Filebeat multiline Pattern on Apache Logs does not work as expected (Filebeat -> Logstash -> ES)

Hello,

I have the following multiline pattern in the Filebeat configuration:

multiline.pattern: ^((-)*[0-9]{4}-[0-9]{2}-[0-9]{2}|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} )

to handle multiline log patterns that contain a timestamp first (Tomcat's catalina.log) OR an IP address, as in the Apache proxy logs.

With the catalina.log everything works as expected.
But from the Apache log I get several log lines in ONE message.

Please share your full filebeat.yml file and also a sample of both log types you are collecting.

If the formats of your logs are different, you should not use the same multiline pattern.

Filebeat.yml

filebeat.inputs:
- type: docker
  enabled: true
  containers.ids: '*'

  multiline.pattern: ^((-)*[0-9]{4}-[0-9]{2}-[0-9]{2}|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} )
  multiline.negate: true
  multiline.match: after

#============================= Filebeat modules ===============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

output.logstash:
  hosts: ["${Elastic_Host}"]

processors:
  - add_docker_metadata:
      labels.dedot: true

catalina.log

2022-04-07 08:20:02,887 [http-nio-8080-exec-77] INFO  performance.http.HttpRequest | session.id= | client.ip=192.168.0.115 | request.id= | service.id= | tenant.id= | jobexecution.id= | sourceFeature.name= - /services/de/npm/core/service/cron/trigger/CronTriggerService/executeTrigger took 2488 ms

Apache Proxy Log

192.168.1.93 - - [07/Apr/2022:08:22:05 +0200] "GET /auth/realms/master/metrics HTTP/1.1" 200 3246

If the formats of your logs are different, you should not use the same multiline pattern.

The multiline pattern has an OR expression, so I don't know why this should not work.
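One way to check the posted pattern offline, as an added example that is not part of the thread: it compiles the pattern with Go's regexp package and simulates the grouping that `multiline.negate: true` with `multiline.match: after` produces. The `groupEvents` helper is hypothetical, and every sample line except the first Apache line is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// multiline.pattern exactly as posted in the thread's filebeat.yml.
var startOfEvent = regexp.MustCompile(
	`^((-)*[0-9]{4}-[0-9]{2}-[0-9]{2}|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} )`)

// groupEvents is a hypothetical helper that mimics multiline.negate: true with
// multiline.match: after. A line matching the pattern starts a new event;
// any other line is appended to the event before it.
func groupEvents(lines []string) []string {
	var events []string
	for _, line := range lines {
		if len(events) == 0 || startOfEvent.MatchString(line) {
			events = append(events, line)
		} else {
			events[len(events)-1] += "\n" + line
		}
	}
	return events
}

// Constructed input. Only the first Apache line is taken from the thread; the
// catalina message, stack frame, IPv6 line and last line are made up.
var sample = []string{
	"2022-04-07 08:20:02,887 [http-nio-8080-exec-77] ERROR constructed.Example - failed",
	"\tat constructed.Example.run(Example.java:1)",
	`192.168.1.93 - - [07/Apr/2022:08:22:05 +0200] "GET /auth/realms/master/metrics HTTP/1.1" 200 3246`,
	`::1 - - [07/Apr/2022:08:22:06 +0200] "GET / HTTP/1.1" 200 12`,
	`192.168.1.93 - - [07/Apr/2022:08:22:07 +0200] "GET / HTTP/1.1" 200 12`,
}

func main() {
	for i, ev := range groupEvents(sample) {
		first := strings.SplitN(ev, "\n", 2)[0]
		fmt.Printf("event %d, %d line(s): %s\n", i+1, strings.Count(ev, "\n")+1, first)
	}
}
```

In this run the timestamp line and the IPv4 access-log line each start a new event, while the constructed IPv6 line matches neither alternative and is folded into the Apache event before it.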
