I'm trying to get logging from a service connected to filebeat (running in another container). The log messages are sent using syslog and many of them are split over several lines, so I want to set up `multiline`, but I can't seem to get it to work.
I set up filebeat like this:
```yaml
filebeat:
  image: docker.elastic.co/beats/filebeat:6.3.1
  stdin_open: true
  tty: true
  command: filebeat -v -c /config-dir/filebeat.yml
  restart: always
  ports:
    - "5000:5000"
  volumes:
    - ./log-cfg/filebeat.yml:/config-dir/filebeat.yml
```
and the filebeat configuration itself looks like this:
```yaml
filebeat.inputs:
  - type: syslog
    enabled: true
    protocol.tcp.host: ":5000"
    multiline:
      pattern: '^[0-9]{4}'
      negate: true
      match: after
output:
  console.pretty: true
```
I test it by sending a multi-line log message like this:
```bash
logger --server localhost --port 5000 --tcp --rfc3164 -f /dev/stdin <<EOF
2018-07-07 foo
bar
2018-07-07 bar
baz
EOF
```
I was expecting the above to result in 2 JSON objects being produced by filebeat but I get 4. Am I making some silly mistake here?
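To make the expected behaviour concrete, here is an added example (not part of the original post and not Filebeat's own code) that models the grouping the `pattern` / `negate` / `match` options describe: a line that matches the pattern (with the sense inverted when `negate` is true) is a continuation line, and `match: after` appends it to the previous event, while `match: before` prepends it to the next one. The four sample lines are constructed to mirror the `logger` test above; Filebeat's `max_lines` and `timeout` options are deliberately not modelled.

```python
import json
import re

# Constructed sample: the four syslog message bodies the logger command above sends.
SAMPLE_LINES = ["2018-07-07 foo", "bar", "2018-07-07 bar", "baz"]


def multiline_aggregate(lines, pattern, negate=False, match="after"):
    """Group lines into events the way the Filebeat multiline options describe.

    A line is a continuation line when `pattern` matches it; `negate=True`
    inverts that test. With match="after" a continuation line is appended to
    the event before it; with match="before" it is held and the next
    non-continuation line closes the event.
    """
    if match not in ("after", "before"):
        raise ValueError("match must be 'after' or 'before'")
    regex = re.compile(pattern)
    events = []
    pending = []  # lines of the event currently being assembled
    for line in lines:
        continuation = regex.search(line) is not None
        if negate:
            continuation = not continuation
        if match == "after":
            if continuation and pending:
                pending.append(line)
            else:
                # A non-continuation line (or the very first line) starts a new event.
                if pending:
                    events.append("\n".join(pending))
                pending = [line]
        else:  # match == "before"
            pending.append(line)
            if not continuation:
                events.append("\n".join(pending))
                pending = []
    if pending:
        events.append("\n".join(pending))
    return events


def events_as_json(events):
    """Render events as one JSON object per event, roughly like console output."""
    return [json.dumps({"message": e}) for e in events]


if __name__ == "__main__":
    # Without multiline every line is its own event: 4 events.
    print(len(SAMPLE_LINES), "events without multiline")
    # With the configuration from the post, lines that do not start with four
    # digits are appended to the preceding event: 2 events.
    grouped = multiline_aggregate(SAMPLE_LINES, r"^[0-9]{4}", negate=True, match="after")
    for obj in events_as_json(grouped):
        print(obj)
```

Running this prints two JSON objects for the sample, which is the result the question expects; comparing that with what the running Filebeat emits isolates whether the multiline settings are being applied at all by the input in use.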