At the moment, I'm just running it manually via STDIN and observing the output on STDOUT while I test that the configuration works OK.
This is the full test configuration I am using to test the parsing:
    input { stdin { } }
    filter {
      grok {
        match => { "message" => "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}%{SYSLOG5424PRINTASCII:thread}%{SPACE}%{JAVACLASS:logger}%{SPACE}\[%{JAVAMETHOD:method}:%{NUMBER:line}]%{SPACE}-%{SPACE}%{GREEDYDATA:message}" }
        overwrite => ["message"]
      }
      date {
        match => [ "timestamp", "MMM dd YYY HH:mm:ss", "MMM d YYY HH:mm:ss", "ISO8601" ]
        remove_field => [ "timestamp" ]
      }
      multiline {
        pattern => "^%{TIMESTAMP_ISO8601}"
        negate => true
        what => "previous"
      }
    }
    output {
      stdout { codec => rubydebug }
    }
And then manually running it with: /bin/logstash -f ../testconfigs/multiline.conf