Multiline for FileBeat

Hi All,

I have Tomcat access logs to be combined into a single event using multiline via Filebeat.

Below is the kind of access logs:

99.99.999.99 - - [30/Jul/2018:08:38:37 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:38:41 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:38:41 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:38:52 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:38:52 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:38:56 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:38:56 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:04 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:04 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:07 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:07 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:11 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:11 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:19 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:19 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:22 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:22 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:26 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:26 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:34 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:34 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:37 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:37 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:41 +0200] "GET /healthcheck/ HTTP/1.1" 200 29
99.99.999.99 - - [30/Jul/2018:08:39:41 +0200] "GET /healthcheck/ HTTP/1.1" 200 29

Below are my multiline settings:

multiline.pattern: '^[[:digit:]]'
multiline.negate: true
multiline.match: before

But I am getting events per line, not as a multiline event. I also tried all combinations, like:
negate: false/true
match: after/before

Please help me, I am not getting what is wrong here.

Works for me:

multiline.pattern: '^[[:digit:]]'
multiline.negate: false
multiline.match: before

Have a look at the option multiline.timeout, which is also useful to you:
https://www.elastic.co/guide/en/beats/filebeat/current/multiline-examples.html

Hi Adrian,

Your settings above worked for me.

I have another problem.

Below are the logs:

Aug 01, 2018 9:44:46 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/local/java/jdkcur/jre/lib/amd64/server:/usr/local/java/jdkcur/jre/lib/amd64:/usr/local/java/jdkcur/lib/amd64:/lib:/usr/lib:/usr/local/apr/lib:/usr/local/application/server/linux_a64/code/bin:/usr/local/application/server/linux_a64/code/lib:
Aug 01, 2018 9:44:46 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-7023"]
Aug 01, 2018 9:44:46 PM org.apache.openejb.util.OptionsLog info
INFO: Using 'openejb.jdbc.datasource-creator=org.apache.tomee.jdbc.TomEEDataSourceCreator'
Aug 01, 2018 9:44:46 PM org.apache.openejb.OpenEJB$Instance
INFO: ********************************************************************************
Aug 01, 2018 9:44:46 PM org.apache.openejb.OpenEJB$Instance
INFO: OpenEJB http://tomee.apache.org/
Aug 01, 2018 9:44:46 PM org.apache.openejb.OpenEJB$Instance
INFO: Startup: Wed Aug 01 21:44:46 CEST 2018
Aug 01, 2018 9:44:46 PM org.apache.openejb.OpenEJB$Instance
INFO: Copyright 1999-2013 (C) Apache OpenEJB Project, All Rights Reserved.
Aug 01, 2018 9:44:46 PM org.apache.openejb.OpenEJB$Instance
INFO: Version: 4.7.2
Aug 01, 2018 9:44:46 PM org.apache.openejb.OpenEJB$Instance
INFO: Build date: 20150517
Aug 01, 2018 9:44:46 PM org.apache.openejb.OpenEJB$Instance
INFO: Build time: 10:10
Aug 01, 2018 9:44:46 PM org.apache.openejb.OpenEJB$Instance
INFO: ********************************************************************************
Aug 01, 2018 9:44:46 PM org.apache.openejb.OpenEJB$Instance
INFO: openejb.home = /usr/local/dsxdev/apache-tomee-plus-1.7.2
Aug 01, 2018 9:44:46 PM org.apache.openejb.OpenEJB$Instance
INFO: openejb.base = /usr/local/dsxdev/apache-tomee-instances/PEO-DEV-23
Aug 01, 2018 9:44:46 PM org.apache.openejb.cdi.CdiBuilder initializeOWB
INFO: Created new singletonService org.apache.openejb.cdi.ThreadSingletonServiceImpl@780cb77
Aug 01, 2018 9:44:46 PM org.apache.openejb.cdi.CdiBuilder initializeOWB
INFO: Succeeded in installing singleton service
Aug 01, 2018 9:44:46 PM org.apache.openejb.config.ConfigurationFactory init
INFO: openejb configuration file is '/usr/local/dsxdev/apache-tomee-instances/PEO-DEV-23/conf/tomee.xml'
Aug 01, 2018 9:44:46 PM org.apache.openejb.config.ConfigurationFactory configureService
INFO: Configuring Service(id=Tomcat Security Service, type=SecurityService, provider-id=Tomcat Security Service)
Aug 01, 2018 9:44:46 PM org.apache.openejb.config.ConfigurationFactory configureService
INFO: Configuring Service(id=Default Transaction Manager, type=TransactionManager, provider-id=Default Transaction Manager)
Aug 01, 2018 9:44:46 PM org.apache.openejb.config.ConfigurationFactory configureService
INFO: Configuring Service(id=ResourceAdapter, type=Resource, provider-id=Default JMS Resource Adapter)
Aug 01, 2018 9:44:46 PM org.apache.openejb.config.ConfigurationFactory configureService
INFO: Configuring Service(id=jms/connectionFactory, type=Resource, provider-id=Default JMS Connection Factory)
Aug 01, 2018 9:44:46 PM org.apache.openejb.config.ConfigurationFactory configureService
INFO: Configuring Service(id=application.dsxclient.queue, type=Resource, provider-id=Default Queue)
Aug 01, 2018 9:44:46 PM org.apache.openejb.config.ConfigurationFactory configureService
INFO: Configuring Service(id=application.dsxclient.topic, type=Resource, provider-id=Default Topic)
Aug 01, 2018 9:44:46 PM org.apache.openejb.util.OptionsLog info
INFO: For help or more information please see: http://activemq.apache.org
Aug 01, 2018 9:44:47 PM org.apache.activemq.broker.BrokerService checkSystemUsageLimits
SEVERE: Temporary Store limit is 51200 mb, whilst the temporary data directory: /usr/local/dsxdev/apache-tomee-instances/PEO-DEV-23/temp/activemq-data/localhost/tmp_storage only has 17094 mb of usable space - resetting to maximum available 17094 mb.
Aug 01, 2018 9:44:47 PM org.apache.openejb.resource.activemq.ActiveMQ5Factory$1 run
INFO: Starting ActiveMQ checkpoint
Aug 01, 2018 9:44:47 PM org.apache.openejb.resource.activemq.ActiveMQ5Factory createBroker
INFO: ActiveMQ broker started
Aug 01, 2018 9:44:47 PM org.apache.openejb.assembler.classic.Assembler createRecipe
Aug 01, 2018 9:44:47 PM org.apache.openejb.assembler.classic.Assembler unusedProperty
WARNING: Property "ServiceId" not supported by "enovia.dsxclient.queue"
Aug 01, 2018 9:44:47 PM org.apache.openejb.assembler.classic.Assembler unusedProperty
WARNING: Property "ServiceId" not supported by "enovia.dsxclient.topic"
Aug 01, 2018 9:44:47 PM org.apache.openejb.assembler.classic.Assembler createRecipe

The above logs have lines starting with:
Aug 01, 2018 i.e. Mmm dd, YYYY
INFO:
SEVERE:
WARNING:

These are the 4 patterns the above logs have.

Now, below is my configuration for multiline:

multiline.pattern: '^[A-Za-z]{3} [0-9]{2}, [0-9]{4}|^[A-Za-z]{4}|^[A-Za-z]{6}|^[A-Za-z]{7}'
multiline.negate: true
multiline.match: after
multiline.max_lines: 2000

I have tried the above and combinations of negate T/F and match after/before, but no luck.

I also tried the pattern below, still no luck:

multiline.pattern: '^[[:alnum:]]{3}[[:space:]][[:alnum:]]{2},[[:space:]][[:alnum:]]{4}|^[[:alnum:]]{4}:|^[[:alnum:]]{6}:|^[[:alnum:]]{7}:'

I tried a hardcoded pattern, but still no luck:

multiline.pattern: '^Jan [0-9]{2}, [0-9]{4}|^Feb [0-9]{2}, [0-9]{4}|^Mar [0-9]{2}, [0-9]{4}|^Apr [0-9]{2}, [0-9]{4}|^Jul [0-9]{2}, [0-9]{4}|^Aug [0-9]{2}, [0-9]{4}|^Sep [0-9]{2}, [0-9]{4}|^Oct [0-9]{2}, [0-9]{4}|^Nov [0-9]{2}, [0-9]{4}|^Dec [0-9]{2}, [0-9]{4}|^INFO:|^SEVERE:|^WARNING:'

Please help, what am I missing here?

Thanks,
Shashank
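
The grouping behaviour discussed in both posts above, as an added example (not code from the thread or from Filebeat): a simplified Go model of the documented pattern/negate/match semantics, run over lines quoted in the thread. `Group`, `AllLines` and `DateOnly` are names made up for this example, and the date-only pattern is this example's assumption about what the second log needs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Group models Filebeat's documented pattern/negate/match behaviour.
// Simplified: multiline.timeout and multiline.max_lines are not modelled.
func Group(lines []string, pattern string, negate bool, match string) []string {
	re := regexp.MustCompile(pattern)
	var events, buf []string
	flush := func() {
		if len(buf) > 0 {
			events = append(events, strings.Join(buf, "\n"))
		}
		buf = nil
	}
	for _, line := range lines {
		cont := re.MatchString(line) != negate // is this a continuation line?
		if match == "after" && !cont {
			flush() // a non-continuation line opens a new event
		}
		buf = append(buf, line)
		if match == "before" && !cont {
			flush() // a non-continuation line closes the event
		}
	}
	flush() // end of input; Filebeat flushes on multiline.timeout instead
	return events
}

var Access = []string{ // copied from the first post
	`99.99.999.99 - - [30/Jul/2018:08:38:37 +0200] "GET /healthcheck/ HTTP/1.1" 200 29`,
	`99.99.999.99 - - [30/Jul/2018:08:38:41 +0200] "GET /healthcheck/ HTTP/1.1" 200 29`,
}
var Tomcat = []string{ // copied from the second log in the thread
	`Aug 01, 2018 9:44:46 PM org.apache.coyote.AbstractProtocol init`,
	`INFO: Initializing ProtocolHandler ["http-bio-7023"]`,
	`Aug 01, 2018 9:44:47 PM org.apache.openejb.assembler.classic.Assembler createRecipe`,
	`Aug 01, 2018 9:44:47 PM org.apache.openejb.assembler.classic.Assembler unusedProperty`,
	`WARNING: Property "ServiceId" not supported by "enovia.dsxclient.queue"`,
}

const AllLines = `^[A-Za-z]{3} [0-9]{2}, [0-9]{4}|^[A-Za-z]{4}|^[A-Za-z]{6}|^[A-Za-z]{7}` // from the post
const DateOnly = `^[A-Z][a-z]{2} [0-9]{2}, [0-9]{4}`                                       // assumption: match only the date line
func main() {
	fmt.Println(len(Group(Tomcat, AllLines, true, "after")), len(Group(Tomcat, DateOnly, true, "after")))
}
```

With the posted alternation every line matches the pattern, so under negate: true no line is ever treated as a continuation; matching only the date line leaves the INFO:/SEVERE:/WARNING: lines as continuations of it.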
