As you have suggest in Multiline issue with 2 different patterns for a single event I have put :
beats {
port=>5044
multiline {
pattern => "^%{TIMESTAMP_ISO8601}"
negate => true
what => "previous"
}
}
and in the beginning of filter before anything I have put :
overwrite => ["message"]
should this configuration work for parsing.