Passing JSON application log to remote LogStash via NXLog on Windows
I have been trying to pass logs from a windows application which are already formatted in JSON to logstash via NXlog.
When I have NXLOG send the file to Logstash, I get blasted with errors in the logstash.log:
:message=>"An error occurred. Closing connection",
:client=>"10.xxx.xxx.147:61047",
:exception=>#<IndexError: string not matched>
Full text of error:
{:timestamp=>"2015-04-25T15:15:37.084000-0900", :message=>"An error occurred. Closing connection", :client=>"10.xxx.xxx.147:61047", :exception=>#<IndexError: string not matched>, :backtrace=>["org/jruby/RubyString.java:3910:in `[]='", "/opt/logstash/lib/logstash/event.rb:62:in `initialize'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-json_lines-0.1.6/lib/logstash/codecs/json_lines.rb:37:in `decode'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-line-0.1.5/lib/logstash/codecs/line.rb:36:in `decode'", "org/jruby/RubyArray.java:1613:in `each'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-line-0.1.5/lib/logstash/codecs/line.rb:35:in `decode'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-json_lines-0.1.6/lib/logstash/codecs/json_lines.rb:35:in `decode'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-0.1.3/lib/logstash/inputs/tcp.rb:116:in `handle_socket'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-0.1.3/lib/logstash/inputs/tcp.rb:145:in `client_thread'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-0.1.3/lib/logstash/inputs/tcp.rb:143:in `client_thread'"], :level=>:error}
{:timestamp=>"2015-04-25T15:15:38.097000-0900", :message=>"JSON parse failure. Falling back to plain-text", :error=>#<LogStash::Json::ParserError: Unexpected end-of-input: expected close marker for OBJECT (from [Source: [B@26f64966; line: 1, column: 2])
at [Source: [B@26f64966; line: 2, column: 5]>, :data=>" {\r\n", :level=>:info}
Here is my NXLOG configuration:
    ## Please set the ROOT to the folder your nxlog was installed into,
    ## otherwise it will not start.
    define ROOT C:\Program Files (x86)\nxlog
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log
    <Extension json>
        Module xm_json
    </Extension>
    # Nxlog internal logs
    <Input internal>
        Module im_internal
        Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
    </Input>
    # Windows Event Log
    <Input eventlog>
        Module im_msvistalog
        Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
    </Input>
    #Server Logs
    <Input Selected_Directory>
        Module im_file
        File 'E:\ELK\logs\*.json'
        SavePos False
    </Input>
    #EventLog Out
    <Output out>
        Module om_tcp
        Host 10.xxx.xxx.127
        Port 3515
    </Output>
    #<output perf_out>
    # Module om_tcp
    # Host 10.xxx.xxx.127
    # Port 3517
    #</Output>
    #JSON Out
    <Output out2>
        Module om_tcp
        Host 10.xxx.xxx.127
        Port 3516
    </Output>
    <Route 1>
        Path internal, eventlog => out
    </Route>
    <Route 2>
        Path Selected_Directory => out2
    </Route>
LogStash conf:
    input {
      tcp {
        type => "eventlog"
        port => 3515
        codec => json_lines
      }
      tcp {
        type => "log"
        port => 3516
        codec => json
      }
    }
    output {
      elasticsearch {
        cluster => "MyElkCluster"
        host => "127.0.0.1"
      }
    }
Example of application's JSON file format:
    [
      {
        "timestamp":"19:54:01.117_0005",
        "type":"N",
        "calllevel":0,
        "thread":772,
        "topic":"ExmpleTopic",
        "level":61,
        "file":"//blah/blah/blah.cpp",
        "function":"functiontext",
        "line":312,
        "message":"Example Message Text",
        "attributes":
        {
          "ThreadName":"1234"
        }
      },
      {
        "timestamp":"20:07:54.038_0691",
        "type":"N",
        "calllevel":0,
        "thread":2324,
        "topic":"ExampleTopic",
        "level":61,
        "file":"//blah/blah/blah.cpp",
        "function":"ExampleFunction",
        "line":2962,
        "message":"Example Message Text",
        "attributes":
        {
          "ThreadName":"1234"
        }
      }
    ]
I have two additional questions aside from the obvious "help me figure out this error":
- What is the difference between json_lines and json when it comes to logstash input? It was my understanding that json_lines was for streaming text, and json implied that I would send the entire file at one time.
- Do I need to add "exec to_json();" to my nxlog input named 'selected_directory'?
logstash json nxlog elk
asked Apr 26 '15 at 0:45
Noobixide
2 Answers
I would suggest trying the tcp input, forget about defining the codec in your input, it's generally a bad idea I have found:
    input {
      tcp {
        type => "eventlog"
        port => 3515
      }
    }
    filter {
      multiline {
        pattern => "^\s"
        what => "previous"
      }
      json {
        "source" => "message"
      }
    }
    output {
      elasticsearch {
        cluster => "MyElkCluster"
        host => "127.0.0.1"
      }
    }
So in this config, it will accept the traffic on the tcp port defined, not setting a codec, then pass the input to a multiline filter, which will look for lines which start with whitespace, and if it finds any it will join them to the previous line. That new line created by multiline will then be passed to the json filter, which should be able to parse the entry.
answered Apr 29 '15 at 14:37
Rumbles
Thank you VERY much for this idea. I will give it a shot later tonight!
– Noobixide
Apr 29 '15 at 19:35
I was also getting an error when using the json_lines codec that said:
IndexError: string not matched
and solved it by making sure the JSON string I was generating did not contain any newline characters (ie: "\n") except for immediately following the JSON object, as a delimiter.
answered Oct 2 '16 at 0:45
cessationoftime
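Added example (not from the original posts or from the NXLog/Logstash projects): a Python simulation of the framing problem the second answer describes. It decodes a constructed, pretty-printed log one physical line at a time, as a line-oriented shipper and codec would, then re-serializes it as one compact object per line. The function names and the sample data are assumptions made for this illustration.

```python
import json

# Constructed sample: a pretty-printed JSON array with CRLF line endings,
# shaped like the application log in the question (fields abbreviated).
PRETTY_LOG = "\r\n".join([
    '[',
    ' {',
    '  "timestamp":"19:54:01.117_0005",',
    '  "thread":772,',
    '  "message":"Example Message Text",',
    '  "attributes":',
    '  {',
    '   "ThreadName":"1234"',
    '  }',
    ' },',
    ' {',
    '  "timestamp":"20:07:54.038_0691",',
    '  "thread":2324,',
    '  "message":"line one\\nline two",',  # JSON-escaped newline inside a value
    '  "attributes":',
    '  {',
    '   "ThreadName":"1234"',
    '  }',
    ' }',
    ']',
]) + "\r\n"


def decode_per_line(text):
    """Treat every physical line as its own JSON document (hypothetical
    stand-in for line-based framing). Returns (events, failures)."""
    events, failures = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        try:
            doc = json.loads(raw)
        except json.JSONDecodeError:
            failures.append(raw)
            continue
        # Only a JSON object is a usable event; a bare scalar is not.
        if isinstance(doc, dict):
            events.append(doc)
        else:
            failures.append(raw)
    return events, failures


def to_json_lines(text):
    """Parse the whole document once, then emit one compact object per
    line, with a newline only as the record delimiter."""
    records = json.loads(text)
    if not isinstance(records, list):
        records = [records]
    lines = []
    for rec in records:
        line = json.dumps(rec, separators=(",", ":"))
        # json.dumps escapes control characters inside strings, so a raw
        # CR or LF here would indicate a framing bug.
        if "\n" in line or "\r" in line:
            raise ValueError("raw newline inside serialized record")
        lines.append(line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    events, failures = decode_per_line(PRETTY_LOG)
    print("pretty-printed:", len(events), "events,", len(failures), "fragments")
    events, failures = decode_per_line(to_json_lines(PRETTY_LOG))
    print("one object per line:", len(events), "events,", len(failures), "fragments")
```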