Hi all!
HELP PLEASE!
I have a log file, each "log" consists of 4 lines and is separated by ** Alert. [Simple enough]
Can somebody try to explain why this is not working??
Example Log:
** Alert 1554131277.244802: - pam,syslog,
2019 Apr 01 15:07:57 OSSEC_Hids->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Apr 1 15:07:56 OSSEC_Hids sudo: pam_unix(sudo:session): session closed for user root
As shown in the screenshot below:
And I am using
multiline:
pattern: '^\*'
negate: true
match: after
As shown in the screenshot below:
The regex must work:
I am going crazy.
hey @Jasonespo
Not sure if the formatting of your input is incorrect, but the first thing I would check is the indentation of your config.
try replacing this:
multiline:
pattern: '^\*'
negate: true
match: after
with this
multiline:
  pattern: '^\*'
  negate: true
  match: after
or flatten the config as in the example
multiline.pattern: '^\*'
multiline.negate: true
multiline.match: after
Hi and thank you for the response @Michal_Pristas .
I have tried both those formats and after restarting filebeat after each change, I was getting the same output.
If the logic is correct I have no idea what else could be wrong.
I want all 4 lines in each alert to be considered as one line, this is what I believe the multiline parameter does?
BKG
April 3, 2019, 11:27am
Tried double quotes? Could be some quirk.
One more thing comes to mind: is your multiline config under the inputs config section? multiline must be specified under a specific prospector.
example:
filebeat.prospectors:
- type: log
  paths:
    - /my/path/to/*.log
  multiline:
    pattern: '^\*'
    negate: true
    match: after
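To make the discussion above concrete, here is a small Python model of what `multiline.pattern` / `multiline.negate` / `multiline.match` do to a stream of lines, run over OSSEC-style alerts like the one in the first post. This is an added example, not code from the thread or from Filebeat itself; the grouping semantics are my reading of the documented behaviour (a line "matches" when the regex is found in it, `negate` flips which lines count as continuation lines, `after` appends them to the preceding event, `before` prepends them to the following one), and the two-alert sample log is constructed for the demo. The pattern is passed as the raw regex `^\*`, which is what the single-quoted YAML value `'^\*'` yields. The `parse_alert` helper is also mine, to show that once the four lines arrive as one event the rule id, level and description can be pulled out reliably.

```python
import re

# Constructed sample input (not from the thread): two four-line OSSEC alerts
# laid out exactly like the one the original poster showed.
SAMPLE_LOG = """\
** Alert 1554131277.244802: - pam,syslog,
2019 Apr 01 15:07:57 OSSEC_Hids->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Apr 1 15:07:56 OSSEC_Hids sudo: pam_unix(sudo:session): session closed for user root
** Alert 1554131290.531907: - pam,syslog,
2019 Apr 01 15:08:10 OSSEC_Hids->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Apr 1 15:08:09 OSSEC_Hids sudo: pam_unix(sudo:session): session opened for user root by jdoe(uid=0)
"""


def multiline_events(lines, pattern, negate=False, match="after"):
    """Group raw lines into events the way Filebeat's multiline.* settings do.

    Semantics modelled here (assumed from the documented behaviour, not
    Filebeat's own code):
      - a line "matches" when the regex is found anywhere in it;
      - negate=True inverts which lines count as continuation lines;
      - match="after" appends continuation lines to the preceding event,
        match="before" prepends them to the next non-continuation line.
    """
    regex = re.compile(pattern)
    events, buf = [], []
    for line in lines:
        matched = regex.search(line) is not None
        # With negate=True the lines that do NOT match are the continuations.
        continuation = matched != negate
        if match == "after":
            if continuation and buf:
                buf.append(line)
            else:
                if buf:
                    events.append("\n".join(buf))
                buf = [line]
        elif match == "before":
            buf.append(line)
            if not continuation:
                events.append("\n".join(buf))
                buf = []
        else:
            raise ValueError(f"unknown match mode: {match!r}")
    if buf:  # flush whatever is still pending at end of input
        events.append("\n".join(buf))
    return events


# Layout of one grouped alert: header, source line, rule line, original message.
ALERT_RE = re.compile(
    r"^\*\* Alert (?P<ts>\d+\.\d+): - (?P<groups>[^\n]*)\n"
    r"(?P<when>[^\n]*)\n"
    r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'\n"
    r"(?P<message>[\s\S]*)$"
)


def parse_alert(event):
    """Extract the structured fields from one grouped OSSEC alert.

    Returns None when the event does not have the expected four-line layout,
    which is exactly what happens when multiline grouping is misconfigured.
    """
    m = ALERT_RE.match(event)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = float(d["ts"])
    d["rule"] = int(d["rule"])
    d["level"] = int(d["level"])
    return d


def group_sample(negate=True, match="after"):
    """Run the sample log through the grouping with the given settings."""
    return multiline_events(SAMPLE_LOG.splitlines(), r"^\*", negate=negate, match=match)


if __name__ == "__main__":
    good = group_sample()
    print(f"negate=true, match=after -> {len(good)} events")
    for ev in good:
        print(parse_alert(ev))
    # The wrong setting glues each "** Alert" header to the previous body line.
    print(f"negate=false, match=after -> {len(group_sample(negate=False))} events")
```

With `negate: true` and `match: after` the two alerts come out as two four-line events and both parse; with `negate: false` the header lines get attached to the line before them and nothing parses, which is the same symptom the original poster describes. That is the quickest way to tell a wrong `negate`/`match` combination from a config that is simply not being applied (for example because the block is not under the prospector, as suggested above).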
system
Closed
May 1, 2019, 11:39am
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.