Filebeat multiline in Graylog 3


#1

Hello,

I’m pretty new in greylog, so I would like to ask you how can I setup up multiline for sidecar filebeat input.

Right now I have configured:

Latest version of Greylog 3 with windows sidecar filebeat. It is sending data without problem but when I trying to configure multiline in filebeat conf it still sending line by line

Sidecar conf:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: server1
fields.gl2_source_collector: 17b91e09-295f-4529-b817-f1a09fdf224a

filebeat.inputs:
- input_type: log
  paths:
    - C:\logs\*.log
  type: log

output.logstash:
   hosts: ["xxx.xxx.xxx.xxx:5044"]

path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs

multiline:  
multiline.pattern: '^[[:space:]]'
multiline.negate: false
multiline.match: after

Sample of the log:

3/14/2019 12:00:00 AM##1868##9212##DateTime=2019-03-13T23:00:00.8300562Z
ServiceLogger Error: 41 : 3/14/2019 12:00:01 AM##1868##3516##Loc #1, path:, System.ArgumentException: The path is not of a legal form.
   at System.IO.Path.LegacyNormalizePath(String path, Boolean fullCheck, Int32 maxPathLength, Boolean expandShortPaths)
   at System.IO.Path.NormalizePath(String path, Boolean fullCheck, Int32 maxPathLength, Boolean expandShortPaths)
   at System.IO.Path.GetFullPathInternal(String path)
   at System.IO.FileSystemEnumerableIterator`1..ctor(String path, String originalUserPath, String searchPattern, SearchOption searchOption, SearchResultHandler`1 resultHandler, Boolean checkHost)
   at System.IO.Directory.EnumerateFiles(String path)
   at EmbargoSvc.MyFileSystemWatcher.FileProcessor(EmbargoMessageLocation loc, String connString, Int32 sqlCommandTimeout)
3/14/2019 12:00:01 AM##1868##3516##ThreadId=8
3/14/2019 12:00:01 AM##1868##3516##DateTime=2019-03-13T23:00:01.8072308Z
EmbargoServiceLogger Error: 41 : 3/14/2019 12:00:01 AM##1868##7340##Loc #2, path:, System.ArgumentException: The path is not of a legal form.
   at System.IO.Path.LegacyNormalizePath(String path, Boolean fullCheck, Int32 maxPathLength, Boolean expandShortPaths)
   at System.IO.Path.NormalizePath(String path, Boolean fullCheck, Int32 maxPathLength, Boolean expandShortPaths)
   at System.IO.Path.GetFullPathInternal(String path)
   at System.IO.FileSystemEnumerableIterator`1..ctor(String path, String originalUserPath, String searchPattern, SearchOption searchOption, SearchResultHandler`1 resultHandler, Boolean checkHost)
   at System.IO.Directory.EnumerateFiles(String path)
   at EmbargoSvc.MyFileSystemWatcher.FileProcessor(EmbargoMessageLocation loc, String connString, Int32 sqlCommandTimeout)
3/14/2019 12:00:01 AM##1868##7340##ThreadId=9
3/14/2019 12:00:01 AM##1868##7340##DateTime=2019-03-13T23:00:01.8072308Z

Thank you.


(Jan Doberstein) #2

He @Sodjag

if you would have formated your message like mentioned in the FAQ of this community we would be able to help you with that.

To know what and how a multiline configuration should be, it is helpful to have more than just a single line …


#3

Sorry for wrong formating, I tried to fixed it. Hope it is ok. Thank you.


(Jan Doberstein) #4

Just for question, is that one event?

3/14/2019 12:00:01 AM##1868##3516##DateTime=2019-03-13T23:00:01.8072308Z
EmbargoServiceLogger Error: 41 : 3/14/2019 12:00:01 AM##1868##7340##Loc #2, path:, System.ArgumentException: The path is not of a legal form.
   at System.IO.Path.LegacyNormalizePath(String path, Boolean fullCheck, Int32 maxPathLength, Boolean expandShortPaths)
   at System.IO.Path.NormalizePath(String path, Boolean fullCheck, Int32 maxPathLength, Boolean expandShortPaths)
   at System.IO.Path.GetFullPathInternal(String path)
   at System.IO.FileSystemEnumerableIterator`1..ctor(String path, String originalUserPath, String searchPattern, SearchOption searchOption, SearchResultHandler`1 resultHandler, Boolean checkHost)
   at System.IO.Directory.EnumerateFiles(String path)
   at EmbargoSvc.MyFileSystemWatcher.FileProcessor(EmbargoMessageLocation loc, String connString, Int32 sqlCommandTimeout)
3/14/2019 12:00:01 AM##1868##7340##ThreadId=9

#5
EmbargoServiceLogger Error: 41 : 3/14/2019 12:00:01 AM##1868##7340##Loc #2, path:, System.ArgumentException: The path is not of a legal form.
   at System.IO.Path.LegacyNormalizePath(String path, Boolean fullCheck, Int32 maxPathLength, Boolean expandShortPaths)
   at System.IO.Path.NormalizePath(String path, Boolean fullCheck, Int32 maxPathLength, Boolean expandShortPaths)
   at System.IO.Path.GetFullPathInternal(String path)
   at System.IO.FileSystemEnumerableIterator`1..ctor(String path, String originalUserPath, String searchPattern, SearchOption searchOption, SearchResultHandler`1 resultHandler, Boolean checkHost)
   at System.IO.Directory.EnumerateFiles(String path)
   at EmbargoSvc.MyFileSystemWatcher.FileProcessor(EmbargoMessageLocation loc, String connString, Int32 sqlCommandTimeout)

This should be one event