I have correctly configured Filebeat to deal with a multiline event generated by ISC's Kea software.
I want to parse that event into various fields, but none of my grok statements are matching. I think it may have to do with EOL, but my attempts to use things like \n or $ are not matching. Here's an example of an event:
2019-10-14T12:01:11.131-0400 INFO [kea-dhcp-ddns.d2-to-dns/13043] DHCP_DDNS_ADD_SUCCEEDED DHCP_DDNS Request ID 000001152FBA39EEA026B1D7B5E76088BBD4FBA6835B4854D3994882B13FA1279FDD84: successfully added the DNS mapping addition for this request: Type: 0 (CHG_ADD) Forward Change: yes Reverse Change: yes FQDN: [ddns-192-168-17-103.dhcp.ldev.] IP Address: [192.168.17.103] DHCID: [000001152FBA39EEA026B1D7B5E76088BBD4FBA6835B4854D3994882B13FA1279FDD84] Lease Expires On: 20191014170111 Lease Length: 3600
I want to parse some fields from the first line, and from each line after that one.
I'm stuck on how to parse field data from the multiline event. Any pointers?
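One way to split the event above into fields, as an added example that is not part of the original post: a Python parser that lets `.` cross newlines and cuts each value at the next known label. The function name, the output field names and the positions of the line breaks in the sample are assumptions; the labels and values are taken from the event shown in the post.

```python
import re

# Header fields from the first line; re.DOTALL lets "rest" span the continuation lines.
HEADER = re.compile(
    r"^(?P<timestamp>\S+)\s+(?P<level>[A-Z]+)\s+\[(?P<logger>[^/\]]+)/(?P<pid>\d+)\]\s+"
    r"(?P<message_id>[A-Z0-9_]+)\s+(?P<rest>.*)$", re.DOTALL)
REQUEST_ID = re.compile(r"Request ID (?P<request_id>[0-9A-F]+):")
# Labels as they appear in the sample event in the post.
LABELS = ["Type", "Forward Change", "Reverse Change", "FQDN", "IP Address",
          "DHCID", "Lease Expires On", "Lease Length"]
ALT = "|".join(re.escape(label) for label in LABELS)
# A value runs until the next known label or the end of the event, so the same
# pattern works whether fields are separated by newlines or by spaces.
FIELD = re.compile(rf"\b(?P<key>{ALT}):\s*(?P<value>.*?)\s*(?=(?:{ALT}):|\Z)", re.DOTALL)

def parse_kea_ddns(event):
    """Return a dict of fields, or None if the header line does not match."""
    header = HEADER.match(event)
    if header is None:
        return None
    fields = {k: header.group(k) for k in ("timestamp", "level", "logger", "pid", "message_id")}
    rest = header.group("rest")
    request = REQUEST_ID.search(rest)
    if request:
        fields["request_id"] = request.group("request_id")
    for match in FIELD.finditer(rest):
        key = match.group("key").lower().replace(" ", "_")
        fields[key] = match.group("value").strip("[]")  # drop the [ ] wrapping
    return fields

# Sample rebuilt from the event in the post; the line-break positions are an assumption.
DHCID = "000001152FBA39EEA026B1D7B5E76088BBD4FBA6835B4854D3994882B13FA1279FDD84"
LINES = [
    "2019-10-14T12:01:11.131-0400 INFO [kea-dhcp-ddns.d2-to-dns/13043] "
    "DHCP_DDNS_ADD_SUCCEEDED DHCP_DDNS Request ID " + DHCID + ": successfully added "
    "the DNS mapping addition for this request: Type: 0 (CHG_ADD)",
    "Forward Change: yes", "Reverse Change: yes",
    "FQDN: [ddns-192-168-17-103.dhcp.ldev.]", "IP Address: [192.168.17.103]",
    "DHCID: [" + DHCID + "]", "Lease Expires On: 20191014170111", "Lease Length: 3600",
]
SAMPLE_MULTILINE = "\n".join(LINES) + "\n"
SAMPLE_FLAT = " ".join(LINES)

if __name__ == "__main__":
    for name, value in parse_kea_ddns(SAMPLE_MULTILINE).items():
        print(f"{name}: {value}")
```

In a grok pattern the counterpart of `re.DOTALL` is a leading `(?m)`, which in the Oniguruma regex engine makes `.` (and so `GREEDYDATA`) match across newlines.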