I have an ELK stack running on an Ubuntu server. I want to get the logs from one of my Windows servers, where Filebeat is running. I have tried everything, but I am unable to get the log entries that span multiple lines. Also note that I'm getting the IIS logs successfully, which means that Filebeat is running fine; it's just a problem with logs that have multiple lines.
Here is my filebeat.yml:

    - type: log
      enabled: true
      paths:
        - C:\ELK-Logger\*.txt
      fields_under_root: true
      fields:
        type: errorlogs
      multiline.pattern: '^%{TIMESTAMP_ISO8601}'
      multiline.negate: false
      multiline.match: after

Here is my log:
2019-01-02T14:33:30.7269760+03:00:: System.Collections.ListDictionaryInternal Column 'ParentId' does not belong to table Table3. at System.Data.DataRow.GetDataColumn(String columnName)
at System.Data.DataRow.get_Item(String columnName)
at Common.DTOs.B2BPermission.PermissionDTO.GetPermissions(DataTable dt)
at DataProvider.DataAccess.UserDA.GetCaxPermissionsFromList(DataTable dt)-------------------------------------------------------------------------------------------
Here is my Logstash conf:

    filter {
      if [type] == "errorlogs" {
        grok {
          match => { "message" => "%{TIMESTAMP_ISO8601:TIME}:: %{JAVACLASS:SYSTEM} (?<ERROR>(.|\r|\n)*)"}
        }
      }
    }
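
An added example, not part of the original post and not Filebeat's own code: a simplified Python model of how `multiline.pattern`, `multiline.negate` and `multiline.match: after` group lines, run over a sample modelled on the log above. Filebeat reads `multiline.pattern` as a regular expression and does not expand grok `%{...}` names; the names `group_multiline` and `summarize`, the replacement regex and the second log entry are assumptions made for illustration, and Python's `re` stands in for Filebeat's regexp engine.

```python
import re

# Sample modelled on the log in the post; the second entry is constructed.
SAMPLE = [
    "2019-01-02T14:33:30.7269760+03:00:: System.Collections.ListDictionaryInternal "
    "Column 'ParentId' does not belong to table Table3.   "
    "at System.Data.DataRow.GetDataColumn(String columnName)",
    "   at System.Data.DataRow.get_Item(String columnName)",
    "   at Common.DTOs.B2BPermission.PermissionDTO.GetPermissions(DataTable dt)",
    "   at DataProvider.DataAccess.UserDA.GetCaxPermissionsFromList(DataTable dt)",
    "2019-01-02T14:35:02.1000000+03:00:: System.Collections.ListDictionaryInternal "
    "constructed second entry",
    "   at Constructed.Namespace.Method()",
]


def group_multiline(lines, pattern, negate, match="after"):
    """Simplified model of multiline.pattern / negate / match: after."""
    if match != "after":
        raise ValueError("only match: after is modelled here")
    rx = re.compile(pattern)
    events = []
    for line in lines:
        # A line continues the current event when its match result differs
        # from `negate`; otherwise it starts a new event.
        continuation = (rx.search(line) is not None) != negate
        if continuation and events:
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events


# Settings as posted: the grok name is read as literal regex text, so no line matches.
POSTED = dict(pattern=r"^%{TIMESTAMP_ISO8601}", negate=False)
# Plain regex for the timestamp prefix; non-matching lines join the previous match.
REGEX = dict(pattern=r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}", negate=True)


def summarize(settings):
    """Return (event count, lines per event) for the sample."""
    events = group_multiline(SAMPLE, **settings)
    return len(events), [e.count("\n") + 1 for e in events]


if __name__ == "__main__":
    for name, settings in (("posted", POSTED), ("regex", REGEX)):
        print(name, summarize(settings))
```

With the posted settings every line becomes its own event, so the Logstash grok only ever sees the first line of each stack trace; with the regex and `negate: true` each timestamped entry arrives as one event.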