I am using graylog 4.1.3 configured in a 3 node cluster and encounter problem as depicted by following screenshot:
It seems that tomcat logs are saved to “filebeat_event_original” instead of “message” field and i would like to know if that’s an expected behavior or i am doing something wrong?
Preferably i would like it to be saved into message field which is displayed on default dashboard as it is in case of other servers i am managing logs from like mongodb, haproxy - only tomcat logs get that special treatment so to speak. How would i go about it?
Tomcat logs are forwarded to graylog through beats input by filebeat as is in the case with other mentioned services. Please let me know what other info would be useful in tackling this problem.
- Debian 11
- Graylog 4.1.3
- MongoDB 4.4.8
- Elasticsearch 7.10.2
Here’s the filebeat tomcat module config file:
``` - module: tomcat # All logs log: enabled: true # Set which input to use between syslog (default) or file. var.input: file # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. var.paths: - /opt/tomcat/current/logs/*.log - /opt/tomcat/current/logs/catalina.out ```
For longer code or configuration bits, please enclose your snippet in a summary block like this:
Summary of your code snippet or config here
Your code goes inside the triple backticks