Filebeat Process multilne XML

Sourabh_Narang · March 8, 2017, 5:28am

I have a log file where I am printing request and response XML bodies. This log file also has some additional lines that are not XML. Example below --

 ===========================================
<request>
  <data>
     abc
</data>
</request>
some random lines concerning the processing of request..
fha;js;fkgak;gj;kj;a
jgahkg;gaj;
Now response follows 
<response>
    <output>
    def
 </output>
</response>
===================================================

How to use use filebeat multiline feature to parse such a data and have each XML as a single event to be sent to logstash?

helloworld · March 8, 2017, 9:09am

I also faced this problem once. I couldn't find the solution. Modifying the log file at the source is one such option. But not always recommended.

andrewkroh · March 11, 2017, 12:29am

I don't think this can be done with Filebeat alone.

One approach would be to use multiline in Filebeat to group all the lines from the request and response into one event.

filebeat.prospectors:
  - paths: ['/my/file.log']
    multiline.pattern: ^<request>
    multiline.negate: true
    multiline.match: after

Then in either Logstash or Ingest Node, use grok to parse the request, response, and text about the request into separate fields.

And after grok'ing out the request and response you could apply an xml filter to parse those messages.

system · March 29, 2017, 5:29am

This topic was automatically closed after 21 days. New replies are no longer allowed.

Topic		Replies	Views
Filebeat and multiline events Logstash	1	184	May 27, 2021
Filebeat - multiline: Ingest XML's without line feed at end of file Beats filebeat	7	3355	October 16, 2017
File beat multiline is not working for XML type of files Beats filebeat	9	5253	July 5, 2017
Filebeat logrotation multiline data loss Beats filebeat	2	559	November 22, 2018
Multi Line Pattern Beats filebeat	1	231	May 20, 2021

Filebeat Process multilne XML

Related topics