Afternoon,
I'm having some issues with the multiline codec config and it adding events to the previous message so not being very helpful.
in logstash I have the following input definition
syslog {
id => "input-syslog"
port => 5140
type => "syslog"
codec => multiline {
patterns_dir => [ "/etc/logstash/conf.d/patterns.d" ]
pattern => "(^%{SYSLOGBASE})|(^%{SYSLOGBASE_RFC5424})|(Udp data)"
negate => true
what => "previous"
}
add_field => { "[logstash][host][name]" => "${LOGSTASH_HOSTNAME}" }
}
This seems to be working for some systems that throw a stack trace via syslog occasionally and where RFC5424 messages are sent (they always appear as a single event), but it doesn't appear to like the %{SYSLOGBASE} messages.
So I'm getting those types of messages rolled up
For example:
<134> 12/31/2019:15:01:32 GMT LB-TST-VPX01 0-PPE-0 : default EVENT MONITORUP 17181 0 : Monitor DBSMonServiceBinding_log-collectors-syslog:514_(tcp-default)(#syslog-internal_service-log-collectors-syslog
<134> 12/31/2019:15:01:40 GMT LB-TST-VPX01 0-PPE-0 : default GUI CMD_EXECUTED 17184 0 : User sparkblaze - Remote_ip 192.168.100.6 - Command "show ns config" - Status "Success"
Have I missed something obvious that I can't see at the moment?