I want to monitor "messages" and my application log. To do that I defined two patterns in grok (one for messages and the other for the exceptions in my application):
filter {
  if [type] == "log" {
    grok {
      # first pattern: syslog lines from the "messages" file;
      # second pattern: the application's multi-line exception block
      match => { "message" => [
        "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" ,
        "(Exception in \*\*\*) (?<Level>.*)(\*\*\* occured.\nDate&Time: )%{TIMESTAMP_ISO8601:timestamp}\n(Root:)(?<Message.Root>(.|\r|\n)*[^\*]{5,})
        ((\*|\n)*)(ExceptionList:)(?<Message.ExceptionList>(.|\r|\n)*)"
        ]
      }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    # derive syslog facility/severity from syslog_pri
    syslog_pri { }
    # set @timestamp from the syslog timestamp (no year in the source format)
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
and this is my Elasticsearch index pattern:
{
  "mappings": {
    "_default_": {
      "_all": {
        "enabled": true,
        "norms": {
          "enabled": false
        }
      },
      "dynamic_templates": [
        {
          "template1": {
            "mapping": {
              "doc_values": true,
              "ignore_above": 50000,
              "index": "not_analyzed",
              "type": "{dynamic_type}"
            },
            "match": "*"
          }
        }
      ],
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "message": {
          "type": "string",
          "index": "analyzed"
        },
        "offset": {
          "type": "long",
          "doc_values": "true"
        },
        "geoip": {
          "type": "object",
          "dynamic": true,
          "properties": {
            "location": { "type": "geo_point" }
          }
        }
      }
    }
  },
  "settings": {
    "index.refresh_interval": "2s"
  },
  "template": "filebeat-*"
}
Kibana shows the messages from the "messages" file perfectly, but my specific log is broken into multiple lines. What is my problem?
Thank you.
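Added example, not part of the post above and not the poster's code. The second grok pattern contains literal `\n` and `(.|\r|\n)*`, so it can only match an event that already holds the whole exception block; if the shipper delivers each physical line of the application log as its own event, the pattern never matches and the lines land in Kibana one by one. The script below transliterates that pattern into Python (assumptions: grok's `(?<name>...)` captures become `(?P<name>...)`, the dotted field names `Message.Root` and `Message.ExceptionList` become `Message_Root` and `Message_ExceptionList` because Python group names cannot contain a dot, and `%{TIMESTAMP_ISO8601}` is replaced by a simplified ISO-8601 regex) and runs it over a constructed exception block delivered both ways. The line-joining rule in `events_multiline` is the one Filebeat's `multiline.pattern` / `multiline.negate: true` / `multiline.match: after` settings apply; that Filebeat is the shipper is an assumption suggested only by the `filebeat-*` template. All function names are this example's own.

```python
import re

# Python transliteration of the exception pattern from the post. Assumptions:
# grok's (?<name>...) captures become Python's (?P<name>...); the dotted field
# names Message.Root / Message.ExceptionList become Message_Root /
# Message_ExceptionList because Python group names cannot contain '.'; and
# %{TIMESTAMP_ISO8601} is replaced by a simplified ISO-8601 regex.
ISO8601 = (
    r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:\.\d+)?)?"
    r"(?:Z|[+-]\d{2}:?\d{2})?"
)
EXCEPTION_RE = re.compile(
    r"(Exception in \*\*\*) (?P<Level>.*)(\*\*\* occured.\nDate&Time: )"
    r"(?P<timestamp>" + ISO8601 + r")\n"
    r"(Root:)(?P<Message_Root>(.|\r|\n)*[^\*]{5,})"
    r"((\*|\n)*)(ExceptionList:)(?P<Message_ExceptionList>(.|\r|\n)*)"
)

# Constructed sample (not taken from the post): one exception as the
# application writes it, spread over five physical lines.
SAMPLE_BLOCK = """Exception in *** ERROR *** occured.
Date&Time: 2016-03-01T10:15:30
Root:NullPointerException at Foo.bar
***
ExceptionList:java.lang.NullPointerException at Foo.bar
"""

# Start-of-event rule: a new event begins at a line starting with
# "Exception in ***"; every other line continues the previous event.
EVENT_START = re.compile(r"^Exception in \*\*\*")


def parse_exception(event):
    """Apply the pattern to one event the way grok does (unanchored search).
    Returns the captured fields, whitespace-stripped, or None on no match."""
    m = EXCEPTION_RE.search(event)
    if m is None:
        return None
    return {name: value.strip() for name, value in m.groupdict().items()}


def events_per_line(block):
    """What a line-oriented shipper emits: one event per physical line."""
    return [line for line in block.splitlines() if line]


def events_multiline(block):
    """Join continuation lines onto the preceding start line. This is the
    behaviour of Filebeat's multiline.pattern / multiline.negate: true /
    multiline.match: after (assumption: Filebeat is the shipper, suggested
    only by the filebeat-* template in the post)."""
    events = []
    for line in block.splitlines():
        if EVENT_START.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def compare(block):
    """Run the pattern over the block delivered both ways and return
    (results for one-event-per-line, results for joined events)."""
    per_line = [parse_exception(e) for e in events_per_line(block)]
    joined = [parse_exception(e) for e in events_multiline(block)]
    return per_line, joined


if __name__ == "__main__":
    per_line, joined = compare(SAMPLE_BLOCK)
    print("one event per line :", per_line)   # every entry is None
    print("lines joined       :", joined)     # one fully parsed event
```

Run stand-alone, the first list is all `None` (no single line satisfies the `\n` inside the pattern) and the second holds one dict with `Level`, `timestamp`, `Message_Root` and `Message_ExceptionList` filled; the `[^\*]{5,}` tail of the Root capture also stops it from swallowing the `***` separator. Whatever does the joining (Filebeat's multiline settings before the event is shipped, or a multiline codec in Logstash), the check to make before blaming grok is whether the event that reaches the filter still contains the line breaks.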