I am running Filebeat 7.0 using the osquery module. I am trying to override the module's input by filtering for multiline. I am not sure why using the access command and placing the multiline filter into the module is not working. Filebeat is ignoring my osquery module changes and is still not reading the osquery JSON logs as single events. Could someone explain module input overriding to me?
According to the documentation, I thought I should put an access: block and leave the result: block on.
Commented out the result keyword and set the global var.path inside the access keyword.
Tried commenting out the inputs section in filebeat.yml and left the access block in osquery.yml.
Placed the multiline filters inside the result block.
I tested with a dummy file and put the logs on new lines. The osquery module was able to read the JSON logs.
```yaml
# Posted fileset config (modules.d/osquery.yml); the surrounding
# module/fileset keys are restored so the snippet is valid YAML.
- module: osquery
  result:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/osquery/result.log"]
    # If true, all fields created by this module are prefixed with
    # osquery.result. Set to false to copy the fields in the root
    # of the document. The default is true.
    var.use_namespace: true
    # Trying to get multiline to work inside the module.
    # Pattern kept as posted: the "(" is unbalanced, so this regex will
    # not compile.
    multiline.pattern: '(}$}'
    multiline.negate: true
    multiline.match: after
    #access:
    #  input:
    #    multiline.pattern: '(}}}'
    #    multiline.negate: true
    #    multiline.match: after
```
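For comparison, here is an added example of how a fileset's input settings are overridden in Filebeat 7.x module configs; it is not the poster's file or the module's shipped default. The `var.*` settings belong to the fileset and sit directly under the fileset name, while input-level settings such as `multiline.*` must be nested under an `input:` block, otherwise the module does not pass them to the log input. The osquery module's only fileset is `result`; the `access:` name comes from the documentation's examples for other modules (for instance nginx) and does not exist here. The log path is the one from the post; the `^\{` pattern is an assumption that each osquery result is a pretty-printed JSON object starting on its own line, since the post does not show the log layout.

```yaml
# modules.d/osquery.yml (added example, not the original post's config)
- module: osquery
  result:
    enabled: true
    # Fileset-level variables (var.*) go directly under the fileset.
    var.paths: ["/var/log/osquery/result.log"]   # path from the post
    var.use_namespace: true
    # Input-level settings go under `input:`; this is the override hook.
    input:
      # Assumption: each event is a pretty-printed JSON object whose
      # first line begins with "{". With negate: true and match: after,
      # every line that does NOT start with "{" is appended to the
      # previous line that did, so one JSON object becomes one event.
      multiline.pattern: '^\{'
      multiline.negate: true
      multiline.match: after
      # Cap a runaway event if a closing brace is ever missing.
      multiline.max_lines: 500
```

Leave `filebeat.inputs` in filebeat.yml alone; modules are loaded through `filebeat.config.modules`, not through that section. Running `filebeat test config` before restarting catches both YAML nesting mistakes and regexes that fail to compile.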