Hello All,
I'm sending Syslog messages to our elasticsearch cluster via logstash and have currently configured one multiline codec in my logstash.conf input section to handle a default behaviour of syslog for many equal messages ("last message repeated n times"):
file {
path => "/var/adm/messages"
sincedb_path => "/export/logstash/sincedb"
start_position => "beginning"
tags => ["syslog", "solaris"]
codec => multiline {
charset => "ISO-8859-1"
pattern => "^%{TIMESTAMP_ISO8601} {SYSLOGHOST} last message repeated "
what => "previous"
negate => false
}
}
Now I found in my syslogs another multiline case:
Jan 25 10:19:10 xxx nfs: [ID 941083 kern.info] NOTICE: NFS4 FACT SHEET:
Jan 25 10:19:10 xxx Action: NR_STALE
Jan 25 10:19:10 xxx NFS4 error: NFS4ERR_STALE
My question is not about the pattern itself to handle this multiline, but how to integrate a "second" pattern for this into the above file section of logstash.conf?
Thanks in advance for a tiny hint!
Best Regards
Matthias