Filebeat on Windows Server R2 2008 Issue

Hi All,

Have been setting filebeat on Windows Server 2008 . The filebeat is installed as service but the problem here is using the multiline .
While parsing the same file through logstash it is parsing properly with the multiline codec in file input but while using filebeat the multiline doesn't work as expected it brings the whole file in a single message.
While going through the forum found that it doesn't support Windows 2008
Just t need help on this.

Log file sample

Application name:
Application type: CFGGVPMCP (145)
Command line: pwcallmgr.exe -service vpMediaControl64 -app MUM_MediaControlPlatform_1 -host HYDDCGENCME1 -port 2020 -sstart
Host name: MUMCCGENMCP1
Start time (UTC): 2019-04-16T15:33:16
Running time: 2:15:25:57
Host info: Windows 6.1.7601, 2, Service Pack 1, 1.0, 0112, 3
File: (652) E:\Ged\MUM_MCP

2019-04-19T12:29:13.402 Int 50035 00A901CB-10E79A18 4460 log varStmntToDate = *****
2019-04-19T12:29:13.402 Int 50035 00A901CB-10E79A18 4460 log varPaymentDueDate =*****
2019-04-19T12:29:13.402 Int 50035 00A901CB-10E79A18 4460 log varPaymentDueDate =*****

For Logstash multiline config
codec => multiline {
pattern => "^%{TIMESTAMP_ISO8601}"
negate => true
what => "previous"
}
For Filebeat multiline
multiline.pattern: '^%{TIMESTAMP_ISO8601}'
multiline.negate: true
multiline.match: after

Hi,

Your multiline pattern is not valid for filebeat because your using a named grok pattern. Logstash multiline codec supports the named grok pattern that come in a file. look at the logstash doc for the multiline codec and you’ll see that it claims support for grok named pattern.

In filebeat you need to write the real regex and you can’t reference a grok named pattern. filebeat has no clue what this is: %{TIMESTAMP_ISO8601}. Logstash does because it fetches the real regex from the named pattern file.

Hi @martinr_ubi ,

Thanks it worked gracefully.
But I was applying same grok time on windows 10 where filebeat 6.3.1 is present and its working over there.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.