Multi Line Pattern

Hello everyone,

I am currently having a hard time trying to parse a customized log to logstash using filebeat. My servers are windows servers, using the latest version of filebeat 7.0.12.

the sample log

Received XML Message:
SECURITYLOGINBATCH list4<USER_NAME>USERNAME</USER_NAME>PASSWORD<ZONE_ID>1</ZONE_ID>NoYes

20210422 05:00:06:351 - [INFO] 'SECURITY / LOGIN' Received from '' on 127.0.0.1
20210422 05:00:06:429 - [INFO] TEXT...
20210422 05:00:06:445 - [INFO] TEXT...
20210422 05:00:06:445 - [INFO] TEXT...
20210422 05:00:06:445 - [INFO] TEXT...
20210422 05:00:06:445 - [INFO] TEXT...

Sent XML Message:
SecurityLoginSuccess<SESSION_ID>0</SESSION_ID><SERVER_VERSION>4</SERVER_VERSION><SERVER_EDITION>Enterprise</SERVER_EDITION><PASSWORD_EXPIRED>No</PASSWORD_EXPIRED><LIST_SET_ID/><DEFAULT_RANK/><DEFAULT_DETECT_COUNTRY/><DEFAULT_DETECT_VESSEL/><USER_ZONE_ID>1</USER_ZONE_ID><USER_ZONE_NAME/><USER_ID>999</USER_ID><PROFILES_COUNT>1</PROFILES_COUNT><PROFILE_ID>999</PROFILE_ID><PROFILE_NAME>WC</PROFILE_NAME><GROUPS_COUNT>1</GROUPS_COUNT><GROUP_ID>999</GROUP_ID><GROUP_NAME>NAME</GROUP_NAME>

Example of what the log looks like formatted on server

image895×214 7.48 KB

I am using the below to try and grab the whole log, which is not currently working.

multiline.pattern: '(?im)^Received XML Message:'
multiline.negate: true
multiline.match: after
multiline.flush_pattern: '(?im)^Sent XML Message:\r?\n<XML.*'

Any idea how i can manage to parse the full message please?

If you have a question about filebeat you would be better off asking in the beats forum rather than the logstash forum.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.