Problem about pushing oracle alert.log to es

Hi Guys,
I'm trying to push the Oracle alert.log to ES, like this:
alert log -> filebeat -> logstash -> elasticsearch

The alert log format is like below:

```text
Sun Mar 19 16:55:27 2017
DBRM started with pid=7, OS id=21297
Sun Mar 19 16:58:33 2017
DIA0 started with pid=8, OS id=21299
```

I configured the multiline pattern below in filebeat.yml (filebeat 5.6.4):

```yaml
multiline.pattern: '^[A-Z]{1}[a-z]{2} [A-Z]{1}[a-z]{2} [0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} [0-9]{4}'
multiline.negate: true
multiline.match: after
```

But the first message is missing the "Sun" letters, while the second message is normal. I don't know why; could anybody help me? Thanks.

```text
C:\Users\Administrator\Desktop\filebeat-5.6.4-windows-x86_64>filebeat.exe
{
  "@timestamp": "2017-12-06T11:14:16.604Z",
  "beat": {
    "hostname": "TESTAP01",
    "name": "TESTAP01",
    "version": "5.6.4"
  },
  "fields": {
    "oracle_sid": "TESTDB"
  },
  "input_type": "log",
  "message": " Mar 19 16:55:27 2017\nDBRM started with pid=7, OS id=21297 ",   # "Sun" is missing
  "offset": 1092,
  "source": "c:\\alert_TESTDB.log",
  "type": "oraclealertlog"
}
{
  "@timestamp": "2017-12-06T11:14:16.604Z",
  "beat": {
    "hostname": "TESTAP01",
    "name": "TESTAP01",
    "version": "5.6.4"
  },
  "fields": {
    "oracle_sid": "TESTDB"
  },
  "input_type": "log",
  "message": "Sun Mar 19 16:58:33 2017\nDIA0 started with pid=8, OS id=21299 \n\n\n",
  "offset": 1158,
  "source": "c:\\alert_TESTDB.log",
  "type": "oraclealertlog"
}
```

Please format configs and logs using the </> button or 3 back-ticks.

Can you share your complete filebeat config?

This looks like filebeat did read the line starting at offset 3. Do you have tail_files enabled?
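As an added example (not code from the thread, and not filebeat's own implementation), the following Python emulates filebeat's multiline handling with the exact settings posted above (`negate: true`, `match: after`), so the pattern can be checked against sample lines offline before anything is shipped. It reproduces what the reply above suspects: if the harvester begins reading at byte 3 of the file, the first line it sees is ` Mar 19 16:55:27 2017`, the `^`-anchored pattern does not match it, and the first event goes out without `Sun`. The sample log text is constructed from the lines quoted in the post; `SAMPLE_ISO_LOG` and `ISO_RE` are assumptions added to show the other failure mode, a pattern that never matches.

```python
import re

# The multiline.pattern from the post: an event begins on a line carrying a
# "Sun Mar 19 16:55:27 2017" style timestamp (negate: true, match: after).
TIMESTAMP_RE = re.compile(
    r'^[A-Z]{1}[a-z]{2} [A-Z]{1}[a-z]{2} [0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} [0-9]{4}'
)

# Assumed alternative (not from the thread) for alert logs whose timestamps are
# ISO 8601, e.g. "2017-03-19T16:55:27.123456+08:00".
ISO_RE = re.compile(r'^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}')

# Constructed sample in the format quoted in the post (not a real alert.log).
SAMPLE_ALERT_LOG = (
    "Sun Mar 19 16:55:27 2017\n"
    "DBRM started with pid=7, OS id=21297\n"
    "Sun Mar 19 16:58:33 2017\n"
    "DIA0 started with pid=8, OS id=21299\n"
)

# Constructed sample with ISO 8601 timestamps (assumed format, for the caveat).
SAMPLE_ISO_LOG = (
    "2017-03-19T16:55:27.123456+08:00\n"
    "DBRM started with pid=7, OS id=21297\n"
    "2017-03-19T16:58:33.654321+08:00\n"
    "DIA0 started with pid=8, OS id=21299\n"
)


def read_lines_from(data, start_offset=0):
    """Yield (offset, line) pairs the way a harvester would when it begins
    reading at start_offset. If start_offset falls inside a line, the first
    line yielded is only the remainder of that line."""
    pos = start_offset
    for raw in data[start_offset:].splitlines(keepends=True):
        yield pos, raw.rstrip("\r\n")
        pos += len(raw)


def multiline_after(lines, pattern=TIMESTAMP_RE, negate=True):
    """Emulate filebeat multiline with match: after.

    With negate: true a line matching `pattern` starts a new event and every
    following non-matching line is appended to it. The very first line read
    always opens an event whether or not it matches, which is why a harvester
    that starts mid-line emits a truncated first message.
    Returns a list of (offset, message) tuples.
    """
    events = []
    current = None
    for offset, line in lines:
        matched = pattern.search(line) is not None
        starts_event = matched if negate else not matched
        if current is None:
            current = [offset, line]
        elif starts_event:
            events.append(tuple(current))
            current = [offset, line]
        else:
            current[1] += "\n" + line
    if current is not None:
        events.append(tuple(current))
    return events


def harvest(data, start_offset=0, pattern=TIMESTAMP_RE):
    """Split `data` into events, starting the read at start_offset."""
    return multiline_after(read_lines_from(data, start_offset), pattern)


def check_pattern(data, pattern=TIMESTAMP_RE):
    """Count the lines that would start a new event under `pattern`.
    Run this against a real log before shipping: 0 means every line collapses
    into one growing event."""
    return sum(1 for _, line in read_lines_from(data) if pattern.search(line))


if __name__ == "__main__":
    print("read from offset 0:")
    for off, msg in harvest(SAMPLE_ALERT_LOG):
        print(off, repr(msg))
    print("read from offset 3 (what the reply suspects happened):")
    for off, msg in harvest(SAMPLE_ALERT_LOG, start_offset=3):
        print(off, repr(msg))
```

Two checks worth running against the real file rather than the sample: `check_pattern` must return more than 0, otherwise nothing ever starts a new event and filebeat keeps appending lines until its `multiline.max_lines` or `multiline.timeout` limit cuts the event, which leaves Logstash unable to parse a date from the message; and if the first event reported by filebeat has a timestamp with missing leading characters, compare its `offset` with the start of the file, because a read that begins mid-line (for instance after tailing a file that was already being written) will always produce exactly this symptom regardless of the pattern. For an alert.log feeding availability or audit alerts, a truncated or merged first event is the one most likely to be missed by a grok filter.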
