处理多行数据到elasticsearch

Nxlog 配置

<Input in>

Module im_file

File "E:\\log\\webapi\\\err.log"

SavePos TRUE

</Input>

<Output out>

Module om_tcp

Host 127.0.0.1

Port 5544

</Output>

<Route 1>

Path in => out

</Route>

Logstash 配置

input {

tcp {

port => 5544

codec => multiline {

charset =>"locale"

pattern => "^\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2}\:\d{2}\,\d{3}"

negate => true

what => "previous"

}

type => "log4-input"

}

}

filter {

if [type]=="log4-input"{

grok {

match => {

"message" => "(?m)%{TIMESTAMP_ISO8601:logtime} \[%{NUMBER:priority:int}\] %{DATA:level} \[\(null\)\]"

}

}

ruby {

code => "event['readtime'] = event['@timestamp']"

}

date {

#locale => "en"

match => ["logtime", "YYYY-MM-dd HH:mm:ss"]

#timezone => "UTC"

#target => "logtimestamp"

remove_field => [ "logtime"]

}

}

}

if [type]=="log4-input"{

elasticsearch {

hosts => ["localhost:9200"]

}

}

日志格式

2016-03-02 00:01:12,315 [34] ERROR [(null)] - Messagefdsa

Fdsadfsa

2016-03-02 00:01:12,315 [34] ERROR [(null)] - Message1