Multiline patterns

Hi Trying to create a config for logstash which can aggregate multiple lines with different pattern

example loglines:
2020-05-14 13:43:05.222 SSL accepted cipher=ECDHE-RSA-AES128-SHA256
2020-05-14 13:43:05.222 Connection protocol=TLSv1.2
2020-05-14 13:43:05.225 []: Connected, connection id=7515, client id=, type: queue, UTC offset=3

all these lines should be logged once in logstash with all of the details together.
in the config:

input {
  file {
    path => "/log/ems/tibems.log"
    type => "tibco"
    tags => ["jndi"]
    codec => multiline {
       pattern => "SSL accepted cipher"
       what => "next"

Above will aggregate the 1st two lines but not the 3rd line. How can we combine all 3 in one?

If those are the only lines in the log then

pattern => "SSL accepted cipher"
negate => true
what => "previous"

should work.

These are not the only lines.
These are the lines for SSL connection requests.

the setting which are suggesting is going to add any line which doesn't contain "SSL accepted cipher" to previous line. Which is not correct.

The 1st two lines should be added to 3rd line.

There will be startup logs which wont contain ""
and there will other non-ssl request which will only have and not the previous lines with ssl details.

If the three lines always come together then you could use alternation

pattern => "Connection protocol=|Connected, connection id="

If there are ever other lines interleaved then I do not think the problem is solvable in logstash.

I tried

pattern => "SSL accepted cipher|Connection protocol"

it worked

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.