How to use json logs and also multiline together

user2416 · December 11, 2020, 1:04am

Hi,

We are using multiline pattern in filebeat but we also have Json logs which doesnt match that multiline pattern. We are seeing both multiline logs and json logs but some json logs are missing and also json logs are being sent to logstash very slow. Here is my configuration

Can someone please help me understand if I am doing something wrong? And how can I get both multiline matching logs and Json format logs.

 - type: log
      paths:
        - /var/lib/docker/containers/*/*.log
      json.message_key: log
      json.keys_under_root: true
      multiline.pattern: '^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{3}\s'
      multiline.negate: true
      multiline.match: after

sample logs
Json

{"log":"{\"level\":30,\"time\":1607639208698,\"service\":\"service\",\"platform\":{\"type\":\"mobile\",\"os\":\"ios\"},\"responseMs\":124,\"hasErrors\":false}}\n","stream":"stdout","time":"2020-12-10T22:26:48.698983505Z"}

Multiline matching logs

{"log":"2020-12-11 01:02:13.182  INFO 1 --- log message"}}\n","stream":"stdout","time":"2020-12-11T01:02:13.182699685Z"}

mtojek · December 14, 2020, 10:00am

Did you try to configure two separate inputs for different kind of logs? One for JSON logs, one for basic multiline?

user2416 · December 16, 2020, 1:35am

@mtojek Logs for each pod are written to /var/lib/docker/containers location on the Kubernetes node, so we cannot have separate inputs for these 2 types of logs. Is there a way I can specify in filebeat that if pod.labels match "apptype1" use multiline and if pod.labels match "apptype2" use json?

mtojek · December 16, 2020, 8:33am

With autodiscover you can experiment with conditions: https://www.elastic.co/guide/en/beats/filebeat/current/configuration-autodiscover.html

system · January 13, 2021, 10:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.