Logstash Grok filter reading wrong value - exception

I am currently trying to set up some data collections for our app using the full ELK stack (Beats - Logstash - ElasticSearch - Kibana). So far everything is working as it should, but I have a requirement to capture statistics on the exceptions thrown by the applications (e.g. java.lang.IllegalArgumentException).
I am not really interested in the stack trace itself so I went ahead and added a separate grok filter just for the exception.
Example of Message:
2016-11-15 05:19:28,801 ERROR [App-Initialisation-Thread] appengine.java:520 Failed to initialize external authenticator myapp Support Access || appuser#vm23-13:/mnt/data/install/assembly app-1.4.12#cad85b224cce11eb5defa126030f21fa867b0dad
java.lang.IllegalArgumentException: Could not check if provided root is a directory
at com.myapp.io.AbstractRootPrefixedFileSystem.checkAndGetRoot(AbstractRootPrefixedFileSystem.java:67)
at com.myapp.io.AbstractRootPrefixedFileSystem.<init>(AbstractRootPrefixedFileSystem.java:30)
at com.myapp.io.s3.S3FileSystem.<init>(S3FileSystem.java:32)
at com.myapp.io.s3.S3FileSystemDriver.loadFileSystem(S3FileSystemDriver.java:60)
at com.myapp.io.FileSystems.getFileSystem(FileSystems.java:55)
at com.myapp.authentication.ldap.S3LdapConfigProvider.initializeCloudFS(S3LdapConfigProvider.java:77)
at com.myapp.authentication.ldap.S3LdapConfigProvider.loadS3Config(S3LdapConfigProvider.java:51)
at com.myapp.authentication.ldap.S3LdapConfigProvider.getLdapConfig(S3LdapConfigProvider.java:42)
at com.myapp.authentication.ldap.DelegatingLdapConfigProvider.getLdapConfig(DelegatingLdapConfigProvider.java:45)
at com.myapp.authentication.ldap.LdapExternalAuthenticatorFactory.create(LdapExternalAuthenticatorFactory.java:28)
at com.myapp.authentication.ldap.LdapExternalAuthenticatorFactory.create(LdapExternalAuthenticatorFactory.java:10)
at com.myapp.frob.appengine.getExternalAuthenticators(appengine.java:516)
at com.myapp.frob.appengine.startUp(appengine.java:871)
at com.myapp.frob.appengine.startUp(appengine.java:754)
at com.myapp.jsp.KewServeInitContextListener$1.run(QServerInitContextListener.java:104)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.nio.file.NoSuchFileException: fh-ldap-config/
at com.upplication.s3fs.util.S3Utils.getS3ObjectSummary(S3Utils.java:55)
at com.upplication.s3fs.util.S3Utils.getS3FileAttributes(S3Utils.java:64)
at com.upplication.s3fs.S3FileSystemProvider.readAttributes(S3FileSystemProvider.java:463)
at com.myapp.io.AbstractRootPrefixedFileSystem.checkAndGetRoot(AbstractRootPrefixedFileSystem.java:61)
Example of grok statement:
grok {
patterns_dir => ["./patterns"]
match => ["message", "%{GREEDYDATA}\n%{JAVAFILE:exception}"]
}
Testing on the grok debugger shows correct results:
{
"GREEDYDATA": [
[
"2016-11-15 05:19:28,801 ERROR [App-Initialisation-Thread] appengine.java:520 Failed to initialize external authenticator myapp Support Access || appuser#vm23-13:/mnt/data/install/assembly app-1.4.12#cad85b224cce11eb5defa126030f21fa867b0dad"
]
],
"exception": [
[
"java.lang.IllegalArgumentException"
]
]
}
Problem
When I add the configuration to logstash it captures the Caused string instead of the exception name, even though the "Caused" string is after another new line character. However, it works perfectly for other exception messages such as:
016-11-15 06:17:49,691 WARN [SCReplicationWorkerThread-2] ClientJob.java:207 50345 Error communicating to server `199.181.131.249':`80'. Waiting `10' seconds before retrying... If you see this message rarely, the sc will have recovered gracefully. || appuser#vm55-12:/mnt/deployment/install/app app-3.1.23#cad85b224cce11eb5defa126030f21fa867b0dad
java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
at java.net.SocketInputStream.read(SocketInputStream.java:170)
at java.net.SocketInputStream.read(SocketInputStream.java:141)
at java.net.SocketInputStream.read(SocketInputStream.java:223)
at java.io.DataInputStream.readBoolean(DataInputStream.java:242)
at com.myapp.replication.client.ClientJob.passCheckRevision(ClientJob.java:279)
at com.myapp.replication.client.ClientJob.execute(ClientJob.java:167)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:534)
Any advice would be appreciated.
Thanks

Did you set the multiline in the input or the filebeat input,
like this, to show that the pattern starts with ISO8601?
I think maybe your multiline does not fetch the whole line.
input {
beats {
port => 5044
codec => multiline {
pattern => "^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}[\.,][0-9]{3,7} "
negate => true
what => "previous"
}
}
}
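Added example, not part of the answer: a Python emulation of what the codec settings above do (`negate => true`, `what => "previous"`), followed by extraction of the first exception class from each grouped event. The class-name regex is a stricter stand-in for JAVAFILE and the function names are assumptions; the sample lines are shortened from the question.

```python
import re

# Same regex as the multiline codec "pattern" in the answer above.
EVENT_START = re.compile(
    r"^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}[\.,][0-9]{3,7} "
)

# Assumption: a stricter stand-in for the JAVAFILE grok pattern, anchored to
# the start of the event so only the line right after the header is considered.
FIRST_EXCEPTION = re.compile(r"\A[^\n]*\n((?:[A-Za-z_$][\w$]*\.)+[A-Za-z_$][\w$]*)")


def group_events(lines):
    """Emulate negate => true, what => "previous": a line that does NOT match
    the pattern is appended to the previous event."""
    events = []
    for line in lines:
        if EVENT_START.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def first_exception(event):
    """Return the exception class on the second line of an event, or None."""
    m = FIRST_EXCEPTION.match(event)
    return m.group(1) if m else None


# Constructed sample, shortened from the log lines in the question.
SAMPLE = [
    "2016-11-15 05:19:28,801 ERROR [App-Initialisation-Thread] appengine.java:520 Failed to initialize external authenticator",
    "java.lang.IllegalArgumentException: Could not check if provided root is a directory",
    "at com.myapp.io.AbstractRootPrefixedFileSystem.checkAndGetRoot(AbstractRootPrefixedFileSystem.java:67)",
    "Caused by: java.nio.file.NoSuchFileException: fh-ldap-config/",
    "at com.upplication.s3fs.util.S3Utils.getS3ObjectSummary(S3Utils.java:55)",
    "2016-11-15 06:17:49,691 WARN [SCReplicationWorkerThread-2] ClientJob.java:207 Error communicating to server",
    "java.net.SocketTimeoutException: Read timed out",
    "at java.net.SocketInputStream.socketRead0(Native Method)",
]

if __name__ == "__main__":
    for ev in group_events(SAMPLE):
        print(first_exception(ev), "<-", ev.splitlines()[0][:40])
```

A header line whose timestamp does not match the pattern (for example one missing its first digit) is treated as a continuation and glued onto the previous event.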

Related

teiid doesn't connect to mysql datasource

I have a problem on connecting to a mysql datasource from JBoss EAP 6.3 with Teiid 8.10.1 copied over it. I need to mention that I've copied mysql connector driver as a module for using mysql datasource.
Also, when I try with JBoss EAP 6.3 without Teiid, the connection works.
Anybody that confronted the same problem?
This is the error message I receive in administration console of JBoss:
"Unknown error
Unexpected HTTP response: 500
Request {
"address" => [
("subsystem" => "datasources"),
("data-source" => "database")
],
"operation" => "test-connection-in-pool" }
Response
Internal Server Error {
"outcome" => "failed",
"failure-description" => "JBAS010440: failed to invoke operation: JBAS010447: Connection is not valid",
"rolled-back" => true }"
Need to mention that in logs I don't receive a more verbose message for the error, with all logs enabled(Trace, Debug, Error, etc).

yii2-advanced:how can i save image in backend and view that in backend and frontend?

Hi, I am saving an image in the frontend and it shows correctly in the frontend. I have tested many ways to view it in the backend, but they don't work.
Please help me.
My controller in the backend:
Yii::$app->params['uploadPath'] = Yii::getAlias('@frontend') .'/web/uploads/';
$path = Yii::$app->params['uploadPath'] . $model->image_web_filename;
$image->saveAs($path);
The URLs of my backend and frontend are separate:
backend:yii.com/:81
frontend:yii.com
I tested this solution, but it didn't work:
https://stackoverflow.com/questions/23155428/how-to-get-root-directory-in-yii2
I inserted two aliases in the aliases file in backend\config:
Yii::setAlias('@frontend', 'http://frontend.sample.dev');
Yii::setAlias('@backend', 'http://backend.sample.dev');
and use that in backend/web/index.php
require(__DIR__ . '/../config/aliases.php');
but i get this error:
An Error occurred while handling another error:
exception 'yii\base\InvalidRouteException' with message 'Unable to resolve the request "site/error".' in
/var/www/blog/vendor/yiisoft/yii2/base/Module.php:532
Stack trace:
#0 /var/www/blog/vendor/yiisoft/yii2/web/ErrorHandler.php(95):
yii\base\Module->runAction('site/error')
#1 /var/www/blog/vendor/yiisoft/yii2/base/ErrorHandler.php(111):
yii\web\ErrorHandler->renderException(Object(yii\web\NotFoundHttpException))
#2 [internal function]: yii\base\ErrorHandler->handleException(Object(yii\web\NotFoundHttpException))
#3 {main}
Previous exception:
exception 'yii\base\InvalidRouteException' with message 'Unable to resolve the request "post/index".' in
/var/www/blog/vendor/yiisoft/yii2/base/Module.php:532
Stack trace:
#0 /var/www/blog/vendor/yiisoft/yii2/web/Application.php(102):
yii\base\Module->runAction('post/index', Array)
#1 /var/www/blog/vendor/yiisoft/yii2/base/Application.php(380):
yii\web\Application->handleRequest(Object(yii\web\Request))
#2 /var/www/blog/backend/web/index.php(18): yii\base\Application->run()
#3 {main}
Next exception 'yii\web\NotFoundHttpException' with message 'Page not found.' in /var/www/blog/vendor/yiisoft/yii2/web/Application.php:114
Stack trace:
#0 /var/www/blog/vendor/yiisoft/yii2/base/Application.php(380):
yii\web\Application->handleRequest(Object(yii\web\Request))
#1 /var/www/blog/backend/web/index.php(18): yii\base\Application->run()
#2 {main}
i'm pretty late to the party
but i got a few bones to pick with this solution provided.. so here it goes:
you mention you have different front and back configurations
so you are serving different folders for yii.com/:80 and yii.com/:81 respectively /frontend/web and /backend/web.
keeping this in mind,
no amount of aliases can make content of one of them available to the other.
the yii-advanced-app has @frontend and @backend aliases defined in common/config/bootstrap
Yii::setAlias('@common', dirname(__DIR__));
Yii::setAlias('@frontend', dirname(dirname(__DIR__)) . '/frontend');
Yii::setAlias('@backend', dirname(dirname(__DIR__)) . '/backend');
Yii::setAlias('@console', dirname(dirname(__DIR__)) . '/console');
DO NOT CHANGE THESE unless you know very well what you're doing.
Yii is using these aliases to autoload classes defined under these namespaces common, frontend, backend and console. this exact thing is causing the ridiculous chain of "errors occurring while handling other errors"
more details on Yii autoloading documentation
you can simply share content of these folders by creating a symlink from frontend/web/uploads to backend/web/uploads.
your webserver config (or .htaccess) will require the +FollowSymLinks option
Yii can manage this if you add a few lines to the environments/index.php file
'Development' => [
// .. other options
'setWritable' => [
// .. leave the default stuff there
'frontend/web/uploads',
],
'createSymlink' => [
// link => real folder
'backend/web/uploads' => 'frontend/web/uploads',
]
],
'Production' => [
// ..
'setWritable' => [
// ..
'frontend/web/uploads',
],
'createSymlink' => [
// link => real folder
'backend/web/uploads' => 'frontend/web/uploads',
]
],
and then run the init command again, just like in the installation guide (you do have the option to not overwrite local config files)
if you are running under windows, this might now ask you for elevated privileges
php init
or if you chose to make the symlinks manually you can try this quick guide
you can try this solution :
Yii::setAlias('@frontend', 'http://frontend.sample.dev');
Yii::setAlias('@backend', 'http://backend.sample.dev');
and if you upload files in backend set the src parameter of image to
Yii::getAlias('@backend/path/to/your/image/file');
and if you save your files in frontend replace @backend with @frontend
create this function in components folder
namespace common\components;
use Yii;
class Helper extends \yii\web\Request {
public static function getFrontendUrl($path) {
$frontUrl = str_replace('/adminpanel', '', $path);
return $frontUrl;
}
}
and use in backend :
$path = \common\components\Helper::getFrontendUrl(Yii::$app->request->baseUrl).$img;
Notice: in frontend You do not need

Play framework, SQLTimeoutException

In play framework my every first (after compilation) request ends with SQLTimeoutException after 1001 ms
Text of error:
[error] application -
! #72p3a11me - Internal server error, for (GET) [/read] ->
play.api.http.HttpErrorHandlerExceptions$$anon$1: Execution exception[[SQLTimeoutException: Timeout after 1001ms of waiting for a connection.]]
at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:280)
at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:206)
at play.api.GlobalSettings$class.onError(GlobalSettings.scala:160)
at play.api.DefaultGlobal$.onError(GlobalSettings.scala:188)
at play.api.http.GlobalSettingsHttpErrorHandler.onServerError(HttpErrorHandler.scala:98)
at play.core.server.netty.PlayRequestHandler$$anonfun$2$$anonfun$apply$1.applyOrElse(PlayRequestHandler.scala:100)
at play.core.server.netty.PlayRequestHandler$$anonfun$2$$anonfun$apply$1.applyOrElse(PlayRequestHandler.scala:99)
at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:346)
at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:345)
at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:32)
Caused by: java.sql.SQLTimeoutException: Timeout after 1001ms of waiting for a connection.
at com.zaxxer.hikari.pool.BaseHikariPool.getConnection(BaseHikariPool.java:227)
at com.zaxxer.hikari.pool.BaseHikariPool.getConnection(BaseHikariPool.java:182)
at com.zaxxer.hikari.HikariDataSource.getConnection(HikariDataSource.java:93)
at slick.jdbc.hikaricp.HikariCPJdbcDataSource.createConnection(HikariCPJdbcDataSource.scala:12)
at slick.jdbc.JdbcBackend$BaseSession.conn$lzycompute(JdbcBackend.scala:415)
at slick.jdbc.JdbcBackend$BaseSession.conn(JdbcBackend.scala:414)
at slick.jdbc.JdbcBackend$SessionDef$class.prepareStatement(JdbcBackend.scala:297)
at slick.jdbc.JdbcBackend$BaseSession.prepareStatement(JdbcBackend.scala:407)
at slick.jdbc.StatementInvoker.results(StatementInvoker.scala:33)
at slick.jdbc.StatementInvoker.iteratorTo(StatementInvoker.scala:22)
Controller action:
def readEquipment = Action.async { implicit request =>
equipmentService.read map { eq => Ok(Json.toJson(eq)) }
}
DAO method:
override def read(): Future[Seq[Equipment]] =
db.run(equipment.result)
It seems the problem is with lazy initialization which starts only after first request to database. How can I solve this problem?

Filtering Bluemix cloud foundry ERR logs on logstash

I am currently working on setting up ELK stack on Bluemix containers. By following this blog, I was able to create a logstash Drain and get all the Cloud Foundry logs from the Bluemix web app into logstash.
Is there a way to filter out logs based on log levels? I am trying to filter out ERR in logstash output and send them to Slack.
The following code is the filter configuration of the logstash.conf file:
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(?:%{NOTSPACE:syslog5424_app}|-) +(?:%{NOTSPACE:syslog5424_proc}|-) +(?:%{WORD:syslog5424_msgid}|-) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|) +%{GREEDYDATA:syslog5424_msg}" }
}
I am trying to add a Slack webhook to the logstash.conf output so that when a log level with ERR is detected, the error message is posted into the Slack channel.
My output conf file with the Slack HTTP post looks something like this code:
output {
if [loglevel] == "ERR" {
http {
http_method => "post"
url => "https://hooks.slack.com/services/<id>"
format => "json"
mapping => {
"channel" => "#logstash-staging"
"username" => "pca_elk"
"text" => "%{message}"
"icon_emoji" => ":warning:"
}
}
}
elasticsearch { }
}
Sample Logs from cloud Foundry:
2016-05-25T13:14:51.269-0400[App/0]ERR npm ERR! There is likely additional logging output above.
2016-05-25T13:14:51.269-0400[App/0]ERR npm ERR! npm owner ls pca-uiapi
2016-05-25T13:14:51.274-0400[App/0]ERR npm ERR! /home/vcap/app/npm-debug.log
2016-05-25T13:14:51.274-0400[App/0]ERR npm ERR! Please include the following file with any support request:
2016-05-25T13:14:51.431-0400[API/1]OUT App instance exited with guid cc73db5d- 6e8c-4ff4-b20f-a69d7c2ba9f4 payload: {"cc_partition"=>"default", "droplet"=>"cc73db5d-6e8c-4ff4-b20f-a69d7c2ba9f4", "version"=>"f9fb3e09-f234-43d4-94b1-a337f8ad72ad", "instance"=>"9d7ad0585b824fa196a2a64e78df9eef", "index"=>0, "reason"=>"CRASHED", "exit_status"=>1, "exit_description"=>"app instance exited", "crash_timestamp"=>1464196491}
2016-05-25T13:16:10.948-0400[DEA/50]OUT Starting app instance (index 0) with guid cc73db5d-6e8c-4ff4-b20f-a69d7c2ba9f4
2016-05-25T13:16:36.032-0400[App/0]OUT > pca-uiapi#1.0.0-build.306 start /home/vcap/app
2016-05-25T13:16:36.032-0400[App/0]OUT > node server.js
2016-05-25T13:16:36.032-0400[App/0]OUT
2016-05-25T13:16:37.188-0400[App/0]OUT PCA REST Service is listenning on port: 62067
2016-05-25T13:19:02.241-0400[App/0]ERR at Layer.handle_error (/home/vcap/app/node_modules/express/lib/router/layer.js:71:5)
2016-05-25T13:19:02.241-0400[App/0]ERR at /home/vcap/app/node_modules/body-parser/lib/read.js:125:7
2016-05-25T13:19:02.241-0400[App/0]ERR at Object.module.exports.log (/home/vcap/app/utils/Logger.js:35:25)
Is there a way to get this working? Is there a way to check the log level of each message? I am kinda stuck and was wondering if you could help me out.
In the Bluemix UI, the logs can be filtered based on the channel ERR or OUT. I could not figure how to do the same on logstash.
Thank you for looking into this problem.
The grok provided in that article is meant to parse the syslog message coming on port 5000. After all syslog filters have run, your application logs (i.e. the sample log lines you've shown in your question) are in the @message field.
So you need another grok in order to parse that message. So after the last mutate you can add this:
grok {
match => {"@message" => "%{TIMESTAMP_ISO8601:timestamp}\[%{WORD:app}/%{NUMBER:num}\]%{WORD:loglevel} %{GREEDYDATA:log}"}
}
After this filter runs, you'll have a field named loglevel which will contain either ERR or OUT and in the former case will activate your slack output.
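Added example (not from the answer or the blog it refers to): a Python approximation of the second grok, run over constructed copies of the sample lines, showing which events the `loglevel == "ERR"` conditional would forward and that a line with an empty message fails the pattern unless the space and message are made optional. The regexes, `LENIENT` and the function names are assumptions made for the illustration.

```python
import re

# Assumption: hand-written approximations of the grok patterns used in the
# answer (TIMESTAMP_ISO8601, WORD, NUMBER, GREEDYDATA), not the grok library.
TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[.,]\d+)?(?:Z|[+-]\d{2}:?\d{2})?"
HEAD = rf"(?P<timestamp>{TS})\[(?P<app>\w+)/(?P<num>\d+)\](?P<loglevel>\w+)"

# Same shape as the answer's pattern: a space, then the rest of the line.
STRICT = re.compile(HEAD + r" (?P<log>.*)")
# Variant that also accepts a channel marker with no message after it.
LENIENT = re.compile(HEAD + r"(?: (?P<log>.*))?$")


def parse(line, pattern=STRICT):
    """Return the extracted fields, or None (a grok parse failure)."""
    m = pattern.search(line)
    return m.groupdict() if m else None


def route_to_slack(lines, pattern=STRICT):
    """Messages that the `if [loglevel] == "ERR"` output block would forward."""
    forwarded = []
    for line in lines:
        fields = parse(line, pattern)
        if fields and fields["loglevel"] == "ERR":
            forwarded.append(fields["log"])
    return forwarded


def parse_failures(lines, pattern=STRICT):
    """Lines that would not get a loglevel field at all."""
    return [line for line in lines if parse(line, pattern) is None]


# Constructed sample, copied or shortened from the lines in the question.
SAMPLE = [
    "2016-05-25T13:14:51.274-0400[App/0]ERR npm ERR! /home/vcap/app/npm-debug.log",
    "2016-05-25T13:16:36.032-0400[App/0]OUT > node server.js",
    "2016-05-25T13:16:36.032-0400[App/0]OUT",
    "2016-05-25T13:16:37.188-0400[App/0]OUT PCA REST Service is listenning on port: 62067",
    "2016-05-25T13:19:02.241-0400[App/0]ERR at /home/vcap/app/node_modules/body-parser/lib/read.js:125:7",
    "2016-05-25T13:16:10.948-0400[DEA/50]OUT Starting app instance (index 0)",
]

if __name__ == "__main__":
    print("forwarded:", route_to_slack(SAMPLE))
    print("unparsed (strict):", parse_failures(SAMPLE))
    print("unparsed (lenient):", parse_failures(SAMPLE, LENIENT))
```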

how to fix "Duplicate extensions not allowed" with logstash/jruby?

I'm running logstash like it says in the starting page:
java -jar logstash-1.2.1-flatjar.jar agent --config logstash-dev.conf
With logstash-dev.conf like this:
input {
file {
path => ["/tmp/catalina.jsonevent.log"]
codec => json {
charset => "UTF-8"
}
}
}
output {
# Use stdout in debug mode again to see what logstash makes of the event.
stdout {
debug => true
}
elasticsearch_http {
host => "127.0.0.1"
}
}
And it jumps with this error:
Exception in thread "LogStash::Runner" org.jruby.exceptions.RaiseException: (StoreError) loading file failed: problem creating X509 Aux certificate: java.io.IOException: problem parsing cert: java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed
at org.jruby.ext.openssl.X509Store.add_file(org/jruby/ext/openssl/X509Store.java:151)
at RUBY.initialize(file:/usr/local/bin/logstash/logstash-1.2.1-flatjar.jar!/ftw/agent.rb:70)
at RUBY.register(file:/usr/local/bin/logstash/logstash-1.2.1-flatjar.jar!/logstash/outputs/elasticsearch_http.rb:46)
at org.jruby.RubyArray.each(org/jruby/RubyArray.java:1617)
at RUBY.outputworker(file:/usr/local/bin/logstash/logstash-1.2.1-flatjar.jar!/logstash/pipeline.rb:208)
at RUBY.start_outputs(file:/usr/local/bin/logstash/logstash-1.2.1-flatjar.jar!/logstash/pipeline.rb:140)
I've been looking everywhere (Google, the mail groups of logstash and jruby, and the same with their IRCs) but I can't find a way to solve this. I only see similar stack traces but no solution.
Can you give me any pointers on addressing this?
Thanks in advance.
We've been looking for this as well and this fixed it for us:
curl http://curl.haxx.se/ca/cacert.pem -o /usr/local/etc/openssl/cert.pem