Filebeat in Container mode + multiline Parser

fidelgonzo · December 10, 2022, 11:09am

I have a problem with Filebeat (7.17) that when trying to read multiline Java Stacktrace logs, it works without problems when input.type: filestream but when running the same in our Kubernetes stack, as input.type: container then the multiline parser is not picked up.

My config:

filebeat.inputs:
      - type: container
        paths:
          - /var/log/containers/*.log
        parsers:
        - multiline:
            type: pattern
            pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:'
            negate: false
            match: after

or is there another workaround to receive Java Stacktraces as single message entries in Elastic?
We are using K8S Filebeat pods > Elastic + Ingest Pipelines at the moment.

stephenb · December 10, 2022, 5:47pm

Hi @fidelgonzo Welcome to the community.

Hmmmm...
It's possible I would have to check the container input is still using the older log input under the covers and thus it would use the older multi-line syntax

If you still use the deprecated log input, there is no need to use parsers.

multiline.type: pattern
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after

But I thought that got updated but you could check that.

system · January 7, 2023, 7:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiline usage Beats beats-module , filebeat	3	431	March 25, 2022
Filebeat.autodiscover on Kubernetes not honoring multiline message config Beats docker , filebeat	2	1347	December 6, 2019
Input docker: multiple multiline.pattern Beats filebeat	1	596	October 3, 2019
What does filebeat's multiline tool match Beats filebeat	4	1166	April 28, 2020
Filebeat multiline pattern with negate works for all logs even without pattern Beats filebeat	1	340	June 4, 2019

Filebeat in Container mode + multiline Parser

Related topics