
Custom Logging

Setup log4j.properties

# Appender "es": size-based rolling file that Logstash tails below.
# NOTE(review): org.apache.log4j is the log4j 1.x API, which is end-of-life upstream;
# confirm this is the logging framework the server actually ships with.
log4j.appender.es=org.apache.log4j.RollingFileAppender
# Must match the `path` of the decision-server file input in the Logstash config.
log4j.appender.es.File=/var/log/RiskShield/ecom/dev/cur/server.log
# Rotate at 100MB and keep 10 rotated files; anything older is discarded, so logs
# must be shipped before they age out of this window.
log4j.appender.es.MaxFileSize=100MB
log4j.appender.es.MaxBackupIndex=10
log4j.appender.es.layout=org.apache.log4j.PatternLayout
# ISO8601 date (yyyy-MM-dd HH:mm:ss,SSS, no time zone) followed by the message.
# The Logstash multiline codec and grok pattern below key off this leading timestamp.
log4j.appender.es.layout.ConversionPattern=%d{ISO8601} %m%n
# Server logger at INFO, routed to the "es" appender.
log4j.logger.com.riskshield.server=INFO,es
# additivity=true (the default): events also propagate to the root logger's appenders,
# so a line can be written twice if root also has a file appender.
log4j.additivity.com.riskshield.server=true

# Two plugins raised to DEBUG.
# NOTE(review): these loggers name `es` again while their parent already routes to `es`
# with additivity on, so their events are likely written to server.log twice — confirm,
# and either drop `,es` here or set additivity=false for them.
# NOTE(review): DEBUG plugin output may include transaction details; check what
# DebugPlugin/PrintPlugin emit before the log is shipped to a shared index.
log4j.logger.com.riskshield.server.plugin.DebugPlugin=DEBUG,es
log4j.logger.com.riskshield.server.plugin.PrintPlugin=DEBUG,es

This produces log lines like the following example:

2016-12-21 15:53:22,730 0 | STA9201 | I | 0 transactions since 2016-12-21 15:52:22, next statistical log at: 2016-12-21 15:54:22

Logstash

Example template

input {
    # Tails the decision-server log written by the log4j "es" appender above.
    # The Logstash user needs read access to the log path and write access to the
    # sincedb directory.
    file {
        type => "decision-server"
        # NOTE(review): add_field is given twice; confirm your Logstash version merges
        # repeated settings rather than keeping only the last one, or use a single hash:
        # add_field => { "application" => "RiskShield" "channel" => "E-Commerce" }
        add_field => ["application","RiskShield"]
        add_field => ["channel","E-Commerce"]
        path => "/var/log/RiskShield/ecom/dev/cur/server.log"
        # Read from the start of a file the first time it is seen; later runs resume
        # from the offset stored in sincedb.
        start_position => beginning
        # Lines that do not start with an ISO8601 timestamp (stack traces, wrapped
        # text) are appended to the preceding event.
        codec => multiline {
            pattern => "^%{TIMESTAMP_ISO8601}"
            negate => true
            what => "previous"
        }
        # Per-input sincedb so the two file inputs do not share read offsets.
        sincedb_path => "/var/opt/RiskShield/logstash/sincedb/ecom-decision-server"
        # Uncomment for debugging only: with no persisted offset, every restart
        # re-reads the whole file from the beginning and produces duplicate events.
        #sincedb_path => "/dev/null"
    }
    # Same setup for the data-server log; see the comments on the input above.
    file {
        type => "data-server"
        add_field => ["application","RiskShield"]
        add_field => ["channel","E-Commerce"]
        path => "/var/log/RiskShield/ecom/dev/cur/dataserver.log"
        start_position => beginning
        codec => multiline {
            pattern => "^%{TIMESTAMP_ISO8601}"
            negate => true
            what => "previous"
        }
        sincedb_path => "/var/opt/RiskShield/logstash/sincedb/ecom-data-server"
    }
}

Grok pattern and date filter

filter {
    # if not daily log rotate
    # (original note; presumably meaning this pattern targets the size-based rotation
    # configured in log4j above rather than daily files — confirm)
    # Parses the log4j line format "<ISO8601 time> <number> | <logger> | <level> | <message>"
    # into the fields time, logger (e.g. STA9201), level (e.g. I) and logmessage.
    # The unnamed %{NUMBER} is matched but not stored.
    # NOTE(review): GREEDYDATA is `.*`, which does not span newlines, so for events the
    # multiline codec joined, logmessage is likely to hold only the first line — confirm;
    # prefixing the pattern with `(?m)` is the usual fix.
    # Lines that do not match are tagged _grokparsefailure and keep their raw "message".
    grok {
            match => {
                    "message" => "%{TIMESTAMP_ISO8601:time}\s%{NUMBER}\s\| %{DATA:logger} \| %{WORD:level} \| (%{GREEDYDATA:logmessage})?"
            }
    }
    # Sets @timestamp from the parsed "time" field (no `target`, so @timestamp is replaced).
    # NOTE(review): the log4j pattern logs no time zone, so the value is interpreted in the
    # Logstash host's local zone unless `timezone` is set here — this matters when
    # correlating events across hosts during an investigation.
    date {
        match => ["time", "yyyy-MM-dd HH:mm:ss,SSS", "HH:mm:ss,SSS", "ISO8601"]
        # Removed only after a successful date parse: the raw "message" is dropped once
        # its pieces have been extracted, so the original line survives only on failure.
        remove_field => [ "ISO8601_TIMEZONE", "message", "time" ]
    }
}