Here is my logstash.conf file
input {
file {
path => "/var/log/appslogs/**/*.log"
start_position => "beginning"
sincedb_path => "/dev/null"
codec => plain {
charset => "UTF-8"
}
type => "app"
}
file {
path => "/var/log/serverlogs/*.log"
start_position => "beginning"
sincedb_path => "/dev/null"
codec => multiline {
pattern => "(?<timestamp>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \[(?<thread>[^\]]+)\] (?<loglevel>(INFO|ERROR|DEBUG|TRACE|WARN)) \[(?<classname>[^\]]+)\] (?<message>.+(?:(?<=\n)(?!^\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} \[)))"
negate => true
what => "previous"
}
type => "server"
}
}
filter{
if [type] == "app" {
grok{
match => {"message" => [
"%{TIMESTAMP_ISO8601:time} %{LOGLEVEL:log_level} %{GREEDYDATA:message_of_log}",
"%{TIMESTAMP_ISO8601:time} \[ %{LOGLEVEL:log_level}\] %{GREEDYDATA:message_of_log}\(%{GREEDYDATA}\)",
"%{TIMESTAMP_ISO8601:time} \[ %{LOGLEVEL:log_level}\] %{GREEDYDATA:message_of_log}",
"%{TIMESTAMP_ISO8601:time} \[%{LOGLEVEL:log_level}\] %{GREEDYDATA:message_of_log}"
]}
add_field => {
"time_of_log" => "%{time}"
}
}
}
if [type] == "server" {
grok{
match => {"message" => [
"%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} %{LOGLEVEL:log_level} %{GREEDYDATA:message_of_log}",
"\[%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} %{LOGLEVEL:log_level} %{GREEDYDATA:message_of_log}\]"
]}
add_field => {
"time_of_log" => "%{day}-%{month}-%{year} %{time}"
}
}
}
}
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
user => "elastic"
password => "changeme"
ecs_compatibility => disabled
}
}
The problem is that I have multiple type of logs in the path /var/log/serverlogs/*.log
I would like to have multiple multiline pattern, one for each type of logs but how can I do that ?