Filebeat in Container mode + multiline Parser

fidelgonzo · December 10, 2022, 11:09am

I have a problem with Filebeat (7.17) that when trying to read multiline Java Stacktrace logs, it works without problems when input.type: filestream but when running the same in our Kubernetes stack, as input.type: container then the multiline parser is not picked up.

My config:

filebeat.inputs:
      - type: container
        paths:
          - /var/log/containers/*.log
        parsers:
        - multiline:
            type: pattern
            pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:'
            negate: false
            match: after

or is there another workaround to receive Java Stacktraces as single message entries in Elastic?
We are using K8S Filebeat pods > Elastic + Ingest Pipelines at the moment.

stephenb · December 10, 2022, 5:47pm

Hi @fidelgonzo Welcome to the community.

Hmmmm...
It's possible I would have to check the container input is still using the older log input under the covers and thus it would use the older multi-line syntax

If you still use the deprecated log input, there is no need to use parsers.

multiline.type: pattern
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after

But I thought that got updated but you could check that.

system · January 7, 2023, 7:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.