Multiline Filebeat

Jasonespo · April 1, 2019, 3:59pm

Hi all!

HELP PLEASE!

I have a log file, each "log" consists of 4 lines and is separated by ** Alert. [Simple enough]

Can somebody try to explain why this is not working??

Example Log:

** Alert 1554131277.244802: - pam,syslog,
2019 Apr 01 15:07:57 OSSEC_Hids->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Apr  1 15:07:56 OSSEC_Hids sudo: pam_unix(sudo:session): session closed for user root

As shown in the below screenshot:

And I am using

multiline:
pattern: '^\*'
negate: true
match: after

As shown in screenshot below:

The regex must work:

I am going crazy.

Michal_Pristas · April 2, 2019, 11:30am

hey @Jasonespo

not sure if the formatting of your input is incorrect but first thing I would check is indentation of you config
try replacing this:

multiline:
pattern: '^\*'
negate: true
match: after

with this

multiline:
    pattern: '^\*'
    negate: true
    match: after

or flatten the config as in the example

multiline.pattern: '^\*'
multiline.negate: true
multiline.match: after

Jasonespo · April 3, 2019, 9:22am

Hi and thank you for the response @Michal_Pristas.

I have tried both those formats and after restarting filebeat after each change, I was getting the same output.

If the logic is correct I have no idea what else could be wrong.

I want all 4 lines in each alert to be considered as one line, this is what I believe the multiline parameter does?

BKG · April 3, 2019, 11:27am

Tried double quotes? Could be some quirk.

Michal_Pristas · April 3, 2019, 11:39am

one more thing comes to mind.
is your multiline config under inputs config section? multiline must specify specific prospector

example:

filebeat.prospectors:
- type: log
  paths:
    - /my/path/to/*.log
  multiline:
    pattern: '^\*'
    negate: true
    match: after

system · May 1, 2019, 11:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.