Gelf input with multiline

111228 · June 5, 2020, 8:52am

Hello all
Tell me how to configure correctly PHP errors with Stack trace in multiline.
I have such messages
1 message ) [05-Jun-2020 11:35:39 Europe/Kiev] PHP Fatal error: require(): Failed opening required 'askldjalksnas' (include_path='.:/usr/local/lib/php') in /srv/src/myproject/sites/workfolder/121/error.php on line 3
2 message )
[05-Jun-2020 11:35:39 Europe/Kiev] PHP Stack trace:
3 message )
[05-Jun-2020 11:35:39 Europe/Kiev] PHP 1. {main}() /srv/src/myproject/sites/workfolder/121/error.php:0

But I want to connect these messages
my settings:
Input
gelf {
port_udp => 14223
tags => naf1_php
use_udp => true
type => naf1_php
host => "0.0.0.0"
codec => multiline {
pattern => "(.+PHP Stack trace: .+)"
negate => true
what => "previous"
}
}

filter
grok {
match => [ "message", "[%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} %{WORD:zone}/%{WORD:country}] PHP %{DATA:error_level}: %{GREEDYDATA:error}" ]
add_field => { "timestamp" => "%{day}-%{month}-%{year} %{time} %{zone}/%{country}" }
add_tag => [ "%{level}" ]
remove_field => [ "day", "month", "year", "time", "zone", "country" ]
}

But it doesn 't work
I tried to change pattern on "(.+PHP Stack trace: .+)" But it didn 't help too

Badger · June 5, 2020, 2:11pm

Please do not post pictures of text, they are hard to read and not searchable.

111228 · June 5, 2020, 2:31pm

Sorry I remade

Badger · June 5, 2020, 3:25pm

You do not need the (.+ or the .+), and there is no space after the colon in your sample data, so this will never match.

There is not really enough sample data to make it clear what you want to do. If you want to combine those three lines then

 pattern => 'PHP Stack trace:|PHP Fatal error' negate => false what => "next"

might be good for you. However, if you want to handle a multi-line stack trace you pretty much have to use

 pattern => 'PHP Stack trace:' negate => true what => "previous"

but that will capture the following 'PHP Fatal error', not the previous one. I suspect a multiline codec cannot do what you want to do.

system · July 3, 2020, 3:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiline input codec not working (php stacktrace) Logstash	1	507	September 13, 2019
Codec in gelf input plugin not working Logstash	6	280	July 21, 2022
Gelf to multiline filter messes up newlines Logstash	2	1852	July 6, 2017
Need help with Parsing Multiline StackTrace Logstash	5	2781	July 31, 2019
Multiline parsing error Logstash	2	219	January 3, 2021

Gelf input with multiline

Related Topics