Syslog and multiline

Magnus_Therning · July 7, 2018, 11:33am

I'm trying to get logging from a service connected to filebeat (running in another container). The log messages are sent using syslog and many of them are split over several lines so I want to set up multiline, but I can't seem to get it to work.

I set up filebeat like this:

  filebeat:
    image: docker.elastic.co/beats/filebeat:6.3.1
    stdin_open: true
    tty: true
    command: filebeat -v -c /config-dir/filebeat.yml
    restart: always
    ports:
      - "5000:5000"
    volumes:
      - ./log-cfg/filebeat.yml:/config-dir/filebeat.yml

and the filebeat configuration itself looks like this:

filebeat.inputs:
  - type: syslog
    enabled: true
    protocol.tcp.host: ":5000"
    multiline:
      pattern: '^[0-9]{4}'
      negate: true
      match: after

output:
  console.pretty: true

I test it by sending a multi-line log message like this:

logger --server localhost --port 5000 --tcp --rfc3164 -f /dev/stdin <<EOF
2018-07-07 foo
  bar
2018-07-07 bar
  baz
EOF

I was expecting the above to result in 2 JSON objects being produced by filebeat but I get 4. Am I making some silly mistake here?

jsoriano · July 13, 2018, 10:32am

Hi @Magnus_Therning,

multiline is not currently supported in syslog input. I have created an issue for that https://github.com/elastic/beats/issues/7594

system · August 10, 2018, 10:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Getting multiline to work Beats filebeat	3	389	August 5, 2018
Filebeat configuration : multiline.* (working) vs parsers (not working) Beats docker , filebeat	3	349	December 31, 2023
Filebeat not parsing multiline Beats docker , filebeat	3	461	February 18, 2022
What does filebeat's multiline tool match Beats filebeat	4	1166	April 28, 2020
Multiline logs are not working using filebeat Beats filebeat	1	510	November 19, 2021

Syslog and multiline

Related topics