Rsyslog - Tomcat Exceptions

Question

I am trying to get tomcat exception lines into 1 msg but when adding the regex part to the config nothing works. Without the regex part I can get all logs line by line!

module(load="imfile" PollingInterval="10") #needs to be done just once
#File 1
input(type="imfile"
File="/tomcat/logs/catalina.out"
Tag="catalina"
Severity="info"
Facility="local1")

# Filter for JasperException stack traces and forward to remote server
if $msg regex "(?s)org\.apache\.jasper\.JasperException:.*?Caused by: java\.lang\.NullPointerException.*?\s{4}at.*?[\r\n]*" then {
    action(type="omfwd" target="192.168.0.1" port="514" protocol="tcp" facility="local1" severity="err")
}

local1.* @192.168.0.1:514

---

This is my sample

org.apache.jasper.JasperException: An exception occurred processing [J48OutputPage.jsp] at line [48]

45:     {
46:             Attribute currAttribute=(Attribute)attributes.nextElement();
47:             String selValue=request.getParameter(currAttribute.name());
48:             if(selValue.equals("-1"))
49:                     invalidSelection=true;
50:             else
51:                     targetvals[currAttrIndex]=Double.parseDouble(selValue);


Stacktrace:
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException
        at org.apache.jsp.J48OutputPage_jsp._jspService(J48OutputPage_jsp.java:170)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:67)
        at org.apache.jsp.J48OutputPage_jsp._jspService(J48OutputPage_jsp.java:170)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:67)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:466)
        ... 40 more

---

Still no sucess, when i include the if part (as per below) nothing works.

rsyslogd -N1

rsyslogd: version 8.2102.0-5.el8, config validation run (level 1), master config /etc/rsyslog.conf rsyslogd: error during parsing file /etc/rsyslog.d/tomcat.conf, on or before line 9: syntax error on token 'regex' [v8.2102.0-5.el8 try https://www.rsyslog.com/e/2207 ]

  module(load="imfile" PollingInterval="1") #needs to be done just once
#File 1
input(type="imfile"
File="/tomcat/logs/catalina.out"
Tag="catalina"
Severity="info"
Facility="local1")

if $msg regex "(?sm)org\.apache\.jasper\.JasperException:.* java\.lang\.NullPointerException[\r\n]{1,2}(\s+(?:at )?[^\s]+[\r\n]{1,2}){1,}" then {
    action(type="omfwd" target="192.168.0.1" port="514" protocol="udp" facility="local1" severity="err")
}

local1.* @192.168.0.1:514

Answer 1

The imfile module does not read multi-line input by default, so the $msg property will never match. You need to use either input parameter startmsg.regex or endmsg.regex (not both) to have a multi-line message. The regex must match only what is on a single line. If the file only holds this style of input, you will not need an if test at all.

Here's how using a ruleset can restrict the input from the file to be processed only by a specific omfwd action:

ruleset(name="myrule1"){
  action(type="omfwd" target="192.168.0.1" port="514" protocol="tcp" facility="local1" severity="err")
}
input(type="imfile" File="/tomcat/logs/catalina.out"
  Tag="catalina" Severity="info" Facility="local1"
  Ruleset="myrule1"
  readTimeout="1"
  startmsg.regex="jasper.JasperException")

The multi-line input is sent as one line with the 2 characters \n showing where each line was joined. The readTimeout is needed to ensure the last set of data in the file is sent on, despite it not yet being followed by the startmsg regex. This wouldn't be necessary if using the endmsg regex instead, but then you need to find a distinctive single line pattern that will always end the set of data, and not match elsewhere.

Answer 2

Given this stack trace

org.apache.jasper.JasperException: An exception occurred processing [J48OutputPage.jsp] at line [48]

45:     {
46:             Attribute currAttribute=(Attribute)attributes.nextElement();
47:             String selValue=request.getParameter(currAttribute.name());
48:             if(selValue.equals("-1"))
49:                     invalidSelection=true;
50:             else
51:                     targetvals[currAttrIndex]=Double.parseDouble(selValue);


Stacktrace:
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException
        at org.apache.jsp.J48OutputPage_jsp._jspService(J48OutputPage_jsp.java:170)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:67)
        at org.apache.jsp.J48OutputPage_jsp._jspService(J48OutputPage_jsp.java:170)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:67)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:466)
        ... 40 more

This regex would match all the lines

(?sm)org\.apache\.jasper\.JasperException:.* java\.lang\.NullPointerException[\r\n]{1,2}(\s+[^\s]+[\r\n]{1,2}){1,}

Or this one to take into account 'at ' pattern

(?sm)org\.apache\.jasper\.JasperException:.* java\.lang\.NullPointerException[\r\n]{1,2}(\s+(?:at )?[^\s]+[\r\n]{1,2}){1,}

Would matched all of

org.apache.jasper.JasperException: java.lang.NullPointerException
   at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:502)
   at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:430)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)

Finally

(?sm)(org\.apache\.jasper\.JasperException:.[^\r\n]+[\r\n]?|Caused by: java\.lang\.NullPointerException[\r\n]{1,2}(\s+(?:at )?[^\s]+[\r\n]{1,2}){1,})

would matched

org.apache.jasper.JasperException: An exception occurred processing [J48OutputPage.jsp] at line [48]

Or

Caused by: java.lang.NullPointerException
        at org.apache.jsp.J48OutputPage_jsp._jspService(J48OutputPage_jsp.java:170)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:67)
        at org.apache.jsp.J48OutputPage_jsp._jspService(J48OutputPage_jsp.java:170)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:67)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:466)