I'm trying to track down a bug in the file input that is combining multiline events separated by a blank line. Here's the alerts.log file, which has these events:
** Alert 1460993714.111282277: mail - syslog,linuxkernel,service_availability,
2016 Apr 18 15:35:14 (example) 10.0.84.42->/var/log/syslog
Rule: 5108 (level 12) -> 'System running out of memory. Availability of the system is in risk.'
Apr 18 15:35:13 example kernel: [10514276.882967] Memory cgroup out of memory: Kill process 27060 (php5-fpm) score 594 or sacrifice child
** Alert 1460993722.111282701: mail - syslog,errors,
2016 Apr 18 15:35:22 (example) 10.0.7.182->/var/log/syslog
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Apr 18 15:35:21 example kernel: [34163081.760072] xen:balloon: reserve_additional_memory: add_memory() failed: -17
** Alert 1460993724.111283019: - syslog,access_control,
2016 Apr 18 15:35:24 (example) 10.0.7.182->/var/log/syslog
Rule: 2508 (level 3) -> 'OpenLDAP connection open.'
Apr 18 15:35:24 example slapd[13202]: conn=9520 fd=72 ACCEPT from IP=10.0.0.66:39066 (IP=0.0.0.0:636)
** Alert 1460993728.111283315: - syslog,access_control,
2016 Apr 18 15:35:28 (example) 10.0.7.182->/var/log/syslog
Rule: 2508 (level 3) -> 'OpenLDAP connection open.'
Apr 18 15:35:27 example slapd[13202]: conn=9521 fd=72 ACCEPT from IP=10.0.0.66:39077 (IP=0.0.0.0:636)
** Alert 1460993728.111283611: - syslog,access_control,
2016 Apr 18 15:35:28 (example) 10.0.7.182->/var/log/syslog
Rule: 2508 (level 3) -> 'OpenLDAP connection open.'
Apr 18 15:35:27 example slapd[13202]: conn=9522 fd=72 ACCEPT from IP=10.0.0.66:39078 (IP=0.0.0.0:636)
Here's what I get when running with the stdin input and multiline codec (this is the behavior I want):
cat /tmp/alerts.log | bin/logstash -e 'input { stdin { codec => multiline { pattern => "^$" negate => true what => "previous" } } } output { stdout { codec => rubydebug } }'
Settings: Default pipeline workers: 4
Logstash startup completed
{
"@timestamp" => "2016-04-18T16:02:21.686Z",
"message" => "** Alert 1460993714.111282277: mail - syslog,linuxkernel,service_availability,\n2016 Apr 18 15:35:14 (example) 10.0.84.42->/var/log/syslog\nRule: 5108 (level 12) -> 'System running out of memory. Availability of the system is in risk.'\nApr 18 15:35:13 example kernel: [10514276.882967] Memory cgroup out of memory: Kill process 27060 (php5-fpm) score 594 or sacrifice child",
"@version" => "1",
"tags" => [
[0] "multiline"
],
"host" => "logs.example.com"
}
{
"@timestamp" => "2016-04-18T16:02:21.766Z",
"message" => "\n** Alert 1460993722.111282701: mail - syslog,errors,\n2016 Apr 18 15:35:22 (example) 10.0.7.182->/var/log/syslog\nRule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'\nApr 18 15:35:21 example kernel: [34163081.760072] xen:balloon: reserve_additional_memory: add_memory() failed: -17",
"@version" => "1",
"tags" => [
[0] "multiline"
],
"host" => "logs.example.com"
}
{
"@timestamp" => "2016-04-18T16:02:21.775Z",
"message" => "\n** Alert 1460993724.111283019: - syslog,access_control,\n2016 Apr 18 15:35:24 (example) 10.0.7.182->/var/log/syslog\nRule: 2508 (level 3) -> 'OpenLDAP connection open.'\nApr 18 15:35:24 example slapd[13202]: conn=9520 fd=72 ACCEPT from IP=10.0.0.66:39066 (IP=0.0.0.0:636)",
"@version" => "1",
"tags" => [
[0] "multiline"
],
"host" => "logs.example.com"
}
{
"@timestamp" => "2016-04-18T16:02:21.776Z",
"message" => "\n** Alert 1460993728.111283315: - syslog,access_control,\n2016 Apr 18 15:35:28 (example) 10.0.7.182->/var/log/syslog\nRule: 2508 (level 3) -> 'OpenLDAP connection open.'\nApr 18 15:35:27 example slapd[13202]: conn=9521 fd=72 ACCEPT from IP=10.0.0.66:39077 (IP=0.0.0.0:636)",
"@version" => "1",
"tags" => [
[0] "multiline"
],
"host" => "logs.example.com"
}
Logstash shutdown completed
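As an added example that is not part of the original post and not Logstash's own code, the Ruby script below re-implements the joining rule of the multiline codec (pattern, negate, what) over a constructed, shortened copy of the alerts above, so the stdin output can be reproduced and reasoned about offline. With pattern "^$", negate true and what "previous", the blank separator line is the one line that does not match, so it starts the next event instead of ending the current one; that is why every event after the first begins with "\n". The last alert stays buffered until the codec is flushed, which is consistent with the four events printed for five alerts above. The script also runs a second, assumed configuration (not from the post) that anchors on the "** Alert" header instead of the blank line, so the separator trails the event it belongs to.

```ruby
# Added example, not Logstash's own code: a minimal model of the multiline
# codec's joining rule (pattern / negate / what).

# Constructed, shortened copy of alerts.log: three alerts separated by blank lines.
SAMPLE_ALERTS = <<~LOG
  ** Alert 1460993714.111282277: mail - syslog,linuxkernel,service_availability,
  Rule: 5108 (level 12) -> 'System running out of memory.'

  ** Alert 1460993722.111282701: mail - syslog,errors,
  Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'

  ** Alert 1460993724.111283019: - syslog,access_control,
  Rule: 2508 (level 3) -> 'OpenLDAP connection open.'
LOG

class MultilineJoiner
  attr_reader :events # events completed so far, in order

  # what: "previous" appends a matching line to the event before it,
  #       "next" holds a matching line and joins it with the line after it.
  def initialize(pattern:, negate: false, what: "previous")
    raise ArgumentError, "what must be previous or next" unless %w[previous next].include?(what)
    @pattern = pattern
    @negate = negate
    @what = what
    @buffer = []
    @events = []
  end

  # Feed one line (without its trailing newline).
  # Returns the event this line completed, or nil if nothing was completed.
  def decode(line)
    matched = !!(line =~ @pattern)
    matched = !matched if @negate
    if @what == "previous"
      if matched
        @buffer << line # belongs to the event being built
        nil
      else
        completed = complete_buffer # a non-matching line starts a new event
        @buffer << line
        completed
      end
    else
      @buffer << line
      matched ? nil : complete_buffer # a non-matching line closes the event
    end
  end

  # Return whatever is still buffered; the real codec only emits this on flush/shutdown.
  def flush
    return nil if @buffer.empty?
    pending = @buffer.join("\n")
    @buffer.clear
    pending
  end

  private

  def complete_buffer
    return nil if @buffer.empty?
    event = @buffer.join("\n")
    @buffer.clear
    @events << event
    event
  end
end

# Run the joiner over a blob of text, separating the events emitted while reading
# from the one still pending at end of input.
def join_multiline(text, pattern:, negate:, what:)
  joiner = MultilineJoiner.new(pattern: pattern, negate: negate, what: what)
  text.lines.map(&:chomp).each { |line| joiner.decode(line) }
  { emitted: joiner.events.dup, pending: joiner.flush }
end

if __FILE__ == $PROGRAM_NAME
  # The post's configuration: every non-blank line is glued to the line before it.
  post = join_multiline(SAMPLE_ALERTS, pattern: /^$/, negate: true, what: "previous")
  post[:emitted].each_with_index { |e, i| puts "event #{i}: #{e.inspect}" }
  puts "pending until flush: #{post[:pending].inspect}"

  # Assumed alternative (not from the post): anchor on the alert header instead.
  header = join_multiline(SAMPLE_ALERTS, pattern: /^\*\* Alert /, negate: true, what: "previous")
  header[:emitted].each_with_index { |e, i| puts "header-anchored event #{i}: #{e.inspect}" }
end
```

Running it prints the second and third events of the post's configuration with a leading "\n" and leaves the third alert pending; the header-anchored run instead ends each completed event with the separator newline and leaves the third alert pending without it.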