2

How to redirect JBoss / Wildfly logs to Logstash using syslog

Logstash is a fantastic product to parse and process logs and events from other systems. You can store the resulting data in ElasticSearch and later visualize and analyze the results with Kibana. The combination of the three is called ELK and it produces a really powerful way of working with data, from processing and storing it to its visualization in many forms.

If you work with a web application deployed in JBoss or Wildfly (I’ll cover in this article Wildfly 8.2.0) you can send your all your logs or only the ones coming from your application to Logstash, for further processing. You can use it for example to visualize in Kibana how many errors your application threw, or how many times a specific event was triggered.

There are several ways of connecting this web application server to logstash but I’ll focus in one of the simplest: through syslog channel. Syslog is a standard to format log messages and send them through a TCP port. Both logstash and JBoss can handle this way of logging so it’s pretty easy to connect them.

Logstash configuration

I’ll assume at this point that you have your ElasticSearch and Logstash installations already configured (in my case in localhost). After that, the only thing you need to do to make logstash listen for syslog messages is to run:

As you can see it’s as easy as configuring the syslog input. In my case I’ve chosen a custom port to avoid colliding with any other syslog channel in the system. You can configure the output to do whatever you want, in my case it’s simply storing the messages in ElasticSearch.

Wildfly / JBoss configuration

Now you need to configure the other side, the generator of events which is in this case the application server. In order to do that you need to configure your standalone.xml file, create a handler for syslog and add this handler to your logger.

First open the file [wildfly_root]/standalone/configuration/standalone.xml and go to the specific section for logging:

As you can see in the highlighted sections all you need is to configure a syslog-handler pointing to the same host and port where you have logstash listening, and later configure a logger that uses the handler. I’m assuming here that you are using the JBoss logging implementation to handle your application logs, if you’re overriding it with log4j or any other implementation that won’t work.

You need to set up the logger category to point to your application root package (category="my.app.package"), or feel free to configure as many loggers you want with the severity options you prefer.

That’s all! Start your application server with your application deployed and your log messages will go to ElasticSearch. I recommend you to play a little with logstash filters if you want to select the messages you want to store.

Related Posts

How to deploy a Spring Boot WAR in Wildfly / JBoss This is a short guide on how to deploy a war packaged Spring Boot application in Wildfly. As you know Wildfly is the new name for JBoss AS since 8.0 v...

2 Comments

  1. hi iam using wildfly 9 and i want to write logs to splunk using syslog handler in wildfly, so what i did was as you said in the above i have added syslog handler in standalone.xml file and testing but its not logging the logs to splunk. My Question was do we required any other configuration or installation for syslog to work.I am doing in Windows machine.

    • Hi pandu,
      Is Splunk configured correctly in the same port? You can even test it with must or kiwi.
      If you are sure it’s up and running then maybe wildfly is finding problems to get to that port. Can you check it with a different syslog server?
      Hope it helps!

Leave a Reply