To Read particular event form text file

aman97 · April 14, 2020, 7:25am

Hi,

I am having a multiline text file with multiple events, I want to read a particular event from a file.
First, I want to know how can I read this particular multiline text file in filebeat
then after how can i extract particular event from file

aman97 · April 14, 2020, 7:27am

MachineName: DEVELOPER-PC
UserDomainName: Developer-PC
UserName: Developer
OSVersion: Microsoft Windows NT 6.1.7601 Service Pack 1
UserInteractive: True
CLR Version: 4.0.30319.42000

Command Line: "R:\Bin\NCR.APTRA.UATestServer.exe"
Configuration Path: R:\Bin\Config\NCR.APTRA.UATestServer.accfg
Current Directory: R:\Bin
CodeBase Directory: R:\Bin

ApplicationData: C:\Users\Developer\AppData\Roaming
CommonApplicationData: C:\ProgramData
CommonProgramFiles: C:\Program Files\Common Files
LocalApplicationData: C:\Users\Developer\AppData\Local
ProgramFiles: C:\Program Files

Host Name: Developer-PC
IPAddress(es): fe80::c11c:4c40:1d2:8ad4%11 10.0.2.15

Time Zone Information
Short DateTime Pattern: M/d/yyyy h:mm tt
DateTime.Kind: Local
Standard time name: India Standard Time
Daylight saving time name: India Daylight Time
Current date and time: 11/18/2019 4:44:03 PM
Daylight saving time? False
Coordinated Universal Time: 11/18/2019 11:14:03 AM
UTC offset: 05:30:00
Daylight saving time for year 2019:
1/1/0001 12:00:00 AM to 1/1/0001 12:00:00 AM, delta: 00:00:00

Creating test data...
ServerManagement WebService
[Address] = 127.0.0.1, [Port] = 8080, [RelativeURI] = project24/services/ManagementService, [Compression] = None, [SecurityMode] = None, [CertIssuer] = , [CertSubject] = , [CertSerialNumber] = , [MaxArrayLength] = 2147483647, [MaxBytesPerRead] = 4096, [MaxDepth] = 2147483647, [MaxNameTableCharCount] = 2147483647, [MaxStringContentLength] = 2147483647, [MaxBufferPoolSize] = 524288, [MaxBufferSize] = 524288, [MaxReceivedMessageSize] = 524288, [OpenTimeout] = 180, [CloseTimeout] = 180, [SendTimeout] = 180, [ReceiveTimeout] = 600, [MutualAuthentication] = False, [CertificateHash] =

ClientManagement WebService
[Address] = 127.0.0.1, [Port] = 9090, [RelativeURI] = project24/aptra/unifiedagent/clientmgmt/server, [Compression] = None, [SecurityMode] = None, [CertIssuer] = , [CertSubject] = , [CertSerialNumber] = , [MaxArrayLength] = 2147483647, [MaxBytesPerRead] = 4096, [MaxDepth] = 2147483647, [MaxNameTableCharCount] = 2147483647, [MaxStringContentLength] = 2147483647, [MaxBufferPoolSize] = 524288, [MaxBufferSize] = 524288, [MaxReceivedMessageSize] = 524288, [OpenTimeout] = 180, [CloseTimeout] = 180, [SendTimeout] = 180, [ReceiveTimeout] = 600, [MutualAuthentication] = False, [CertificateHash] =

================================================================================
11/18/2019 4:44:03 PM Test Server hosted URI: http://127.0.0.1:8080/project24/services/ManagementService

serverMgmtHost_Opening
serverMgmtHost_Opened
---------- Construct Client ----------
[Address] = 127.0.0.1, [Port] = 9090, [RelativeURI] = project24/aptra/unifiedagent/clientmgmt/server, [Compression] = None, [SecurityMode] = None, [CertIssuer] = , [CertSubject] = , [CertSerialNumber] = , [MaxArrayLength] = 2147483647, [MaxBytesPerRead] = 4096, [MaxDepth] = 2147483647, [MaxNameTableCharCount] = 2147483647, [MaxStringContentLength] = 2147483647, [MaxBufferPoolSize] = 524288, [MaxBufferSize] = 524288, [MaxReceivedMessageSize] = 524288, [OpenTimeout] = 180, [CloseTimeout] = 180, [SendTimeout] = 180, [ReceiveTimeout] = 600, [MutualAuthentication] = False, [CertificateHash] =

