logstash filter for Java logs

Question

I am trying to write a logstash filter for my Java logs so that I can insert them into my database cleanly.

Below is an example of my log format:

FINE  2016-01-28 22:20:42.614+0000  net.myorg.crypto.CryptoFactory:getInstance:73:v181328
AppName   : MyApp  AssocAppName:
Host      : localhost  127.000.000.001  AssocHost:
Thread    : http-bio-8080-exec-5[23]
SequenceId: -1
Logger    : net.myorg.crypto.CryptoFactory
Message   : ENTRY
---
FINE  2016-01-28 22:20:42.628+0000  net.myorg.crypto.CryptoFactory:getInstance:75:v181328
AppName   : MyApp  AssocAppName:
Host      : localhost  127.000.000.001  AssocHost:
Thread    : http-bio-8080-exec-5[23]
SequenceId: -1
Logger    : net.myorg.crypto.CryptoFactory
Message   : RETURN
---

My logstash-forwarder is pretty simple. It just includes all logs in the directory (they all have the same format as above)

"files": [
    {
        "paths":  [ "/opt/logs/*.log" ],
        "fields": { "type": "javaLogs" }
    }
]

The trouble I'm having is on the logstash side. How can I write a filter in logstash to match this log format?

Using something like this, gets me close:

filter {

      if [type] == "javaLogs" {

          multiline {
              pattern => "^%{TIMESTAMP_ISO8601}"
              negate => true
              what => "previous"
          }
      }
}

But I want to break each line in the log down to its own mapping in logstash. For example, creating fields like AppName, AssocHost, Host, Thread, etc.

I think the answer is using grok.

Answer 1

Joining them with multiline (the codec or filter, depending on your needs) is a great first step.

Unfortunately, your pattern says "If the log entry doesn't start with a timestamp, join it with the previous eentry".

Note that none of your log entries start with a timestamp.