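# Logstash pipeline: tail log4j files, fold continuation lines (stack traces)
# into the event they belong to, split the header into named fields, and index
# the result into Elasticsearch.

input {
  file {
    path => "/usr/local/soft/logs/*.log"
    type => "log4j"
    # A new event starts at a line that opens with "[YYYY-MM-DD"; every other
    # line is appended to the previous event. The date shape is matched rather
    # than the literal year 2016, so entries written in any other year still
    # start their own event instead of being merged into the preceding one.
    codec => multiline {
      pattern => "^\[[0-9]{4}-[0-9]{2}-[0-9]{2}"
      negate => true
      what => previous
    }
  }
}

filter {
  grok {
    # Header layout: [timestamp LEVEL] [method] (class) - text, then the
    # continuation lines. "\r?\n" accepts both CRLF and LF files, and the
    # scoped (?m:...) lets "." cross newlines so Stack holds the whole trace
    # and not only its first line.
    # Events with no continuation line do not match this pattern; they keep
    # "message" and the _grokparsefailure tag (see remove_field below).
    match => { "message" => "\[(?<CreatedOn>[0-9]{4}-[0-9]{2}-[0-9]{2}\s[0-9]{2}:[0-9]{2}:[0-9]{2}) (?<ErrorLevel>\w+)\] \[(?<TargetMethod>.*)\] \((?<TargetClass>.*)\) - (?<Message>(\w|\s)*)\r?\n(?<Stack>(?m:.*))" }
    # remove_field on a filter is applied only when the filter succeeds, so
    # the raw line and the failure tag survive for events grok could not
    # parse. Dropping them unconditionally in mutate left such events with no
    # content and no marker that parsing had failed.
    remove_field => ["message", "tags"]
  }
  mutate {
    rename => { "host" => "ServerIP" }
  }
}

output {
  elasticsearch {
    # NOTE(review): events, stack traces included, go to this address over
    # plain HTTP with no credentials configured here. If the node is reachable
    # beyond a trusted network segment, enable the plugin's TLS settings and
    # set user/password, and restrict access to port 9200.
    hosts => ["114.215.171.188:9200"]
    index => "logstash-%{type}"   # alternative: %{type}-%{+YYYY.MM.dd}
    document_type => "%{type}"
  }
  # Debug aid: prints every event in full to Logstash's stdout. Remove once
  # the pipeline is verified, so log content is not copied into the service's
  # own output.
  stdout { codec => rubydebug }
}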