I'm working with a virtual appliance that has Filebeat baked in.
I have no control over the Filebeat configuration, which is forwarding multiple files of different formats.
I can filter on source and grab the file that I need, but I'm struggling to process the 'interesting' log data, which is XML and is presented over multiple lines between tags. These are currently being output as discrete events/lines, when I need to aggregate these as an event.
I can find plenty of examples of processing multiple lines within the Filebeat configuration, but not in the Logstash input (where input type is beats) or filter phases. Indeed, if I do file input and file output then I can process the event as expected. My problem is when input is beats...
Any pointers?