Why is the error log being sent divided?

I am sending error and fatal logs. These have multiple lines, so the multiline is configured like this:
image

filebeat multiline:
image

This is throwing me an error:


My error and fatal logs have this structure:

<log4j:event logger="LogGeneratorApp.MainForm" timestamp="1664208384844" level="ERROR" thread="1"><log4j:message>This is a test log message</log4j:message><log4j:properties><log4j:data name="log4net:UserName" value="TEN\60085367" /><log4j:data name="log4jmachinename" value="TAMP00043541" /><log4j:data name="log4japp" value="LogGeneratorApp.exe" /><log4j:data name="log4net:HostName" value="TAMP00043541" /></log4j:properties><log4j:throwable>System.Exception: This is a test log message
   en LogGeneratorApp.MainForm.SendToLog(String level, String message)</log4j:throwable><log4j:locationInfo class="LogGeneratorApp.MainForm" method="SendToLog" file="" line="0" /></log4j:event>

And in Kibana I can see that the log is sent like this:

part 1:
image

part 2:
image

Note in the image that the first line and the second are sent separately.
This happens to me when I send two fatal or two errors or a fatal and an error from different apps.
If I only send from one, I have no problems.

Resolved. At first I was configuring a multiline for all inputs, so I tried assigning a multiline for each input, just like the processors, and it corrected the error.

filebeat.inputs:

- type: filestream
  id: tricentisT-app4
  enabled: true
  paths:
    - C:\Users\60085367\Desktop\ServerTest3\3_Log_Generados1\*
  processors:
  - add_fields: 
      fields: 
        V_APP_NAME: TricentisT.Log.Tester1
  
  parsers:
    - multiline:
        type: pattern
        pattern: '^<log4j:event.*'
        negate: true
        match: after

- type: filestream
  id: detection-app5
  enabled: true
  paths:
    - C:\Users\60085367\Desktop\ServerTest3\3_Log_Generados2\*
  processors:
  - add_fields: 
      fields: 
        V_APP_NAME: Detection.Log.Tester2

  parsers:
    - multiline:
        type: pattern
        pattern: '^<log4j:event.*'
        negate: true
        match: after
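
A simplified model of how the `multiline` settings in the config above (`pattern: '^<log4j:event.*'`, `negate: true`, `match: after`) group lines into events. This is an added example, not part of the original post and not Filebeat's own code; the sample lines are constructed from the event shown earlier, and `group_events` and `is_complete` are hypothetical helper names.

```python
import re

# Pattern copied from the multiline parser in the config above.
PATTERN = re.compile(r'^<log4j:event.*')

# Constructed sample: two log4j XML events, each spanning two lines because
# the stack trace inside <log4j:throwable> contains a line break.
SAMPLE = [
    '<log4j:event logger="LogGeneratorApp.MainForm" level="ERROR" thread="1">'
    '<log4j:message>This is a test log message</log4j:message>'
    '<log4j:throwable>System.Exception: This is a test log message',
    '   en LogGeneratorApp.MainForm.SendToLog(String level, String message)'
    '</log4j:throwable></log4j:event>',
    '<log4j:event logger="LogGeneratorApp.MainForm" level="FATAL" thread="1">'
    '<log4j:message>This is a test log message</log4j:message>'
    '<log4j:throwable>System.Exception: This is a test log message',
    '   en LogGeneratorApp.MainForm.SendToLog(String level, String message)'
    '</log4j:throwable></log4j:event>',
]

def group_events(lines, pattern=PATTERN):
    """Model of negate: true + match: after. A line matching the pattern
    starts a new event; a non-matching line is appended to the event
    before it."""
    events, current = [], None
    for line in lines:
        line = line.rstrip("\r\n")
        if pattern.match(line) or current is None:
            if current is not None:
                events.append("\n".join(current))
            current = [line]
        else:
            current.append(line)
    if current is not None:
        events.append("\n".join(current))
    return events

def is_complete(event):
    """Check that one shipped event holds a whole <log4j:event> element."""
    return event.startswith("<log4j:event") and event.endswith("</log4j:event>")

if __name__ == "__main__":
    for n, event in enumerate(group_events(SAMPLE), 1):
        print(n, "complete" if is_complete(event) else "SPLIT", len(event.splitlines()), "lines")
```

Running `is_complete` over the raw lines, with no grouping, flags every line as a fragment, which matches the split "part 1" / "part 2" documents described in the question.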
