I have another question on getting multiline to work with syslog, but I thought I'd simplify my configuration a little and remove syslog from the equation.
The Docker Compose config for the filebeat container is

    filebeat:
      image: docker.elastic.co/beats/filebeat:6.3.1
      stdin_open: true
      tty: true
      command: filebeat -v -c /config-dir/filebeat.yml
      restart: always
      volumes:
        - ./log-cfg/filebeat.yml:/config-dir/filebeat.yml
        - ./beat-in/:/beat-in/

and the filebeat configuration is

    filebeat.inputs:
    - type: log
      paths:
        - /beat-in/*.log
      multiline:
        pattern: '^[[:space]]'
        negate: false
        match: after
    output:
      console.pretty: false

After a docker-compose up filebeat I open a second terminal and run

    cat <<EOF > ./beat-in/foo.log
    2018-07-07 foo
     bar
    EOF

The two added lines are picked up by filebeat, but I get two messages out, despite the multiline configuration above:
{"@timestamp":"2018-07-07T17:36:03.793Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.3.1"},"offset":38,"message":"2018-07-07 foo","source":"/beat-in/foo.log","prospector":{"type":"log"},"input":{"type":"log"},"beat":{"hostname":"4e19f393b815","version":"6.3.1","name":"4e19f393b815"},"host":{"name":"4e19f393b815"}}
{"@timestamp":"2018-07-07T17:36:03.793Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.3.1"},"source":"/beat-in/foo.log","offset":53,"message":" bar","prospector":{"type":"log"},"input":{"type":"log"},"beat":{"name":"4e19f393b815","hostname":"4e19f393b815","version":"6.3.1"},"host":{"name":"4e19f393b815"}}
Clearly I'm missing something here, but what?
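
An added example, not part of the original post: the pattern above is missing the closing colon of the POSIX class `[[:space:]]`, and the Go program below runs both spellings over the two lines from the post. It uses Go's `regexp` package (Filebeat is written in Go); `groupMultiline` is a hypothetical, simplified model of `negate: false` / `match: after`, not Filebeat's own code.

```go
package main

import (
	"fmt"
	"regexp"
)

// groupMultiline is a simplified model (an assumption, not Filebeat's code) of
// multiline with negate: false, match: after: a line that matches the pattern
// is appended to the event before it; any other line starts a new event.
func groupMultiline(pattern string, lines []string) ([]string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	var events []string
	for _, line := range lines {
		if re.MatchString(line) && len(events) > 0 {
			events[len(events)-1] += "\n" + line
			continue
		}
		events = append(events, line)
	}
	return events, nil
}

// sampleLines are the two "message" values shown in the post's output.
var sampleLines = []string{"2018-07-07 foo", " bar"}

func main() {
	for _, p := range []string{`^[[:space]]`, `^[[:space:]]`} {
		events, err := groupMultiline(p, sampleLines)
		if err != nil {
			fmt.Println(p, "does not compile:", err)
			continue
		}
		fmt.Printf("%-14s -> %d event(s): %q\n", p, len(events), events)
	}
	// Without the second colon the bracket expression is a set of literal
	// characters ('[', ':', 's', 'p', 'a', 'c', 'e') followed by a literal ']',
	// so only a constructed line such as "s] odd" counts as a continuation.
	odd, _ := groupMultiline(`^[[:space]]`, []string{"first", "s] odd"})
	fmt.Printf("constructed input -> %d event(s): %q\n", len(odd), odd)
}
```

The typo'd pattern compiles without error, which is why Filebeat starts normally and the only symptom is that continuation lines are emitted as separate events.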