Comments on: SharePoint ULS log analysis using ELK http://blog.comperiosearch.com/blog/2014/08/01/sharepoint-log-analysis-using-elk/ A blog about Search as THE solution Mon, 26 Oct 2015 18:07:52 +0000 hourly 1 https://wordpress.org/?v=3.9.40 By: Dustin Miller http://blog.comperiosearch.com/blog/2014/08/01/sharepoint-log-analysis-using-elk/#comment-19121 Tue, 12 May 2015 20:30:41 +0000 http://blog.comperiosearch.com/?p=2775#comment-19121 Thought I’d throw in here – I have a config that supports the multi-line expressions used for ULS logs pretty handily, just in case you’re still seeking log analysis bliss with Logstash:


if [type] == "uls" {
grok {
match => { "message" => "%{DATESTAMP:ulstime}.? %{PROG:process} \(%{BASE16NUM:processid}\)%{SPACE}%{BASE16NUM:tid}%{SPACE}%{DATA:area}\s{2,}%{SPACE}%{DATA:category}\s{2,}%{SPACE}%{WORD:event_id}%{SPACE}%{WORD:priority}%{SPACE}%{DATA:ulsmessage}\.{,3}%{SPACE}(?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})?$" }
add_field => [ "received_at", "%{@timestamp}" ]
}
date {
match => [ "ulstime", "MM/dd/YYYY HH:mm:ss.SS"]
timezone => "America/Chicago"
}
mutate {
replace => [ "message", "%{ulsmessage}" ]
remove_field => [ "ulsmessage" ]
}
multiline {
pattern => "^[^\.]"
negate => true
what => "previous"
add_tag => [ "multiline" ]
}
}

]]>