I tried using this config (multiline-examples), but Logstash doesn't output anymore. If I remove the parsers section, it can output.
filebeat.yml:

    filebeat.inputs:
    - type: filestream
      id: my-filestream-id
      enabled: true
      paths:
        - /tmp/smb2.log
      parsers:
        multiline:
          type: pattern
          pattern: '^\['
          negate: true
          match: after
    output.logstash:
      hosts: ["localhost:5044"]

logstash/conf.d/tmp.conf:

    input {
      beats {
        port => 5044
      }
      stdin{}
    }
    filter {
    }
    output {
      stdout{}
    }

The log format is:
[2024/05/13 08:37:59.564313, 10, pid=52418, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:4531(smbd_smb2_process_negprot)
smbd_smb2_first_negprot: packet length 236
[2024/05/13 08:37:59.565358, 10, pid=52418, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:2979(smbd_smb2_request_dispatch)
smbd_smb2_request_dispatch: opcode[SMB2_OP_NEGPROT] mid = 0
[2024/05/13 08:37:59.566104, 3, pid=52418, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_negprot.c:301(smbd_smb2_request_process_negprot)
Selected protocol SMB3_11
[2024/05/13 08:37:59.575583, 10, pid=52418, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3840(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: mid [0] idx[1] status[NT_STATUS_OK] body[64] dyn[yes:156] at ../../source3/smbd/smb2_negprot.c:856
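
Added example, not part of the original post and not Filebeat's own code: a Python emulation of the multiline settings above (pattern `'^\['`, `negate: true`, `match: after`) run over the eight sample lines, to check offline how they group into events. The `HEADER` regex and the field names are assumptions derived from the sample lines only.

```python
import re

# Constructed sample: the eight log lines quoted in the post.
SAMPLE = """\
[2024/05/13 08:37:59.564313, 10, pid=52418, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:4531(smbd_smb2_process_negprot)
smbd_smb2_first_negprot: packet length 236
[2024/05/13 08:37:59.565358, 10, pid=52418, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:2979(smbd_smb2_request_dispatch)
smbd_smb2_request_dispatch: opcode[SMB2_OP_NEGPROT] mid = 0
[2024/05/13 08:37:59.566104, 3, pid=52418, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_negprot.c:301(smbd_smb2_request_process_negprot)
Selected protocol SMB3_11
[2024/05/13 08:37:59.575583, 10, pid=52418, effective(0, 0), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3840(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: mid [0] idx[1] status[NT_STATUS_OK] body[64] dyn[yes:156] at ../../source3/smbd/smb2_negprot.c:856
""".splitlines()

START = re.compile(r"^\[")  # same pattern as in filebeat.yml
HEADER = re.compile(  # assumed header layout, taken from the sample lines
    r"^\[(?P<ts>[^,]+), +(?P<level>\d+), pid=(?P<pid>\d+), "
    r"effective\(\d+, \d+\), real\(\d+, \d+\)(?:, class=(?P<cls>\w+))?\] "
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$"
)

def group(lines, pattern=START, negate=True):
    """match: after. A continuation line is appended to the event before it."""
    events = []
    for line in lines:
        matched = pattern.search(line) is not None
        continuation = matched != negate  # negate: true -> non-matching lines continue
        if continuation and events:
            events[-1].append(line)
        else:
            events.append([line])  # a header line (or an orphan first line) opens an event
    return events

def parse(event):
    """Split one grouped event into header fields plus the message body."""
    m = HEADER.match(event[0])
    if m is None:
        return {"parse_error": True, "message": "\n".join(event)}
    fields = m.groupdict()
    fields["level"] = int(fields["level"])
    fields["message"] = "\n".join(s.strip() for s in event[1:])
    return fields

if __name__ == "__main__":
    for ev in group(SAMPLE):
        print(parse(ev))
```

With these settings the eight lines collapse into four events, one per `[`-prefixed header.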