Class: LogStash::Inputs::Log4j

Inherits:

Base

• Object
• Base
• LogStash::Inputs::Log4j

Defined in:

lib/logstash/inputs/log4j.rb

Overview

Deprecation Notice

NOTE: This plugin is deprecated. It is recommended that you use filebeat to collect logs from log4j.

The following section is a guide for how to migrate from SocketAppender to use filebeat.

To migrate away from log4j SocketAppender to using filebeat, you will need to make 3 changes:

1) Configure your log4j.properties (in your app) to write to a local file. 2) Install and configure filebeat to collect those logs and ship them to Logstash 3) Configure Logstash to use the beats input.

.Configuring log4j for writing to local files

In your log4j.properties file, remove SocketAppender and replace it with RollingFileAppender.

For example, you can use the following log4j.properties configuration to write daily log files.

# Your app's log4j.properties (log4j 1.2 only)
log4j.rootLogger=daily
log4j.appender.daily=org.apache.log4j.rolling.RollingFileAppender
log4j.appender.daily.RollingPolicy=org.apache.log4j.rolling.TimeBasedRollingPolicy
log4j.appender.daily.RollingPolicy.FileNamePattern=/var/log/your-app/app.%d.log
log4j.appender.daily.layout = org.apache.log4j.PatternLayout
log4j.appender.daily.layout.ConversionPattern=%d{YYYY-MM-dd HH:mm:ss,SSSZ} %p %c{1}:%L - %m%n

Configuring log4j.properties in more detail is outside the scope of this migration guide.

.Configuring filebeat

Next, www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation.html[install filebeat]. Based on the above log4j.properties, we can use this filebeat configuration:

# filebeat.yml
filebeat:
  prospectors:
    -
      paths:
        - /var/log/your-app/app.*.log
      input_type: log
output:
  logstash:
    hosts: ["your-logstash-host:5000"]

For more details on configuring filebeat, see www.elastic.co/guide/en/beats/filebeat/current/filebeat-configuration.html[the filebeat configuration guide].

.Configuring Logstash to receive from filebeat

Finally, configure Logstash with a beats input:

# logstash configuration
input {
  beats {
    port => 5000
  }
}

It is strongly recommended that you also enable TLS in filebeat and logstash beats input for protection and safety of your log data..

For more details on configuring the beats input, see www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html[the logstash beats input documentation].

”‘

Read events over a TCP socket from a Log4j SocketAppender. This plugin works only with log4j version 1.x.

Can either accept connections from clients or connect to a server, depending on ‘mode`. Depending on which `mode` is configured, you need a matching SocketAppender or a SocketHubAppender on the remote side.

One event is created per received log4j LoggingEvent with the following schema:

• ‘timestamp` => the number of milliseconds elapsed from 1/1/1970 until logging event was created.

• ‘path` => the name of the logger

• ‘priority` => the level of this event

• ‘logger_name` => the name of the logger

• ‘thread` => the thread name making the logging request

• ‘class` => the fully qualified class name of the caller making the logging request.

• ‘file` => the source file name and line number of the caller making the logging request in a colon-separated format “fileName:lineNumber”.

• ‘method` => the method name of the caller making the logging request.

• ‘NDC` => the NDC string

• ‘stack_trace` => the multi-line stack-trace

Also if the original log4j LoggingEvent contains MDC hash entries, they will be merged in the event as fields.

Defined Under Namespace

Classes: Log4jInputStream

Instance Method Summary

• #add_socket_mixin(socket) ⇒ Object
• #build_client_socket ⇒ Object

  def run.

• #create_event(log4j_obj) ⇒ Object
• #initialize(*args) ⇒ Log4j constructor

  A new instance of Log4j.

• #register ⇒ Object
• #run(output_queue) ⇒ Object
• #stop ⇒ Object

  method used to stop the plugin and unblock pending blocking operatings like sockets and others.

Constructor Details

#initialize(*args) ⇒ Log4j

Returns a new instance of Log4j.

# File 'lib/logstash/inputs/log4j.rb', line 120

def initialize(*args)
  super(*args)
end

Instance Method Details

#add_socket_mixin(socket) ⇒ Object

# File 'lib/logstash/inputs/log4j.rb', line 257

def add_socket_mixin(socket)
  socket.instance_eval { class << self; include ::LogStash::Util::SocketPeer end }
end

#build_client_socket ⇒ Object

def run

# File 'lib/logstash/inputs/log4j.rb', line 251

def build_client_socket
  s = TCPSocket.new(@host, @port)
  add_socket_mixin(s)
  s
end

#create_event(log4j_obj) ⇒ Object

# File 'lib/logstash/inputs/log4j.rb', line 142

def create_event(log4j_obj)
  # NOTE: log4j_obj is org.apache.log4j.spi.LoggingEvent
  event = LogStash::Event.new("message" => log4j_obj.getRenderedMessage)
  event.set("timestamp", log4j_obj.getTimeStamp)
  event.set("path", log4j_obj.getLoggerName)
  event.set("priority", log4j_obj.getLevel.toString)
  event.set("logger_name", log4j_obj.getLoggerName)
  event.set("thread", log4j_obj.getThreadName)
  event.set("class", log4j_obj.getLocationInformation.getClassName)
  event.set("file", log4j_obj.getLocationInformation.getFileName + ":" + log4j_obj.getLocationInformation.getLineNumber)
  event.set("method", log4j_obj.getLocationInformation.getMethodName)
  event.set("NDC", log4j_obj.getNDC) if log4j_obj.getNDC
  event.set("stack_trace", log4j_obj.getThrowableStrRep.to_a.join("\n")) if log4j_obj.getThrowableInformation

  # Add the MDC context properties to event
  if log4j_obj.getProperties
    log4j_obj.getPropertyKeySet.each do |key|
      event.set(key, log4j_obj.getProperty(key))
    end
  end
  return event
end

#register ⇒ Object

# File 'lib/logstash/inputs/log4j.rb', line 125

def register
  begin
    Java::OrgApacheLog4jSpi.const_get("LoggingEvent")
  rescue
    raise(LogStash::PluginLoadingError, "Log4j java library not loaded")
  end

  @logger.warn("This plugin is deprecated. Please use filebeat instead to collect logs from log4j applications.")

  if server?
    @logger.info("Starting Log4j input listener", :address => "#{@host}:#{@port}")
    @server_socket = TCPServer.new(@host, @port)
  end
  @logger.info("Log4j input")
end

#run(output_queue) ⇒ Object

# File 'lib/logstash/inputs/log4j.rb', line 231

def run(output_queue)
  if server?
    while !stop?
      Thread.start(@server_socket.accept) do |s|
        add_socket_mixin(s)
        @logger.debug? && @logger.debug("Accepted connection", :client => s.peer,
                      :server => "#{@host}:#{@port}")
        handle_socket(s, output_queue)
      end # Thread.start
    end # loop
  else
    while !stop?
      client_socket = build_client_socket
      @logger.debug? && @logger.debug("Opened connection", :client => "#{client_socket.peer}")
      handle_socket(client_socket, output_queue)
    end # loop
  end
rescue IOError
end

#stop ⇒ Object

method used to stop the plugin and unblock pending blocking operatings like sockets and others.

# File 'lib/logstash/inputs/log4j.rb', line 223

def stop
  begin
    @server_socket.close if @server_socket && !@server_socket.closed?
  rescue IOError
  end
end