The number of lines in this type of log is not constant (from 4 to 120), and the file also contains many other different single-line logs (which I have already filtered).
So my idea (but I'm not sure if this is possible) is to filter the line code first (all these logs have the same one: 1929) and use it as the pattern for the multiline.
Then I need to loop a filter for each 1901 code line until I find the end line (line code 1907).
So, the final question is: can I create something like that using Logstash?
These line numbers could change in each version of OpenSSL, so you should pick some other way of recognizing the start and end of the interesting message. Not sure what that would be, though.
Thank you for your reply and for the info about the line numbers.
As I said in a previous post, I have just started with this job, so sometimes I have no idea what I'm doing...
The text (BIO dump follows) might be usable.
We don't know what the rest of the data looks like, so we can't advise on a suitable pattern that will match on the single-line and multiline sections.
And now my problem is... how to filter something like that???
For the first line there are no problems.
For the others... I have no idea how to proceed.
As I said, there is not a regular number of lines, and to create something well structured I need to save the elements in 2 fields (hexadecimal = 99 ba d8 99 23 c3 a4 b3-b8 77 61 4c ae 79 08 c6) and (ascii = ....#....waL.y..)
I think it is doable. The biggest concern is that there are multiple hex and ASCII sets in each multiline message field. It will be quite trial and error.
You need to add the fields to the event before the grok filter. In the file input add (I don't know whether this works):
How I think it works...
We add two fields that are empty arrays, hex and ascii.
As grok applies the matched text, it sees that the hex or ascii field is an array and appends the matched text to it.
So...
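As an added example that is not part of the thread and not Logstash's own code: the hex/ASCII extraction described above, written as a stand-alone Ruby method that walks one already-joined multiline event and collects the two columns into `hex` and `ascii` arrays (the method body could be adapted for a Logstash `ruby` filter once the multiline codec has produced the event). The row layout is assumed, generalised from the single row quoted in the thread: a four-digit offset, up to sixteen hex bytes with a dash after the eighth, two or more spaces, then the ASCII column. The `|` framing, the `+----+` border lines, the header line and every byte value except the quoted row are constructed.

```ruby
# Added example, not code from the thread or from Logstash: extract the hex
# and ASCII columns of a "BIO dump follows" message.
#
# Assumed row layout (generalised from the one row quoted in the thread):
#   [|] <4 hex-digit offset>[: or -] <hex bytes, '-' after the 8th>  <ASCII> [|]
# The '|' framing and the offset/separator characters are assumptions; the
# regex makes them optional so a bare "0000 - 99 ba ..." row matches too.
DUMP_ROW = /\A\|?\s*(?<offset>\h{4})\s*[:-]\s*(?<hex>\h{2}(?:[ -]\h{2}){0,15})\s{2,}(?<ascii>.*?)\s*\|?\s*\z/

# Walk every line of the joined multiline event. Lines that do not look like a
# dump row (the header, the border lines, unrelated entries) are skipped, so
# the row count per message does not matter.
def parse_bio_dump(message)
  hex, ascii = [], []
  message.each_line do |line|
    m = DUMP_ROW.match(line.chomp)
    next unless m
    hex   << m[:hex]
    ascii << m[:ascii]
  end
  { 'hex' => hex, 'ascii' => ascii }
end

# The hex column is the authoritative one: rebuild the raw bytes from it.
def dump_bytes(hex_rows)
  hex_rows.flat_map { |row| row.split(/[ -]/) }.map(&:hex).pack('C*')
end

# Render bytes the way the dump's ASCII column does: printable 0x20..0x7e as
# the character itself, everything else as '.'.
def printable(bytes)
  bytes.each_byte.map { |b| b.between?(0x20, 0x7e) ? b.chr : '.' }.join
end

# True when every row's ASCII column agrees with its hex column. A mismatch
# usually means the multiline join glued rows from two different dumps
# together, or a row was truncated. Trailing 0x20 bytes in a row cannot be
# told apart from column padding, so the rebuilt text is right-stripped.
def consistent?(parsed)
  parsed['hex'].zip(parsed['ascii']).all? do |hex_row, ascii_row|
    printable(dump_bytes([hex_row])).rstrip == ascii_row
  end
end

# Constructed sample event: a header line, a framed two-row dump and an
# unrelated single-line entry that must be ignored. The first dump row is the
# one quoted in the thread; the rest of the bytes are made up.
SAMPLE = <<~LOG
  [debug] 1929: OpenSSL read 21 bytes (BIO dump follows)
  +-------------------------------------------------------------------------+
  | 0000: 99 ba d8 99 23 c3 a4 b3-b8 77 61 4c ae 79 08 c6  ....#....waL.y.. |
  | 0010: 16 03 01 00 41                                   ....A            |
  +-------------------------------------------------------------------------+
  [debug] unrelated single-line entry that must be ignored
LOG

if __FILE__ == $PROGRAM_NAME
  parsed = parse_bio_dump(SAMPLE)
  puts "hex:   #{parsed['hex'].inspect}"
  puts "ascii: #{parsed['ascii'].inspect}"
  puts "bytes: #{dump_bytes(parsed['hex']).bytesize}, consistent: #{consistent?(parsed)}"
end
```

The `consistent?` check is the part worth keeping once the Logstash pattern works: if the multiline codec ever joins rows from two adjacent dumps into one event, the ASCII and hex columns stop agreeing and the event can be tagged instead of silently indexed.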
Really, many thanks for your reply, it helped me a lot! My main trouble was exactly how to apply a filter to a multiline log without a regular number of lines.
Now I'm still working on the multiline pattern, trying to create one that reads the log from the beginning to the end (I suppose it is the only way to proceed, because there are many types of log inside the same file).
So I created this one (it's a test, it's obviously not complete):
Sorry if I bother you with another question, but I still don't get how to create a proper setting for a case like this... I don't know, maybe it is impossible to filter this particular case, or I'm simply tard...
I need to set a beginning and an end point for the pattern because in the same file there are many types of logs, so if I place only a beginning, Logstash simply doesn't know when it must stop, and vice versa, if I place only the pattern of the last line, it doesn't know where the multiline log begins!
So I created a regex (created and tested using RegexBuddy with the Ruby codec) for all the patterns
This makes me sad and happy at the same time...
Sad because I can't finish parsing the whole file... Happy because I'm not so tard after all!
I thank you so much again for your help.
About the other lines of logs, don't worry, mine was mostly a test to check if Logstash was able to parse something so complex from a single file/stream.
I have already created a full filter for system log, apache, message log and log4j... that was my main purpose.
And anyway I can also filter all the debug logs from apache (except for the multiline, obviously), and this is a huge step ahead compared to analysing them from the raw message