I want to extract the logs that include the "FaceLogBean" ,Configuration file is:
filebeat.prospectors:
- input_type: log
document_type: cloud
paths:
- /usr/logs/*.log
include_lines:["FaceLogBean"]
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after
multiline.timeout: 10s
output.logstash:
# The Logstash hosts
hosts: ["localhost:5044"]
After the configuration, the filebeat startup failed:
filebeat.service - filebeat
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Fri 2018-03-02 11:41:14 CST; 27s ago
Docs: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
Process: 12829 ExecStart=/usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat (code=exited, status=1/FAILURE)
Main PID: 12829 (code=exited, status=1/FAILURE)
Mar 02 11:41:14 dongjingang-test3.syswin.com systemd[1]: filebeat.service: main process exited, code=exited, status=1/FAILURE
Mar 02 11:41:14 dongjingang-test3.syswin.com systemd[1]: Unit filebeat.service entered failed state.
Mar 02 11:41:14 dongjingang-test3.syswin.com systemd[1]: filebeat.service failed.
Mar 02 11:41:14 dongjingang-test3.syswin.com systemd[1]: filebeat.service holdoff time over, scheduling restart.
Mar 02 11:41:14 dongjingang-test3.syswin.com systemd[1]: start request repeated too quickly for filebeat.service
Mar 02 11:41:14 dongjingang-test3.syswin.com systemd[1]: Failed to start filebeat.
Mar 02 11:41:14 dongjingang-test3.syswin.com systemd[1]: Unit filebeat.service entered failed state.
Mar 02 11:41:14 dongjingang-test3.syswin.com systemd[1]: filebeat.service failed.
But annotate the code “ include_lines:["FaceLogBean"]”and start the success.
Hope to get help,thank!