Logstash multiline source validation


I am in the process of building ELK infrastructure for my systems.
I have several filebeats and so far one logstash.
I have several Java servers and apache servers.

As we all know, we have something like stacktrace on Java servers :smiley:

Ultimately, my colleague wants to assemble resources and make one filebeat.

And now my dilemma :slight_smile:

Is there a possibility that if some stacktrace is sent, then some other log may interrupt multiline?

E.g. Stacktrace goes and has 100 lines. In the meantime, apache or another Java server sends a different log. Is this a problem that multiline may have a problem with?

Does the multiline module verify the source?

If there is a problem here, is there a solution?

It would be best if the whole solution was based on the logstash itself.


Yes, this is exactly why the documentation says to do multiline processing in filebeat, and not in a multiline codec on a beats input.
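A simplified model of the interleaving problem confirmed in the reply above, as an added example that is not part of the thread and is not Logstash or Filebeat code. It compares one shared multiline buffer for a merged stream with one buffer per source file; the `START` pattern, the function names and the sample lines are constructed for illustration.

```python
import re

# Assumption: a new log event starts with a date; other lines are continuations.
START = re.compile(r"^\d{4}-\d{2}-\d{2} ")

def join_global(lines):
    """One shared buffer: models multiline applied after sources are merged."""
    events, buf = [], []
    for _source, text in lines:
        if START.match(text) and buf:
            events.append("\n".join(buf))
            buf = []
        buf.append(text)
    if buf:
        events.append("\n".join(buf))
    return events

def join_per_source(lines):
    """One buffer per source: models multiline applied where each file is read."""
    events, bufs = [], {}
    for source, text in lines:
        buf = bufs.setdefault(source, [])
        if START.match(text) and buf:
            events.append((source, "\n".join(buf)))
            buf.clear()
        buf.append(text)
    for source, buf in bufs.items():
        if buf:
            events.append((source, "\n".join(buf)))
    return events

# Constructed sample: two files whose lines arrive interleaved on one stream.
SAMPLE = [
    ("app1.log", "2024-01-01 10:00:00 ERROR Unhandled exception"),
    ("app1.log", "java.lang.IllegalStateException: boom"),
    ("app2.log", "2024-01-01 10:00:00 INFO Login ok user=alice"),
    ("app1.log", "    at com.example.Service.run(Service.java:42)"),
    ("app1.log", "    at com.example.Main.main(Main.java:7)"),
    ("app2.log", "2024-01-01 10:00:01 INFO Logout user=alice"),
]

if __name__ == "__main__":
    for event in join_global(SAMPLE):
        print("GLOBAL    :", repr(event))
    for source, event in join_per_source(SAMPLE):
        print("PER-SOURCE:", source, repr(event))
```

With the shared buffer, the stack frames from `app1.log` end up attached to the unrelated login event from `app2.log`, and the exception event loses its frames; with per-source buffers each event stays intact.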

Ok. It makes sense :slight_smile:

In that case we are moving multiline to filebeat.

Let's assume that this filebeat will have e.g. 5 Java servers connected. Will filebeat know what to assign? Do I parse files "separately"? Will I have to install filebeat per Java server?

