Issue with Multiline Logs

Vivek_Sharma · August 17, 2017, 1:53pm

Hi

I am trying to read log file with multilines for a single log.

I have configured filebeat.yml as below:

> - input_type: log 
>   paths:
>     - C:\ELK\*.log
>   fields: 
>     tech_stack: XXX
>     kpi_type: YYY
> 
>   multiline.pattern: '^([Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec])\w+\s(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])\s(?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)'
>   multiline.negate: true
> 
>   multiline.match: after

Logstash has been defined as below:

> input {
>   beats {
>     port => 5044
>   }
>    
> }
> 
>   filter {
>   grok {
>     match => { "message" => [
> #	For reading STO log files. This will be common for both start and stop service success scenario
> 	"%{SYSLOGTIMESTAMP:timestamp} \[Host:%{HOSTNAME:host_name}\:-1\|Service:%{PROG:log_service_name}\|Context:%{USERNAME:context}\|Session:%{USERNAME:session_id}\|User:%{USERNAME:user_name}\|ApplicationId:%{USERNAME:application_id}\|MessageId:%{USERNAME:message_id}\|CorrelationId:%{USERNAME:correlation_id}\|GeneratingSystem:%{USERNAME:generating_system}\|LogMessage:%{GREEDYDATA:log_message}\|MessageBody:STO_NUMBER:%{USERNAME:sto_number}]\|"
> 	] }
>   }
> 	
>     mutate {
>       add_field => { "tech_stack" => "%{[fields][tech_stack]}" }
> 	  add_field => { "kpi_type" => "%{[fields][kpi_type]}" }
>     }
> }
> 
> output {
>   elasticsearch {
>     hosts => "localhost:9200"
> 	user => "elastic"
> 	password => "changeme"
>     manage_template => false
> 	index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}" 
>     document_type => "%{[@metadata][type]}" 
>   }
>    stdout { codec => rubydebug }
> }

Now my logs are as below:

Jul 29 19:16:43 [Host:dlap-w1is0419.xxxxxxxxx.com:-1|Service:RPU_WWW_RT_CC_Utils.LoggingFramework:logMessage|
Context:a9604140-f805-1469-9704-fffffffaa84d|Session:null|User:Administrator|ApplicationId:RT_IA1424|MessageId:null|CorrelationId:d4e01dbb-17f8-4851-b54b-31074a4a57fb|GeneratingSystem:webMethods|
LogMessage:Service Start :RPU_WWW_RT_PRP_OrderDetails.Maps:mapXXXXXXXXXXXSvc|MessageBody:XXX_NUMBER:1245789654]|

As per filebeat configuration, these three lines of log need to be merged into a single line and then passed to logstash. But logstash is receiving all these logs in separate lines.

Could anyone please help.

steffens · August 17, 2017, 10:03pm

Multiline support is based on regular expression. As the [<chars>] term creates a custom character class, I don't think [Jan|Feb|...] is doing what you'd expect. Use (...) to create an 'or' group. Like (Jan|Feb|...). You can try to shorten the regex to this (the expression should capture a structural pattern, no need to be too strict on actual content): '^[JFMASOND][a-z]{2} \d{2}:\d{2}:\d{2} \['

Btw. since filebeat 5.3 (I think) you can use () to build groups. The matcher in libbeat applies some simple optimizations to the pattern. Like internally optimizing (<terms>) to (?:<terms>).

system · September 14, 2017, 10:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat 1.2.0. multiline Beats filebeat	12	2173	July 5, 2017
Something wrong with multiline Beats filebeat	4	350	August 22, 2018
Multiline logs are not working using filebeat Beats filebeat	1	510	November 19, 2021
Filebeat multiline works as single liners Beats filebeat	2	581	March 4, 2019
Multiline \| Not even working Beats filebeat	3	757	November 3, 2017

Issue with Multiline Logs

Related topics