Logstash vs rsyslog java stack multiline issue

Marcello_A · August 18, 2017, 4:22pm

I think that this is the final configuration:

input {
  syslog {
    type => "docker-dev-support"
    host => "0.0.0.0"
    port => 6000
    codec => multiline {
      pattern => "^<%{NUMBER}>%{NUMBER} %{TIMESTAMP_ISO8601} %{NOTSPACE} %{NOTSPACE} %{NUMBER} - - (%{TIMESTAMP_ISO8601}|%{IPORHOST}|\[%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}\])"
      negate => true
      what => "previous"
    }
  }
}

filter {
  if [type] == "docker-dev-support" {
    grok {
      patterns_dir => ["/etc/logstash/patterns/"]
      match => { "message" => "%{DOCKERSYSLOG}" }
    }
    if "_grokparsefailure_sysloginput" in [tags] {
      mutate {
        remove_tag => [ "_grokparsefailure_sysloginput" ]
      }
    }
    mutate {
      remove_field => [ "message" ]
    }
  }
}

output {
if [type] == "docker-dev-support" {
elasticsearch {
action => "index"
codec => "plain"
hosts => [ "http://localhost:9200" ]
index => "logstash-docker-test-dev-support-%{+YYYY.MM.dd}"
}
}
}

I need to check if the logstash wait a new closing line to store the last rows processed into the multiline pipeline.

Topic		Replies	Views
Multiline issue with 2 different patterns for a single event Logstash	13	1499	July 6, 2017
Making the best of an existing Syslog stream Logstash	3	1075	September 15, 2019
Config file for multiple multiline patterns Logstash	9	5430	October 5, 2017
Logstash unable to parse multiline Logstash	3	1120	November 9, 2017
Multiline Java Stack Traces with Syslog Logstash	2	1697	March 21, 2017

Logstash vs rsyslog java stack multiline issue

Related topics