Bleeding of separate log files into single event when using codec multiline


(Mitter Singh Thakur) #1

Please bear with me as I am new to this. I am using ELK 5.0.1

I am trying to ship my app logs (stack traces spanning multiple lines as well as single lines) and syslogs (mostly single line). I am using codec multiline in the input of Logstash, but it's not working properly. I have tagged syslogs as "syslog" and app logs as "applog". In Kibana, I am seeing syslogs coming under app logs, which is bizarre, isn't it?

for example:
/tmp/app.log
some app log text

/tmp/sys.log
some syslog text

in Kibana, it is showing as single event like below :
some app log text
some syslog text

and showing source as /tmp/sys.log and type as "syslog", whereas app logs are also there :(. Now it is difficult to find which are the app's events and which are the system's events.

Earlier I was using logstash-forwarder on an older box; there it was working fine.

Please guide...


(Ed) #2

Please provide your configuration; it is most likely a problem with how you did the inputs.


(Mitter Singh Thakur) #3

Thanks for your response.

logstash server side:

input {
  beats {
    port => 5050
    codec => multiline {
      pattern => "^\[|^[0-9]|^Jan|^Feb|^Mar|^Apr|^May|^Jun|^Jul|^Aug|^Sep|^Oct|^Nov|^Dec|^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun"
      negate => true
      what => "previous"
    }
  }
}

client side filebeat:

filebeat.prospectors:
# for syslog
- input_type: log
  paths:
    - /var/log/*.log
    - /var/log/message
    - /var/log/secure
    - /var/log/maillog
    - /var/log/cron
    - /var/log/dmesg
  document_type: syslog
# for IHS/access logs
- input_type: log
  paths:
    - /opt/httplogs/access_log*
  document_type: wcsihs
# for IHS/error logs
- input_type: log
  paths:
    - /opt/httplogs/error_log*
  document_type: wcsihserr
# where to ship? Centralized location
output.logstash:
  hosts: ["elk:5044"]

(Steffen Siering) #4

Multiline can be quite tricky in LS. One has to create some kind of id to correctly correlate lines. To simplify multiline processing, Filebeat integrates multiline itself. The difference from Logstash multiline is that Filebeat multiline operates per file, reducing the chances of errors.

Keep in mind that if you are using syslog, multiline and normal logs might get mixed up by syslog itself.


(Ed) #5

Also, you're doing multiline on the receiving side; it probably does not track which log is coming from which server. You're best off doing the multiline on the Filebeat host.

https://www.elastic.co/guide/en/beats/filebeat/current/multiline-examples.html
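The two replies above describe the cause (one shared multiline buffer on the Logstash side versus one buffer per file on the Filebeat side). The following is an added illustration, not code from this thread or from Elastic: a small Python model of both behaviours, fed a constructed, interleaved stream of frames from /tmp/app.log and /tmp/sys.log. The start-of-event pattern is the one from the Logstash config posted in #3; the log lines, paths and types are made up for the example, and the two aggregators are simplified models of the codecs, not their actual implementations.

```python
import re

# Start-of-event pattern copied verbatim from the Logstash config posted in this thread.
# With negate => true / what => previous, a line that matches opens a new event and
# every other line is appended to the event before it.
START = re.compile(
    r"^\[|^[0-9]|^Jan|^Feb|^Mar|^Apr|^May|^Jun|^Jul|^Aug|^Sep|^Oct|^Nov|^Dec"
    r"|^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun"
)

# Constructed sample (not real logs): what a beats input sees when Filebeat ships two
# prospectors over one connection -- lines from both files arrive interleaved.
# Each frame is (source, type, message), mirroring the fields Filebeat attaches.
FRAMES = [
    ("/tmp/app.log", "applog", "2016-12-01 10:00:00 ERROR request failed"),
    ("/tmp/app.log", "applog", "java.lang.RuntimeException: boom"),
    ("/tmp/sys.log", "syslog", "Dec  1 10:00:01 host sshd[123]: Accepted publickey for ops"),
    ("/tmp/app.log", "applog", "\tat com.example.Foo.bar(Foo.java:42)"),
    ("/tmp/sys.log", "syslog", "Dec  1 10:00:02 host CRON[456]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("/tmp/app.log", "applog", "2016-12-01 10:00:03 INFO recovered"),
]


def is_start(line):
    """True if the line opens a new event under the thread's pattern."""
    return START.search(line) is not None


def shared_buffer_multiline(frames):
    """Model of a multiline codec on the receiving side (Logstash): one buffer for the
    whole input, with no notion of which file or host a line came from.  The flushed
    event is stamped with the metadata of the frame being processed at flush time.
    This is a simplified model for illustration, not Logstash's own code."""
    events, buf, last_meta = [], [], None
    for source, typ, line in frames:
        if is_start(line) and buf:
            events.append({"source": source, "type": typ, "message": "\n".join(buf)})
            buf = []
        buf.append(line)
        last_meta = (source, typ)
    if buf:  # end of input: whatever is left goes out under the last frame's metadata
        events.append({"source": last_meta[0], "type": last_meta[1], "message": "\n".join(buf)})
    return events


def per_source_multiline(frames):
    """Model of Filebeat-side multiline: each prospector/file keeps its own buffer, so a
    continuation line can only join the previous line of the SAME file, and the event
    inherits that file's source and type.  Again a model, not Filebeat's own code."""
    events, buffers = [], {}
    for source, typ, line in frames:
        buf = buffers.setdefault((source, typ), [])
        if is_start(line) and buf:
            events.append({"source": source, "type": typ, "message": "\n".join(buf)})
            buf.clear()
        buf.append(line)
    for (source, typ), buf in buffers.items():  # end of input: flush each file separately
        if buf:
            events.append({"source": source, "type": typ, "message": "\n".join(buf)})
    return events


def misrouted(events, frames):
    """Check: events containing at least one line that did not come from the event's
    own source.  This is the 'bleeding' the original poster saw in Kibana."""
    origin = {msg: src for src, _, msg in frames}
    return [e for e in events
            if any(origin[line] != e["source"] for line in e["message"].split("\n"))]


if __name__ == "__main__":
    for label, fn in (("shared buffer (Logstash side)", shared_buffer_multiline),
                      ("per source (Filebeat side)", per_source_multiline)):
        evs = fn(FRAMES)
        print(f"{label}: {len(evs)} events, {len(misrouted(evs, FRAMES))} misrouted")
        for e in evs:
            print(f"  {e['type']:7} {e['source']:13} {e['message']!r}")
```

Running it shows the shared buffer gluing the Java stack frame onto the sshd line and emitting the ERROR event under type syslog, exactly the symptom described in #1, while the per-source aggregator yields two clean applog events and two clean syslog events. In Filebeat terms the fix is to remove the codec from the beats input and put `multiline.pattern`, `multiline.negate: true` and `multiline.match: after` under the prospector that reads the stack-trace logs (Filebeat's `after` is the counterpart of Logstash's `what => "previous"`), as the linked page shows. One unrelated thing worth checking in the posted configs: the Logstash input listens on port 5050 while Filebeat ships to elk:5044; whichever is intended, the two must agree.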
