Hi,
I'm trying to do a shift of the current log setup we have in place from text to JSON so that we can accommodate MDC and get more info from our logs.
The current setup is pretty basic with no real changes from the standard setup: Filebeat gets the logs and ships them to logstash.
I changed the logger in our code, used the logstash.LogstashEncoder for the logback.RollingFileAppender
I went in, added the JSON log-related properties to filebeat.yml and am seeing some logs (the live check ones) reaching Kibana however none of the rest are present(not to mention ERROR logs).
filebeat.inputs:
- type: log
enable: "true"
paths:
- /var/log/security_software.log
- /var/log/bsmx_logs/**/*.log
json.message_key: msg
json.keys_under_root: true
json.add_error_key: true
fields_under_root: true
multiline.pattern: '^[:20:]'
multiline.negate: true
multiline.match: after
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
setup.template.settings:
index.number_of_shards: 3
setup.kibana:
output.logstash:
hosts: ["10.1.2.12:5044"]
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
I didn't do any changes to the logstash setup. Could that be the cause?
Any help is much welcome!
LE: I did a bit of additional investigating and it seems that removing the multiline settings resolves my problems.
How could I setup different processing based on the type of the log line(text/JSON)?
I dug around and saw that setting up a processor could work but which one would work for me?