================================================================================
11/18/2019 4:45:12 PM Received Message from 127.0.0.1: Register
terminal = TerminalInfo
Address = 127.0.0.1
UniqueId = 4260ad98-0ecc-46e8-a286-e7b7eb9050a6
CustomerCode = Undefined
Properties =
[0] [TerminalId] = Developer-PC-0
[1] [MACAddress] = 00:00:00:00:00:00
[2] [MachineName] = Developer-PC
[3] [UAVersion] = 04.06.00.01
[4] [GUID] = 4260ad98-0ecc-46e8-a286-e7b7eb9050a6
[5] [IPAddress] = 127.0.0.1
[6] [CustomerCode] = Undefined
[7] [ConfigurationHashUAWSLoaded] =
[0] = 119
[1] = 203
[2] = 91
[3] = 196
[4] = 166
[5] = 186
[6] = 222
[7] = 93
[8] = 108
[9] = 81
[10] = 170
[11] = 147
[12] = 118
[13] = 62
[14] = 235
[15] = 114
[8] [ConfigurationHashUAWSStaged] =
[0] = 119
[1] = 203
[2] = 91
[3] = 196
[4] = 166
[5] = 186
[6] = 222
[7] = 93
[8] = 108
[9] = 81
[10] = 170
[11] = 147
[12] = 118
[13] = 62
[14] = 235
[15] = 114
[9] [ConfigurationHashSWD1] =
[10] [ConfigurationHashSWD2] =
[11] [CultureInfo.LCID] = 1033
[12] [CultureInfo.Name] = en-US
[13] [XFSVendorName] =
[14] [ServerCommsMode] = Active
CollectorInfo =
state =
[0] [SubscribedEventOccurred.SequenceNumber] = 0
[1] [TerminalInfo.TerminalId] = Developer-PC-0
[2] [TerminalInfo.MACAddress] = 00:00:00:00:00:00
[3] [TerminalInfo.MachineName] = Developer-PC
Exception: Value cannot be null.
Parameter name: stream
Could not load file: NCR.APTRA.UATestServer.SNMPManagementCollector.xml

11/18/2019 4:46:49 PM Received Message from 127.0.0.1: SubscribedEventOccurred
sequenceNum = 52
terminal = TerminalInfo
Address = 127.0.0.1
UniqueId = 4260ad98-0ecc-46e8-a286-e7b7eb9050a6
CustomerCode = Undefined
Properties =
[0] [TerminalId] = Developer-PC-0
[1] [MACAddress] = 00:00:00:00:00:00
[2] [MachineName] = Developer-PC
[3] [UAVersion] = 04.06.00.01
[4] [GUID] = 4260ad98-0ecc-46e8-a286-e7b7eb9050a6
[5] [IPAddress] = 127.0.0.1
[6] [CustomerCode] = Undefined
CollectorInfo =
[0] [Version] = 1.0.0.3
eventName = NCR.APTRA.Reboot.Complete
eventDetails =
[0] = ManagementEventInfo
ClassUri = NCR.APTRA.Reboot.Complete
Properties =
[0] [WindowsRebootEventID] = 1074
[1] [WindowsRebootReason] = Recovery Reboot due to CX AGENT ISSUE
Reason Code: 0x80020003
Shutdown Type: restart
Comment:
[2] [WindowsRebootUTCEventTimestamp] = 12/10/2019 3:00:00 AM
[3] [TriggerEventUri] = NCR.APTRA.IMgmtServerComms.UANullptr
[4] [TriggerEventSequenceNumber] = 0
[5] [TriggerUTCTimestamp] = NCR.APTRA.IMgmtServerComms.UANullptr
[6] [UTCTimeStamp] = 12/10/2019 6:03:56 AM
classDetails =

documentFragment = Document
Uri =
InstanceName =
Command = RebuildAndRetrieve (0)
Data =

================================================================================
11/18/2019 4:48:09 PM Received Message from 127.0.0.1: DocumentUpload
terminal = TerminalInfo
Address = 127.0.0.1
UniqueId = 4260ad98-0ecc-46e8-a286-e7b7eb9050a6
CustomerCode = Undefined
Properties =
[0] [TerminalId] = Developer-PC-0
[1] [MACAddress] = 00:00:00:00:00:00
[2] [MachineName] = Developer-PC
[3] [UAVersion] = 04.06.00.01
[4] [GUID] = 4260ad98-0ecc-46e8-a286-e7b7eb9050a6
[5] [IPAddress] = 127.0.0.1
[6] [CustomerCode] = Undefined
CollectorInfo =
[0] [Version] = 2.17.0.1
result = RequestResult
Status = Success
requestId = 0
classUri = NCR.APTRA.InventoryCollector.AggregateInventory
instanceName = Default
documentFragment = Document
Uri = NCR.APTRA.InventoryCollector.AggregateInventory
InstanceName = Default
Command = RetrieveDelta (2)
Data = <?xml version="1.0" encoding="utf-8"?><Removed /

