Do I just use a rule to detect strings in those lines, then more complex set_fields?
The other issue is - that last line is multiline =(. (Yeah, I know, that makes parsing hard). Is there a good way of handling that? (Assuming the next message must start with a timestamp).
If you can identify the logline - the beginning of a new logline - using filebeat as the shipper for multiline logs should not be a problem.
Then you would write some pipeline rules that extract all the information out of the messages that is needed. That isn't that special and should be doable.
I can probably use the timestamp to identify the start of the line. I assume I’d have to be fairly unlucky to split a line that also contained a timestamp in exactly the same format. However, not sure of a way to be more robust/precise than that.
Filebeat is the one from Elastic, yes. For Graylog you do not need additional software. The beats protocol is supported natively by Graylog.
In the definition of the start pattern of a multiline message (the timestamp) you can add a simple ^ so that the timestamp needs to be the first field on a line.
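As an added example (not from anyone in this thread), here is the grouping logic filebeat applies with an anchored timestamp start pattern, written in Python so the effect of the ^ anchor can be checked on a constructed log; the timestamp format and the filebeat option values in the comment are assumptions.

```python
import re
from typing import Iterator, List, Pattern

# Start-of-message pattern (assumed format: 2024-01-15 10:32:01,123).
# The ^ anchor makes the timestamp count only when it is the first field on the line.
ANCHORED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[,.]\d{3}")
# Same pattern without ^, to show why the anchor matters.
UNANCHORED = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[,.]\d{3}")

def group_multiline(lines, start: Pattern = ANCHORED) -> Iterator[str]:
    """Yield complete log messages from raw lines.

    Mirrors filebeat's multiline handling with (values assumed):
        multiline.pattern: '^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}'
        multiline.negate: true
        multiline.match: after
    i.e. every line that does NOT match the start pattern is appended to the
    message that precedes it.
    """
    current: List[str] = []
    for line in lines:
        line = line.rstrip("\n")
        if start.search(line) and current:
            yield "\n".join(current)      # flush the previous message
            current = [line]
        elif start.search(line):
            current = [line]              # first message in the stream
        elif current:
            current.append(line)          # continuation of the current message
        else:
            current = [line]              # leading continuation line: keep, don't drop
    if current:
        yield "\n".join(current)

# Constructed sample: the third message is a multiline stack trace whose second
# line mentions a timestamp mid-line (the "unlucky" case from the thread).
SAMPLE_LOG = """\
2024-01-15 10:32:01,123 INFO  Starting service
2024-01-15 10:32:02,456 WARN  Retrying connection
2024-01-15 10:32:03,789 ERROR Request failed
java.lang.RuntimeException: deadline 2024-01-15 10:32:03,700 passed
    at com.example.Handler.run(Handler.java:42)
2024-01-15 10:32:04,000 INFO  Recovered
"""

def parse_sample(start: Pattern = ANCHORED) -> List[str]:
    return list(group_multiline(SAMPLE_LOG.splitlines(), start))

if __name__ == "__main__":
    print(len(parse_sample(ANCHORED)), "messages with ^ anchor")    # 4
    print(len(parse_sample(UNANCHORED)), "messages without anchor") # 5
```

With the anchor the stack trace stays one message; without it the mid-line timestamp would wrongly start a fifth message.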