in my setup I had to use the redis aggregator:
varnish+apache+tomcat (filebeat) --> redis <-- |fw|-- logstash 5.0
in this setup I got different log types from different sources that need to be parsed correctly.
the main problem is related to java logs that provides different type of log format (catalina.out, tomcat.log, ...) that often have multiline setup.
I tried using the multiline filter but I got:
reason=>"Couldn't find any filter plugin named 'multiline'. Are you sure this is correct? Trying to load the multiline filter plugin resulted in this error: LoadError"
I think I've to use the codec-multiline, but, how can I configure multiline that comes from the same input (the redis server) that need to be treated differently?
thank you very much
You should ideally assemble multi-line entries as close to the source as this process requires the events to arrive in sequence. It should therefore be done before putting it on any message queue. Filebeat supports multi-line processing, so that is where I would recommend doing this processing.
thank you very much for your reply. can I use the same pattern syntax both in filebeat as in logstash?
can I use the same pattern syntax both in filebeat as in logstash?
No. See the Filebeat documentation for details on what kind of patterns are allowed.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.