All,
I'm having a slight issue getting multiline to apply to my stack trace logs.
I have tried with the pattern of:
# Variant 1: a line that starts with whitespace is treated as a continuation
# and appended to the line before it (negate: false, match: after).
# Stack-trace lines that start at column 0, such as "Caused by: ...", do not
# match this pattern and therefore begin a new event.
multiline.pattern: '^[[:space:]]'
multiline.negate: false
multiline.match: after
and:
# Variant 2: a line that does NOT start with '[' is treated as a continuation
# and appended to the preceding line that does (negate: true, match: after).
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
Both of these options come from Elastic's documentation on applying multiline to stack trace messages.
I am trying to ship from beats to logstash.
My beats config looks like:
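# Filebeat configuration: five log prospectors shipped to Logstash over TLS.
# The nesting below is restored; the pasted text had lost its indentation,
# and YAML nesting decides which prospector each option belongs to.
filebeat:
  prospectors:
    # Application log. Lines that do not start with '[' are appended to the
    # preceding line, so a stack trace stays with the '[' entry above it.
    - input_type: log
      paths:
        - /var/log/tomcat8/CWeb.log
      multiline.pattern: '^\['
      multiline.negate: true
      multiline.match: after
      scan_frequency: 60s
      ignore_older: 24h
      document_type: cweb

    # Remaining Tomcat *.log files; CWeb.log is excluded because the
    # prospector above already reads it.
    - input_type: log
      paths:
        - /var/log/tomcat8/*.log
      exclude_files: ['CWeb.log']
      scan_frequency: 60s
      ignore_older: 24h
      document_type: tomcat

    # Tomcat *.txt files, shipped as type "access".
    - input_type: log
      paths:
        - /var/log/tomcat8/*.txt
      scan_frequency: 60s
      ignore_older: 24h
      document_type: access

    # catalina.out. Filebeat multiline patterns are plain regular
    # expressions; grok placeholders such as %{MONTHDAY} are not expanded,
    # so the pasted grok-style value could never match a timestamp. With
    # negate: true that merges every line into the previous event.
    # The regex below spells out day-month-year hour:minute instead.
    # NOTE(review): assumes each entry starts with a timestamp such as
    # "01-Jan-2017 12:00" (constructed sample); confirm against the log.
    # No document_type is set for this prospector.
    - input_type: log
      paths:
        - /var/log/tomcat8/catalina.out
      multiline.pattern: '^[0-9]{1,2}-[A-Za-z]+-[0-9]{4} [0-9]{1,2}:[0-9]{2}'
      multiline.negate: true
      multiline.match: after
      scan_frequency: 60s
      ignore_older: 24h

    # Apache access log with load-balancer health-check requests dropped.
    - input_type: log
      paths:
        - /var/log/httpd/elasticbeanstalk-access_log
      exclude_lines: ['^.*ELB-HealthChecker.*$']
      scan_frequency: 60s
      ignore_older: 24h
      document_type: apache

output:
  logstash:
    hosts: ["DNS:5044"]
    # Mutual TLS: certificate_authorities is what Filebeat trusts when it
    # verifies Logstash; certificate and certificate_key are the client
    # identity Filebeat presents to Logstash.
    # NOTE(review): "tls" and "certificate_key" are the Filebeat 1.x names;
    # 5.x and later use "ssl" and "key". Check the installed version, and
    # confirm in the Filebeat log that the connection is really using TLS.
    # NOTE(review): the private key sits in the certs directory next to
    # public certificates. Make sure only the Filebeat user can read it.
    tls:
      certificate_authorities: ["/etc/pki/tls/certs/ServerCertificate.crt"]
      certificate: "/etc/pki/tls/certs/anotherhost.crt"
      certificate_key: "/etc/pki/tls/certs/anotherhost.key"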
My Logstash config looks like:
# Beats listener on port 5044 with TLS enabled.
input {
  beats {
    port => 5044
    ssl => true
    # force_peer: a client must present a certificate, and it is verified
    # against ssl_certificate_authorities; otherwise the connection is refused.
    ssl_verify_mode => "force_peer"
    # CA(s) used to verify the certificate each Beats client presents.
    ssl_certificate_authorities => ["/config/certs/ServerCertificate.crt"]
    # Certificate and key that this listener itself presents to clients.
    # NOTE(review): the file names say "Client", but in this position they act
    # as the Logstash server identity; confirm the right pair is mounted here.
    ssl_certificate => "/config/certs/Client-Signed-Certificate.crt"
    # Private key for the certificate above; keep it readable only by the
    # Logstash process.
    ssl_key => "/config/certs/ClientPrivateKey.key"
  }
}
# Send every event to Elasticsearch. No filter block is shown, so events are
# forwarded as received from Beats.
output {
  elasticsearch {
    # NOTE(review): no credentials or TLS options are set here, so this hop
    # depends on network isolation between Logstash and Elasticsearch; confirm
    # that port 9200 is not reachable from outside that network.
    hosts => ["elasticsearch:9200"]
  }
}