-1

I'm having trouble to get the correct regex for filebeat when using tomcat and log4j. For this log:

21/10/2022 16:04:37 ERROR en Clase: ExceptionLogger - MSN: test
 Exception.Class: BUSINESS EXCEPTION
 ErrorCode: 0
 Usuario: test
 StackTrace:
    at ar.com.test.conf.Monitor.monitorTest(ImpBusCaja.java:1213)
    at ar.com.test.delegators.Monitor.m(Cajas.java:595)

I've configured this pattern: '^[[:space:]]' with negate=false and match=after (as the documentation says) but it doesn't work. Even if I use the go playground, it should work: https://go.dev/play/p/JGV8ZDPtHwt

dssof
  • 117
  • 6

1 Answers1

1

Here's what we have for configuration for log4j-based files with a slightly different pattern, but you should be able to adapt it to your situation:

multiline.type: pattern
multiline.pattern: '^\d{4}-\d{2}-'
multiline.negate: true
multiline.match: after

Here's an example standard log4j log line:

2022-10-22 13:55:34,932 [pool-8-thread-1] TRACE fully.qualified.class.Name- Here's the raw message

Here's an example exception message:

2022-10-21 20:14:42,442 [catalina-exec-6] ERROR fully.qualified.class.Name- Main error message
fully.qualified.exception.Type: Exception error message
    at stack.trace.class.method(Source.java:103)
    at stack.trace.class.method(Source.java:203)
    at stack.trace.class.method(Source.java:303)
    at stack.trace.class.method(Source.java:403)

So we are just looking for log lines starting with dddd-dd- and assuming that those are always "new log entries". We could certainly confuse things with a log line that was a continuation of something previous which started with that same pattern, but that's very rare.

Christopher Schultz
  • 20,221
  • 9
  • 60
  • 77