rosselg
March 24, 2017, 9:35am
1
Hi folks,
Filebeat applies the "multiline coded", even if the log file doesn't contains any multiline logs.
I guess this is related to Drupal log mechanism, as the log file is written every 10sec. with all the logs that occurred during the last 10sec (I assume for less Disk's I/O).
My filebeat is configured as follow:
filebeat:
output:
Logstash is configured with the following pattern:
match => { 'message' => '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:logdate}\] "(?:%{WORD:method} %{URIPATH:URLpath}(?:%{URIPARAM:URLquery})?(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:responseCode} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{NUMBER:responseTime} \[id\: %{WORD:XSolidRequestID}\]'}
And the context.xml is the following:
Many thanks in advance!
rosselg
March 27, 2017, 9:54am
3
Hi @ruflin ,
Thanks for your response.
Here some logs output:
10.10.10.50 - - [24/Mar/2017:23:59:56 +0100] "GET /myAPP/myAPPapi/quotes/1102994-SWX-CHF?fields=CASH_LINK,M_NAME,M_TREND,M_CUR:value:id,SC_GROUPED,M_VALOR,M_SYMB,M_MARKET:value:id,M_ISIN,COMPFULLNAME,LVAL,I_NET_VPERPR_V,I_NET_VPERPR_V_PR,EUSIPA:id&autologin=myAPP_0 HTTP/1.0" 200 783 "-" "Drupal (+http://drupal.org/)" 38 [id: 1a5c557a6790c80eaf40dcec8b58e170]
No, it should only be single line inside
Regarding the logstash config :
beats {
10- filter:
if [fields][app_type] == "myAPP" {
20-Output
} else if [fields][app_name] == "myAPP" {
steffens
March 28, 2017, 8:14am
4
having no multiline configured in filebeat, filebeat will not execute any multiline logic at all. Filebeat splits the log file on \r\, \n or \r\n symbol. Have you checked you log-file in an hex-editor containing newline symbols (0x0A, 0x0D) ?
rosselg
March 28, 2017, 10:34am
5
Hi guys,
It was my mistake... I had the wrong port configured on a host.
Thanks for the your help
system
April 25, 2017, 10:34am
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.