Logstash mixed logs - multiline and normal

Question

I use input file to get logs like this:

input {
  file {
  path => "/home/ec2-user/*.log"
  }
}

In one of the log files some events are loging with 1 line:

2018-12-10 10:01:30.1097|0|Services.Services|INFO|  Message: test

Another are multilines like this one :

2018-12-10 10:01:30.1097|0|Services.Services|INFO|  Message: {
"account_id": "ec812648-3857-4625-9d9a-fc8ce1835493",
"name": "Player_539017",
"creation_time": "10/12/2018 10:52:52",
"hq_level": 2,
"force": 2570
} successfully dequeued |url: |action:

How can I capture both of the messages with logstash filter:

score 0 · Answer 1 · edited Dec 14 '18 at 09:39

0

Below is an example from this page which uses the multiline codec to capture log lines starting with a date timestamp as single event. This will work for both of the log events mentioned above.

file {
  path => "/home/ec2-user/*.log"
  codec => multiline {
    # Grok pattern names are valid
    pattern => "^%{TIMESTAMP_ISO8601} "
    negate => true
    what => "previous"
  }
}

edited Dec 14 '18 at 09:39

baudsp

4,076
1
17
35

answered Dec 13 '18 at 10:54

ben5556

2,915
2
11
16

Thanks ben5556 - everything is parsing fine now! – airdata Dec 13 '18 at 11:29

Logstash mixed logs - multiline and normal

1 Answers1