Filebeat and laravel logs

Elastic Stack Beats
1

Hello everyone. Can someone tell me how to set up laravel logs in filebeat (without logstash).

Slack%20-%20TC%20Team%202019-02-28%2010-17-21
Slack - TC Team 2019-02-28 10-17-21.png1780×342 98.4 KB

In the picture i showed with arrows that i want the log to break: date to timestamp field, type in env field, error-type to severity field. And everything else in the message field.

But, whatever petterns i use, i get the whole error entirely in the message field:
https://take.ms/S73uI

My filebeat.yml conf:

filebeat.inputs:

  • type: log
    enabled: true
    paths:
    • /var/www/html/lara/storage/logs/*.log
      multiline.pattern: "%{TIMESTAMP_ISO8601}%{GREEDYDATA}"
      multiline.negate: true
      multiline.match: after
2

@belledota

Which version of filebeat you are using?

3

There is an example configuration in our documentation on multiline. I think this one fits exactly your use case: https://www.elastic.co/guide/en/beats/filebeat/master/_examples_of_multiline_configuration.html#_timestamps

4

Hi. I'm using filebeat-6.6.0

5

I'm change my filebeat.yml to:

multiline.pattern: '[%{TIMESTAMP_ISO8601:timestamp}] %{WORD:env}.%{LOGLEVEL:severity}: %{GREEDYDATA:message}'
multiline.negate: true
multiline.match: after
multiline.flush_pattern: '"}'

But, result is the same as the my first post.

6

The documentation contains the following configuration:

multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after

You need to paste these three lines into your configuration.
The pattern of multiline is a regex pattern, not grok.

7

If you need further processing, you either need to use Ingest pipelines or Logstash instead of Filebeat.