I am attempting to set up the multiline input for GELF but it doesn't seem to work and I'm not sure why. Is there a way to debug the multiline input, or does anybody know otherwise why this wouldn't be working?
Here's the configuration. I have tried a number of different patterns but none of them seem to work:
    ...
    gelf {
      port => 12201
      type => gelf
      codec => multiline {
        pattern => "^\s"
        what => next
      }
    }
    ...
Other relevant details:
- I am sending logs from the Docker daemon from a different machine via the gelf log driver
- Logs are showing up in Logstash fine, the multiline functionality is the only part that isn't working
- Docker version is 1.13 for the hosts sending logs, version 1.11 on the ELK side
- Logstash and the rest of the ELK stack is running as a container and is v5.2
Any idea what could be causing the problem or how to fix it?