We collect our infrastructure logs with Filebeat on Elastic Cloud.
We'd like to add a Logstash cluster (multiple Logstash instances, load-balanced) between our Filebeat agents and our Elastic Cloud cluster. The goal here is to leave all the parsing and data transformation to Logstash. However, I think we might have a problem when it comes to handling multiline logs (like exceptions, errors, etc.). We'd like each one to be in only one document, and I think the load balancing might break this.
I know we can handle it from filebeat directly but I was wondering if it was possible to let Logstash do it in this particular configuration.
If you are sending multiline events to Logstash, use the options described here to handle multiline events before sending the event data to Logstash. Trying to implement multiline event handling in Logstash (for example, by using the Logstash multiline codec) may result in the mixing of streams and corrupted data.
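To make the failure mode in the answer above concrete, here is an added example (not part of the original posts and not Elastic's code) that models raw lines being spread over several receivers versus joining them at the shipper first. It assumes a simplified round-robin balancer and constructed sample logs; the regex stands in for a Filebeat multiline pattern, and all function names are hypothetical.

```python
import re
from itertools import cycle

# Constructed sample input: two hosts, each logging a Java-style stack trace.
HOST_A = ["ERROR a: boom", "  at a.Foo(Foo.java:1)", "  at a.Bar(Bar.java:2)", "INFO a: ok"]
HOST_B = ["ERROR b: fail", "  at b.Baz(Baz.java:9)", "INFO b: ok"]

# Assumption: an indented line continues the previous event.
CONTINUATION = re.compile(r"^\s+")


def join_multiline(lines):
    """Append each continuation line to the event that precedes it."""
    events = []
    for line in lines:
        if events and CONTINUATION.match(line):
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events


def round_robin(events, n):
    """Simplified load balancer: hand events to n receivers in turn."""
    receivers = [[] for _ in range(n)]
    for event, idx in zip(events, cycle(range(n))):
        receivers[idx].append(event)
    return receivers


def join_at_receiver(n):
    """Raw lines are shipped; each receiver joins whatever lines reach it."""
    wire = HOST_A + HOST_B
    return [e for r in round_robin(wire, n) for e in join_multiline(r)]


def join_at_source(n):
    """Each shipper joins its own file first; receivers get whole events."""
    wire = join_multiline(HOST_A) + join_multiline(HOST_B)
    return [e for r in round_robin(wire, n) for e in r]


def trace_intact(events):
    """True when host A's full stack trace survives as a single event."""
    return "\n".join(HOST_A[:3]) in events


if __name__ == "__main__":
    for n in (2, 3):
        print(n, "receivers | joined at receiver:", trace_intact(join_at_receiver(n)),
              "| joined at source:", trace_intact(join_at_source(n)))
```

With two receivers, the receiver-side join both splits host A's trace and attaches a host B frame to a host A line, which is the stream mixing the answer warns about.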