Hi All,
We moved our testing environment from Logstash 1.x to the latest version 2.2.x and we have to import some multiline events from an Openfire instance. The log entries are single lines and, in some cases, an exception like this:

    2016.02.15 22:41:31 org.jivesoftware.openfire.handler.PresenceUpdateHandler - Internal server error. Triggered by packet: .....

We tried to create this rule with the multiline codec but it doesn't work correctly (the lines are skipped).

    file {
      path => "/mnt/openfire/logs/info.log*"
      exclude => "*.gz"
      type => "openfire"
      start_position => "end"
      sincedb_path => "/opt/logstash/tmp/openfire-info.db"
      sincedb_write_interval => 30
      add_field => { "verbosity" => "INFO" }
      codec => multiline {
        pattern => "^%{YEAR}.%{MONTHNUM}.%{MONTHDAY}"
        negate => true
        what => previous
      }
    }

Could someone help us to debug this behavior?
Thanks,
Marcello
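
An added example, not part of the original post: a small Python model of how the `negate => true` / `what => previous` settings above group lines, useful for checking on sample log lines which event each line lands in and what is still held in the buffer. The regexes are simplified approximations of the grok patterns, `group_multiline` is a hypothetical helper, and the sample lines (including the stack trace) are constructed.

```python
import re

# Approximations of the grok patterns YEAR, MONTHNUM and MONTHDAY (assumption:
# simplified from the stock grok definitions). The dots are left unescaped,
# as in the post, so each one matches any single character.
YEAR = r"(?:\d\d){1,2}"
MONTHNUM = r"(?:0?[1-9]|1[0-2])"
MONTHDAY = r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])"
HEADER = re.compile(rf"^{YEAR}.{MONTHNUM}.{MONTHDAY}")


def group_multiline(lines, pattern=HEADER, negate=True):
    """Model of what => previous: returns (emitted_events, pending_buffer)."""
    events, buffer = [], []
    for line in lines:
        matched = bool(pattern.search(line))
        if negate:
            matched = not matched
        if not matched and buffer:
            # A line that does not belong to the previous event closes it.
            events.append("\n".join(buffer))
            buffer = []
        buffer.append(line)
    # Whatever is left has not been emitted yet: it waits for the next header.
    return events, buffer


# Constructed sample in the format shown in the post (stack trace lines invented).
SAMPLE = [
    "2016.02.15 22:41:30 org.example.Component - single line entry",
    "2016.02.15 22:41:31 org.jivesoftware.openfire.handler.PresenceUpdateHandler - Internal server error.",
    "java.lang.NullPointerException",
    "\tat org.example.Handler.process(Handler.java:1)",
    "2016.02.15 22:41:32 org.example.Component - next entry",
]

if __name__ == "__main__":
    events, pending = group_multiline(SAMPLE)
    for event in events:
        print(repr(event))
    print("pending:", pending)
```

In this model the most recent entry stays in the buffer until another line starting with a date arrives, and a line such as `2016-02-15 ...` also counts as a header because the dots in the pattern are unescaped.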