Multiline Filebeat

Hi all!

HELP PLEASE! :slight_smile:

I have a log file, each "log" consists of 4 lines and is separated by ** Alert. [Simple enough]

Can somebody try to explain why this is not working??

Example Log:

```
** Alert 1554131277.244802: - pam,syslog,
2019 Apr 01 15:07:57 OSSEC_Hids->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Apr  1 15:07:56 OSSEC_Hids sudo: pam_unix(sudo:session): session closed for user root
```

As shown in the below screenshot:

And I am using

```yaml
multiline:
pattern: '^\*'
negate: true
match: after
```

As shown in the screenshot below:

The regex must work:

I am going crazy.

hey @Jasonespo

not sure if the formatting of your input is incorrect, but the first thing I would check is the indentation of your config
try replacing this:

```yaml
multiline:
pattern: '^\*'
negate: true
match: after
```

with this

```yaml
multiline:
    pattern: '^\*'
    negate: true
    match: after
```

or flatten the config as in the example

```yaml
multiline.pattern: '^\*'
multiline.negate: true
multiline.match: after
```

Hi and thank you for the response @Michal_Pristas.

I have tried both those formats and after restarting filebeat after each change, I was getting the same output.

If the logic is correct I have no idea what else could be wrong.

I want all 4 lines in each alert to be considered as one line, this is what I believe the multiline parameter does?

Tried double quotes? Could be some quirk.

one more thing comes to mind.
is your multiline config under the inputs config section? multiline must be specified for a specific prospector

example:

```yaml
filebeat.prospectors:
- type: log
  paths:
    - /my/path/to/*.log
  multiline:
    pattern: '^\*'
    negate: true
    match: after
```
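To make the semantics of `pattern`, `negate` and `match` concrete, here is an added example (not code from this thread or from Filebeat itself) that reproduces Filebeat's multiline grouping rules in plain Python and runs them over the OSSEC alert lines quoted above. The sample log is constructed from the thread's example with a second alert appended; the function name `multiline_join` and the wrapper `ossec_alerts` are assumptions for illustration. It also goes slightly beyond the thread by implementing `match: before` so the two modes can be compared.

```python
import re

# Constructed sample: the alert quoted in the thread plus a second, made-up alert.
# Each alert is 4 lines and starts with "** Alert".
SAMPLE_LOG = """\
** Alert 1554131277.244802: - pam,syslog,
2019 Apr 01 15:07:57 OSSEC_Hids->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Apr  1 15:07:56 OSSEC_Hids sudo: pam_unix(sudo:session): session closed for user root
** Alert 1554131290.112233: - pam,syslog,
2019 Apr 01 15:08:10 OSSEC_Hids->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Apr  1 15:08:09 OSSEC_Hids sudo: pam_unix(sudo:session): session opened for user root
"""


def multiline_join(lines, pattern, negate=False, match="after"):
    """Group raw lines into events the way Filebeat's multiline settings do.

    pattern: regex tested against each line (unanchored search, like Go's
             MatchString; use '^' in the pattern to anchor at line start).
    negate:  when True, the meaning of "the line matches" is inverted.
    match:   "after"  -> matching lines are appended to the previous event
             "before" -> matching lines are prepended to the next
                         non-matching line
    """
    regex = re.compile(pattern)
    events = []
    buf = []
    for line in lines:
        matched = regex.search(line) is not None
        if negate:
            matched = not matched  # negate flips which lines are "continuations"
        if match == "after":
            if matched and buf:
                buf.append(line)          # continuation of the current event
            else:
                if buf:
                    events.append("\n".join(buf))
                buf = [line]              # this line starts a new event
        elif match == "before":
            buf.append(line)
            if not matched:               # a non-matching line closes the event
                events.append("\n".join(buf))
                buf = []
        else:
            raise ValueError("match must be 'after' or 'before'")
    if buf:
        events.append("\n".join(buf))     # flush whatever is left at EOF
    return events


def ossec_alerts(text):
    """Apply the thread's config: pattern '^\\*', negate: true, match: after."""
    return multiline_join(text.splitlines(), r"^\*", negate=True, match="after")


if __name__ == "__main__":
    for i, event in enumerate(ossec_alerts(SAMPLE_LOG), 1):
        print(f"--- event {i} ({event.count(chr(10)) + 1} lines) ---")
        print(event)
```

With `negate: true` every line that does not start with `*` is glued onto the preceding `** Alert` line, so the eight sample lines become two four-line events. Drop `negate` and the same pattern produces seven events, because only lines starting with `*` are treated as continuations; that is the difference the thread is relying on, and it only takes effect when the `multiline` keys are actually parsed as part of the input (correct indentation, inside the prospector/input block).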
