Logstash合并多行日志为一行（Tomcat日志的合并和grok处理）

tomcat的catalina.out日志如下：

[root@localhost logs]# cat to_catalina.log
-----------------alarm start------------------------
--------------mail start---------------
-----------------alarm start------------------------
--------------mail start---------------
[2020-04-01 03:37:33.595] ERROR [com.base.util.MailUtils @348] - 发送邮件失败！
javax.mail.MessagingException: Could not connect to SMTP host: smtphz.qiye.163.com, port: 25
	at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1961) ~[mail-1.4.7.jar:1.4.7]
	at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:654) ~[mail-1.4.7.jar:1.4.7]
	at javax.mail.Service.connect(Service.java:295) ~[mail-1.4.7.jar:1.4.7]
	at javax.mail.Service.connect(Service.java:176) ~[mail-1.4.7.jar:1.4.7]
	at com.base.util.MailUtils.sendMail(MailUtils.java:344) [classes/:?]
	at com.common.service.sysemail.SEmailService.sendEmail(SEmailService.java:109) [classes/:?]
	at com.timer.SysEmailOneMinuteTask.doTask(SysEmailOneMinuteTask.java:74) [classes/:?]
	at sun.reflect.GeneratedMethodAccessor670.invoke(Unknown Source) ~[?:?]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_181]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_181]
	at org.springframework.util.MethodInvoker.invoke(MethodInvoker.java:269) [spring-core-4.0.2.RELEASE.jar:4.0.2.RELEASE]
	at org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean$MethodInvokingJob.executeInternal(MethodInvokingJobDetailFactoryBean.java:321) [spring-context-support-4.0.2.RELEASE.jar:4.0.2.RELEASE]
	at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:111) [spring-context-support-4.0.2.RELEASE.jar:4.0.2.RELEASE]
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.3.0.jar:?]
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.3.0.jar:?]
Caused by: java.net.SocketException: 网络不可达 (connect failed)
	at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:1.8.0_181]
	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_181]
	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_181]
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_181]
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_181]
	at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_181]
	at java.net.Socket.connect(Socket.java:538) ~[?:1.8.0_181]
	at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:321) ~[mail-1.4.7.jar:1.4.7]
	at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:237) ~[mail-1.4.7.jar:1.4.7]
	at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1927) ~[mail-1.4.7.jar:1.4.7]
	... 14 more
-----------------alarm start------------------------
--------------mail start---------------
--------------mail start---------------
-----------------alarm start------------------------
--------------mail start---------------
-----------------alarm start------------------------
--------------mail start---------------
[2020-04-01 03:37:33.595] ERROR [com.base.util.MailUtils @348] - 发送邮件失败！
javax.mail.MessagingException: Could not connect to SMTP host: smtphz.qiye.163.com, port: 25
	at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1961) ~[mail-1.4.7.jar:1.4.7]
	at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:654) ~[mail-1.4.7.jar:1.4.7]
	at javax.mail.Service.connect(Service.java:295) ~[mail-1.4.7.jar:1.4.7]
	at javax.mail.Service.connect(Service.java:176) ~[mail-1.4.7.jar:1.4.7]
	at com.base.util.MailUtils.sendMail(MailUtils.java:344) [classes/:?]
	at com.common.service.sysemail.SEmailService.sendEmail(SEmailService.java:109) [classes/:?]
	at com.timer.SysEmailOneMinuteTask.doTask(SysEmailOneMinuteTask.java:74) [classes/:?]
	at sun.reflect.GeneratedMethodAccessor670.invoke(Unknown Source) ~[?:?]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_181]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_181]
	at org.springframework.util.MethodInvoker.invoke(MethodInvoker.java:269) [spring-core-4.0.2.RELEASE.jar:4.0.2.RELEASE]
	at org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean$MethodInvokingJob.executeInternal(MethodInvokingJobDetailFactoryBean.java:321) [spring-context-support-4.0.2.RELEASE.jar:4.0.2.RELEASE]
	at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:111) [spring-context-support-4.0.2.RELEASE.jar:4.0.2.RELEASE]
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.3.0.jar:?]
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.3.0.jar:?]
Caused by: java.net.SocketException: 网络不可达 (connect failed)
	at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:1.8.0_181]
	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_181]
	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_181]
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_181]
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_181]
	at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_181]
	at java.net.Socket.connect(Socket.java:538) ~[?:1.8.0_181]
	at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:321) ~[mail-1.4.7.jar:1.4.7]
	at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:237) ~[mail-1.4.7.jar:1.4.7]
	at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1927) ~[mail-1.4.7.jar:1.4.7]
	... 14 more
-----------------alarm start------------------------
--------------mail start---------------

我们使用logstash收集日志，需要忽略这些分割线，并且将以日期开头的一段作为一条日志收集并grok处理

root@6b7e8249a524:/# vim /opt/conf/logstash.conf 

input {
    file {
        path => ["/opt/logs/catalina.out"]
    }
}
filter {
     # 以-------------开头的行全忽略
     if ([message] =~ "-------------") {
         drop {}
     }
     # 没匹配上这种正则开头的行，全部合并到匹配上正则的行里面作为一段
     multiline {
        pattern => "^\[\d{4}-\d{1,2}-\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}"
        negate => true    //匹配正则
        what => "previous"    // 以正则形式的开头
     }
     # grok分割，分成 时间戳，日志等级和详细信息
     grok {
        match => { "message" => "\[%{DATA:logdate}\] %{LOGLEVEL:loglevel} %{GREEDYDATA:detailReason}" }
     }
     mutate {
        remove_field => ["message"]
     }
}
output {

    stdout { codec => rubydebug }
}

TIPS：这个配置文件中写的注释是帮助理解的，要是运行出错就删除

运行logstash，匹配成功。