I have many log look like (json array)
This is raw log
[{"CreationTime":"2017-06-17T06:28:56","Id":"77bf08c6-5bb9-4333-a394-03f181d7250a","Operation":"UserLoggedIn","OrganizationId":"4ebc33361-871a-44c5-93a5-60eb590917cd","RecordType":15,"ResultStatus":"Succeeded","UserKey":"10037FFE9D6C9759@fpt.com.vn","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"116.96.81.65","ObjectId":"00000002-0000-0ff1-ce00-000000000000","UserId":"ManhNT16@company.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"},{"Name":"UserAuthenticationMethod","Value":"65"},{"Name":"RequestType","Value":"WsFederation:wsfederation"},{"Name":"ResultStatusDetail","Value":"Success"}],"Actor":[{"ID":"f6a73d23-ddba-4333-9106-08efaee81e0e","Type":0},{"ID":"ManhNT16@company.com","Type":5},{"ID":"10037FFE9D6C9759","Type":3}],"ActorContextId":"4ebc9261-333a-44c5-93a5-60eb590917cd","ActorIpAddress":"116.96.81.65","InterSystemsId":"2948868c-6f8a-4b13-a44a-8011b254559d","IntraSystemId":"d5fef7d3-3337-45a2-b91b-b8f004ae1300","Target":[{"ID":"00000002-0000-0ff1-ce00-000000000000","Type":0}],"TargetContextId":"4ebc9261-871a-44c5-93a5-60eb590917cd","ApplicationId":"00000002-0000-0ff1-ce00-000000000000"}]
How to make filebeat read log above ? I know that filebeat does not start with [ and combines them with the previous line that does.
I add some config but it's not work. Filebeat can't read log file
multiline.pattern: '^['
multiline.negate: true
multiline.match: after
And here is friendly log
[
{
"CreationTime": "2017-06-17T06:28:56",
"Id": "77bf08c6-5bb9-41d1-a394-03f181d7250a",
"Operation": "UserLoggedIn",
"OrganizationId": "4ebc9261-871a-44c5-93a5-60eb333317cd",
"RecordType": 15,
"ResultStatus": "Succeeded",
"UserKey": "10037AAA9D6C9759@mycompany.com",
"UserType": 0,
"Version": 1,
"Workload": "AzureActiveDirectory",
"ClientIP": "116.96.81.65",
"ObjectId": "00000002-1111-0ff1-ce00-000000000000",
"UserId": "ManhNT16@mycompany.com",
"AzureActiveDirectoryEventType": 1,
"ExtendedProperties": [
{
"Name": "UserAgent",
"Value": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
},
{
"Name": "UserAuthenticationMethod",
"Value": "65"
},
{
"Name": "RequestType",
"Value": "WsFederation:wsfederation"
},
{
"Name": "ResultStatusDetail",
"Value": "Success"
}
],
"Actor": [
{
"ID": "f6a73d23-ddba-4552-9106-08efeee81e0e",
"Type": 0
},
{
"ID": "ManhNT16@mycompany.com",
"Type": 5
},
{
"ID": "10037AAA9D6C9759",
"Type": 3
}
],
"ActorContextId": "4ebc9261-871a-44c5-93a5-60eb333917cd",
"ActorIpAddress": "116.96.81.65",
"InterSystemsId": "2948868c-6f8a-4b13-a44a-8011b334559d",
"IntraSystemId": "d5fef7d3-4417-45a2-b91b-b8f033ae1300",
"Target": [
{
"ID": "00000002-0000-0ff1-ce00-000000000000",
"Type": 0
}
],
"TargetContextId": "4ebc9261-871a-44c5-93a5-60eb333917cd",
"ApplicationId": "00000002-0000-0ff1-ce00-000000000000"
}
]