Hi All,
I am trying to send DMARC logs to Elasticsearch and am running into some issues with the Logstash config. Logstash only appears to process the first few lines of the XML log file as per below.
It seems to be something with the pattern => "^<?feedback.*>" but I could be wrong. Below is the Logstash config:
input {
  file {
    path => "/var/cache/dmarc-reports/*.xml"
    start_position => "beginning"
    discover_interval => "1"
    tags => ["dmarc-reports"]
    # Join every line that does not match the pattern onto the previous event
    codec => multiline {
      pattern => "^<?feedback>"
      negate => true
      what => "previous"
    }
  }
}
filter {
  # Parse the joined XML text in "message" into the "dmarc" field
  xml {
    #store_xml => "false"
    target => "dmarc"
    source => "message"
  }
}
output {
  elasticsearch {
    hosts => ["10.10.10.34:9200"]
    http_compression => "true"
    index => "dmarc-%{+YYYY.MM.dd}"
  }
  # Also print each event to the console for debugging
  stdout { codec => rubydebug }
}
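
An added example, not part of the original post and not Logstash's own code: a simplified Ruby model of how the multiline codec groups lines with `negate => true` and `what => "previous"`, run over a constructed DMARC aggregate report. It shows which event is emitted while the file is read and which lines are still held in the buffer; `group_previous`, `demo` and the sample report are hypothetical names and data.

```ruby
# Constructed sample: a minimal DMARC aggregate report, one element per line.
SAMPLE_REPORT = <<~XML
  <?xml version="1.0" encoding="UTF-8" ?>
  <feedback>
  <report_metadata>
  <org_name>example.net</org_name>
  </report_metadata>
  <record>
  <row><source_ip>192.0.2.1</source_ip><count>1</count></row>
  </record>
  </feedback>
XML

# The pattern from the config above. In a regex "<?" means "an optional <",
# so this matches a line starting with "<feedback>" or "feedback>".
PATTERN = /^<?feedback>/

# Simplified model (an assumption, not the plugin source) of the multiline
# codec with what => "previous".
# Returns [events emitted while reading, lines still held in the buffer].
def group_previous(lines, pattern, negate:)
  events = []
  buffer = []
  lines.each do |line|
    hit = !!(line =~ pattern)
    joins_previous = negate ? !hit : hit
    # A line that does not join the previous event closes the buffered one.
    unless joins_previous
      events << buffer.join("\n") unless buffer.empty?
      buffer = []
    end
    buffer << line
  end
  [events, buffer]
end

# Run the model over the constructed report with the config's settings.
def demo
  group_previous(SAMPLE_REPORT.lines.map(&:chomp), PATTERN, negate: true)
end

if __FILE__ == $PROGRAM_NAME
  events, pending = demo
  puts "emitted while reading: #{events.inspect}"
  puts "still buffered: #{pending.size} lines, starting at #{pending.first}"
end
```

In Logstash, the buffered lines become an event when a later line starts a new event or once the codec's `auto_flush_interval` (unset by default) has elapsed.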