Filebeat in Container mode + multiline Parser

fidelgonzo · December 10, 2022, 11:09am

I have a problem with Filebeat (7.17) that when trying to read multiline Java Stacktrace logs, it works without problems when input.type: filestream but when running the same in our Kubernetes stack, as input.type: container then the multiline parser is not picked up.

My config:

filebeat.inputs:
      - type: container
        paths:
          - /var/log/containers/*.log
        parsers:
        - multiline:
            type: pattern
            pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:'
            negate: false
            match: after

or is there another workaround to receive Java Stacktraces as single message entries in Elastic?
We are using K8S Filebeat pods > Elastic + Ingest Pipelines at the moment.

stephenb · December 10, 2022, 5:47pm

Hi @fidelgonzo Welcome to the community.

Hmmmm...
It's possible I would have to check the container input is still using the older log input under the covers and thus it would use the older multi-line syntax

If you still use the deprecated log input, there is no need to use parsers.

multiline.type: pattern
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after

But I thought that got updated but you could check that.

system · January 7, 2023, 7:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiline usage Beats beats-module , filebeat	3	429	March 25, 2022
Filebeat filestream with pipeline and multiline Beats filebeat	4	575	June 30, 2023
Filebeat configuration : multiline.* (working) vs parsers (not working) Beats docker , filebeat	3	344	December 31, 2023
Filebeat: wrong multiline merging Beats filebeat	4	353	May 2, 2020
Log type Filebeat deprectaed and Filestream multiline doesn't works Beats filebeat	2	2350	March 18, 2022

Filebeat in Container mode + multiline Parser

Related Topics