Multiline patterns

Hi, I am trying to create a config for Logstash which can aggregate multiple lines with different patterns.

Example log lines:
2020-05-14 13:43:05.222 SSL accepted cipher=ECDHE-RSA-AES128-SHA256
2020-05-14 13:43:05.222 Connection protocol=TLSv1.2
2020-05-14 13:43:05.225 [anonymous@xyz123.example.com]: Connected, connection id=7515, client id=, type: queue, UTC offset=3

All these lines should be logged once in Logstash with all of the details together.
In the config:

input {
  file {
    path => "/log/ems/tibems.log"
    type => "tibco"
    tags => ["jndi"]
    codec => multiline {
       pattern => "SSL accepted cipher"
       what => "next"
    }
  }
}

The above will aggregate the 1st two lines but not the 3rd line. How can we combine all 3 in one?

If those are the only lines in the log then

pattern => "SSL accepted cipher"
negate => true
what => "previous"

should work.

These are not the only lines.
These are the lines for SSL connection requests.

The setting which you are suggesting is going to add any line which doesn't contain "SSL accepted cipher" to the previous line, which is not correct.

The 1st two lines should be added to the 3rd line.

There will be startup logs which won't contain "anonymous@xyz123.example.com"
and there will be other non-SSL requests which will only have anonymous@xyz123.example.com and not the previous lines with SSL details.

If the three lines always come together then you could use alternation

pattern => "Connection protocol=|Connected, connection id="

If there are ever other lines interleaved then I do not think the problem is solvable in logstash.

Thanks.
I tried

pattern => "SSL accepted cipher|Connection protocol"

It worked.
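The four pattern settings discussed in this thread, compared on the same input with a simplified model of the multiline codec's grouping rule. This is an added example, not code from any of the posts or from Logstash itself. Assumptions: `what => "previous"` for the alternation pattern and `what => "next"` for the final pattern (neither post states it), two constructed log lines, and the hypothetical helper names `group_lines` and `line_counts`.

```ruby
# Simplified model of how the multiline codec groups lines into events.
# Assumption: buffer size limits and the auto-flush timer are ignored.
def group_lines(lines, pattern:, what:, negate: false)
  regex = Regexp.new(pattern)
  events = []
  buffer = []
  flush = lambda do
    events << buffer.join("\n") unless buffer.empty?
    buffer = []
  end
  lines.each do |line|
    matched = regex.match?(line) ^ negate
    if what == "next"
      buffer << line               # a matching line waits for the line after it
      flush.call unless matched
    else                           # what == "previous"
      flush.call unless matched    # a non-matching line starts a new event
      buffer << line
    end
  end
  flush.call                       # end of input: emit whatever is still buffered
  events
end

# Three lines from the thread plus two constructed ones (startup, non-SSL connect).
SAMPLE = [
  "2020-05-14 13:43:01.000 Server is active.",
  "2020-05-14 13:43:05.222 SSL accepted cipher=ECDHE-RSA-AES128-SHA256",
  "2020-05-14 13:43:05.222 Connection protocol=TLSv1.2",
  "2020-05-14 13:43:05.225 [anonymous@xyz123.example.com]: Connected, connection id=7515, client id=, type: queue, UTC offset=3",
  "2020-05-14 13:43:09.100 [anonymous@xyz123.example.com]: Connected, connection id=7516, client id=, type: queue, UTC offset=3"
].freeze

# Settings as posted; `what` for the last two entries is an assumption.
CONFIGS = {
  "original"    => { pattern: "SSL accepted cipher", what: "next" },
  "negate"      => { pattern: "SSL accepted cipher", what: "previous", negate: true },
  "alternation" => { pattern: "Connection protocol=|Connected, connection id=", what: "previous" },
  "final"       => { pattern: "SSL accepted cipher|Connection protocol", what: "next" }
}.freeze

# Number of source lines in each emitted event, per configuration.
def line_counts(lines = SAMPLE)
  CONFIGS.transform_values do |opts|
    group_lines(lines, **opts).map { |event| event.lines.count }
  end
end

line_counts.each { |name, counts| puts "#{name}: lines per event = #{counts.inspect}" }
```

If an unrelated line lands between the protocol line and the Connected line, the `final` settings attach the SSL details to that unrelated line instead, which is the interleaving limitation mentioned above.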
