Hello everyone,
I am currently having a hard time trying to parse a customized log to logstash using filebeat. My servers are windows servers, using the latest version of filebeat 7.0.12.
the sample log
Received XML Message:
SECURITYLOGINBATCH list4<USER_NAME>USERNAME</USER_NAME>PASSWORD<ZONE_ID>1</ZONE_ID>NoYes
20210422 05:00:06:351 - [INFO] 'SECURITY / LOGIN' Received from '' on 127.0.0.1
20210422 05:00:06:429 - [INFO] TEXT...
20210422 05:00:06:445 - [INFO] TEXT...
20210422 05:00:06:445 - [INFO] TEXT...
20210422 05:00:06:445 - [INFO] TEXT...
20210422 05:00:06:445 - [INFO] TEXT...
Sent XML Message:
SecurityLoginSuccess<SESSION_ID>0</SESSION_ID><SERVER_VERSION>4</SERVER_VERSION><SERVER_EDITION>Enterprise</SERVER_EDITION><PASSWORD_EXPIRED>No</PASSWORD_EXPIRED><LIST_SET_ID/><DEFAULT_RANK/><DEFAULT_DETECT_COUNTRY/><DEFAULT_DETECT_VESSEL/><USER_ZONE_ID>1</USER_ZONE_ID><USER_ZONE_NAME/><USER_ID>999</USER_ID><PROFILES_COUNT>1</PROFILES_COUNT><PROFILE_ID>999</PROFILE_ID><PROFILE_NAME>WC</PROFILE_NAME><GROUPS_COUNT>1</GROUPS_COUNT><GROUP_ID>999</GROUP_ID><GROUP_NAME>NAME</GROUP_NAME>
Example of what the log looks like formatted on server
I am using the below to try and grab the whole log, which is not currently working.
multiline.pattern: '(?im)^Received XML Message:'
multiline.negate: true
multiline.match: after
multiline.flush_pattern: '(?im)^Sent XML Message:\r?\n<XML.*'
Any idea how i can manage to parse the full message please?