Shipping tomcat logs to logstash

In my previous post I explained how to set up Logstash. This time we will expand it to ship the log files from Tomcat.

I assume you are using Fedora / RHEL / CentOS as the OS and have installed Tomcat from the RPMs provided by the repository. The tutorial can easily be adapted to other Linux distributions or Tomcat installations; only the file locations will change.

As the first step we will change Tomcat’s logging behavior and disable the built-in log rotation. In /etc/tomcat/server.xml you need to change the section at the very bottom of the configuration:


<Valve className="org.apache.catalina.valves.AccessLogValve"
  directory="logs" prefix="access"
  suffix=".log" rotatable="false" resolveHosts="false"
  pattern="%h %l %u %t &quot;%r&quot; %s %b" />

and disable the log rotation in /etc/tomcat/logging.properties


1catalina.org.apache.juli.FileHandler.level = FINE
1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.FileHandler.prefix = catalina
1catalina.org.apache.juli.FileHandler.rotatable = false
2localhost.org.apache.juli.FileHandler.level = FINE
2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.FileHandler.prefix = localhost
2localhost.org.apache.juli.FileHandler.rotatable = false
3manager.org.apache.juli.FileHandler.level = FINE
3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
3manager.org.apache.juli.FileHandler.prefix = manager
3manager.org.apache.juli.FileHandler.rotatable = false
4host-manager.org.apache.juli.FileHandler.level = FINE
4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
4host-manager.org.apache.juli.FileHandler.prefix = host-manager
4host-manager.org.apache.juli.FileHandler.rotatable = false

Now the log files in /var/log/tomcat/ will be written to files with constant names like access.log, manager.log etc.
To keep the files from growing without bound, we’ll use logrotate.

yum install logrotate

And add a configuration for tomcat at /etc/logrotate.d/tomcat


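# copytruncate copies the log and then truncates it in place,
# so Tomcat can keep writing to its open file handle.
# Note: logrotate ignores "create" when copytruncate is set,
# because the original file is never replaced.
/var/log/tomcat/catalina.out {
  copytruncate
  daily
  rotate 7
  compress
  missingok
  create 0644 tomcat tomcat
}
/var/log/tomcat/*.log {
  copytruncate
  daily
  rotate 7
  compress
  missingok
  create 0644 tomcat tomcat
}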

You may want to use different users and retention periods.

Now we will configure the logstash-forwarder to ship the current file. In /opt/logstash-forwarder/, set up a configuration file named logstash-forwarder.conf:


{
 "network": {
  "servers": [ "my-logstash-server.example.org:9998" ],
  "ssl certificate": "/etc/pki/tls/certs/client01.crt",
  "ssl key": "/etc/pki/tls/private/client01.key",
  "ssl ca": "/etc/pki/CA/cacert.pem"
 },
 "files": [
  {
   "paths": [ "/var/log/tomcat/access.log" ],
   "fields": { "type": "apache-access" }
  }
 ]
}

You’ll also need to set up the logstash-forwarder as a daemon, as explained in the last post. It will then transmit the log files (in this example only the access.log) to Logstash. To parse the file correctly, you’ll need to configure the server with a parser for the type apache-access (the format is similar to the Apache HTTPD access.log). The first post has a working setup for this.

If you want to ship Tomcat’s server log or your application logs, you will need to configure different parsers depending on the log format.
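
To check on the shipping host that access.log really has the shape the apache-access parser expects, the valve pattern `%h %l %u %t "%r" %s %b` can be mirrored in a small parser. This is an added example, not code from the original post; the function names and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Regex equivalent of the valve pattern  %h %l %u %t "%r" %s %b
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

def parse_access_line(line):
    """Return a dict of fields, or None if the line does not match the pattern."""
    m = CLF.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    try:
        # %t is written as [dd/MMM/yyyy:HH:mm:ss Z]
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    rec["status"] = int(rec["status"])
    # %b logs "-" when no body bytes were sent
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # %r is "METHOD URI PROTOCOL"; a malformed request may not split in three
    parts = rec["request"].split(" ")
    if len(parts) == 3:
        rec["method"], rec["uri"], rec["protocol"] = parts
    else:
        rec["method"] = rec["uri"] = rec["protocol"] = None
    return rec

def check_lines(lines):
    """Split lines into parsed records and raw lines that failed to parse."""
    parsed, rejected = [], []
    for line in lines:
        rec = parse_access_line(line)
        (parsed if rec else rejected).append(rec or line)
    return parsed, rejected

# Constructed sample lines (not taken from a real server)
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2014:10:15:32 +0100] "GET /index.jsp HTTP/1.1" 200 1532',
    '192.0.2.11 - admin [12/Mar/2014:10:15:40 +0100] "GET /manager/html HTTP/1.1" 401 -',
    '192.0.2.12 - - [12/Mar/2014:10:16:01 +0100] "-" 400 -',
    'Mar 12, 2014 10:16:05 AM org.apache.catalina.startup.Catalina start',
]

if __name__ == "__main__":
    ok, bad = check_lines(SAMPLE)
    print(len(ok), "parsed;", len(bad), "rejected")
```

The last sample line is in the format of Tomcat's server log rather than the access log; it is rejected, which is the same mismatch a single apache-access parser would hit if other log files were shipped under that type.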
