Filebeat 1.1.0: Multiline Patterns

dawiro · April 11, 2016, 6:57am

Hi,
Does filebeat have any definitions for common patterns that need to be matched in log lines? Could the logstash grok patterns be reused? Is there a way I could make a set of pattern definitions available to filebeat?

Regards,
David

ruflin · April 11, 2016, 7:16am

Grok support in beats is something that pops up quite frequently. See https://discuss.elastic.co/search?q=grok%20category%3A42

I assume the problem in your case is that the regexp get too complex? Currently the best way would be to extend the docs of filebeat with these patterns so others can just copy /paste it. A good place would be probably here: https://github.com/elastic/beats/blob/master/libbeat/docs/regexp.asciidoc

steffens · April 11, 2016, 11:34am

To be honest, I haven't really encountered a good use-case one needs the complicated patterns (even if abstracted away by grok). Trick is to not look at content as is (no need to write a 'full' regular parser), but look for patterns/shape of content.

Disadvantage of 'overcomplicated' patterns (sure they are not, but for use case of merging lines often is), is increased processing time by regex engine.

We're watching the forum and trying to collect use cases for documentation purposes. Any use-case you want to share?

dawiro · April 12, 2016, 7:36am

Well, I'm looking at cassandra style logs which have a format like this:

<Log Level> [<Component>] <Datestamp> <Timestamp> <Message>

steffens · April 12, 2016, 4:24pm

well, that's only half of the story, how do multline logs look like exactly? Assuming multiline is just stack traces starting with spaces a pattern like '^[[:space:]]+ might do the trick.

dawiro · April 13, 2016, 3:03pm

When I uncomment this bit of the config no log lines get processed at all.

steffens · April 13, 2016, 7:31pm

Sorry, I don't understand what you're talking about.

dawiro · April 14, 2016, 7:22am

The multiline config is commented out. It is commented out because when it is active all processing stops because of the error reported earlier.

steffens · April 14, 2016, 12:11pm

config file is yaml and pretty sensitive to indentation and so on. Can you please share your filebeat.yml file so I can have a look?

If it continues to fail due to error reported earlier, does it mean you didn't change the regex to '^[[:space:]]'?

dawiro · April 15, 2016, 1:35pm

Ok, here's my prospector config:

filebeat:
    prospectors:
    -   document_type: cassandra
        input_type: log
        paths:
          - /var/log/cassandra/*.log
          - /var/log/cassandra/audit/*.log
        scan_frequency: 5s
        ignore_older: 168h
        multiline:
          pattern: '^\s'
          match: after

dawiro · April 15, 2016, 1:36pm

Seems like the indentation has been lost...

dawiro · April 15, 2016, 2:00pm

Changing the config to use the modified regex format you described seems to work...thank you:)