Currently, Filebeat expects one JSON object per line, not a JSON array. In the future we might overcome this limitation.
If you don't have control over the log format, you can still remove the JSON settings under the log prospector.
Remove these lines:
json.keys_under_root: true
json.add_error_key: true
Then have the decode_json_fields processor parse the log instead.
This is the output I get:
{
"@timestamp": "2018-05-07T14:43:41.233Z",
"@metadata": {
"beat": "filebeat",
"type": "doc",
"version": "7.0.0-alpha1"
},
"offset": 1048,
"message": [
{
"signpostID": "0",
"subsystem": "com.apple.sharing",
"category": "AirDrop",
"threadID": "6008981",
"activityIdentifier": "0",
"parentActivityIdentifier": "0",
"timezoneName": "",
"traceID": "9261530138935300",
"senderImageUUID": "34BD8CEF-7770-3DF6-9B02-B32788EA0C35",
"senderImagePath": "/usr/libexec/sharingd",
"timestamp": "2018-05-07 08:04:36.381104-0400",
"machTimestamp": "1557005637979752",
"eventMessage": "startSending, validated airdrop items. properties: {\n ConvertMediaFormats = 0;\n Files = (\n {\n ConvertMediaFormats = 0;\n FileBomPath = \"./lunch.pdf\";\n FileIsDirectory = 0;\n FileName = \"lunch.pdf\";\n FileType = \"com.adobe.pdf\";\n }\n );\n ReceiverComputerName = \"Tim\\U2019s iPhone\";\n ReceiverID = daffcc6a517d;\n VerifiableIdentity = 0;\n}",
"processID": "45882",
"senderProgramCounter": "1086398",
"messageType": "Default",
"eventType": "logEvent",
"source": null,
"processImagePath": "/usr/libexec/sharingd",
"processImageUUID": "34BD8CEF-7770-3DF6-9B02-B32788EA0C35"
}
],
"tags": [
"airdrop"
],
"prospector": {},
"input": {
"type": "log"
}
}