Filebeat multiline Pattern on Apache Logs does not work as expected (Filebeat -> Logstash -> ES)

Bndlr · April 6, 2022, 11:44am

Hello,

if have the following multiline pattern in Filebeat Configuration:

multiline.pattern: ^((-)*[0-9]{4}-[0-9]{2}-[0-9]{2}|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} )

to handle mulitline Log Patterns that contains a timestamp first (Tomcats catalina.log) OR an IP Adress like in the Apache Proxy Logs.

With the catalina.log everything work as expected.
But from the Apache Log a got several LogLines in ONE Message.

leandrojmp · April 6, 2022, 12:18pm

Please share your full filebeat.yml file and also a sample of both log types you are collecting.

If the format of your logs are different, you should not use the same multiline pattern.

Bndlr · April 7, 2022, 6:23am

Filebeat.yml

filebeat.inputs:
- type: docker
  enabled: true
  containers.ids: '*'

  multiline.pattern: ^((-)*[0-9]{4}-[0-9]{2}-[0-9]{2}|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} )
  multiline.negate: true
  multiline.match: after

#============================= Filebeat modules ===============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

output.logstash:
 hosts: ["${Elastic_Host}"]

processors:
  - add_docker_metadata:
    labels.dedot: true

catalina.log

2022-04-07 08:20:02,887 [http-nio-8080-exec-77] INFO  performance.http.HttpRequest | session.id= | client.ip=192.168.0.115 | request.id= | service.id= | tenant.id= | jobexecution.id= | sourceFeature.name= - /services/de/npm/core/service/cron/trigger/CronTriggerService/executeTrigger took 2488 ms

Apache Proxy Log

192.168.1.93 - - [07/Apr/2022:08:22:05 +0200] "GET /auth/realms/master/metrics HTTP/1.1" 200 3246

If the format of your logs are different, you should not use the same multiline pattern.

The multiline Pattern has an OR Expression so i don't know why this should not work.

system · May 5, 2022, 8:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat multiline with line breaks Beats	10	2544	June 23, 2017
Filebeat Multiline Config Help Beats filebeat	2	259	September 26, 2020
Filebeat multiline configuration issue Beats filebeat	2	625	March 8, 2018
Filebeat multiline matching Docker log Beats docker , filebeat	1	603	December 24, 2021
Filebeat multiline pattern for PHP stack trace Beats docker , filebeat	2	1123	September 16, 2021

Filebeat multiline Pattern on Apache Logs does not work as expected (Filebeat -> Logstash -> ES)

Related Topics