   

Logstash 配置

   

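input {
  tcp {
    port => 5544
    # The NXLog forwarder on this page sends to 127.0.0.1. Without a host
    # the tcp input binds every interface and accepts unauthenticated
    # plaintext from any machine, so pin it to loopback. Remove this line
    # (and terminate TLS in front of the port) only if the forwarder runs
    # on a different host.
    host => "127.0.0.1"
    codec => multiline {
      # "locale" takes the encoding from the Logstash host's locale, so the
      # same files may decode differently on another machine; if the log
      # encoding is known, pin it explicitly (e.g. "GBK" or "UTF-8").
      charset => "locale"
      # A line that does NOT start with "YYYY-MM-DD HH:mm:ss,SSS" is a
      # continuation of the previous event (negate + "previous").
      # The backslashes are required: "^d{4}..." only matches a literal
      # letter d, so nothing was being stacked.
      pattern => "^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}"
      negate => true
      what => "previous"
    }
    type => "log4-input"
  }
}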

   

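filter {
  if [type] == "log4-input" {
    grok {
      # Sample line: 2016-03-02 00:01:12,315 [34] ERROR [(null)] - Message
      # Square brackets and parentheses are regex metacharacters: unescaped,
      # "[...]" becomes a character class and the pattern never matches,
      # tagging every event _grokparsefailure. Escape them to match the
      # literal text.
      match => {
        "message" => "(?m)%{TIMESTAMP_ISO8601:logtime} \[%{NUMBER:priority:int}\] %{DATA:level} \[\(null\)\]"
      }
    }
    ruby {
      # Preserve the ingest time: the date filter below replaces @timestamp
      # with the time parsed from the log line.
      # NOTE: event['...'] is the pre-5.x event API; on Logstash 5+ this
      # must become event.set('readtime', event.get('@timestamp')).
      code => "event['readtime'] = event['@timestamp']"
    }
    date {
      #locale => "en"
      # logtime carries milliseconds ("00:01:12,315"), so the format must
      # include ",SSS"; without it the parse fails on every event and
      # @timestamp stays at ingest time.
      match => ["logtime", "YYYY-MM-dd HH:mm:ss,SSS"]
      #timezone => "UTC"
      #target => "logtimestamp"
      remove_field => [ "logtime" ]
    }
  }
}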

   

   

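# The conditional must sit inside an output section; a bare "if" at the
# top level is a config error and the pipeline does not start.
output {
  if [type] == "log4-input" {
    elasticsearch {
      # Plain HTTP to a node on this host, no credentials. For a cluster
      # that is not local, enable TLS (ssl => true) and set user/password
      # so log data and the index are not exposed in transit.
      hosts => ["localhost:9200"]
    }
  }
}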

   

   

日志格式示例

2016-03-02 00:01:12,315 [34] ERROR [(null)] - Messagefdsa

Fdsadfsa

2016-03-02 00:01:12,315 [34] ERROR [(null)] - Message1