I have some log files generated by Log4J2. I am outputting the logs into a .json file using the JSONLayout in the log4j2.xml configuration file. My JSONLayout is defined like this:

<JSONLayout complete="false"></JSONLayout>

As logs get entered into the log file on my machine, they are appended, one-after-another, and look like this in logs.log:

  {
    "logger":"com.mycompany.myLogger",
    "timestamp":"1396792374326",
    "level":"ERROR",
    "thread":"pool-2-thread-2",
    "message":"System: unable to perform action",
    "throwable":"java.lang.NullPointerException\\n\tat com.myCompany.MyClass $.java:432)\\n\tat java.lang.Thread.run(Thread.java:744)\\n"
  },

I am trying to structure this JSON so that I can query it from ElasticSearch. During that process, I'm trying to add a custom field to ALL records. To do that, I'm using the following:

input {
  file {
    type => "json"
    path => "/var/logs/myApp/logs.log"
  }
}
filter {
  json {
    add_tag => [ "HardcodedTagName"]
    source => "message"
  }
}
output {
  elasticsearch {
    protocol => "http"
    codec => "json"
    host => "[myServerAddress]"
    port => "9200"
  }
}

Oddly, my custom tag NEVER seems to get added. At the same time, I'd really like to break out my JSON into fields that I can query in ElasticSearch. The things I'd like to query are clearly available. They are:

• level
• message
• timestamp

Yet, I can't seem to get this information out. When I see the JSON records in Kibana, I just see something like this:

{
  "_index": "logstash-2014.04.07",
  "_type": "json",
  "_id": "tG-s6-5pSnq5HZwLhM6Dxg",
  "_score": null,
  "_source": {
    "message": "    \"message\":\"System: unable to perform action\"\r",
    "@version": "1",
    "@timestamp": "2014-04-07T18:01:38.739Z",
    "type": "json",
    "host": "ip-MyipAddress",
    "path": "/var/logs/myApp/logs.log"
  },
  "sort": [
    1396893698739,
    1396893698739
  ]
}

What surprises me most is that the log level isn't even there. Neither is the thread information. I was surprised I couldn't find a blog post of a Log4J example that uses a filter. Any help is sincerely appreciated!

You do not need to use the json filter. You can specify the codec format at your input.

input {
    file {
       type => "json"
       path => "/var/logs/myApp/logs.log"
       codec => json
    }
}

Logstash will automatically parse your log to json format and add the corresponding field.