================================================================================
11/18/2019 4:46:49 PM Received Message from 127.0.0.1: SubscribedEventOccurred
sequenceNum = 52
terminal = TerminalInfo
Address = 127.0.0.1
UniqueId = 4260ad98-0ecc-46e8-a286-e7b7eb9050a6
CustomerCode = Undefined
Properties =
[0] [TerminalId] = Developer-PC-0
[1] [MACAddress] = 00:00:00:00:00:00
[2] [MachineName] = Developer-PC
[3] [UAVersion] = 04.06.00.01
[4] [GUID] = 4260ad98-0ecc-46e8-a286-e7b7eb9050a6
[5] [IPAddress] = 127.0.0.1
[6] [CustomerCode] = Undefined
CollectorInfo =
[0] [Version] = 1.0.0.3
eventName = NCR.APTRA.Reboot.Complete
eventDetails =
[0] = ManagementEventInfo
ClassUri = NCR.APTRA.Reboot.Complete
Properties =
[0] [WindowsRebootEventID] = 1074
[1] [WindowsRebootReason] = Recovery Reboot due to CX AGENT ISSUE
Reason Code: 0x80020003
Shutdown Type: restart
Comment:
[2] [WindowsRebootUTCEventTimestamp] = 14/10/2019 5:30:00 AM
[3] [TriggerEventUri] = NCR.APTRA.IMgmtServerComms.UANullptr
[4] [TriggerEventSequenceNumber] = 0
[5] [TriggerUTCTimestamp] = NCR.APTRA.IMgmtServerComms.UANullptr
[6] [UTCTimeStamp] = 14/10/2019 6:03:56 AM
classDetails =

documentFragment = Document
Uri =
InstanceName =
Command = RebuildAndRetrieve (0)
Data =

mtojek · April 14, 2020, 9:10am

You will need an ingest pipeline to process the log files. In the ingest pipeline you can define all potential fields.

Topic		Replies	Views
Filebeat multiline.pattern set up Beats filebeat	0	263	January 26, 2021
Handling multiline with filebeat Beats filebeat	7	479	April 12, 2022
Exclude a file based on a value inside this file Logstash	8	1522	June 21, 2018
Filebeat multiline - how to tell filebeat when a message ends while parsing Microsoft Defender ATP logs Beats filebeat	0	325	February 2, 2023
Multiline read in filebeat Beats filebeat	15	2880	November 18, 2016

To Read particular event form text file

MachineName: DEVELOPER-PC UserDomainName: Developer-PC UserName: Developer OSVersion: Microsoft Windows NT 6.1.7601 Service Pack 1 UserInteractive: True CLR Version: 4.0.30319.42000

Command Line: "R:\Bin\NCR.APTRA.UATestServer.exe" Configuration Path: R:\Bin\Config\NCR.APTRA.UATestServer.accfg Current Directory: R:\Bin CodeBase Directory: R:\Bin

ApplicationData: C:\Users\Developer\AppData\Roaming CommonApplicationData: C:\ProgramData CommonProgramFiles: C:\Program Files\Common Files LocalApplicationData: C:\Users\Developer\AppData\Local ProgramFiles: C:\Program Files

Host Name: Developer-PC IPAddress(es): fe80::c11c:4c40:1d2:8ad4%11 10.0.2.15

================================================================================ 11/18/2019 4:44:03 PM Test Server hosted URI: http://127.0.0.1:8080/project24/services/ManagementService

Related topics

MachineName: DEVELOPER-PC
UserDomainName: Developer-PC
UserName: Developer
OSVersion: Microsoft Windows NT 6.1.7601 Service Pack 1
UserInteractive: True
CLR Version: 4.0.30319.42000

Command Line: "R:\Bin\NCR.APTRA.UATestServer.exe"
Configuration Path: R:\Bin\Config\NCR.APTRA.UATestServer.accfg
Current Directory: R:\Bin
CodeBase Directory: R:\Bin

ApplicationData: C:\Users\Developer\AppData\Roaming
CommonApplicationData: C:\ProgramData
CommonProgramFiles: C:\Program Files\Common Files
LocalApplicationData: C:\Users\Developer\AppData\Local
ProgramFiles: C:\Program Files

Host Name: Developer-PC
IPAddress(es): fe80::c11c:4c40:1d2:8ad4%11 10.0.2.15

================================================================================
11/18/2019 4:44:03 PM Test Server hosted URI: http://127.0.0.1:8080/project24/services/ManagementService