I am running filebeat v1.1.1 and can't seem to get multiline to work unless the input timeout passes.
My data is from NNMi (trying to forward audit to ELK); the data/log looks like...
2016-03-08 14:31:49,744 INFO [com.hp.ov.nms.ui.framework.util.SignInOutAuditLog] (tomcat-exec-10) Failed Sign In Attempt
User: system
Remote Host: 192.168.1.5
Remote Port: 60542
Locale: en_US
2016-03-08 14:31:53,658 INFO [com.hp.ov.nms.ui.framework.util.SignInOutAuditLog] (tomcat-exec-10) Successful Sign In
User Account: system
NNMi Role: Administrator (admin)
Client Host: 192.168.1.5
Client Port: 60542
Locale: {5}
My multiline config (was pattern: "^[::alpha::]" but changed to digit based on another thread):

    multiline:
      pattern: "^[::digit::]{4}-[::digit::]{2}-[::digit::]{2}"
      negate: true
      match: after

If the 2 lines are within the input timeout, I get the following event out of filebeat, where both lines are one event. Any help with what I am doing wrong in this case?
{\"message\":\"2016-03-08 14:42:16,865 INFO [com.hp.ov.nms.ui.framework.util.SignInOutAuditLog] (tomcat-exec-1) Failed Sign In Attempt\\n\\tUser:\\t\\tsystem\\n\\tRemote Host:\\t192.168.1.5\\n\\tRemote Port:\\t61028\\n\\tLocale:\\t\\ten_US\\n2016-03-08 14:42:19,502 INFO [com.hp.ov.nms.ui.framework.util.SignInOutAuditLog] (tomcat-exec-1) Successful Sign In\\n\\tUser Account:\\t\\tsystem\\n\\tNNMi Role:\\t\\tAdministrator (admin)\\n\\tClient Host:\\t192.168.1.5\\n\\tClient Port:\\t61028\\n\\tLocale:\\t\\t{5}\",\"@version\":\"1\",\"@timestamp\":\"2016-03-08T19:42:21.959Z\",\"application\":\"NNMi\",\"beat\":{\"hostname\":\"nnmi-01\",\"name\":\"nnmi-01\"},\"count\":1,\"input_type\":\"log\",\"offset\":5046,\"source\":\"/var/opt/OV/log/nnm/signin.log\",\"type\":\"audit\",\"host\":\"nnmi-01\",\"tags\":[\"beats_input_codec_plain_applied\"]}
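
Added example (not part of the original post, and not Filebeat's own code): a simplified Go model of `negate: true` / `match: after` grouping, run over lines taken from the excerpt above, once with the pattern as posted and once with the same pattern spelled with Go's POSIX class `[[:digit:]]`. The names `groupEvents`, `postedPattern`, `posixPattern` and `sample` are hypothetical, and the POSIX spelling is an assumption added here, evaluated with Go's `regexp` package.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const (
	// Pattern exactly as posted in the multiline config above.
	postedPattern = `^[::digit::]{4}-[::digit::]{2}-[::digit::]{2}`
	// Assumption added here: the same pattern in Go's POSIX class syntax.
	posixPattern = `^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}`
)

// Constructed sample: lines taken from the log excerpt in the post.
var sample = []string{
	"2016-03-08 14:31:49,744 INFO [com.hp.ov.nms.ui.framework.util.SignInOutAuditLog] (tomcat-exec-10) Failed Sign In Attempt",
	"\tUser:\t\tsystem",
	"\tRemote Host:\t192.168.1.5",
	"2016-03-08 14:31:53,658 INFO [com.hp.ov.nms.ui.framework.util.SignInOutAuditLog] (tomcat-exec-10) Successful Sign In",
	"\tUser Account:\t\tsystem",
	"\tNNMi Role:\t\tAdministrator (admin)",
}

// groupEvents is a simplified model of negate: true with match: after:
// a line that does not match the pattern is appended to the current event,
// and a matching line starts a new event.
func groupEvents(pattern string, lines []string) []string {
	re := regexp.MustCompile(pattern)
	var events, cur []string
	for _, line := range lines {
		if re.MatchString(line) && len(cur) > 0 {
			events = append(events, strings.Join(cur, "\n"))
			cur = nil
		}
		cur = append(cur, line)
	}
	if len(cur) > 0 { // whatever is still buffered is emitted on flush
		events = append(events, strings.Join(cur, "\n"))
	}
	return events
}

func main() {
	for _, p := range []string{postedPattern, posixPattern} {
		fmt.Printf("%s -> %d event(s)\n", p, len(groupEvents(p, sample)))
	}
}
```

In Go's regexp syntax `[::digit::]` is an ordinary bracket expression containing the characters `:`, `d`, `i`, `g` and `t`, so no timestamp line matches it and every line is appended to one event; with `[[:digit:]]` the failed and the successful sign-in come out as separate events.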