Hello,
I would like to merge (or aggregate) auditd logs with logstash. I have see lot of solutions with an agent but it seem tricky to do with a syslog source 
I received auditd messages form multiple sources on a unique logstash pipeline. Each source is a syslog server that centralize auditd messages from multiple hosts.
hosts -> syslog servers -> my logstash.
The multiline option seems not working if i have multiple hosts sending logs at the same time. We cant be sure all messages arrived with right order.
I think i can do this in two step : Firstly logstash receive messages and store them in a file or an index. And in a second time (another pipeline), logstash read this temporary documents and use aggregate filter to merge multi line auditd messages into one new event.
I would like to know if there are others methods, simplier and better, to ingest multiline events with multiple sources on a single logstash pipeline ?
Thank you, Gamb.