Multiline logs with a unique identifier

NerdSec · August 24, 2018, 6:18am

Hi All,

I am reading messages from a syslog file in the following format:

<161>notify-1089122.1.alert: abcd
<161>notify-1089122.2.alert: xyz
<161>notify-1089133.1.alert: abc
<161>notify-1089122.3.alert: qwer

These are actually, multi line messages that are broken down by the syslog that is sending these into parts. They all have a unique identifier that tells, that they are part of the same event. How do I convert them to a single line?

The usual patterns do not work in this scenario. I need FileBeat to compare the lines using the unique identifier.

Regards,
Nachiket

pierhugues · August 24, 2018, 2:55pm

@NerdSec I think you want the following output?

<161>notify-1089122.1.alert: abcd xyz qwer
<161>notify-1089133.1.alert: abc

NerdSec · August 25, 2018, 4:02am

Thank you for the reply pier. Yes, that is exactly the intended output.

pierhugues · August 27, 2018, 3:20pm

@NerdSec currently multiline doesn't support aggregating out of order events which is what you need, you might be able to do it with Logstash and the [Logstash aggregate filter](https://www.elastic.co/guide/en/logstash/current/plugins-filters-aggregate.html

NerdSec · August 28, 2018, 5:21pm

Thanks for the confirmation pier. I ended up receiving logs over http and parsing the corresponding json, using the http input in logstash.

Topic		Replies	Views
Filebeat Multiline for logs starting in the same way Beats filebeat	2	319	September 6, 2019
Processing multiline events from filebeat Logstash	5	394	May 2, 2018
Multiple logs are concatenated to single event by Logstash Logstash	3	747	October 19, 2020
Multiline message with repeated header Beats filebeat	2	387	February 13, 2020
Multiline vs aggregate Beats filebeat	13	2474	March 14, 2019

Multiline logs with a unique identifier

Related topics